From 2b121a699c4c8968522cf59a9345ba1df284b832 Mon Sep 17 00:00:00 2001 
From: Eric Van Norman Date: Wed, 12 Oct 2022 10:52:57 -0500 Subject: [PATCH 1/3] Test with reference docs using Goldmark in istio/api --- .../reference/config/annotations/index.html | 4 +- .../config/istio.analysis.v1alpha1/index.html | 70 +- .../config/istio.mesh.v1alpha1/index.html | 1160 ++++++++-------- .../config/istio.operator.v1alpha1/index.html | 174 ++- .../docs/reference/config/labels/index.html | 4 +- .../meta/v1beta1/istio-status/index.html | 36 +- .../networking/destination-rule/index.html | 850 +++++------- .../config/networking/envoy-filter/index.html | 439 +++--- .../config/networking/gateway/index.html | 390 +++--- .../config/networking/proxy-config/index.html | 50 +- .../networking/service-entry/index.html | 586 ++++---- .../config/networking/sidecar/index.html | 499 +++---- .../networking/virtual-service/index.html | 1205 +++++++---------- .../networking/workload-entry/index.html | 205 ++- .../networking/workload-group/index.html | 78 +- .../proxy_extensions/wasm-plugin/index.html | 149 +- .../security/authorization-policy/index.html | 203 ++- .../reference/config/security/jwt/index.html | 87 +- .../security/peer_authentication/index.html | 26 +- .../request_authentication/index.html | 66 +- .../reference/config/telemetry/index.html | 302 ++--- .../config/type/workload-selector/index.html | 40 +- .../reference/config/annotations/index.html | 4 +- .../config/istio.analysis.v1alpha1/index.html | 70 +- .../config/istio.mesh.v1alpha1/index.html | 1160 ++++++++-------- .../config/istio.operator.v1alpha1/index.html | 174 ++- .../docs/reference/config/labels/index.html | 4 +- .../meta/v1beta1/istio-status/index.html | 36 +- .../networking/destination-rule/index.html | 850 +++++------- .../config/networking/envoy-filter/index.html | 439 +++--- .../config/networking/gateway/index.html | 390 +++--- .../config/networking/proxy-config/index.html | 50 +- .../networking/service-entry/index.html | 586 ++++---- .../config/networking/sidecar/index.html | 499 
+++---- .../networking/virtual-service/index.html | 1205 +++++++---------- .../networking/workload-entry/index.html | 205 ++- .../networking/workload-group/index.html | 78 +- .../proxy_extensions/wasm-plugin/index.html | 149 +- .../security/authorization-policy/index.html | 203 ++- .../reference/config/security/jwt/index.html | 87 +- .../security/peer_authentication/index.html | 26 +- .../request_authentication/index.html | 66 +- .../reference/config/telemetry/index.html | 302 ++--- .../config/type/workload-selector/index.html | 40 +- scripts/grab_reference_docs.sh | 2 +- 45 files changed, 5861 insertions(+), 7387 deletions(-) diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html index e3446f8dbc3cd..3cf883b198a3a 100644 --- a/content/en/docs/reference/config/annotations/index.html +++ b/content/en/docs/reference/config/annotations/index.html @@ -1,6 +1,6 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Resource Annotations description: Resource annotations used by Istio. location: https://istio.io/docs/reference/config/annotations/ diff --git a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html index 65f537b02cca2..10c9ba25ee134 100644 --- a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html 
@@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Analysis Messages description: Describes the structure of messages generated by Istio analyzers. location: https://istio.io/docs/reference/config/istio.analysis.v1alpha1.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs weight: 20 number_of_entries: 7 @@ -13,7 +13,7 @@

AnalysisMessageBase

-

AnalysisMessageBase describes some common information that is needed for all +

AnalysisMessageBase describes some common information that is needed for all
messages. All information should be static with respect to the error code.

@@ -50,9 +50,9 @@

AnalysisMessageBase

@@ -65,10 +65,10 @@

AnalysisMessageBase

AnalysisMessageWeakSchema

-

AnalysisMessageWeakSchema is the set of information that’s needed to define a -weakly-typed schema. The purpose of this proto is to provide a mechanism for -validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make -sure that we don’t allow committing underspecified types.

+

AnalysisMessageWeakSchema is the set of information that's needed to define a
+weakly-typed schema. The purpose of this proto is to provide a mechanism for
+validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
+sure that we don't allow committing underspecified types.

documentationUrl string -

A url pointing to the Istio documentation for this specific error type. -Should be of the form -^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/ +

A url pointing to the Istio documentation for this specific error type.
+Should be of the form
+^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/
Required.

@@ -106,8 +106,8 @@

AnalysisMessageWeakSchema

@@ -131,11 +131,11 @@

AnalysisMessageWeakSchema

GenericAnalysisMessage

-

GenericAnalysisMessage is an instance of an AnalysisMessage defined by a -schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code -should be able to perform validation of arguments as needed by using the -message type information to look at the AnalysisMessageWeakSchema and examine the -list of args at runtime. Developers can also create stronger-typed versions +

GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
+schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
+should be able to perform validation of arguments as needed by using the
+message type information to look at the AnalysisMessageWeakSchema and examine the
+list of args at runtime. Developers can also create stronger-typed versions
of GenericAnalysisMessage for well-known and stable message types.

template string -

A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) -defining how to combine the args for a particular message into a log line. +

A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing)
+defining how to combine the args for a particular message into a log line.
Required.

@@ -174,11 +174,11 @@

GenericAnalysisMessage

@@ -191,7 +191,7 @@

GenericAnalysisMessage

InternalErrorAnalysisMessage

-

InternalErrorAnalysisMessage is a strongly-typed message representing some +

InternalErrorAnalysisMessage is a strongly-typed message representing some
error in Istio code that prevented us from performing analysis at all.

resourcePaths string[] -

A list of strings specifying the resource identifiers that were the cause -of message generation. A “path” here is a (NAMESPACE\/)?RESOURCETYPE/NAME -tuple that uniquely identifies a particular resource. There doesn’t seem to -be a single concept for this, but this is intuitively taken from -https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology +

A list of strings specifying the resource identifiers that were the cause
+of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME
+tuple that uniquely identifies a particular resource. There doesn't seem to
+be a single concept for this, but this is intuitively taken from
+https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology
At least one is required.

@@ -231,9 +231,9 @@

InternalErrorAnalysisMessage

AnalysisMessageBase.Type

-

A unique identifier for the type of message. Name is intended to be -human-readable, code is intended to be machine readable. There should be a -one-to-one mapping between name and code. (i.e. do not re-use names or +

A unique identifier for the type of message. Name is intended to be
+human-readable, code is intended to be machine readable. There should be a
+one-to-one mapping between name and code. (i.e. do not re-use names or
codes between message types.)

@@ -250,8 +250,8 @@

AnalysisMessageBase.Type

@@ -263,8 +263,8 @@

AnalysisMessageBase.Type

@@ -302,9 +302,9 @@

AnalysisMessageWeakSchema.ArgType

goType @@ -317,7 +317,7 @@

AnalysisMessageWeakSchema.ArgType

AnalysisMessageBase.Level

-

The values here are chosen so that more severe messages get sorted higher, +

The values here are chosen so that more severe messages get sorted higher,
as well as leaving space in between to add more later

name string -

A human-readable name for the message type. e.g. “InternalError”, -“PodMissingProxy”. This should be the same for all messages of the same type. +

A human-readable name for the message type. e.g. "InternalError",
+"PodMissingProxy". This should be the same for all messages of the same type.
Required.

code string -

A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify -the message type. (e.g. “IST0001” is mapped to the “InternalError” message +

A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify
+the message type. (e.g. "IST0001" is mapped to the "InternalError" message
type.) 0000-0100 are reserved. Required.

string -

Required. Should be a golang type, used in code generation. -Ideally this will change to a less language-pinned type before this gets -out of alpha, but for compatibility with current istio/istio code it’s +

Required. Should be a golang type, used in code generation.
+Ideally this will change to a less language-pinned type before this gets
+out of alpha, but for compatibility with current istio/istio code it's
go_type for now.

diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html index d5e2635726d79..d7bf4bfba413b 100644 --- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Global Mesh Options description: Configuration affecting the service mesh as a whole. location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs weight: 20 number_of_entries: 55 @@ -29,7 +29,7 @@

MeshConfig

@@ -52,7 +52,7 @@

MeshConfig

@@ -64,15 +64,15 @@

MeshConfig

@@ -95,8 +95,8 @@

MeshConfig

@@ -108,7 +108,7 @@

MeshConfig

@@ -120,7 +120,7 @@

MeshConfig

@@ -132,10 +132,10 @@

MeshConfig

@@ -147,7 +147,7 @@

MeshConfig

@@ -159,7 +159,7 @@

MeshConfig

@@ -171,8 +171,8 @@

MeshConfig

@@ -195,9 +195,9 @@

MeshConfig

@@ -209,9 +209,9 @@

MeshConfig

@@ -223,10 +223,10 @@

MeshConfig

@@ -238,17 +238,17 @@

MeshConfig

@@ -260,8 +260,8 @@

MeshConfig

@@ -273,16 +273,16 @@

MeshConfig

@@ -294,7 +294,7 @@

MeshConfig

@@ -306,14 +306,12 @@

MeshConfig

@@ -325,9 +323,9 @@

MeshConfig

@@ -339,30 +337,26 @@

MeshConfig

@@ -374,10 +368,9 @@

MeshConfig

@@ -389,10 +382,9 @@

MeshConfig

@@ -404,13 +396,12 @@

MeshConfig

@@ -433,7 +424,7 @@

MeshConfig

@@ -445,9 +436,9 @@

MeshConfig

@@ -459,22 +450,18 @@

MeshConfig

@@ -550,7 +533,7 @@

MeshConfig

@@ -573,15 +556,16 @@

MeshConfig

@@ -606,12 +589,12 @@

MeshConfig

@@ -623,13 +606,13 @@

MeshConfig

@@ -653,8 +636,8 @@

MeshConfig

ConfigSource

-

ConfigSource describes information about a configuration store inside a -mesh. A single control plane instance can interact with one or more data +

ConfigSource describes information about a configuration store inside a
+mesh. A single control plane instance can interact with one or more data
sources.

proxyListenPort int32 -

Port on which Envoy should listen for incoming connections from +

Port on which Envoy should listen for incoming connections from
other services. Default port is 15001.

connectTimeout Duration -

Connection timeout used by Envoy. (MUST BE >=1ms) +

Connection timeout used by Envoy. (MUST BE >=1ms)
Default timeout is 10s.

protocolDetectionTimeout Duration -

Automatic protocol detection uses a set of heuristics to -determine whether the connection is using TLS or not (on the -server side), as well as the application protocol being used -(e.g., http vs tcp). These heuristics rely on the client sending -the first bits of data. For server first protocols like MySQL, -MongoDB, etc. Envoy will timeout on the protocol detection after -the specified period, defaulting to non mTLS plain TCP -traffic. Set this field to tweak the period that Envoy will wait -for the client to send the first bits of data. (MUST BE >=1ms or +

Automatic protocol detection uses a set of heuristics to
+determine whether the connection is using TLS or not (on the
+server side), as well as the application protocol being used
+(e.g., http vs tcp). These heuristics rely on the client sending
+the first bits of data. For server first protocols like MySQL,
+MongoDB, etc. Envoy will timeout on the protocol detection after
+the specified period, defaulting to non mTLS plain TCP
+traffic. Set this field to tweak the period that Envoy will wait
+for the client to send the first bits of data. (MUST BE >=1ms or
0s to disable). Default detection timeout is 0s (no timeout).

ingressClass string -

Class of ingress resources to be processed by Istio ingress -controller. This corresponds to the value of +

Class of ingress resources to be processed by Istio ingress
+controller. This corresponds to the value of
kubernetes.io/ingress.class annotation.

ingressService string -

Name of the Kubernetes service used for the istio ingress controller. +

Name of the Kubernetes service used for the istio ingress controller.
If no ingress controller is specified, the default value istio-ingressgateway is used.

ingressControllerMode IngressControllerMode -

Defines whether to use Istio ingress controller for annotated or all ingress resources. +

Defines whether to use Istio ingress controller for annotated or all ingress resources.
Default mode is STRICT.

ingressSelector string -

Defines which gateway deployment to use as the Ingress controller. This field corresponds to -the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. -By default, ingressgateway is used, which will select the default IngressGateway as it has the -istio: ingressgateway labels. +

Defines which gateway deployment to use as the Ingress controller. This field corresponds to
+the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR.
+By default, ingressgateway is used, which will select the default IngressGateway as it has the
+istio: ingressgateway labels.
It is recommended that this is the same value as ingress_service.

enableTracing bool -

Flag to control generation of trace spans and request IDs. +

Flag to control generation of trace spans and request IDs.
Requires a trace span collector defined in the proxy configuration.

accessLogFile string -

File address for the proxy access log (e.g. /dev/stdout). +

File address for the proxy access log (e.g. /dev/stdout).
Empty value disables access logging.

accessLogFormat string -

Format for the proxy access log -Empty value results in proxy’s default access log format

+

Format for the proxy access log
+Empty value results in proxy's default access log format

@@ -183,7 +183,7 @@

MeshConfig

accessLogEncoding AccessLogEncoding -

Encoding for the proxy access log (TEXT or JSON). +

Encoding for the proxy access log (TEXT or JSON).
Default value is TEXT.

enableEnvoyAccessLogService bool -

This flag enables Envoy’s gRPC Access Log Service. -See Access Log Service -for details about Envoy’s gRPC Access Log Service API. +

This flag enables Envoy's gRPC Access Log Service.
+See Access Log Service
+for details about Envoy's gRPC Access Log Service API.
Default value is false.

disableEnvoyListenerLog bool -

This flag disables Envoy Listener logs. -See Listener Access Log -Istio Enables Envoy’s listener access logs on “NoRoute” response flag. +

This flag disables Envoy Listener logs.
+See Listener Access Log
+Istio Enables Envoy's listener access logs on "NoRoute" response flag.
Default value is false.

defaultConfig ProxyConfig -

Default proxy config used by gateway and sidecars. -In case of Kubernetes, the proxy config is applied once during the injection process, -and remain constant for the duration of the pod. The rest of the mesh config can be changed -at runtime and config gets distributed dynamically. +

Default proxy config used by gateway and sidecars.
+In case of Kubernetes, the proxy config is applied once during the injection process,
+and remain constant for the duration of the pod. The rest of the mesh config can be changed
+at runtime and config gets distributed dynamically.
On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

outboundTrafficPolicy OutboundTrafficPolicy -

Set the default behavior of the sidecar for handling outbound -traffic from the application. If your application uses one or -more external services that are not known apriori, setting the -policy to ALLOW_ANY will cause the sidecars to route any unknown -traffic originating from the application to its requested -destination. Users are strongly encouraged to use ServiceEntries -to explicitly declare any external dependencies, instead of using -ALLOW_ANY, so that traffic to these services can be -monitored. Can be overridden at a Sidecar level by setting the -OutboundTrafficPolicy in the Sidecar -API. +

Set the default behavior of the sidecar for handling outbound
+traffic from the application. If your application uses one or
+more external services that are not known apriori, setting the
+policy to ALLOW_ANY will cause the sidecars to route any unknown
+traffic originating from the application to its requested
+destination. Users are strongly encouraged to use ServiceEntries
+to explicitly declare any external dependencies, instead of using
+ALLOW_ANY, so that traffic to these services can be
+monitored. Can be overridden at a Sidecar level by setting the
+OutboundTrafficPolicy in the Sidecar
+API
.
Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

configSources ConfigSource[] -

ConfigSource describes a source of configuration data for networking -rules, and other Istio configuration artifacts. Multiple data sources +

ConfigSource describes a source of configuration data for networking
+rules, and other Istio configuration artifacts. Multiple data sources
can be configured for a single control plane.

enableAutoMtls BoolValue -

This flag is used to enable mutual TLS automatically for service to service communication -within the mesh, default true. -If set to true, and a given service does not have a corresponding DestinationRule configured, -or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side -TLS configuration appropriately. More specifically, -If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate -for mutual TLS to connect to upstream. -If upstream service is in plain text mode, use plain text. -If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use -mutual TLS when server sides are capable of accepting mutual TLS traffic. +

This flag is used to enable mutual TLS automatically for service to service communication
+within the mesh, default true.
+If set to true, and a given service does not have a corresponding DestinationRule configured,
+or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side
+TLS configuration appropriately. More specifically,
+If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
+for mutual TLS to connect to upstream.
+If upstream service is in plain text mode, use plain text.
+If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
+mutual TLS when server sides are capable of accepting mutual TLS traffic.
If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

trustDomain string -

The trust domain corresponds to the trust root of a system. +

The trust domain corresponds to the trust root of a system.
Refer to SPIFFE-ID

trustDomainAliases string[] -

The trust domain aliases represent the aliases of trust_domain. +

The trust domain aliases represent the aliases of trust_domain.
For example, if we have

-
trustDomain: td1
 trustDomainAliases: ["td2", "td3"]
 
- -

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, +

Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account,
or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

caCertificates CertificateData[] -

The extra root certificates for workload-to-workload communication. -The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) -are automatically added by Istiod. +

The extra root certificates for workload-to-workload communication.
+The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
+are automatically added by Istiod.
The CA certificate that signs the workload certificates is automatically added by Istio Agent.

defaultServiceExportTo string[] -

The default value for the ServiceEntry.export_to field and services -imported through container registry integrations, e.g. this applies to -Kubernetes Service resources. The value is a list of namespace names and +

The default value for the ServiceEntry.export_to field and services
+imported through container registry integrations, e.g. this applies to
+Kubernetes Service resources. The value is a list of namespace names and
reserved namespace aliases. The allowed namespace aliases are:

-
* - All Namespaces
 . - Current Namespace
 ~ - No Namespace
 
- -

If not set the system will use “*” as the default value which implies that +

If not set the system will use "*" as the default value which implies that
services are exported to all namespaces.

- -

All namespaces is a reasonable default for implementations that don’t -need to restrict access or visibility of services across namespace -boundaries. If that requirement is present it is generally good practice to -make the default Current namespace so that services are only visible -within their own namespaces by default. Operators can then expand the -visibility of services to other namespaces as needed. Use of No Namespace -is expected to be rare but can have utility for deployments where -dependency management needs to be precise even within the scope of a single +

All namespaces is a reasonable default for implementations that don't
+need to restrict access or visibility of services across namespace
+boundaries. If that requirement is present it is generally good practice to
+make the default Current namespace so that services are only visible
+within their own namespaces by default. Operators can then expand the
+visibility of services to other namespaces as needed. Use of No Namespace
+is expected to be rare but can have utility for deployments where
+dependency management needs to be precise even within the scope of a single
namespace.

- -

For further discussion see the reference documentation for ServiceEntry, +

For further discussion see the reference documentation for ServiceEntry,
Sidecar, and Gateway.

defaultVirtualServiceExportTo string[] -

The default value for the VirtualService.export_to field. Has the same +

The default value for the VirtualService.export_to field. Has the same
syntax as default_service_export_to.

- -

If not set the system will use “*” as the default value which implies that +

If not set the system will use "*" as the default value which implies that
virtual services are exported to all namespaces

defaultDestinationRuleExportTo string[] -

The default value for the DestinationRule.export_to field. Has the same +

The default value for the DestinationRule.export_to field. Has the same
syntax as default_service_export_to.

- -

If not set the system will use “*” as the default value which implies that +

If not set the system will use "*" as the default value which implies that
destination rules are exported to all namespaces

rootNamespace string -

The namespace to treat as the administrative root namespace for -Istio configuration. When processing a leaf namespace Istio will search for -declarations in that namespace first and if none are found it will -search in the root namespace. Any matching declaration found in the root +

The namespace to treat as the administrative root namespace for
+Istio configuration. When processing a leaf namespace Istio will search for
+declarations in that namespace first and if none are found it will
+search in the root namespace. Any matching declaration found in the root
namespace is processed as if it were declared in the leaf namespace.

- -

The precise semantics of this processing are documented on each resource +

The precise semantics of this processing are documented on each resource
type.

dnsRefreshRate Duration -

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS +

Configures DNS refresh rate for Envoy clusters of type STRICT_DNS
Default refresh rate is 5s.

h2UpgradePolicy H2UpgradePolicy -

Specify if http1.1 connections should be upgraded to http2 by default. -if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. -If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. +

Specify if http1.1 connections should be upgraded to http2 by default.
+if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
+If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE.
It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

inboundClusterStatName string -

Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for -network filters like TCP and Redis. -By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>. +

Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
+network filters like TCP and Redis.
+By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>.
For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

-

A Pattern can be composed of various pre-defined variables. The following variables are supported.

-
  • %SERVICE% - Will be substituted with name of the service.
  • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
  • %SERVICE_PORT% - Will be substituted with port of the service.
  • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
-

Following are some examples of supported patterns for reviews:

-
  • %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
  • %SERVICE% will use reviews.prod as the stats name.
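Review bot: In the outboundTrafficPolicy description the sentence-ending period lands on its own line after the `Sidecar API` link (`+API` followed by a bare `.`), so the HTML will render as "Sidecar API ." with a space before the period. The link text and the trailing period need to stay on one line; check how the generator emits the closing `</a>` for a link that ends a markdown line, since the same pattern will hit every field description that ends with a link. In the same hunk the trustDomainAliases and defaultServiceExportTo examples (`trustDomain: td1 ...`, `* - All Namespaces ...`) keep their content as unchanged context while the surrounding `-` lines disappear with nothing added, so confirm those examples still render inside a code block rather than as body text.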
  • @@ -489,13 +476,11 @@

    MeshConfig

outboundClusterStatName string -

Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for -network filters like TCP and Redis. -By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>. +

Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
+network filters like TCP and Redis.
+By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>.
For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

-

A Pattern can be composed of various pre-defined variables. The following variables are supported.

-
  • %SERVICE% - Will be substituted with name of the service.
  • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
  • @@ -503,9 +488,7 @@

    MeshConfig

  • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
  • %SUBSET_NAME% - Will be substituted with subset.
-

Following are some examples of supported patterns for reviews:

-
  • %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
  • %SERVICE% will use reviews.prod as the stats name.
  • @@ -531,14 +514,14 @@

    MeshConfig

enablePrometheusMerge BoolValue -

If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy -and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod -and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. -This relies on the annotations prometheus.io/scrape, prometheus.io/port, and -prometheus.io/path annotations. -If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. -In this case, it is recommended to disable aggregation on that deployment with the -prometheus.istio.io/merge-metrics: "false" annotation. +

If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
+and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod
+and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
+This relies on the annotations prometheus.io/scrape, prometheus.io/port, and
+prometheus.io/path annotations.
+If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
+In this case, it is recommended to disable aggregation on that deployment with the
+prometheus.istio.io/merge-metrics: "false" annotation.
If not specified, this will be enabled by default.

extensionProviders ExtensionProvider[] -

Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy +

Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
can be used with an extension provider to delegate the authorization decision to a custom authorization system.

discoverySelectors LabelSelector[] -

A list of Kubernetes selectors that specify the set of namespaces that Istio considers when -computing configuration updates for sidecars. This can be used to reduce Istio’s computational load -by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. -If omitted, Istio will use the default behavior of processing all namespaces in the cluster. -Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. -The following example selects any namespace that matches either below: -1. The namespace has both of these labels: env: prod and region: us-east1 -2. The namespace has label app equal to cassandra or spark.

- +

A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
+computing configuration updates for sidecars. This can be used to reduce Istio's computational load
+by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
+If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
+Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
+The following example selects any namespace that matches either below:

+
    +
  1. The namespace has both of these labels: env: prod and region: us-east1
  2. +
  3. The namespace has label app equal to cassandra or spark.
  4. +
discoverySelectors:
   - matchLabels:
       env: prod
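Review bot: The rendered numbered list in this hunk shows empty entries "2." and "4." between the two real items, so the generated `<ol>` appears to contain blank `<li>` elements (or stray whitespace lines inside the list) that the old single-paragraph form did not have; check the emitted HTML. The YAML example that follows (`discoverySelectors: - matchLabels: env: prod`) is also split by the hunk boundary, so verify the `- cassandra - spark` lines removed in the next hunk still render as one code block.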
@@ -593,8 +577,7 @@ 

MeshConfig

- cassandra - spark
- -

Refer to the kubernetes selector docs +

Refer to the kubernetes selector docs
for additional detail on selector semantics.

pathNormalization ProxyPathNormalization -

ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are -normalized by the sidecars and gateways. -The normalized paths will be used in all aspects through the requests’ lifetime on the -sidecars and gateways, which includes routing decisions in outbound direction (client proxy), -authorization policy match and enforcement in inbound direction (server proxy), and the URL -path proxied to the upstream service. +

ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
+normalized by the sidecars and gateways.
+The normalized paths will be used in all aspects through the requests' lifetime on the
+sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
+authorization policy match and enforcement in inbound direction (server proxy), and the URL
+path proxied to the upstream service.
If not set, the NormalizationType.DEFAULT configuration will be used.

defaultHttpRetryPolicy HTTPRetry -

Configure the default HTTP retry policy. -The default number of retry attempts is set at 2 for these errors: - “connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”. -Setting the number of attempts to 0 disables retry policy globally. -This setting can be overriden on a per-host basis using the Virtual Service -API. -All settings in the retry policy except perTryTimeout can currently be +

Configure the default HTTP retry policy.
+The default number of retry attempts is set at 2 for these errors:
+"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".
+Setting the number of attempts to 0 disables retry policy globally.
+This setting can be overriden on a per-host basis using the Virtual Service
+API.
+All settings in the retry policy except perTryTimeout can currently be
configured globally via this field.
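Review bot: "overriden" on the fifth added line is a typo for "overridden" carried over from the `default_http_retry_policy` comment in istio/api; fix it upstream. The retry error list is otherwise unchanged apart from the ASCII quotes, the same renderer difference noted elsewhere in this diff.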

@@ -671,9 +654,9 @@

ConfigSource

@@ -685,8 +668,8 @@

ConfigSource

@@ -759,10 +742,10 @@

MeshConfig.CertificateData

@@ -774,8 +757,8 @@

MeshConfig.CertificateData

@@ -787,14 +770,14 @@

MeshConfig.CertificateData

@@ -821,8 +804,8 @@

MeshConfig.ThriftConfig

@@ -860,8 +843,8 @@

MeshConfig.CA

@@ -873,13 +856,15 @@

MeshConfig.CA

@@ -902,7 +887,7 @@

MeshConfig.CA

@@ -973,9 +958,9 @@

MeshConfig.ExtensionProvider

@@ -1098,10 +1083,9 @@

MeshConfig.ExtensionProvider

MeshConfig.DefaultProviders

-

Holds the name references to the providers that will be used by default +

Holds the name references to the providers that will be used by default
in other Istio configuration resources if the provider is not specified.

- -

These names must match a provider defined in extension_providers that is +

These names must match a provider defined in extension_providers that is
one of the supported tracing providers.

address string -

Address of the server implementing the Istio Mesh Configuration -protocol (MCP). Can be IP address or a fully qualified DNS name. -Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or +

Address of the server implementing the Istio Mesh Configuration
+protocol (MCP). Can be IP address or a fully qualified DNS name.
+Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
fs:/// to specify a file-based backend with absolute path to the directory.

tlsSettings ClientTLSSettings -

Use the tls_settings to specify the tls mode to use. If the MCP server -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +

Use the tls_settings to specify the tls mode to use. If the MCP server
+uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as ISTIO_MUTUAL.

spiffeBundleUrl string (oneof) -

The SPIFFE bundle endpoint URL that complies to: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle -The endpoint should support authentication based on Web PKI: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki +

The SPIFFE bundle endpoint URL that complies to:
+https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
+The endpoint should support authentication based on Web PKI:
+https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
The certificate is retrieved from the endpoint.
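Review bot: "complies to" on the first line should read "complies with" (upstream comment in istio/api). The two SPIFFE standard URLs are unchanged, and the Web PKI requirement for the bundle endpoint, which is the security-relevant part of this field, survives the reflow intact.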

certSigners string[] -

Optional. Specify the kubernetes signers (External CA) that use this trustAnchor -when Istiod is acting as RA(registration authority) +

Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
+when Istiod is acting as RA(registration authority)
If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

trustDomains string[] -

Optional. Specify the list of trust domains to which this trustAnchor data belongs. -If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain -and its aliases. -Note that we can have multiple trustAnchor data for a same trust_domain. -In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. -If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. -If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. -If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. +

Optional. Specify the list of trust domains to which this trustAnchor data belongs.
+If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
+and its aliases.
+Note that we can have multiple trustAnchor data for a same trust_domain.
+In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
+If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
+If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
+If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.
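Review bot: Grammar in the trust-domain precedence text: "for a same trust_domain" and "with a same trust domain" should be "the same", and the final line "If both cert_signers and trust_domains is set" should be "are set". These are upstream comment fixes, but worth tracking because the four-way precedence (neither, only trust_domains, only cert_signers, both) is exactly the text an operator relies on when scoping a trust anchor to an external signer.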

rateLimitUrl string -

Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, -this will enable the rate limit service for destinations that have matching rate +

Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
+this will enable the rate limit service for destinations that have matching rate
limit configurations.

address string -

REQUIRED. Address of the CA server implementing the Istio CA gRPC API. -Can be IP address or a fully qualified DNS name with port +

REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
+Can be IP address or a fully qualified DNS name with port
Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

tlsSettings ClientTLSSettings -

Use the tls_settings to specify the tls mode to use. -Regarding tls_settings: -- DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. -DISABLE MODE can also be used for testing -- TLS MUTUAL MODE be on by default. If the CA certificates -(cert bundle to verify the CA server’s certificate) is omitted, Istiod will -use the system root certs to verify the CA server’s certificate.

+

Use the tls_settings to specify the tls mode to use.
+Regarding tls_settings:

+
    +
  • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
    +DISABLE MODE can also be used for testing
  • +
  • TLS MUTUAL MODE be on by default. If the CA certificates
    +(cert bundle to verify the CA server's certificate) is omitted, Istiod will
    +use the system root certs to verify the CA server's certificate.
  • +
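Review bot: The bulleted list here renders with an empty entry after each real bullet, the same symptom as the ordered list in the discoverySelectors hunk; check the generated `<ul>` and fix it in the generator rather than per page. Separately, "TLS MUTUAL MODE be on by default" in the second bullet is missing its verb ("is on by default") in the upstream comment, and that sentence is the one documenting the safe default for Istiod-to-CA traffic, so it should read cleanly.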
@@ -890,7 +875,7 @@

MeshConfig.CA

requestTimeout Duration -

timeout for forward CSR requests from Istiod to External CA +

timeout for forward CSR requests from Istiod to External CA
Default: 10s

istiodSide bool -

Use istiod_side to specify CA Server integrate to Istiod side or Agent side +

Use istiod_side to specify CA Server integrate to Istiod side or Agent side
Default: true
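Review bot: Both field descriptions in this hunk are fragments: "timeout for forward CSR requests" lacks a capital letter and an article, and "Use istiod_side to specify CA Server integrate to Istiod side or Agent side" needs rewording (e.g. "whether the CA server is integrated on the Istiod side or the agent side"). Upstream comment fixes in istio/api.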

lightstep LightstepTracingProvider (oneof) -

Configures a Lightstep tracing provider. -Note: For Istio 1.15+, configuring this provider will result in -using an OpenTelemetryTracingProvider configured specially for +

Configures a Lightstep tracing provider.
+Note: For Istio 1.15+, configuring this provider will result in
+using an OpenTelemetryTracingProvider configured specially for
Lightstep. This is part of the Lightstep transition to OpenTelemetry.

@@ -1190,11 +1174,11 @@

MeshConfig.TLSConfig

@@ -1223,24 +1207,21 @@

MeshConfig.ServiceSettings.Settings

@@ -1267,10 +1248,10 @@

Mesh

@@ -1282,9 +1263,9 @@

Mesh

@@ -1296,9 +1277,9 @@

Mesh

@@ -1325,12 +1306,11 @@

Mes

@@ -1365,9 +1345,9 @@

Mes

@@ -1460,16 +1443,17 @@

Mes

@@ -1578,8 +1563,8 @@

Mes

@@ -1591,8 +1576,8 @@

Mes

@@ -1671,8 +1655,8 @@

MeshConfig.Extension

MeshConfig.ExtensionProvider.LightstepTracingProvider

-

Defines configuration for a Lightstep tracer. -Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ +

Defines configuration for a Lightstep tracer.
+Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
will generate OpenTelemetry-compatible configuration when using this option.

minProtocolVersion TLSProtocol -

Optional: the minimum TLS protocol version. The default minimum -TLS version will be TLS 1.2. As servers may not be Envoy and be -set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the -minimum TLS version for clients may also be TLS 1.2. -In the current Istio implementation, the maximum TLS protocol version +

Optional: the minimum TLS protocol version. The default minimum
+TLS version will be TLS 1.2. As servers may not be Envoy and be
+set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
+minimum TLS version for clients may also be TLS 1.2.
+In the current Istio implementation, the maximum TLS protocol version
is TLS 1.3.

clusterLocal bool -

If true, specifies that the client and service endpoints must reside in the same cluster. -By default, in multi-cluster deployments, the Istio control plane assumes all service -endpoints to be reachable from any client in any of the clusters which are part of the -mesh. This configuration option limits the set of service endpoints visible to a client +

If true, specifies that the client and service endpoints must reside in the same cluster.
+By default, in multi-cluster deployments, the Istio control plane assumes all service
+endpoints to be reachable from any client in any of the clusters which are part of the
+mesh. This configuration option limits the set of service endpoints visible to a client
to be cluster scoped.

-

There are some common scenarios when this can be useful:

-
    -
  • A service (or group of services) is inherently local to the cluster and has local storage +
  • A service (or group of services) is inherently local to the cluster and has local storage
    for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
  • -
  • A mesh administrator wants to slowly migrate services to Istio. They might start by first -having services cluster-local and then slowly transition them to mesh-wide. They could do -this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group +
  • A mesh administrator wants to slowly migrate services to Istio. They might start by first
    +having services cluster-local and then slowly transition them to mesh-wide. They could do
    +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
    (e.g. *.myns.svc.cluster.local).
- -

By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all +

By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
services in the kube-system namespace to be cluster-local, unless explicitly overridden here.
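Review bot: The cluster-local bullet list shows a removed "• -" and an added "• +" empty item around the two real bullets, the same blank `<li>` pattern seen in the other lists in this diff; confirming it once in the rendered HTML is enough to decide whether the generator needs a fix.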

maxRequestBytes uint32 -

Sets the maximum size of a message body that the ext-authz filter will hold in memory. -If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). -Otherwise the request will be sent to the provider with a partial message. -Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the +

Sets the maximum size of a message body that the ext-authz filter will hold in memory.
+If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
+Otherwise the request will be sent to the provider with a partial message.
+Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the
fail_open is set to true.

allowPartialMessage bool -

When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. -The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. -A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message +

When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
+The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
+A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
indicating if the body data is partial.

packAsBytes bool -

If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes -in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). -Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). +

If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
+in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
+Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.

service string -

REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

+

Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

@@ -1352,8 +1332,8 @@

Mes

timeout Duration -

The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +

The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
+When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
In this situation, the response sent back to the client will depend on the configured fail_open field.

pathPrefix string -

Sets a prefix to the value of authorization request header Path. -For example, setting this to “/check” for an original user request at path “/admin” will cause the -authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

+

Sets a prefix to the value of authorization request header Path.
+For example, setting this to "/check" for an original user request at path "/admin" will cause the
+authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".

@@ -1378,9 +1358,9 @@

Mes

failOpen bool -

If true, the user request will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. -Default is false and the request will be rejected with “Forbidden” response.

+

If true, the user request will be allowed even if the communication with the authorization service has failed,
+or if the authorization service has returned a HTTP 5xx error.
+Default is false and the request will be rejected with "Forbidden" response.
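Review bot: The failOpen text says a failed or 5xx authorization call allows the request through, but does not mention the exception documented on the maxRequestBytes lines earlier in this diff (a 413 is returned when max_request_bytes is exceeded with allow_partial_message false, even with fail_open true); a one-line cross-reference in the upstream comment would stop readers assuming fail_open is unconditional. Also "a HTTP 5xx" should be "an HTTP 5xx".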

@@ -1391,8 +1371,8 @@

Mes

statusOnError string -

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

+

Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
+The default status is "403" (HTTP Forbidden).

@@ -1414,18 +1394,21 @@

Mes

includeRequestHeadersInCheck string[] -

List of client request headers that should be included in the authorization request sent to the authorization service. -Note that in addition to the headers specified here following headers are included by default: -1. Host, Method, Path and Content-Length are automatically sent. -2. Content-Length will be set to 0 and the request will not have a message body. However, the authorization -request can include the buffered client request body (controlled by include_request_body_in_check setting), -consequently the value of Content-Length of the authorization request reflects the size of its payload size.

- -

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

+

List of client request headers that should be included in the authorization request sent to the authorization service.
+Note that in addition to the headers specified here following headers are included by default:

+
    +
  1. Host, Method, Path and Content-Length are automatically sent.
  2. +
  3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization
    +request can include the buffered client request body (controlled by include_request_body_in_check setting),
    +consequently the value of Content-Length of the authorization request reflects the size of its payload size.
  4. +
+

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
+https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

+
    +
  • Exact match: "abc" will match on value "abc".
  • +
  • Prefix match: "abc*" will match on value "abc" and "abcd".
  • +
  • Suffix match: "*abc" will match on value "abc" and "xabc".
  • +
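Review bot: Two wording problems in the added lines: "in addition to the headers specified here following headers" needs "the following", and "reflects the size of its payload size" is redundant. The ordered list also shows the blank-item symptom (entries "2." and "4." are empty). The Exact/Prefix/Suffix match bullets are the same text repeated under four fields in this file; fine as generated output, but a single upstream definition would keep them in sync.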
@@ -1436,8 +1419,8 @@

Mes

includeAdditionalHeadersInCheck map<string, string> -

Set of additional fixed headers that should be included in the authorization request sent to the authorization service. -Key is the header name and value is the header value. +

Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
+Key is the header name and value is the header value.
Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.
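Review bot: "Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden" is hard to parse; suggest "Note that any client request header with the same name, or any header listed in include_request_headers_in_check, will be overridden." Since these fixed headers replace what the client sent, the sentence matters for anyone expecting the authorization service to see the original header values.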

headersToUpstreamOnAllow string[] -

List of headers from the authorization service that should be added or overridden in the original request and -forwarded to the upstream when the authorization check result is allowed (HTTP code 200). -If not specified, the original request will not be modified and forwarded to backend as-is. +

List of headers from the authorization service that should be added or overridden in the original request and
+forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
+If not specified, the original request will not be modified and forwarded to backend as-is.
Note, any existing headers will be overridden.

- -

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

+

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
+https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

+
    +
  • Exact match: "abc" will match on value "abc".
  • +
  • Prefix match: "abc*" will match on value "abc" and "abcd".
  • +
  • Suffix match: "*abc" will match on value "abc" and "xabc".
  • +
@@ -1480,19 +1464,20 @@

Mes

headersToDownstreamOnDeny string[] -

List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is not allowed (HTTP code other than 200). -If not specified, all the authorization response headers, except Authority (Host) will be in the response to -the downstream. -When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are -automatically added. +

List of headers from the authorization service that should be forwarded to downstream when the authorization
+check result is not allowed (HTTP code other than 200).
+If not specified, all the authorization response headers, except Authority (Host) will be in the response to
+the downstream.
+When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are
+automatically added.
Note, the body from the authorization service is always included in the response to downstream.

- -

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

+

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
+https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

+
    +
  • Exact match: "abc" will match on value "abc".
  • +
  • Prefix match: "abc*" will match on value "abc" and "abcd".
  • +
  • Suffix match: "*abc" will match on value "abc" and "xabc".
  • +
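Review bot: "WWWAuthenticate" in the added lines should be "WWW-Authenticate", the header name as sent on the wire; this is the list of headers automatically forwarded to the client on deny, so the name should be exact. Upstream comment fix in istio/api.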
@@ -1503,16 +1488,17 @@

Mes

headersToDownstreamOnAllow string[] -

List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is allowed (HTTP code 200). -If not specified, the original response will not be modified and forwarded to downstream as-is. +

List of headers from the authorization service that should be forwarded to downstream when the authorization
+check result is allowed (HTTP code 200).
+If not specified, the original response will not be modified and forwarded to downstream as-is.
Note, any existing headers will be overridden.

- -

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

+

Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
+https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

+
    +
  • Exact match: "abc" will match on value "abc".
  • +
  • Prefix match: "abc*" will match on value "abc" and "abcd".
  • +
  • Suffix match: "*abc" will match on value "abc" and "xabc".
  • +
@@ -1538,12 +1524,11 @@

Mes

service string -

REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

+

Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

@@ -1565,8 +1550,8 @@

Mes

timeout Duration -

The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +

The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
+When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
In this situation, the response sent back to the client will depend on the configured fail_open field.

failOpen bool -

If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. +

If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
+or if the authorization service has returned a HTTP 5xx error.
Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

statusOnError string -

Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

+

Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
+The default status is "403" (HTTP Forbidden).
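Review bot: For the gRPC provider, failOpen now distinguishes HTTP (rejected with 403) from TCP (connection closed), but statusOnError still speaks only of an HTTP status; stating that statusOnError has no effect on TCP connections would close that gap. Also "a HTTP 5xx" in the failOpen lines should be "an HTTP 5xx".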

@@ -1631,12 +1616,11 @@

MeshConfig.Extension

service string -

REQUIRED. Specifies the service that the Zipkin API. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service that the Zipkin API.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

+

Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
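Review bot: "Specifies the service that the Zipkin API." is missing its verb; the sibling Lightstep, Datadog and SkyWalking entries use "Specifies the service for the ...", so "Specifies the service for the Zipkin API" (or "that implements the Zipkin API") would match them. Upstream comment fix.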

@@ -1658,7 +1642,7 @@

MeshConfig.Extension

maxTagLength uint32 -

Optional. Controls the overall path length allowed in a reported span. +

Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.

@@ -1689,12 +1673,11 @@

MeshConfig.Extens

@@ -1756,12 +1739,11 @@

MeshConfig.Extensio

@@ -1812,12 +1794,11 @@

MeshConfig.Exten

service string -

REQUIRED. Specifies the service for the Lightstep collector. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service for the Lightstep collector.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

+

Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

@@ -1727,7 +1710,7 @@

MeshConfig.Extens

maxTagLength uint32 -

Optional. Controls the overall path length allowed in a reported span. +

Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.

service string -

REQUIRED. Specifies the service for the Datadog agent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service for the Datadog agent.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

+

Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

@@ -1783,7 +1765,7 @@

MeshConfig.Extensio

maxTagLength uint32 -

Optional. Controls the overall path length allowed in a reported span. +

Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.

service string -

REQUIRED. Specifies the service for the SkyWalking receiver. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service for the SkyWalking receiver.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

+

Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

@@ -1852,9 +1833,8 @@

MeshConfig.Exten

MeshConfig.ExtensionProvider.StackdriverProvider

Defines configuration for Stackdriver.

- -

WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used -alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus +

WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
+alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
driver in Envoy.

@@ -1871,7 +1851,7 @@

MeshConfig.ExtensionPr

@@ -1896,14 +1876,12 @@

MeshConfig.ExtensionPr

MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider

Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

- -

WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of -OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation -in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration -may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider +

WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
+OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation
+in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
+may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
configuration MUST be accompanied by a restart of all proxies that will use that configuration.

- -

NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used +

NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used
alongside OpenCensus provider configuration.

maxTagLength uint32 -

Optional. Controls the overall path length allowed in a reported span. +

Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.
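Review bot: the typo "configuraiton" in "NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood" survives the reflow on both the `-` and `+` side. Since these pages are generated, the fix belongs in the proto comment in istio/api rather than in the HTML; the StackdriverProvider WARNING a few hunks above already spells it "configuration", so the two notes should be made consistent at the source.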

@@ -1920,12 +1898,11 @@

MeshConfig.

@@ -1961,7 +1938,7 @@

MeshConfig.

@@ -1977,7 +1954,7 @@

MeshConfig.Exten

MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider

-

Defines configuration for Envoy-based access logging that writes to +

Defines configuration for Envoy-based access logging that writes to
local files (and/or standard streams).

service string -

REQUIRED. Specifies the service for the OpenCensusAgent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service for the OpenCensusAgent.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

+

Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

@@ -1947,9 +1924,9 @@

MeshConfig.

context TraceContext[] -

Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will +

Specifies the set of context propagation headers used for distributed
+tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
+the proxy will attempt to read each header for each request and will
write all headers.

maxTagLength uint32 -

Optional. Controls the overall path length allowed in a reported span. +

Optional. Controls the overall path length allowed in a reported span.
NOTE: currently only controls max length of the path tag.

@@ -1994,8 +1971,8 @@

MeshConfig.Exte

@@ -2019,7 +1996,7 @@

MeshConfig.Exte

MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider

-

Defines configuration for an Envoy Access Logging Service +

Defines configuration for an Envoy Access Logging Service
integration for HTTP traffic.

path string -

Path to a local file to write the access log entries. -This may be used to write to streams, via /dev/stderr and /dev/stdout +

Path to a local file to write the access log entries.
+This may be used to write to streams, via /dev/stderr and /dev/stdout
If unspecified, defaults to /dev/stdout.

@@ -2036,12 +2013,11 @@

MeshConfig.Exte

service string -

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

+

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

@@ -2063,10 +2039,12 @@

MeshConfig.Exte

logName string -

Optional. The friendly name of the access log. -Defaults: -- “http_envoy_accesslog” -- “listener_envoy_accesslog”

+

Optional. The friendly name of the access log.
+Defaults:

+
    +
  • "http_envoy_accesslog"
  • +
  • "listener_envoy_accesslog"
  • +
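Review bot: the new rendering of the logName "Defaults:" list shows bullet entries whose only content is "+" interleaved with the real entries "http_envoy_accesslog" and "listener_envoy_accesslog". Verify that Goldmark is not emitting empty `<li>` elements (or a stray `<li>` around the closing of the list) here; the same pattern recurs for the TCP provider defaults ("tcp_envoy_accesslog") and the OTel provider default ("otel_envoy_accesslog") below, so a single fix in the list handling should cover all three.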
@@ -2122,7 +2100,7 @@

MeshConfig.Exte

MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider

-

Defines configuration for an Envoy Access Logging Service +

Defines configuration for an Envoy Access Logging Service
integration for TCP traffic.

@@ -2139,12 +2117,11 @@

MeshConfig.Exten

@@ -2325,15 +2302,13 @@

MeshC

@@ -2378,16 +2353,14 @@

Me

service string -

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

+

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

@@ -2166,10 +2143,12 @@

MeshConfig.Exten

logName string -

Optional. The friendly name of the access log. -Defaults: -- “tcp_envoy_accesslog” -- “listener_envoy_accesslog”

+

Optional. The friendly name of the access log.
+Defaults:

+
    +
  • "tcp_envoy_accesslog"
  • +
  • "listener_envoy_accesslog"
  • +
@@ -2208,12 +2187,11 @@

MeshConfig.E

service string -

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
+The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
+to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.

- -

Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

+

Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

@@ -2235,9 +2213,11 @@

MeshConfig.E

logName string -

Optional. The friendly name of the access log. -Defaults: -- “otel_envoy_accesslog”

+

Optional. The friendly name of the access log.
+Defaults:

+
    +
  • "otel_envoy_accesslog"
  • +
@@ -2248,8 +2228,8 @@

MeshConfig.E

logFormat LogFormat -

Optional. Format for the proxy access log -Empty value results in proxy’s default access log format, following Envoy access logging formatting.

+

Optional. Format for the proxy access log
+Empty value results in proxy's default access log format, following Envoy access logging formatting.

@@ -2275,14 +2255,13 @@

MeshConfig.Ext

labels map<string, string> -

Collection of tag names and tag expressions to include in the log -entry. Conflicts are resolved by the tag name by overriding previously +

Collection of tag names and tag expressions to include in the log
+entry. Conflicts are resolved by the tag name by overriding previously
supplied values.

- -

Example: - labels: - path: request.url_path - foo: request.headers[‘x-foo’]

+

Example:
+labels:
+path: request.url_path
+foo: request.headers['x-foo']
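Review bot: the labels example loses its YAML structure in the new rendering. The old output was one run-together line (`- labels: - path: request.url_path - foo: request.headers['x-foo']`); the new output puts `labels:`, `path: request.url_path` and `foo: request.headers['x-foo']` on three flush-left lines, so the reader can no longer see that `path` and `foo` are nested under `labels`. The example should be a fenced `yaml` block in the proto comment so it renders as `<pre>` with indentation preserved, as the ProxyConfig examples (`meshConfig: / defaultConfig:`) already do.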

@@ -2308,12 +2287,10 @@

MeshC

text string (oneof) -

Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation +

Textual format for the envoy access logs. Envoy command operators may be
+used in the format. The format string documentation
provides more information.

- -

NOTE: Istio will insert a newline (‘\n’) on all formats (if missing).

- +

NOTE: Istio will insert a newline ('\n') on all formats (if missing).

Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

labels Struct (oneof) -

JSON structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +

JSON structured format for the envoy access logs. Envoy command operators
+can be used as values for fields within the Struct. Values are rendered
+as strings, numbers, or boolean values, as appropriate
+(see: format dictionaries). Nested JSON is
+supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
Use labels: {} for default envoy JSON log format.

-

Example:

-
labels:
   status: "%RESPONSE_CODE%"
   message: "%LOCAL_REPLY_BODY%"
@@ -2363,10 +2338,10 @@ 

Me

text string -

Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation -provides more information. -Alias to body filed in Open Telemetry +

Textual format for the envoy access logs. Envoy command operators may be
+used in the format. The format string documentation
+provides more information.
+Alias to body filed in Open Telemetry
Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

labels Struct -

Optional. Additional attributes that describe the specific event occurrence. -Structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +

Optional. Additional attributes that describe the specific event occurrence.
+Structured format for the envoy access logs. Envoy command operators
+can be used as values for fields within the Struct. Values are rendered
+as strings, numbers, or boolean values, as appropriate
+(see: format dictionaries). Nested JSON is
+supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
Alias to attributes filed in Open Telemetry

-

Example:

-
labels:
   status: "%RESPONSE_CODE%"
   message: "%LOCAL_REPLY_BODY%"
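Review bot: "Alias to body filed in Open Telemetry" and "Alias to attributes filed in Open Telemetry" both carry the typo "filed" for "field", and the reflow keeps it on the `+` side. Fix at the source comment in istio/api. In the `text` description the "Example: text: ..." line now follows "Alias to body filed in Open Telemetry" with no paragraph break, so confirm the rendered output separates the alias note from the example.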
@@ -2403,9 +2376,9 @@ 

Me

k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

-

A label selector is a label query over a set of resources. The result of matchLabels and -matchExpressions are ANDed. An empty label selector matches all objects. A null -label selector matches no objects. +

A label selector is a label query over a set of resources. The result of matchLabels and
+matchExpressions are ANDed. An empty label selector matches all objects. A null
+label selector matches no objects.
+structType=atomic
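Review bot: the LabelSelector description now ends with the line `+structType=atomic`, which is a Kubernetes API marker comment from k8s.io/apimachinery, not documentation. The generator should strip marker lines (leading `+` followed by an identifier) from the comments of imported k8s.io types before rendering; otherwise every vendored k8s type will leak its markers into the reference page.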

@@ -2422,9 +2395,9 @@

k8s.io.apimachinery.

@@ -2436,7 +2409,7 @@

k8s.io.apimachinery.

@@ -2476,8 +2449,8 @@

Tracing

@@ -2522,7 +2495,7 @@

Tracing

@@ -2534,8 +2507,8 @@

Tracing

@@ -2548,7 +2521,7 @@

Tracing

PrivateKeyProvider

-

PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured +

PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
mesh wide or individual per-workload basis.

matchLabels map<string, string> -

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is “key”, the -operator is “In”, and the values array contains only “value”. The requirements are ANDed. +

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+optional

matchExpressions LabelSelectorRequirement[] -

matchExpressions is a list of label selector requirements. The requirements are ANDed. +

matchExpressions is a list of label selector requirements. The requirements are ANDed.
+optional
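Review bot: both `matchLabels` and `matchExpressions` now render a trailing `+optional` line. This is the same k8s marker-comment leak as `+structType=atomic` on the LabelSelector type itself; the field table already has a separate column for required/optional, so these lines should be filtered out by the generator rather than shown to the reader.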

lightstep Lightstep (oneof) -

Use a Lightstep tracer. -NOTE: For Istio 1.15+, this configuration option will result +

Use a Lightstep tracer.
+NOTE: For Istio 1.15+, this configuration option will result
in using OpenTelemetry-based Lightstep integration.

sampling double -

The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, +

The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
if not requested by the client or not forced. Default is 1.0.

tlsSettings ClientTLSSettings -

Use the tls_settings to specify the tls mode to use. If the remote tracing service -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +

Use the tls_settings to specify the tls mode to use. If the remote tracing service
+uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as ISTIO_MUTUAL.

@@ -2575,27 +2548,22 @@

PrivateKeyProvider

ProxyConfig

-

ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis -as well as by the mesh-wide defaults. +

ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
+as well as by the mesh-wide defaults.
To set the mesh wide defaults, configure the defaultConfig section of meshConfig. For example:

-
meshConfig:
   defaultConfig:
     discoveryAddress: istiod:15012
 
-

This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod. For example:

-
annotations:
   proxy.istio.io/config: |
     discoveryAddress: istiod:15012
 
- -

If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. -This is different than a deep merge provided by protobuf. -For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider +

If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
+This is different than a deep merge provided by protobuf.
+For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider
such as "tracing": { "zipkin": { "address": "..." } }.

-

Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.

@@ -2612,7 +2580,7 @@

ProxyConfig

@@ -2635,18 +2603,17 @@

ProxyConfig

@@ -2658,7 +2625,7 @@

ProxyConfig

@@ -2670,8 +2637,8 @@

ProxyConfig

@@ -2683,9 +2650,9 @@

ProxyConfig

@@ -2697,7 +2664,7 @@

ProxyConfig

@@ -2720,7 +2687,7 @@

ProxyConfig

@@ -2732,7 +2699,7 @@

ProxyConfig

@@ -2744,7 +2711,7 @@

ProxyConfig

@@ -2756,10 +2723,10 @@

ProxyConfig

@@ -2771,9 +2738,9 @@

ProxyConfig

@@ -2818,10 +2785,10 @@

ProxyConfig

@@ -2857,7 +2824,7 @@

ProxyConfig

@@ -2869,7 +2836,7 @@

ProxyConfig

@@ -2881,9 +2848,9 @@

ProxyConfig

@@ -2895,10 +2862,10 @@

ProxyConfig

@@ -2910,8 +2877,8 @@

ProxyConfig

@@ -2923,8 +2890,8 @@

ProxyConfig

@@ -2936,18 +2903,17 @@

ProxyConfig

@@ -2969,10 +2934,10 @@

ProxyConfig

@@ -3019,8 +2984,8 @@

ProxyConfig

@@ -3059,8 +3024,8 @@

RemoteService

@@ -3140,9 +3105,9 @@

Tracing.Datadog

Tracing.Stackdriver

-

Stackdriver defines configuration for a Stackdriver tracer. -See Envoy’s OpenCensus trace configuration -and +

Stackdriver defines configuration for a Stackdriver tracer.
+See Envoy's OpenCensus trace configuration
+and
OpenCensus trace config for details.

configPath string -

Path to the generated configuration file directory. +

Path to the generated configuration file directory.
Proxy agent generates the actual configuration and stores it in this directory.

serviceCluster string (oneof) -

Service cluster defines the name for the service_cluster that is -shared by all Envoy instances. This setting corresponds to ---service-cluster flag in Envoy. In a typical Envoy deployment, the -service-cluster flag is used to identify the caller, for +

Service cluster defines the name for the service_cluster that is
+shared by all Envoy instances. This setting corresponds to
+--service-cluster flag in Envoy. In a typical Envoy deployment, the
+service-cluster flag is used to identify the caller, for
source-based routing scenarios.

- -

Since Istio does not assign a local service/service version to each -Envoy instance, the name is same for all of them. However, the -source/caller’s identity (e.g., IP address) is encoded in the ---service-node flag when launching Envoy. When the RDS service -receives API calls from Envoy, it uses the value of the service-node -flag to compute routes that are relative to the service instances +

Since Istio does not assign a local service/service version to each
+Envoy instance, the name is same for all of them. However, the
+source/caller's identity (e.g., IP address) is encoded in the
+--service-node flag when launching Envoy. When the RDS service
+receives API calls from Envoy, it uses the value of the service-node
+flag to compute routes that are relative to the service instances
located at that IP address.

tracingServiceName TracingServiceName (oneof) -

Used by Envoy proxies to assign the values for the service names in trace +

Used by Envoy proxies to assign the values for the service names in trace
spans.

drainDuration Duration -

The time in seconds that Envoy will drain connections during a hot -restart. MUST be >=1s (e.g., 1s/1m/1h) +

The time in seconds that Envoy will drain connections during a hot
+restart. MUST be >=1s (e.g., 1s/1m/1h)
Default drain duration is 45s.

parentShutdownDuration Duration -

The time in seconds that Envoy will wait before shutting down the -parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). -MUST BE greater than drain_duration parameter. +

The time in seconds that Envoy will wait before shutting down the
+parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h).
+MUST BE greater than drain_duration parameter.
Default shutdown duration is 60s.

discoveryAddress string -

Address of the discovery service exposing xDS with mTLS connection. +

Address of the discovery service exposing xDS with mTLS connection.
The inject configuration may override this value.

proxyAdminPort int32 -

Port on which Envoy should listen for administrative commands. +

Port on which Envoy should listen for administrative commands.
Default port is 15000.

controlPlaneAuthPolicy AuthenticationPolicy -

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
Default is set to MUTUAL_TLS.

customConfigFile string -

File path of custom proxy configuration, currently used by proxies +

File path of custom proxy configuration, currently used by proxies
in front of Mixer and Pilot.

statNameLength int32 -

Maximum length of name field in Envoy’s metrics. The length of the name field -is determined by the length of a name field in a service and the set of labels that -comprise a particular version of the service. The default value is set to 189 characters. -Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. +

Maximum length of name field in Envoy's metrics. The length of the name field
+is determined by the length of a name field in a service and the set of labels that
+comprise a particular version of the service. The default value is set to 189 characters.
+Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
Increase the value of this field if you find that the metrics from Envoys are truncated.

concurrency Int32Value -

The number of worker threads to run. -If unset, this will be automatically determined based on CPU requests/limits. -If set to 0, all cores on the machine will be used. +

The number of worker threads to run.
+If unset, this will be automatically determined based on CPU requests/limits.
+If set to 0, all cores on the machine will be used.
Default is 2 worker threads.

envoyAccessLogService RemoteService -

Address of the service to which access logs from Envoys should be -sent. (e.g. accesslog-service:15000). See Access Log -Service -for details about Envoy’s gRPC Access Log Service API.

+

Address of the service to which access logs from Envoys should be
+sent. (e.g. accesslog-service:15000). See Access Log
+Service

+for details about Envoy's gRPC Access Log Service API.
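Review bot: the envoyAccessLogService description is split mid-sentence in the new rendering: "See Access Log Service" and "for details about Envoy's gRPC Access Log Service API." come out with a blank line between "Service" and "for details", i.e. a paragraph break inside the link sentence. The source comment wraps the link text across two lines; check that the Goldmark conversion treats the single newline inside the link as a soft break and keeps the sentence in one `<p>`. The envoyMetricsService field just below uses the same link-wrapping pattern and renders correctly, so the difference is worth a look.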

@@ -2832,9 +2799,9 @@

ProxyConfig

envoyMetricsService RemoteService -

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). -See Metric Service -for details about Envoy’s Metrics Service API.

+

Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
+See Metric Service
+for details about Envoy's Metrics Service API.

@@ -2845,7 +2812,7 @@

ProxyConfig

proxyMetadata map<string, string> -

Additional environment variables for the proxy. +

Additional environment variables for the proxy.
Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

runtimeValues map<string, string> -

Envoy runtime configuration to set during bootstrapping. +

Envoy runtime configuration to set during bootstrapping.
This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

statusPort int32 -

Port on which the agent should listen for administrative commands such as readiness probe. +

Port on which the agent should listen for administrative commands such as readiness probe.
Default is set to port 15020.

extraStatTags string[] -

An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be -added by configuring the telemetry extension. Each additional tag needs to be present in this list. -Extra tags emitted by the telemetry extensions must be listed here so that they can be processed +

An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
+added by configuring the telemetry extension. Each additional tag needs to be present in this list.
+Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
and exposed as Prometheus metrics.

terminationDrainDuration Duration -

The amount of time allowed for connections to complete on proxy shutdown. -On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining, -preventing any new connections and allowing existing connections to complete. It then -sleeps for the termination_drain_duration and then kills any remaining active Envoy processes. +

The amount of time allowed for connections to complete on proxy shutdown.
+On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining,
+preventing any new connections and allowing existing connections to complete. It then
+sleeps for the termination_drain_duration and then kills any remaining active Envoy processes.
If not set, a default of 5s will be applied.

meshId string -

The unique identifier for the service mesh -All control planes running in the same service mesh should specify the same mesh ID. +

The unique identifier for the service mesh
+All control planes running in the same service mesh should specify the same mesh ID.
Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

readinessProbe ReadinessProbe -

VM Health Checking readiness probe. This health check config exactly mirrors the -kubernetes readiness probe configuration both in schema and logic. +

VM Health Checking readiness probe. This health check config exactly mirrors the
+kubernetes readiness probe configuration both in schema and logic.
Only one health check method of 3 can be set at a time.

proxyStatsMatcher ProxyStatsMatcher -

Proxy stats matcher defines configuration for reporting custom Envoy stats. -To reduce memory and CPU overhead from Envoy stats system, Istio proxies by -default create and expose only a subset of Envoy stats. This option is to -control creation of additional Envoy stats with prefix, suffix, and regex -expressions match on the name of the stats. This replaces the stats -inclusion annotations -(sidecar.istio.io/statsInclusionPrefixes, -sidecar.istio.io/statsInclusionRegexps, and -sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats -for circuit breaker, retry, and upstream connections, you can specify stats +

Proxy stats matcher defines configuration for reporting custom Envoy stats.
+To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
+default create and expose only a subset of Envoy stats. This option is to
+control creation of additional Envoy stats with prefix, suffix, and regex
+expressions match on the name of the stats. This replaces the stats
+inclusion annotations
+(sidecar.istio.io/statsInclusionPrefixes,
+sidecar.istio.io/statsInclusionRegexps, and
+sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats
+for circuit breaker, retry, and upstream connections, you can specify stats
matcher as follow:

-
proxyStatsMatcher:
   inclusionRegexps:
     - .*circuit_breakers.*
@@ -2955,9 +2921,8 @@ 

ProxyConfig

- upstream_rq_retry - upstream_cx
- -

Note including more Envoy stats might increase number of time series -collected by prometheus significantly. Care needs to be taken on Prometheus +

Note including more Envoy stats might increase number of time series
+collected by prometheus significantly. Care needs to be taken on Prometheus
resource provision and configuration to reduce cardinality.
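Review bot: the proxyStatsMatcher example is cut in two. The first part renders as a code block (`proxyStatsMatcher: / inclusionRegexps: / - .*circuit_breakers.*`) but the remaining regexes appear as prose, `- upstream_rq_retry - upstream_cx`, on one line outside the block. Confirm the fenced block in the proto comment includes all three patterns, one per line, so the rendered example is a valid, copyable YAML fragment; as shown, a reader pasting it would get only the circuit breaker stats.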

holdApplicationUntilProxyStarts BoolValue -

Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. -This feature adds hooks to delay application startup until the pod proxy -is ready to accept traffic, mitigating some startup race conditions. -Default value is ‘false’.

+

Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
+This feature adds hooks to delay application startup until the pod proxy
+is ready to accept traffic, mitigating some startup race conditions.
+Default value is 'false'.

@@ -2983,9 +2948,9 @@

ProxyConfig

caCertificatesPem string[] -

The PEM data of the extra root certificates for workload-to-workload communication. -This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. -The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) +

The PEM data of the extra root certificates for workload-to-workload communication.
+This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
+The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
are added automatically by Istiod.

zipkinAddress string -

Address of the Zipkin service (e.g. zipkin:9411). -DEPRECATED: Use tracing instead.

+

Address of the Zipkin service (e.g. zipkin:9411).
+DEPRECATED: Use tracing instead.

@@ -3046,8 +3011,8 @@

RemoteService

address string -

Address of a remove service used for various purposes (access log -receiver, metrics receiver, etc.). Can be IP address or a fully +

Address of a remove service used for various purposes (access log
+receiver, metrics receiver, etc.). Can be IP address or a fully
qualified DNS name.
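Review bot: "Address of a remove service used for various purposes" should read "remote service"; the typo is retained on the `+` side of the reflow and needs fixing in the RemoteService proto comment in istio/api.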

tlsSettings ClientTLSSettings -

Use the tls_settings to specify the tls mode to use. If the remote service -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +

Use the tls_settings to specify the tls mode to use. If the remote service
+uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
mode as ISTIO_MUTUAL.

@@ -3160,11 +3125,11 @@

Tracing.Stackdriver

Tracing.OpenCensusAgent

-

OpenCensusAgent defines configuration for an OpenCensus tracer writing to -an OpenCensus agent backend. See -Envoy’s OpenCensus trace configuration -and -OpenCensus trace config +

OpenCensusAgent defines configuration for an OpenCensus tracer writing to
+an OpenCensus agent backend. See
+Envoy's OpenCensus trace configuration
+and
+OpenCensus trace config
for details.

@@ -3181,9 +3146,9 @@

Tracing.OpenCensusAgent

@@ -3195,9 +3160,9 @@

Tracing.OpenCensusAgent

@@ -3226,11 +3191,11 @@

PrivateKeyProvider.CryptoMb

@@ -3243,7 +3208,7 @@

PrivateKeyProvider.CryptoMb

ProxyConfig.ProxyStatsMatcher

-

Proxy stats name matchers for stats creation. Note this is in addition to +

Proxy stats name matchers for stats creation. Note this is in addition to
the minimum Envoy stats that Istio generates by default.

address string -

gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or -unix:path). See gRPC naming -docs for +

gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
+unix:path). See gRPC naming
+docs
for
details.

context TraceContext[] -

Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will +

Specifies the set of context propagation headers used for distributed
+tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
+the proxy will attempt to read each header for each request and will
write all headers.

pollDelay Duration -

How long to wait until the per-thread processing queue should be processed. If the processing queue -gets full (eight sign or decrypt requests are received) it is processed immediately. -However, if the queue is not filled before the delay has expired, the requests already in the queue -are processed, even if the queue is not full. -In effect, this value controls the balance between latency and throughput. +

How long to wait until the per-thread processing queue should be processed. If the processing queue
+gets full (eight sign or decrypt requests are received) it is processed immediately.
+However, if the queue is not filled before the delay has expired, the requests already in the queue
+are processed, even if the queue is not full.
+In effect, this value controls the balance between latency and throughput.
The duration needs to be set to a non-zero value.

@@ -3294,10 +3259,10 @@

ProxyConfig.ProxyStatsMatcher

Network

-

Network provides information about the endpoints in a routable L3 -network. A single routable L3 network can have one or more service -registries. Note that the network has no relation to the locality of the -endpoint. The endpoint locality will be obtained from the service +

Network provides information about the endpoints in a routable L3
+network. A single routable L3 network can have one or more service
+registries. Note that the network has no relation to the locality of the
+endpoint. The endpoint locality will be obtained from the service
registry.

@@ -3314,8 +3279,8 @@

Network

@@ -3339,11 +3304,9 @@

Network

MeshNetworks

-

MeshNetworks (config map) provides information about the set of networks +

MeshNetworks (config map) provides information about the set of networks
inside a mesh and how to route to endpoints in each network. For example

-

MeshNetworks(file/config map):

-
networks:
   network1:
     endpoints:
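Review bot: two lines are deleted with nothing added in their place around the embedded YAML example (the `-` immediately before `MeshNetworks(file/config map):` and the `-` before `networks:`), so whatever separated the example from the paragraph in the old output is gone. Please confirm in the rendered page that the `networks:` / `network1:` / `endpoints:` block is still a code block under Goldmark and has not been folded into the preceding paragraph; indented-code and blank-line handling is one of the places where Goldmark and Blackfriday differ.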
@@ -3372,8 +3335,8 @@ 

MeshNetworks

@@ -3386,27 +3349,26 @@

MeshNetworks

Network.NetworkEndpoints

-

NetworkEndpoints describes how the network associated with an endpoint -should be inferred. An endpoint will be assigned to a network based on +

NetworkEndpoints describes how the network associated with an endpoint
+should be inferred. An endpoint will be assigned to a network based on
the following rules:

-
    -
  1. Implicitly: If the registry explicitly provides information about -the network to which the endpoint belongs to. In some cases, its -possible to indicate the network associated with the endpoint by -adding the ISTIO_META_NETWORK environment variable to the sidecar.

  2. - -
  3. Explicitly:

  4. +
  5. +

    Implicitly: If the registry explicitly provides information about
    +the network to which the endpoint belongs to. In some cases, its
    +possible to indicate the network associated with the endpoint by
    +adding the ISTIO_META_NETWORK environment variable to the sidecar.

    +
  6. +
  7. +

    Explicitly:

    +

    a. By matching the registry name with one of the "fromRegistry"
    +in the mesh config. A "from_registry" can only be assigned to a
    +single network.

    +

    b. By matching the IP against one of the CIDR ranges in a mesh
    +config network. The CIDR ranges must not overlap and be assigned to
    +a single network.

    +
- -

a. By matching the registry name with one of the “fromRegistry” - in the mesh config. A “from_registry” can only be assigned to a - single network.

- -

b. By matching the IP against one of the CIDR ranges in a mesh - config network. The CIDR ranges must not overlap and be assigned to - a single network.

-

(2) will override (1) if both are present.

endpoints NetworkEndpoints[] -

The list of endpoints in the network (obtained through the -constituent service registries or from CIDR ranges). All endpoints in +

The list of endpoints in the network (obtained through the
+constituent service registries or from CIDR ranges). All endpoints in
the network are directly accessible to one another.

networks map<string, Network> -

The set of networks inside this mesh. Each network should -have a unique name and information about how to infer the endpoints in +

The set of networks inside this mesh. Each network should
+have a unique name and information about how to infer the endpoints in
the network as well as the gateways associated with the network.
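Review bot: the numbered rules under `NetworkEndpoints` do not survive the re-render intact as shown in this hunk: the source has two rules, `Implicitly` and `Explicitly` (the latter with sub-items a and b), and the closing sentence still says `(2) will override (1) if both are present`, yet the new output shows an ordered list running from 1 to 7 with several empty items. Goldmark is stricter than Blackfriday about list-item indentation and blank lines between items, so the proto comment probably needs its sub-items re-indented (or the list made consistently loose) before this rendering can land. While there, `its possible` in the same comment should be `it's possible`, and `Implicitly: If the registry explicitly provides` is contradictory wording worth a second look.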

@@ -3423,7 +3385,7 @@

Network.NetworkEndpoints

@@ -3435,9 +3397,9 @@

Network.NetworkEndpoints

@@ -3450,8 +3412,8 @@

Network.NetworkEndpoints

Network.IstioNetworkGateway

-

The gateway associated with this network. Traffic from remote networks -will arrive at the specified gateway:port. All incoming traffic must +

The gateway associated with this network. Traffic from remote networks
+will arrive at the specified gateway:port. All incoming traffic must
use mTLS.

fromCidr string (oneof) -

A CIDR range for the set of endpoints in this network. The CIDR +

A CIDR range for the set of endpoints in this network. The CIDR
ranges for endpoints from different networks must not overlap.

fromRegistry string (oneof) -

Add all endpoints from the specified registry into this network. -The names of the registries should correspond to the kubeconfig file name -inside the secret that was used to configure the registry (Kubernetes +

Add all endpoints from the specified registry into this network.
+The names of the registries should correspond to the kubeconfig file name
+inside the secret that was used to configure the registry (Kubernetes
multicluster) or supplied by MCP server.

@@ -3468,12 +3430,12 @@

Network.IstioNetworkGateway

@@ -3530,7 +3492,7 @@

MeshConfig.OutboundTrafficPolicy.

@@ -3538,7 +3500,7 @@

MeshConfig.OutboundTrafficPolicy.

@@ -3548,7 +3510,7 @@

MeshConfig.OutboundTrafficPolicy.

MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext

-

TraceContext selects the context propagation headers used for +

TraceContext selects the context propagation headers used for
distributed tracing.

registryServiceName string (oneof) -

A fully qualified domain name of the gateway service. Pilot will -lookup the service from the service registries in the network and -obtain the endpoint IPs of the gateway from the service -registry. Note that while the service name is a fully qualified -domain name, it need not be resolvable outside the orchestration -platform for the registry. e.g., this could be +

A fully qualified domain name of the gateway service. Pilot will
+lookup the service from the service registries in the network and
+obtain the endpoint IPs of the gateway from the service
+registry. Note that while the service name is a fully qualified
+domain name, it need not be resolvable outside the orchestration
+platform for the registry. e.g., this could be
istio-ingressgateway.istio-system.svc.cluster.local.

REGISTRY_ONLY -

outbound traffic will be restricted to services defined in the +

outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntries

ALLOW_ANY -

outbound traffic to unknown destinations will be allowed, in case +

outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntries for the destination port

@@ -3562,8 +3524,8 @@

@@ -3578,7 +3540,7 @@

@@ -3586,9 +3548,9 @@

@@ -3623,8 +3585,8 @@

MeshConfig.ProxyPat

@@ -3632,7 +3594,7 @@

MeshConfig.ProxyPat

@@ -3640,8 +3602,8 @@

MeshConfig.ProxyPat

@@ -3712,10 +3674,10 @@

MeshConfig.IngressControllerMode

@@ -3723,10 +3685,10 @@

MeshConfig.IngressControllerMode

@@ -3805,8 +3767,8 @@

Resource

@@ -3816,7 +3778,7 @@

Resource

Tracing.OpenCensusAgent.TraceContext

-

TraceContext selects the context propagation headers used for +

TraceContext selects the context propagation headers used for
distributed tracing.

W3C_TRACE_CONTEXT -

Use W3C Trace Context propagation using the traceparent HTTP header. -See the +

Use W3C Trace Context propagation using the traceparent HTTP header.
+See the
Trace Context documentation for details.

CLOUD_TRACE_CONTEXT -

Use Cloud Trace context propagation using the +

Use Cloud Trace context propagation using the
X-Cloud-Trace-Context http header.

B3 -

Use multi-header B3 context propagation using the X-B3-TraceId, -X-B3-SpanId, and X-B3-Sampled HTTP headers. See -B3 header propagation README +

Use multi-header B3 context propagation using the X-B3-TraceId,
+X-B3-SpanId, and X-B3-Sampled HTTP headers. See
+B3 header propagation README
for details.

BASE -

Normalize according to RFC 3986. -For Envoy proxies, this is the normalize_path option. +

Normalize according to RFC 3986.
+For Envoy proxies, this is the normalize_path option.
For example, /a/../b normalizes to /b.

MERGE_SLASHES -

In addition to the BASE normalization, consecutive slashes are also merged. +

In addition to the BASE normalization, consecutive slashes are also merged.
For example, /a//b normalizes to a/b.

DECODE_AND_MERGE_SLASHES -

In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging. -This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \. +

In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging.
+This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \.
For example, /a%2f/b normalizes to a/b.

DEFAULT -

Istio ingress controller will act on ingress resources that do not -contain any annotation or whose annotations match the value -specified in the ingress_class parameter described earlier. Use this -mode if Istio ingress controller will be the default ingress +

Istio ingress controller will act on ingress resources that do not
+contain any annotation or whose annotations match the value
+specified in the ingress_class parameter described earlier. Use this
+mode if Istio ingress controller will be the default ingress
controller for the entire Kubernetes cluster.

STRICT -

Istio ingress controller will only act on ingress resources whose -annotations match the value specified in the ingress_class parameter -described earlier. Use this mode if Istio ingress controller will be -a secondary ingress controller (e.g., in addition to a +

Istio ingress controller will only act on ingress resources whose
+annotations match the value specified in the ingress_class parameter
+described earlier. Use this mode if Istio ingress controller will be
+a secondary ingress controller (e.g., in addition to a
cloud-provided ingress controller).

SERVICE_REGISTRY -

Set to only receive service entries that are generated by the platform. -These auto generated service entries are combination of services and endpoints +

Set to only receive service entries that are generated by the platform.
+These auto generated service entries are combination of services and endpoints
that are generated by a specific platform e.g. k8
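Review bot: the examples in the path-normalization enum are inconsistent with each other: `BASE` says `/a/../b normalizes to /b` (leading slash kept), while `MERGE_SLASHES` says `/a//b normalizes to a/b` and `DECODE_AND_MERGE_SLASHES` says `/a%2f/b normalizes to a/b` (leading slash dropped). Merging slashes does not remove the leading slash, so the latter two should read `/a/b`. `DECODE_AND_MERGE_SLASHES` also says slash characters are `UTF-8 decoded`; what happens to `%2F` and `%5C` is percent-decoding. These are proto-comment issues in the source repo rather than rendering issues, but they matter because people copy these examples when reasoning about what a path-based policy will see after normalization. Also `e.g. k8` under `SERVICE_REGISTRY` should be `k8s`.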

@@ -3830,8 +3792,8 @@

Tracing.OpenCensusAgent.TraceConte

@@ -3846,7 +3808,7 @@

Tracing.OpenCensusAgent.TraceConte

@@ -3854,9 +3816,9 @@

Tracing.OpenCensusAgent.TraceConte

@@ -3866,8 +3828,8 @@

Tracing.OpenCensusAgent.TraceConte

ProxyConfig.TracingServiceName

-

Allows specification of various Istio-supported naming schemes for the -Envoy service_cluster value. The servce_cluster value is primarily used +

Allows specification of various Istio-supported naming schemes for the
+Envoy service_cluster value. The servce_cluster value is primarily used
by Envoys to provide service names for tracing spans.

W3C_TRACE_CONTEXT -

Use W3C Trace Context propagation using the traceparent HTTP header. -See the +

Use W3C Trace Context propagation using the traceparent HTTP header.
+See the
Trace Context documentation for details.

CLOUD_TRACE_CONTEXT -

Use Cloud Trace context propagation using the +

Use Cloud Trace context propagation using the
X-Cloud-Trace-Context http header.

B3 -

Use multi-header B3 context propagation using the X-B3-TraceId, -X-B3-SpanId, and X-B3-Sampled HTTP headers. See -B3 header propagation README +

Use multi-header B3 context propagation using the X-B3-TraceId,
+X-B3-SpanId, and X-B3-Sampled HTTP headers. See
+B3 header propagation README
for details.
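Review bot: `The servce_cluster value is primarily used` under `ProxyConfig.TracingServiceName` is a typo in the proto comment (`service_cluster`), and `by Envoys` reads oddly where `by Envoy` is enough. Not a rendering change, but worth a one-line fix in the api repo since this hunk is already rewriting those lines.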

@@ -3881,7 +3843,7 @@

ProxyConfig.TracingServiceName

@@ -3905,8 +3867,8 @@

ProxyConfig.TracingServiceName

ProxyConfig.InboundInterceptionMode

-

The mode used to redirect inbound traffic to Envoy. -This setting has no effect on outbound traffic: iptables REDIRECT is always used for +

The mode used to redirect inbound traffic to Envoy.
+This setting has no effect on outbound traffic: iptables REDIRECT is always used for
outbound connections.

APP_LABEL_AND_NAMESPACE -

Default scheme. Uses the app label and workload namespace to construct +

Default scheme. Uses the app label and workload namespace to construct
a cluster name. If the app label does not exist istio-proxy is used.

@@ -3920,7 +3882,7 @@

ProxyConfig.InboundInterceptionMode

@@ -3928,9 +3890,9 @@

ProxyConfig.InboundInterceptionMode

@@ -3938,7 +3900,7 @@

ProxyConfig.InboundInterceptionMode

@@ -3948,8 +3910,8 @@

ProxyConfig.InboundInterceptionMode

AuthenticationPolicy

-

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. -It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. +

AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
+It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
Mesh policy cannot be INHERIT.

REDIRECT -

The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses +

The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
source IP addresses during redirection.

TPROXY -

The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the -source and destination IP addresses and ports, so that they can be used for advanced -filtering and manipulation. This mode also configures the sidecar to run with the +

The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
+source and destination IP addresses and ports, so that they can be used for advanced
+filtering and manipulation. This mode also configures the sidecar to run with the
CAP_NET_ADMIN capability, which is required to use TPROXY.

NONE -

The NONE mode does not configure redirect to Envoy at all. This is an advanced +

The NONE mode does not configure redirect to Envoy at all. This is an advanced
configuration that typically requires changes to user applications.

@@ -3977,7 +3939,7 @@

AuthenticationPolicy

diff --git a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html index 65502923c5988..93f058bd5aab4 100644 --- a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html @@ -1,27 +1,26 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: IstioOperator Options description: Configuration affecting Istio control plane installation version and shape. location: https://istio.io/docs/reference/config/istio.operator.v1alpha1.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs weight: 20 number_of_entries: 74 --- -

Configuration affecting Istio control plane installation version and shape. -Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. -Without camelCase, the json tag on the Go struct will not match the user’s JSON representation. -This leads to Kubernetes merge libraries, which rely on this tag, to fail. +

Configuration affecting Istio control plane installation version and shape.
+Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests.
+Without camelCase, the json tag on the Go struct will not match the user's JSON representation.
+This leads to Kubernetes merge libraries, which rely on this tag, to fail.
All other usages use jsonpb which does not use the json tag.

IstioOperatorSpec

-

IstioOperatorSpec defines the desired installed state of Istio components. -The spec is a used to define a customization of the default profile values that are supplied with each Istio release. -Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio +

IstioOperatorSpec defines the desired installed state of Istio components.
+The spec is a used to define a customization of the default profile values that are supplied with each Istio release.
+Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio
component values.

-
apiVersion: install.istio.io/v1alpha1
 kind: IstioOperator
 spec:
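Review bot: the front matter now points at a personal fork: `source_repo: https://github.com/ericvn/api` replaces `https://github.com/istio/api`, the auto-generated WARNING banner changes the same way, and `layout: protoc-gen-docs` becomes `layout: partner-component`. The same substitution appears in every file header in this patch (labels, istio-status, destination-rule). Presumably this is how the generator was pointed at the Goldmark branch for the test; before anything from this series merges, the generator needs to run against istio/api again so the banner and links do not send readers to a fork, and the `layout` change needs either an explanation in the commit message or a revert, since every reference page shares that layout.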
@@ -53,12 +52,10 @@ 

IstioOperatorSpec

@@ -71,7 +68,6 @@

IstioOperatorSpec

@@ -121,7 +117,7 @@

IstioOperatorSpec

@@ -133,7 +129,7 @@

IstioOperatorSpec

@@ -156,7 +152,7 @@

IstioOperatorSpec

@@ -168,9 +164,9 @@

IstioOperatorSpec

@@ -193,8 +189,8 @@

IstioOperatorSpec

@@ -224,7 +220,6 @@

InstallStatus

@@ -667,7 +662,7 @@

KubernetesResourcesSpec

@@ -679,7 +674,7 @@

KubernetesResourcesSpec

@@ -691,7 +686,7 @@

KubernetesResourcesSpec

@@ -703,7 +698,7 @@

KubernetesResourcesSpec

@@ -715,7 +710,7 @@

KubernetesResourcesSpec

@@ -727,7 +722,7 @@

KubernetesResourcesSpec

@@ -739,7 +734,7 @@

KubernetesResourcesSpec

@@ -751,8 +746,8 @@

KubernetesResourcesSpec

@@ -764,7 +759,7 @@

KubernetesResourcesSpec

@@ -776,7 +771,7 @@

KubernetesResourcesSpec

@@ -788,7 +783,7 @@

KubernetesResourcesSpec

@@ -800,7 +795,7 @@

KubernetesResourcesSpec

@@ -812,7 +807,7 @@

KubernetesResourcesSpec

@@ -824,7 +819,7 @@

KubernetesResourcesSpec

@@ -836,7 +831,7 @@

KubernetesResourcesSpec

@@ -848,8 +843,8 @@

KubernetesResourcesSpec

@@ -861,7 +856,7 @@

KubernetesResourcesSpec

@@ -923,7 +918,7 @@

K8sObjectOverlay

@@ -2265,7 +2260,7 @@

ObjectMetricSource

@@ -3631,9 +3626,9 @@

SeccompProfile

IntOrString

-

IntOrString is a type that can hold an int32 or a string. When used in -JSON or YAML marshalling and unmarshalling, it produces or consumes the -inner type. This allows you to have, for example, a JSON field that can +

IntOrString is a type that can hold an int32 or a string. When used in
+JSON or YAML marshalling and unmarshalling, it produces or consumes the
+inner type. This allows you to have, for example, a JSON field that can
accept a name or number.

INHERIT -

Use the policy defined by the parent scope. Should not be used for mesh +

Use the policy defined by the parent scope. Should not be used for mesh
policy.

string

Path or name for the profile e.g.

-
  • minimal (looks in profiles dir for a file called minimal.yaml)
  • /tmp/istio/install/values/custom/custom-install.yaml (local file path)
-

default profile is used if this field is unset.

string

Path for the install package. e.g.

-
  • /tmp/istio-installer/nightly (local file path)
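Review bot: same pattern as the MeshNetworks example above: lines are deleted (`-`) with no replacement on both sides of the bullet list under `Path or name for the profile e.g.` and again before the list under `Path for the install package. e.g.`, so the blank lines that separated those lists from the surrounding paragraph text are gone. Please check the rendered page to make sure `minimal (looks in profiles dir for a file called minimal.yaml)` and `/tmp/istio/install/values/custom/custom-install.yaml (local file path)` are still list items and that `default profile is used if this field is unset.` is still its own paragraph rather than being run on to the last bullet.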
@@ -107,9 +103,9 @@

IstioOperatorSpec

namespace string -

Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace -as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in -a custom namespace. +

Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace
+as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in
+a custom namespace.
If you have enabled CNI, you must exclude this namespace by adding it to the list values.cni.excludeNamespaces.

revision string -

Identify the revision this installation is associated with. +

Identify the revision this installation is associated with.
This option is currently experimental.

defaultRevision bool -

Identify whether this revision is the default revision for the cluster +

Identify whether this revision is the default revision for the cluster
This option is currently experimental.

components IstioComponentSetSpec -

Kubernetes resource settings, enablement and component-specific settings that are not internal to the +

Kubernetes resource settings, enablement and component-specific settings that are not internal to the
component.

values Struct -

Overrides for default values.yaml. This is a validated pass-through to Helm templates. -See the Helm installation options for schema details. -Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This +

Overrides for default values.yaml. This is a validated pass-through to Helm templates.
+See the Helm installation options for schema details.
+Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This
includes Kubernetes resource settings for components in KubernetesResourcesSpec.

addonComponents map<string, ExternalComponentSpec> -

Deprecated. -Users should manage the installation of addon components on their own. +

Deprecated.
+Users should manage the installation of addon components on their own.
Refer to samples/addons for demo installation of addon components.

Status

Overall status of all components controlled by the operator.

-
  • If all components have status NONE, overall status is NONE.
  • If all components are HEALTHY, overall status is HEALTHY.
  • @@ -655,7 +650,7 @@

    KubernetesResourcesSpec

affinity Affinity -

k8s affinity. +

k8s affinity.
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

env EnvVar[] -

Deployment environment variables. +

Deployment environment variables.
https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

hpaSpec HorizontalPodAutoscalerSpec -

k8s HorizontalPodAutoscaler settings. +

k8s HorizontalPodAutoscaler settings.
https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

imagePullPolicy string -

k8s imagePullPolicy. +

k8s imagePullPolicy.
https://kubernetes.io/docs/concepts/containers/images/

nodeSelector map<string, string> -

k8s nodeSelector. +

k8s nodeSelector.
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

podDisruptionBudget PodDisruptionBudgetSpec -

k8s PodDisruptionBudget settings. +

k8s PodDisruptionBudget settings.
https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

podAnnotations map<string, string> -

k8s pod annotations. +

k8s pod annotations.
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

priorityClassName string -

k8s priority_class_name. Default for all resources unless overridden. +

k8s priority_class_name. Default for all resources unless overridden.
https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

readinessProbe ReadinessProbe -

k8s readinessProbe settings. -https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +

k8s readinessProbe settings.
+https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
k8s.io.api.core.v1.Probe readiness_probe = 9;

replicaCount uint32 -

k8s Deployment replicas setting. +

k8s Deployment replicas setting.
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

resources Resources -

k8s resources settings. +

k8s resources settings.
https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

service ServiceSpec -

k8s Service settings. +

k8s Service settings.
https://kubernetes.io/docs/concepts/services-networking/service/

strategy DeploymentStrategy -

k8s deployment strategy. +

k8s deployment strategy.
https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

tolerations Toleration[] -

k8s toleration +

k8s toleration
https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

serviceAnnotations map<string, string> -

k8s service annotations. +

k8s service annotations.
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

securityContext PodSecurityContext -

k8s pod security context +

k8s pod security context
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

volumes Volume[] -

k8s volume -https://kubernetes.io/docs/concepts/storage/volumes/ +

k8s volume
+https://kubernetes.io/docs/concepts/storage/volumes/
Volumes defines the collection of Volume to inject into the pod.

volumeMounts VolumeMount[] -

k8s volumeMounts +

k8s volumeMounts
VolumeMounts defines the collection of VolumeMount to inject into containers.

name string -

Name of resource. +

Name of resource.
Namespace is always the component namespace.

target Value -

Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1 +

Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1
Change it to dynamic type to keep backward compatible
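Review bot: the `readinessProbe` description renders a stray proto declaration as documentation text: `k8s.io.api.core.v1.Probe readiness_probe = 9;` appears as the last line under `k8s readinessProbe settings.` It is a leftover line in the source comment (the field's own declaration) and should be removed in the api repo. It is present in both the old and the new output, so it is not caused by this change, but it is the most confusing line on this page and the hunk is already touching it. The `priorityClassName` text similarly says `k8s priority_class_name` while the field, like every other one in `KubernetesResourcesSpec`, is documented in camelCase.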

@@ -3736,9 +3731,9 @@

K8sObjectOverlay.PathValue

@@ -3750,10 +3745,10 @@

K8sObjectOverlay.PathValue

@@ -3766,11 +3761,10 @@

K8sObjectOverlay.PathValue

google.protobuf.Value

-

Value represents a dynamically typed value which can be either -null, a number, a string, a boolean, a recursive struct value, or a -list of values. A producer of value is expected to set one of that +

Value represents a dynamically typed value which can be either
+null, a number, a string, a boolean, a recursive struct value, or a
+list of values. A producer of value is expected to set one of that
variants, absence of any variant indicates an error.

-

The JSON representation for Value is JSON value.

path string -

Path of the form a.[key1:value1].b.[:value2] -Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value -selector to identify a list element in a leaf list. +

Path of the form a.[key1:value1].b.[:value2]
+Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value
+selector to identify a list element in a leaf list.
All path intermediate nodes must exist.

value Value -

Value to add, delete or replace. -For add, the path should be a new leaf. -For delete, value should be unset. -For replace, path should reference an existing node. +

Value to add, delete or replace.
+For add, the path should be a new leaf.
+For delete, value should be unset.
+For replace, path should reference an existing node.
All values are strings but are converted into appropriate type based on schema.

@@ -3870,9 +3864,9 @@

k8s.io.api.core.v1.Volume

@@ -3924,8 +3918,8 @@

k8s.io.api.core.v1.VolumeMount

@@ -3937,8 +3931,8 @@

k8s.io.api.core.v1.VolumeMount

@@ -3962,10 +3956,10 @@

k8s.io.api.core.v1.VolumeMount

@@ -3977,10 +3971,10 @@

k8s.io.api.core.v1.VolumeMount

@@ -3993,9 +3987,9 @@

k8s.io.api.core.v1.VolumeMount

k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

-

A label selector is a label query over a set of resources. The result of matchLabels and -matchExpressions are ANDed. An empty label selector matches all objects. A null -label selector matches no objects. +

A label selector is a label query over a set of resources. The result of matchLabels and
+matchExpressions are ANDed. An empty label selector matches all objects. A null
+label selector matches no objects.
+structType=atomic

name string -

name of the volume. -Must be a DNS_LABEL and unique within the pod. -More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

+

name of the volume.
+Must be a DNS_LABEL and unique within the pod.
+More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
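Review bot: this is a regression in the new output: the Kubernetes code-generation marker `+structType=atomic` is now rendered as a line of documentation under `LabelSelector`, and the same happens with `+optional` under `readOnly`, `subPath`, `mountPropagation` and `subPathExpr` further down in this patch. The old output did not show these lines (each of those hunks deletes a two- or three-line comment and adds it back with the marker as an extra line), so Blackfriday was swallowing them and Goldmark is not. Before this rendering change lands, protoc-gen-docs needs to strip comment lines that begin with a `+` marker from the vendored k8s types, or the operator reference page will carry gengo/kubebuilder markers as prose.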

@@ -3883,8 +3877,8 @@

k8s.io.api.core.v1.Volume

volumeSource VolumeSource -

volumeSource represents the location and type of the mounted volume. -If not specified, the Volume is implied to be an EmptyDir. +

volumeSource represents the location and type of the mounted volume.
+If not specified, the Volume is implied to be an EmptyDir.
This implied behavior is deprecated and will be removed in a future version.

readOnly bool -

Mounted read-only if true, read-write otherwise (false or unspecified). -Defaults to false. +

Mounted read-only if true, read-write otherwise (false or unspecified).
+Defaults to false.
+optional

mountPath string -

Path within the container at which the volume should be mounted. Must -not contain ‘:’.

+

Path within the container at which the volume should be mounted. Must
+not contain ':'.

@@ -3949,8 +3943,8 @@

k8s.io.api.core.v1.VolumeMount

subPath string -

Path within the volume from which the container’s volume should be mounted. -Defaults to “” (volume’s root). +

Path within the volume from which the container's volume should be mounted.
+Defaults to "" (volume's root).
+optional

mountPropagation string -

mountPropagation determines how mounts are propagated from the host -to container and the other way around. -When not set, MountPropagationNone is used. -This field is beta in 1.10. +

mountPropagation determines how mounts are propagated from the host
+to container and the other way around.
+When not set, MountPropagationNone is used.
+This field is beta in 1.10.
+optional

subPathExpr string -

Expanded path within the volume from which the container’s volume should be mounted. -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. -Defaults to “” (volume’s root). -SubPathExpr and SubPath are mutually exclusive. +

Expanded path within the volume from which the container's volume should be mounted.
+Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
+Defaults to "" (volume's root).
+SubPathExpr and SubPath are mutually exclusive.
+optional

@@ -4012,9 +4006,9 @@

k8s.io.apimachinery.

@@ -4026,7 +4020,7 @@

k8s.io.apimachinery.

@@ -4087,8 +4081,8 @@

InstallStatus.Status

diff --git a/content/en/docs/reference/config/labels/index.html b/content/en/docs/reference/config/labels/index.html index 2bf14acebd388..f23adff55a40e 100644 --- a/content/en/docs/reference/config/labels/index.html +++ b/content/en/docs/reference/config/labels/index.html @@ -1,6 +1,6 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Resource Labels description: Resource labels used by Istio. location: https://istio.io/docs/reference/config/labels/ diff --git a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html index 84ddda9a154e9..b52e70e03abea 100644 --- a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Istio Status description: Common status field for all istio collections. location: https://istio.io/docs/reference/config/meta/v1beta1/istio-status.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs number_of_entries: 2 --- @@ -24,10 +24,10 @@

IstioStatus
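Review bot: the front matter hunks for labels/index.html and istio-status/index.html change both the auto-generated WARNING banner and `source_repo` from https://github.com/istio/api to https://github.com/ericvn/api, which tells contributors to edit a personal fork; these lines need to be regenerated against istio/api before merge. The istio-status hunk also swaps `layout: protoc-gen-docs` for `layout: partner-component`; confirm that the layout change is deliberate and that the site has a `partner-component` layout, since the same substitution will apply to every regenerated reference page.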

@@ -39,9 +39,9 @@

IstioStatus

@@ -53,9 +53,9 @@

IstioStatus

@@ -93,7 +93,7 @@

IstioCondition

@@ -105,7 +105,7 @@

IstioCondition

@@ -117,7 +117,7 @@

IstioCondition

@@ -129,7 +129,7 @@

IstioCondition

@@ -141,7 +141,7 @@

IstioCondition

diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html index 1cd74cc056b48..d303f851a6ab7 100644 --- a/content/en/docs/reference/config/networking/destination-rule/index.html +++ b/content/en/docs/reference/config/networking/destination-rule/index.html @@ -1,25 +1,23 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Destination Rule description: Configuration affecting load balancing, outlier detection, etc. location: https://istio.io/docs/reference/config/networking/destination-rule.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.DestinationRule aliases: [/docs/reference/config/networking/v1alpha3/destination-rule] number_of_entries: 23 --- -

DestinationRule defines policies that apply to traffic intended for a -service after routing has occurred. These rules specify configuration -for load balancing, connection pool size from the sidecar, and outlier -detection settings to detect and evict unhealthy hosts from the load -balancing pool. For example, a simple load balancing policy for the +

DestinationRule defines policies that apply to traffic intended for a
+service after routing has occurred. These rules specify configuration
+for load balancing, connection pool size from the sidecar, and outlier
+detection settings to detect and evict unhealthy hosts from the load
+balancing pool. For example, a simple load balancing policy for the
ratings service would look as follows:

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
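Review bot: this file's front matter carries the same fork reference (`source_repo: https://github.com/ericvn/api` and the matching WARNING line) and the same `protoc-gen-docs` to `partner-component` layout change as the labels and istio-status pages, and needs the same regeneration against istio/api; the rest of the hunk only rewraps the intro paragraph and puts the two tab shortcodes that were previously on one line onto separate lines.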
@@ -30,11 +28,8 @@
     loadBalancer:
       simple: LEAST_REQUEST
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -45,19 +40,15 @@
     loadBalancer:
       simple: LEAST_REQUEST
 
- -

{{}} -{{}}

- -

Version specific policies can be specified by defining a named -subset and overriding the settings specified at the service level. The -following rule uses a round robin load balancing policy for all traffic -going to a subset named testversion that is composed of endpoints (e.g., +

{{}}
+{{}}

+

Version specific policies can be specified by defining a named
+subset and overriding the settings specified at the service level. The
+following rule uses a round robin load balancing policy for all traffic
+going to a subset named testversion that is composed of endpoints (e.g.,
pods) with labels (version:v3).

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -75,11 +66,8 @@
       loadBalancer:
         simple: ROUND_ROBIN
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -97,21 +85,16 @@
       loadBalancer:
         simple: ROUND_ROBIN
 
- -

{{}} -{{}}

- -

Note: Policies specified for subsets will not take effect until +

{{}}
+{{}}

+

Note: Policies specified for subsets will not take effect until
a route rule explicitly sends traffic to this subset.

- -

Traffic policies can be customized to specific ports as well. The -following rule uses the least connection load balancing policy for all -traffic to port 80, while uses a round robin load balancing setting for +

Traffic policies can be customized to specific ports as well. The
+following rule uses the least connection load balancing policy for all
+traffic to port 80, while uses a round robin load balancing setting for
traffic to the port 9080.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -129,11 +112,8 @@
       loadBalancer:
         simple: ROUND_ROBIN
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -151,17 +131,13 @@
       loadBalancer:
         simple: ROUND_ROBIN
 
- -

{{}} -{{}}

- -

Destination Rules can be customized to specific workloads as well. -The following example shows how a destination rule can be applied to a +

{{}}
+{{}}

+

Destination Rules can be customized to specific workloads as well.
+The following example shows how a destination rule can be applied to a
specific workload using the workloadSelector configuration.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -181,10 +157,8 @@
         credentialName: client-credential
         mode: MUTUAL
 
- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -204,13 +178,12 @@
         credentialName: client-credential
         mode: MUTUAL
 
- -

{{}} -{{}}

+

{{}}
+{{}}

DestinationRule

-

DestinationRule defines policies that apply to traffic intended for a service +

DestinationRule defines policies that apply to traffic intended for a service
after routing has occurred.

matchLabels map<string, string> -

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is “key”, the -operator is “In”, and the values array contains only “value”. The requirements are ANDed. +

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+optional

matchExpressions LabelSelectorRequirement[] -

matchExpressions is a list of label selector requirements. The requirements are ANDed. +

matchExpressions is a list of label selector requirements. The requirements are ANDed.
+optional

ACTION_REQUIRED -

Overall status only and would not be set as a component status. -Action is needed from the user for reconciliation to proceed +

Overall status only and would not be set as a component status.
+Action is needed from the user for reconciliation to proceed
e.g. There are proxies still pointing to the control plane revision when try to remove an IstioOperator CR.

conditions IstioCondition[] -

Current service state of pod. -More info: https://istio.io/docs/reference/config/config-status/ -+optional -+patchMergeKey=type +

Current service state of pod.
+More info: https://istio.io/docs/reference/config/config-status/
++optional
++patchMergeKey=type
+patchStrategy=merge

validationMessages AnalysisMessageBase[] -

Includes any errors or warnings detected by Istio’s analyzers. -+optional -+patchMergeKey=type +

Includes any errors or warnings detected by Istio's analyzers.
++optional
++patchMergeKey=type
+patchStrategy=merge

observedGeneration int64 -

Resource Generation to which the Reconciled Condition refers. -When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current -generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info. +

Resource Generation to which the Reconciled Condition refers.
+When this value is not equal to the object's metadata generation, reconciled condition calculation for the current
+generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.
+optional

status string -

Status is the status of the condition. +

Status is the status of the condition.
Can be True, False, Unknown.

lastProbeTime Timestamp -

Last time we probed the condition. +

Last time we probed the condition.
+optional

lastTransitionTime Timestamp -

Last time the condition transitioned from one status to another. +

Last time the condition transitioned from one status to another.
+optional

reason string -

Unique, one-word, CamelCase reason for the condition’s last transition. +

Unique, one-word, CamelCase reason for the condition's last transition.
+optional

message string -

Human-readable message indicating details about last transition. +

Human-readable message indicating details about last transition.
+optional
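Review bot: the Kubernetes marker comments `+optional`, `+patchMergeKey=type` and `+patchStrategy=merge` are emitted as literal description text for matchLabels, matchExpressions, conditions, validationMessages, observedGeneration, lastProbeTime, lastTransitionTime, reason and message. They appear in the removed lines as well as the added ones, so this is pre-existing rather than a Goldmark regression, but the generator should drop comment lines that start with `+` before rendering; that fix belongs in the protoc-gen-docs pipeline, not in these generated files.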

@@ -227,21 +200,19 @@

DestinationRule

@@ -253,7 +224,7 @@

DestinationRule

@@ -265,7 +236,7 @@

DestinationRule

@@ -277,19 +248,17 @@

DestinationRule

@@ -301,14 +270,14 @@

DestinationRule

host string -

The name of a service from the service registry. Service -names are looked up from the platform’s service registry (e.g., -Kubernetes services, Consul services, etc.) and from the hosts -declared by ServiceEntries. Rules defined for +

The name of a service from the service registry. Service
+names are looked up from the platform's service registry (e.g.,
+Kubernetes services, Consul services, etc.) and from the hosts
+declared by ServiceEntries. Rules defined for
services that do not exist in the service registry will be ignored.

- -

Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully +

Note for Kubernetes users: When short names are used (e.g. "reviews"
+instead of "reviews.default.svc.cluster.local"), Istio will interpret
+the short name based on the namespace of the rule, not the service. A
+rule in the "default" namespace containing a host "reviews" will be
+interpreted as "reviews.default.svc.cluster.local", irrespective of
+the actual namespace associated with the reviews service. To avoid
+potential misconfigurations, it is recommended to always use fully
qualified domain names over short names.

-

Note that the host field applies to both HTTP and TCP services.

trafficPolicy TrafficPolicy -

Traffic policies to apply (load balancing policy, connection pool +

Traffic policies to apply (load balancing policy, connection pool
sizes, outlier detection).

subsets Subset[] -

One or more named sets that represent individual versions of a +

One or more named sets that represent individual versions of a
service. Traffic policies can be overridden at subset level.

exportTo string[] -

A list of namespaces to which this destination rule is exported. -The resolution of a destination rule to apply to a service occurs in the -context of a hierarchy of namespaces. Exporting a destination rule allows -it to be included in the resolution hierarchy for services in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of destination rules +

A list of namespaces to which this destination rule is exported.
+The resolution of a destination rule to apply to a service occurs in the
+context of a hierarchy of namespaces. Exporting a destination rule allows
+it to be included in the resolution hierarchy for services in
+other namespaces. This feature provides a mechanism for service owners
+and mesh administrators to control the visibility of destination rules
across namespace boundaries.

- -

If no namespaces are specified then the destination rule is exported to all +

If no namespaces are specified then the destination rule is exported to all
namespaces by default.

- -

The value “.” is reserved and defines an export to the same namespace that -the destination rule is declared in. Similarly, the value “*” is reserved and +

The value "." is reserved and defines an export to the same namespace that
+the destination rule is declared in. Similarly, the value "*" is reserved and
defines an export to all namespaces.

workloadSelector WorkloadSelector -

Criteria used to select the specific set of pods/VMs on which this - DestinationRule configuration should be applied. If specified, the DestinationRule - configuration will be applied only to the workload instances matching the workload selector - label in the same namespace. Workload selectors do not apply across namespace boundaries. - If omitted, the DestinationRule falls back to its default behavior. - For example, if specific sidecars need to have egress TLS settings for services outside - of the mesh, instead of every sidecar in the mesh needing to have the - configuration (which is the default behaviour), a workload selector can be specified.

+

Criteria used to select the specific set of pods/VMs on which this
+DestinationRule configuration should be applied. If specified, the DestinationRule
+configuration will be applied only to the workload instances matching the workload selector
+label in the same namespace. Workload selectors do not apply across namespace boundaries.
+If omitted, the DestinationRule falls back to its default behavior.
+For example, if specific sidecars need to have egress TLS settings for services outside
+of the mesh, instead of every sidecar in the mesh needing to have the
+configuration (which is the default behaviour), a workload selector can be specified.
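Review bot: in the host description the typographic quotes around “reviews”, “reviews.default.svc.cluster.local” and “default” become straight ASCII quotes in the added lines, and every apostrophe in this patch changes the same way (platform’s becomes platform's). That means the new pipeline renders without Goldmark's Typographer (smart punctuation) extension; decide whether that is intended, and if the previous smart quotes are wanted, enable the extension in the generator so all reference pages come out the same way.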

@@ -320,7 +289,7 @@

DestinationRule

TrafficPolicy

-

Traffic policies to apply for a specific destination, across all +

Traffic policies to apply for a specific destination, across all
destination ports. See DestinationRule for examples.

@@ -381,10 +350,10 @@

TrafficPolicy

@@ -396,9 +365,9 @@

TrafficPolicy

portLevelSettings PortTrafficPolicy[] -

Traffic policies specific to individual ports. Note that port level -settings will override the destination-level settings. Traffic -settings specified at the destination-level will not be inherited when -overridden by port-level settings, i.e. default values will be applied +

Traffic policies specific to individual ports. Note that port level
+settings will override the destination-level settings. Traffic
+settings specified at the destination-level will not be inherited when
+overridden by port-level settings, i.e. default values will be applied
to fields omitted in port-level traffic policies.

tunnel TunnelSettings -

Configuration of tunneling TCP over other transport or application layers -for the host configured in the DestinationRule. -Tunnel settings can be applied to TCP or TLS routes and can’t be applied to HTTP routes.

+

Configuration of tunneling TCP over other transport or application layers
+for the host configured in the DestinationRule.
+Tunnel settings can be applied to TCP or TLS routes and can't be applied to HTTP routes.

@@ -410,18 +379,16 @@

TrafficPolicy

Subset

-

A subset of endpoints of a service. Subsets can be used for scenarios -like A/B testing, or routing to a specific version of a service. Refer -to VirtualService documentation for examples of using -subsets in these scenarios. In addition, traffic policies defined at the -service-level can be overridden at a subset-level. The following rule -uses a round robin load balancing policy for all traffic going to a -subset named testversion that is composed of endpoints (e.g., pods) with +

A subset of endpoints of a service. Subsets can be used for scenarios
+like A/B testing, or routing to a specific version of a service. Refer
+to VirtualService documentation for examples of using
+subsets in these scenarios. In addition, traffic policies defined at the
+service-level can be overridden at a subset-level. The following rule
+uses a round robin load balancing policy for all traffic going to a
+subset named testversion that is composed of endpoints (e.g., pods) with
labels (version:v3).

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -439,11 +406,8 @@ 

Subset

loadBalancer: simple: ROUND_ROBIN
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -461,17 +425,14 @@ 

Subset

loadBalancer: simple: ROUND_ROBIN
- -

{{}} -{{}}

- -

Note: Policies specified for subsets will not take effect until +

{{}}
+{{}}

+

Note: Policies specified for subsets will not take effect until
a route rule explicitly sends traffic to this subset.

- -

One or more labels are typically required to identify the subset destination, -however, when the corresponding DestinationRule represents a host that -supports multiple SNI hosts (e.g., an egress gateway), a subset without labels -may be meaningful. In this case a traffic policy with ClientTLSSettings +

One or more labels are typically required to identify the subset destination,
+however, when the corresponding DestinationRule represents a host that
+supports multiple SNI hosts (e.g., an egress gateway), a subset without labels
+may be meaningful. In this case a traffic policy with ClientTLSSettings
can be used to identify a specific SNI host corresponding to the named subset.

@@ -488,7 +449,7 @@

Subset

@@ -500,7 +461,7 @@

Subset

@@ -512,9 +473,9 @@

Subset

@@ -527,17 +488,14 @@

Subset

LoadBalancerSettings

-

Load balancing policies to apply for a specific destination. See Envoy’s -load balancing -documentation +

Load balancing policies to apply for a specific destination. See Envoy's
+load balancing
+documentation
for more details.

- -

For example, the following rule uses a round robin load balancing policy +

For example, the following rule uses a round robin load balancing policy
for all traffic going to the ratings service.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -548,11 +506,8 @@ 

LoadBalancerSettings

loadBalancer: simple: ROUND_ROBIN
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -563,17 +518,13 @@ 

LoadBalancerSettings

loadBalancer: simple: ROUND_ROBIN
- -

{{}} -{{}}

- -

The following example sets up sticky sessions for the ratings service -hashing-based load balancer for the same ratings service using the +

{{}}
+{{}}

+

The following example sets up sticky sessions for the ratings service
+hashing-based load balancer for the same ratings service using the
the User cookie as the hash key.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
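Review bot: the sticky-session paragraph reads "sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service using the the User cookie as the hash key"; something is missing between "ratings service" and "hashing-based", and "the the" is doubled. The wording is unchanged by this patch, so the fix goes into the proto comment in the source repo rather than this generated file.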
@@ -587,11 +538,8 @@ 

LoadBalancerSettings

name: user ttl: 0s
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -605,9 +553,8 @@ 

LoadBalancerSettings

name: user ttl: 0s
- -

{{}} -{{}}

+

{{}}
+{{}}

name string -

Name of the subset. The service name and the subset name can +

Name of the subset. The service name and the subset name can
be used for traffic splitting in a route rule.

labels map<string, string> -

Labels apply a filter over the endpoints of a service in the +

Labels apply a filter over the endpoints of a service in the
service registry. See route rules for examples of usage.

trafficPolicy TrafficPolicy -

Traffic policies that apply to this subset. Subsets inherit the -traffic policies specified at the DestinationRule level. Settings -specified at the subset level will override the corresponding settings +

Traffic policies that apply to this subset. Subsets inherit the
+traffic policies specified at the DestinationRule level. Settings
+specified at the subset level will override the corresponding settings
specified at the DestinationRule level.

@@ -641,7 +588,7 @@

LoadBalancerSettings

@@ -653,10 +600,10 @@

LoadBalancerSettings

@@ -669,18 +616,15 @@

LoadBalancerSettings

ConnectionPoolSettings

-

Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy’s circuit -breaker -for more details. Connection pool settings can be applied at the TCP +

Connection pool settings for an upstream host. The settings apply to
+each individual host in the upstream service. See Envoy's circuit
+breaker

+for more details. Connection pool settings can be applied at the TCP
level as well as at HTTP level.

- -

For example, the following rule sets a limit of 100 connections to redis +

For example, the following rule sets a limit of 100 connections to redis
service called myredissrv with a connect timeout of 30ms

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
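Review bot: the added lines put an empty line between `+breaker` and `+for more details`, so the sentence "See Envoy's circuit breaker for more details" is now split into two paragraphs, whereas the removed lines ran `-breaker -for more details` together. The same split shows up in the OutlierDetection hunk (`+detection`, blank line, `for more details.`) and the ClientTLSSettings hunk (`+context`, blank line, `for more details.`), each time directly after a link whose text wraps onto a second line. Check how the Goldmark renderer handles a line break inside link text before merging; it looks like it closes the paragraph after the link.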
@@ -696,11 +640,8 @@ 

ConnectionPoolSettings

time: 7200s interval: 75s
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -716,9 +657,8 @@ 

ConnectionPoolSettings

time: 7200s interval: 75s
- -

{{}} -{{}}

+

{{}}
+{{}}

localityLbSetting LocalityLoadBalancerSetting -

Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed +

Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed
between this object and the object one in MeshConfig

warmupDurationSecs Duration -

Represents the warmup duration of Service. If set, the newly created endpoint of service -remains in warmup mode starting from its creation time for the duration of this window and -Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic. -This should be enabled for services that require warm up time to serve full production load with reasonable latency. +

Represents the warmup duration of Service. If set, the newly created endpoint of service
+remains in warmup mode starting from its creation time for the duration of this window and
+Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic.
+This should be enabled for services that require warm up time to serve full production load with reasonable latency.
Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers.

@@ -757,25 +697,22 @@

ConnectionPoolSettings

OutlierDetection

-

A Circuit breaker implementation that tracks the status of each -individual host in the upstream service. Applicable to both HTTP and -TCP services. For HTTP services, hosts that continually return 5xx -errors for API calls are ejected from the pool for a pre-defined period -of time. For TCP services, connection timeouts or connection -failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy’s outlier -detection +

A Circuit breaker implementation that tracks the status of each
+individual host in the upstream service. Applicable to both HTTP and
+TCP services. For HTTP services, hosts that continually return 5xx
+errors for API calls are ejected from the pool for a pre-defined period
+of time. For TCP services, connection timeouts or connection
+failures to a given host counts as an error when measuring the
+consecutive errors metric. See Envoy's outlier
+detection

for more details.

- -

The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the “reviews” service. In addition, -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream -hosts to be scanned every 5 mins so that any host that fails 7 consecutive +

The following rule sets a connection pool size of 100 HTTP1 connections
+with no more than 10 req/connection to the "reviews" service. In addition,
+it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
+hosts to be scanned every 5 mins so that any host that fails 7 consecutive
times with a 502, 503, or 504 error code will be ejected for 15 minutes.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -794,11 +731,8 @@ 

OutlierDetection

interval: 5m baseEjectionTime: 15m
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -817,9 +751,8 @@ 

OutlierDetection

interval: 5m baseEjectionTime: 15m
- -

{{}} -{{}}

+

{{}}
+{{}}

@@ -835,13 +768,13 @@

OutlierDetection

@@ -853,8 +786,8 @@

OutlierDetection

@@ -866,18 +799,17 @@

OutlierDetection

@@ -889,17 +821,16 @@

OutlierDetection

@@ -911,7 +842,7 @@

OutlierDetection

@@ -923,10 +854,10 @@

OutlierDetection

@@ -938,7 +869,7 @@

OutlierDetection

@@ -950,12 +881,12 @@

OutlierDetection

@@ -968,16 +899,13 @@

OutlierDetection

ClientTLSSettings

-

SSL/TLS related settings for upstream connections. See Envoy’s TLS -context +

SSL/TLS related settings for upstream connections. See Envoy's TLS
+context

for more details. These settings are common to both HTTP and TCP upstreams.

- -

For example, the following rule configures a client to use mutual TLS +

For example, the following rule configures a client to use mutual TLS
for connections to upstream database cluster.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -991,11 +919,8 @@ 

ClientTLSSettings

privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1009,16 +934,12 @@ 

ClientTLSSettings

privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
- -

{{}} -{{}}

- -

The following rule configures a client to use TLS when talking to a +

{{}}
+{{}}

+

The following rule configures a client to use TLS when talking to a
foreign service whose domain matches *.foo.com.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -1029,11 +950,8 @@ 

ClientTLSSettings

tls: mode: SIMPLE
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1044,16 +962,12 @@ 

ClientTLSSettings

tls: mode: SIMPLE
- -

{{}} -{{}}

- -

The following rule configures a client to use Istio mutual TLS when talking +

{{}}
+{{}}

+

The following rule configures a client to use Istio mutual TLS when talking
to rating services.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -1064,11 +978,8 @@ 

ClientTLSSettings

tls: mode: ISTIO_MUTUAL
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1079,9 +990,8 @@ 

ClientTLSSettings

tls: mode: ISTIO_MUTUAL
- -

{{}} -{{}}

+

{{}}
+{{}}

splitExternalLocalOriginErrors bool -

Determines whether to distinguish local origin failures from external errors. If set to true -consecutive_local_origin_failure is taken into account for outlier detection calculations. -This should be used when you want to derive the outlier detection status based on the errors -seen locally such as failure to connect, timeout while connecting etc. rather than the status code -retuned by upstream service. This is especially useful when the upstream service explicitly returns -a 5xx for some requests and you want to ignore those responses from upstream service while determining -the outlier detection status of a host. +

Determines whether to distinguish local origin failures from external errors. If set to true
+consecutive_local_origin_failure is taken into account for outlier detection calculations.
+This should be used when you want to derive the outlier detection status based on the errors
+seen locally such as failure to connect, timeout while connecting etc. rather than the status code
+retuned by upstream service. This is especially useful when the upstream service explicitly returns
+a 5xx for some requests and you want to ignore those responses from upstream service while determining
+the outlier detection status of a host.
Defaults to false.

consecutiveLocalOriginFailures UInt32Value -

The number of consecutive locally originated failures before ejection -occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors +

The number of consecutive locally originated failures before ejection
+occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors
is set to true.

consecutiveGatewayErrors UInt32Value -

Number of gateway errors before a host is ejected from the connection pool. -When the upstream host is accessed over HTTP, a 502, 503, or 504 return -code qualifies as a gateway error. When the upstream host is accessed over -an opaque TCP connection, connect timeouts and connection error/failure -events qualify as a gateway error. +

Number of gateway errors before a host is ejected from the connection pool.
+When the upstream host is accessed over HTTP, a 502, 503, or 504 return
+code qualifies as a gateway error. When the upstream host is accessed over
+an opaque TCP connection, connect timeouts and connection error/failure
+events qualify as a gateway error.
This feature is disabled by default or when set to the value 0.

- -

Note that consecutive_gateway_errors and consecutive_5xx_errors can be -used separately or together. Because the errors counted by -consecutive_gateway_errors are also included in consecutive_5xx_errors, -if the value of consecutive_gateway_errors is greater than or equal to -the value of consecutive_5xx_errors, consecutive_gateway_errors will have +

Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+used separately or together. Because the errors counted by
+consecutive_gateway_errors are also included in consecutive_5xx_errors,
+if the value of consecutive_gateway_errors is greater than or equal to
+the value of consecutive_5xx_errors, consecutive_gateway_errors will have
no effect.

consecutive5xxErrors UInt32Value -

Number of 5xx errors before a host is ejected from the connection pool. -When the upstream host is accessed over an opaque TCP connection, connect -timeouts, connection error/failure and request failure events qualify as a -5xx error. +

Number of 5xx errors before a host is ejected from the connection pool.
+When the upstream host is accessed over an opaque TCP connection, connect
+timeouts, connection error/failure and request failure events qualify as a
+5xx error.
This feature defaults to 5 but can be disabled by setting the value to 0.

- -

Note that consecutive_gateway_errors and consecutive_5xx_errors can be -used separately or together. Because the errors counted by -consecutive_gateway_errors are also included in consecutive_5xx_errors, -if the value of consecutive_gateway_errors is greater than or equal to -the value of consecutive_5xx_errors, consecutive_gateway_errors will have +

Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+used separately or together. Because the errors counted by
+consecutive_gateway_errors are also included in consecutive_5xx_errors,
+if the value of consecutive_gateway_errors is greater than or equal to
+the value of consecutive_5xx_errors, consecutive_gateway_errors will have
no effect.

interval Duration -

Time interval between ejection sweep analysis. format: +

Time interval between ejection sweep analysis. format:
1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

baseEjectionTime Duration -

Minimum ejection duration. A host will remain ejected for a period -equal to the product of minimum ejection duration and the number of -times the host has been ejected. This technique allows the system to -automatically increase the ejection period for unhealthy upstream +

Minimum ejection duration. A host will remain ejected for a period
+equal to the product of minimum ejection duration and the number of
+times the host has been ejected. This technique allows the system to
+automatically increase the ejection period for unhealthy upstream
servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

maxEjectionPercent int32 -

Maximum % of hosts in the load balancing pool for the upstream +

Maximum % of hosts in the load balancing pool for the upstream
service that can be ejected. Defaults to 10%.

minHealthPercent int32 -

Outlier detection will be enabled as long as the associated load balancing -pool has at least min_health_percent hosts in healthy mode. When the -percentage of healthy hosts in the load balancing pool drops below this -threshold, outlier detection will be disabled and the proxy will load balance -across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it’s not typically +

Outlier detection will be enabled as long as the associated load balancing
+pool has at least min_health_percent hosts in healthy mode. When the
+percentage of healthy hosts in the load balancing pool drops below this
+threshold, outlier detection will be disabled and the proxy will load balance
+across all hosts in the pool (healthy and unhealthy). The threshold can be
+disabled by setting it to 0%. The default is 0% as it's not typically
applicable in k8s environments with few pods per service.
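Review bot: the regenerated minHealthPercent text replaces the typographic apostrophe with a straight one (`it’s` on the removed line becomes `+disabled by setting it to 0%. The default is 0% as it's not typically` on the added line), and the same substitution recurs throughout this file, for example in the 'failover' and 'distribute' policy names and in the '/' separator of the Failover.from description. If the curly quotes are wanted, the istio/api generator needs Goldmark's Typographer extension enabled; if straight quotes are acceptable, please say so in the PR description so reviewers do not flag every occurrence.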

@@ -1097,7 +1007,7 @@

ClientTLSSettings

@@ -1109,8 +1019,8 @@

ClientTLSSettings

@@ -1122,8 +1032,8 @@

ClientTLSSettings

@@ -1135,9 +1045,9 @@

ClientTLSSettings

@@ -1149,21 +1059,20 @@

ClientTLSSettings

@@ -1175,13 +1084,13 @@

ClientTLSSettings

@@ -1193,9 +1102,9 @@

ClientTLSSettings

@@ -1207,17 +1116,16 @@

ClientTLSSettings

@@ -1230,22 +1138,20 @@

ClientTLSSettings

LocalityLoadBalancerSetting

-

Locality-weighted load balancing allows administrators to control the -distribution of traffic to endpoints based on the localities of where the -traffic originates and where it will terminate. These localities are -specified using arbitrary labels that designate a hierarchy of localities in -{region}/{zone}/{sub-zone} form. For additional detail refer to -Locality Weight +

Locality-weighted load balancing allows administrators to control the
+distribution of traffic to endpoints based on the localities of where the
+traffic originates and where it will terminate. These localities are
+specified using arbitrary labels that designate a hierarchy of localities in
+{region}/{zone}/{sub-zone} form. For additional detail refer to
+Locality Weight
The following example shows how to setup locality weights mesh-wide.

- -

Given a mesh with workloads and their service deployed to “us-west/zone1/” -and “us-west/zone2/”. This example specifies that when traffic accessing a -service originates from workloads in “us-west/zone1/”, 80% of the traffic -will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the -remaining 20% will go to endpoints in “us-west/zone2/”. This setup is -intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in “us-west/zone2/”.

- +

Given a mesh with workloads and their service deployed to "us-west/zone1/"
+and "us-west/zone2/
". This example specifies that when traffic accessing a
+service originates from workloads in "us-west/zone1/", 80% of the traffic
+will be sent to endpoints in "us-west/zone1/
", i.e the same zone, and the
+remaining 20% will go to endpoints in "us-west/zone2/". This setup is
+intended to favor routing traffic to endpoints in the same locality.
+A similar setting is specified for traffic originating in "us-west/zone2/
".

  distribute:
     - from: us-west/zone1/*
       to:
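Review bot: the added lines split the quoted locality names across line boundaries: `+and "us-west/zone2/` is followed by `". This example specifies` on its own line, and the same split appears twice more in this paragraph (`+will be sent to endpoints in "us-west/zone1/` and the final `"us-west/zone2/`). The removed lines kept each name and its closing quote together. Please check the rendered HTML of the LocalityLoadBalancerSetting description to confirm the closing quote and punctuation are not separated from the locality by a line break or a stray inline element; if they are, the wrapping has to be fixed in the proto comment in the source repo, since this file is generated.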
@@ -1256,25 +1162,21 @@ 

LocalityLoadBalancerSetting

"us-west/zone1/*": 20 "us-west/zone2/*": 80
- -

If the goal of the operator is not to distribute load across zones and -regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a ‘failover’ policy instead of -a ‘distribute’ policy.

- -

The following example sets up a locality failover policy for regions. -Assume a service resides in zones within us-east, us-west & eu-west -this example specifies that when endpoints within us-east become unhealthy -traffic should failover to endpoints in any zone or sub-zone within eu-west +

If the goal of the operator is not to distribute load across zones and
+regions but rather to restrict the regionality of failover to meet other
+operational requirements an operator can set a 'failover' policy instead of
+a 'distribute' policy.

+

The following example sets up a locality failover policy for regions.
+Assume a service resides in zones within us-east, us-west & eu-west
+this example specifies that when endpoints within us-east become unhealthy
+traffic should failover to endpoints in any zone or sub-zone within eu-west
and similarly us-west should failover to us-east.

-
 failover:
    - from: us-east
      to: eu-west
    - from: us-west
      to: us-east
 
-

Locality load balancing settings.

mode TLSmode -

Indicates whether connections to this port should be secured +

Indicates whether connections to this port should be secured
using TLS. The value of this field determines how TLS is enforced.

clientCertificate string -

REQUIRED if mode is MUTUAL. The path to the file holding the -client-side TLS certificate to use. +

REQUIRED if mode is MUTUAL. The path to the file holding the
+client-side TLS certificate to use.
Should be empty if mode is ISTIO_MUTUAL.

privateKey string -

REQUIRED if mode is MUTUAL. The path to the file holding the -client’s private key. +

REQUIRED if mode is MUTUAL. The path to the file holding the
+client's private key.
Should be empty if mode is ISTIO_MUTUAL.

caCertificates string -

OPTIONAL: The path to the file containing certificate authority -certificates to use in verifying a presented server certificate. If -omitted, the proxy will not verify the server’s certificate. +

OPTIONAL: The path to the file containing certificate authority
+certificates to use in verifying a presented server certificate. If
+omitted, the proxy will not verify the server's certificate.
Should be empty if mode is ISTIO_MUTUAL.

credentialName string -

The name of the secret that holds the TLS certs for the -client including the CA certificates. Secret must exist in the -same namespace with the proxy using the certificates. -The secret (of type generic)should contain the -following keys and values: key: <privateKey>, -cert: <clientCert>, cacert: <CACertificate>. -Here CACertificate is used to verify the server certificate. -Secret of type tls for client certificates along with -ca.crt key for CA certificates is also supported. -Only one of client certificates and CA certificate +

The name of the secret that holds the TLS certs for the
+client including the CA certificates. Secret must exist in the
+same namespace with the proxy using the certificates.
+The secret (of type generic)should contain the
+following keys and values: key: <privateKey>,
+cert: <clientCert>, cacert: <CACertificate>.
+Here CACertificate is used to verify the server certificate.
+Secret of type tls for client certificates along with
+ca.crt key for CA certificates is also supported.
+Only one of client certificates and CA certificate
or credentialName can be specified.

- -

NOTE: This field is applicable at sidecars only if -DestinationRule has a workloadSelector specified. -Otherwise the field will be applicable only at gateways, and +

NOTE: This field is applicable at sidecars only if
+DestinationRule has a workloadSelector specified.
+Otherwise the field will be applicable only at gateways, and
sidecars will continue to use the certificate paths.

subjectAltNames string[] -

A list of alternate names to verify the subject identity in the -certificate. If specified, the proxy will verify that the server -certificate’s subject alt name matches one of the specified values. -If specified, this list overrides the value of subject_alt_names -from the ServiceEntry. If unspecified, automatic validation of upstream -presented certificate for new upstream connections will be done based on the -downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT +

A list of alternate names to verify the subject identity in the
+certificate. If specified, the proxy will verify that the server
+certificate's subject alt name matches one of the specified values.
+If specified, this list overrides the value of subject_alt_names
+from the ServiceEntry. If unspecified, automatic validation of upstream
+presented certificate for new upstream connections will be done based on the
+downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT
and ENABLE_AUTO_SNI environmental variables are set to true.

sni string -

SNI string to present to the server during TLS handshake. -If unspecified, SNI will be automatically set based on downstream HTTP -host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI +

SNI string to present to the server during TLS handshake.
+If unspecified, SNI will be automatically set based on downstream HTTP
+host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI
environmental variable is set to true.

insecureSkipVerify BoolValue -

InsecureSkipVerify specifies whether the proxy should skip verifying the -CA signature and SAN for the server certificate corresponding to the host. -This flag should only be set if global CA signature verifcation is -enabled, VerifyCertAtClient environmental variable is set to true, -but no verification is desired for a specific host. If enabled with or -without VerifyCertAtClient enabled, verification of the CA signature and +

InsecureSkipVerify specifies whether the proxy should skip verifying the
+CA signature and SAN for the server certificate corresponding to the host.
+This flag should only be set if global CA signature verifcation is
+enabled, VerifyCertAtClient environmental variable is set to true,
+but no verification is desired for a specific host. If enabled with or
+without VerifyCertAtClient enabled, verification of the CA signature and
SAN will be skipped.

- -

InsecureSkipVerify is false by default. -VerifyCertAtClient is false by default in Istio version 1.9 but will -be true by default in a later version where, going forward, it will be +

InsecureSkipVerify is false by default.
+VerifyCertAtClient is false by default in Istio version 1.9 but will
+be true by default in a later version where, going forward, it will be
enabled by default.
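Review bot: two typos in the ClientTLSSettings descriptions pass through the regeneration unchanged: `+The secret (of type generic)should contain the` is missing a space before `should`, and the insecureSkipVerify line `+This flag should only be set if global CA signature verifcation is` misspells 'verification'. Both need to be corrected in the proto comments in the source repo rather than in this generated file. On the security-relevant content, the caCertificates text still states that omitting the CA file means the proxy will not verify the server's certificate, and the insecureSkipVerify text still states that it is false by default, so the reflow has not altered either warning.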

@@ -1291,9 +1193,9 @@

LocalityLoadBalancerSetting

@@ -1305,9 +1207,9 @@

LocalityLoadBalancerSetting

@@ -1319,22 +1221,18 @@

LocalityLoadBalancerSetting

@@ -1372,7 +1266,7 @@

LocalityLoadBalancerSetting

@@ -1401,7 +1295,7 @@

TrafficPolicy.PortTrafficPolicy

@@ -1472,11 +1366,11 @@

TrafficPolicy.TunnelSettings

@@ -1488,7 +1382,7 @@

TrafficPolicy.TunnelSettings

@@ -1512,10 +1406,10 @@

TrafficPolicy.TunnelSettings

LoadBalancerSettings.ConsistentHashLB

-

Consistent Hash-based load balancing can be used to provide soft -session affinity based on HTTP headers, cookies or other -properties. The affinity to a particular destination host may be -lost when one or more hosts are added/removed from the destination +

Consistent Hash-based load balancing can be used to provide soft
+session affinity based on HTTP headers, cookies or other
+properties. The affinity to a particular destination host may be
+lost when one or more hosts are added/removed from the destination
service.

distribute Distribute[] -

Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing +

Optional: only one of distribute, failover or failoverPriority can be set.
+Explicitly specify loadbalancing weight across different zones and geographical locations.
+Refer to Locality weighted load balancing
If empty, the locality weight is set according to the endpoints number within it.

failover Failover[] -

Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. -Should be used together with OutlierDetection to detect unhealthy endpoints. +

Optional: only one of distribute, failover or failoverPriority can be set.
+Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
+Should be used together with OutlierDetection to detect unhealthy endpoints.
Note: if no OutlierDetection specified, this will not take effect.

failoverPriority string[] -

failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. -This is to support traffic failover across different groups of endpoints. +

failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
+This is to support traffic failover across different groups of endpoints.
Suppose there are total N labels specified:

-
  1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
  2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
  3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
  4. All the other endpoints have priority P(N) i.e. lowest priority.
-

Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

- -

It can be any label specified on both client and server workloads. +

It can be any label specified on both client and server workloads.
The following labels which have special semantic meaning are also supported:

-
  • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
  • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
  • @@ -1342,16 +1240,13 @@

    LocalityLoadBalancerSetting

  • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
  • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
-

The below topology config indicates the following priority levels:

-
failoverPriority:
 - "topology.istio.io/network"
 - "topology.kubernetes.io/region"
 - "topology.kubernetes.io/zone"
 - "topology.istio.io/subzone"
 
-
  1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
  2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
  3. @@ -1359,8 +1254,7 @@

    LocalityLoadBalancerSetting

  4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
  5. all the other endpoints have the same lowest priority.
- -

Optional: only one of distribute, failover or failoverPriority can be set. +

Optional: only one of distribute, failover or failoverPriority can be set.
And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

enabled BoolValue -

enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. +

enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.

port PortSelector -

Specifies the number of a port on the destination service +

Specifies the number of a port on the destination service
on which this policy is being applied.

protocol string -

Specifies which protocol to use for tunneling the downstream connection. -Supported protocols are: - CONNECT - uses HTTP CONNECT; - POST - uses HTTP POST. -CONNECT is used by default if not specified. +

Specifies which protocol to use for tunneling the downstream connection.
+Supported protocols are:
+CONNECT - uses HTTP CONNECT;
+POST - uses HTTP POST.
+CONNECT is used by default if not specified.
HTTP version for upstream requests is determined by the service protocol defined for the proxy.

targetHost string -

Specifies a host to which the downstream connection is tunneled. +

Specifies a host to which the downstream connection is tunneled.
Target host must be an FQDN or IP address.
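Review bot: the TunnelSettings.protocol description changes shape: the removed line `-Supported protocols are: - CONNECT - uses HTTP CONNECT; - POST - uses HTTP POST.` carried literal list markers, while the added lines `+CONNECT - uses HTTP CONNECT;` and `+POST - uses HTTP POST.` carry none. The diff alone cannot show whether Goldmark turned these into a proper list or flattened them into consecutive text lines that will render as one run-on sentence; please confirm in the rendered HTML and, if they are flattened, add a blank line before the items in the proto comment so the list is recognized.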

@@ -1554,7 +1448,7 @@

LoadBalancerSettings.ConsistentHa

@@ -1625,10 +1519,10 @@

LoadBalancerSettings.Con

@@ -1655,8 +1549,8 @@

LoadBalancerSettings.Consi

@@ -1669,8 +1563,8 @@

LoadBalancerSettings.Consi

LoadBalancerSettings.ConsistentHashLB.HTTPCookie

-

Describes a HTTP cookie that will be used as the hash key for the -Consistent Hash load balancer. If the cookie is not present, it will +

Describes a HTTP cookie that will be used as the hash key for the
+Consistent Hash load balancer. If the cookie is not present, it will
be generated.

useSourceIp bool (oneof) -

Hash based on the source IP address. +

Hash based on the source IP address.
This is applicable for both TCP and HTTP connections.

minimumRingSize uint64 -

The minimum number of virtual nodes to use for the hash -ring. Defaults to 1024. Larger ring sizes result in more granular -load distributions. If the number of hosts in the load balancing -pool is larger than the ring size, each host will be assigned a +

The minimum number of virtual nodes to use for the hash
+ring. Defaults to 1024. Larger ring sizes result in more granular
+load distributions. If the number of hosts in the load balancing
+pool is larger than the ring size, each host will be assigned a
single virtual node.

tableSize uint64 -

The table size for Maglev hashing. This helps in controlling the -disruption when the backend hosts change. +

The table size for Maglev hashing. This helps in controlling the
+disruption when the backend hosts change.
Increasing the table size reduces the amount of disruption.

@@ -1748,7 +1642,7 @@

ConnectionPoolSettings.TCPSettingsconnectTimeout

@@ -1771,8 +1665,8 @@

ConnectionPoolSettings.TCPSettingsmaxConnectionDuration

@@ -1801,10 +1695,10 @@

ConnectionPoolSettings.HTTPSettings

@@ -1816,7 +1710,7 @@

ConnectionPoolSettings.HTTPSettings

@@ -1828,8 +1722,8 @@

ConnectionPoolSettings.HTTPSettings

@@ -1841,7 +1735,7 @@

ConnectionPoolSettings.HTTPSettings

@@ -1853,12 +1747,12 @@

ConnectionPoolSettings.HTTPSettings

@@ -1881,8 +1775,8 @@

ConnectionPoolSettings.HTTPSettings

@@ -1911,8 +1805,8 @@

ConnectionPoolSettings.

@@ -1924,8 +1818,8 @@

ConnectionPoolSettings.

@@ -1937,8 +1831,8 @@

ConnectionPoolSettings.

@@ -1951,15 +1845,12 @@

ConnectionPoolSettings.

LocalityLoadBalancerSetting.Distribute

-

Describes how traffic originating in the ‘from’ zone or sub-zone is -distributed over a set of ‘to’ zones. Syntax for specifying a zone is -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any +

Describes how traffic originating in the 'from' zone or sub-zone is
+distributed over a set of 'to' zones. Syntax for specifying a zone is
+{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
segment of the specification. Examples:

-

* - matches all localities

-

us-west/* - all zones and sub-zones within the us-west region

-

us-west/zone-1/* - all sub-zones within us-west/zone-1

Duration -

TCP connection timeout. format: +

TCP connection timeout. format:
1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

Duration -

The maximum duration of a connection. The duration is defined as the period since a connection -was established. If not set, there is no max duration. When max_connection_duration +

The maximum duration of a connection. The duration is defined as the period since a connection
+was established. If not set, there is no max duration. When max_connection_duration
is reached the connection will be closed. Duration must be at least 1ms.

http1MaxPendingRequests int32 -

Maximum number of requests that will be queued while waiting for -a ready connection pool connection. Default 1024. -Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking -under which conditions a new connection is created for HTTP2. +

Maximum number of requests that will be queued while waiting for
+a ready connection pool connection. Default 1024.
+Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking
+under which conditions a new connection is created for HTTP2.
Please note that this is applicable to both HTTP/1.1 and HTTP2.

http2MaxRequests int32 -

Maximum number of active requests to a destination. Default 1024. +

Maximum number of active requests to a destination. Default 1024.
Please note that this is applicable to both HTTP/1.1 and HTTP2.

maxRequestsPerConnection int32 -

Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning “unlimited”, +

Maximum number of requests per connection to a backend. Setting this
+parameter to 1 disables keep alive. Default 0, meaning "unlimited",
up to 2^29.

maxRetries int32 -

Maximum number of retries that can be outstanding to all hosts in a +

Maximum number of retries that can be outstanding to all hosts in a
cluster at a given time. Defaults to 2^32-1.

idleTimeout Duration -

The idle timeout for upstream connection pool connections. The idle timeout -is defined as the period in which there are no active requests. -If not set, the default is 1 hour. When the idle timeout is reached, -the connection will be closed. If the connection is an HTTP/2 -connection a drain sequence will occur prior to closing the connection. -Note that request based timeouts mean that HTTP/2 PINGs will not +

The idle timeout for upstream connection pool connections. The idle timeout
+is defined as the period in which there are no active requests.
+If not set, the default is 1 hour. When the idle timeout is reached,
+the connection will be closed. If the connection is an HTTP/2
+connection a drain sequence will occur prior to closing the connection.
+Note that request based timeouts mean that HTTP/2 PINGs will not
keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

useClientProtocol bool -

If set to true, client protocol will be preserved while initiating connection to backend. -Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client +

If set to true, client protocol will be preserved while initiating connection to backend.
+Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client
connections will not be upgraded to http2.

probes uint32 -

Maximum number of keepalive probes to send without response before -deciding the connection is dead. Default is to use the OS level configuration +

Maximum number of keepalive probes to send without response before
+deciding the connection is dead. Default is to use the OS level configuration
(unless overridden, Linux defaults to 9.)

time Duration -

The time duration a connection needs to be idle before keep-alive -probes start being sent. Default is to use the OS level configuration +

The time duration a connection needs to be idle before keep-alive
+probes start being sent. Default is to use the OS level configuration
(unless overridden, Linux defaults to 7200s (ie 2 hours.)

interval Duration -

The time duration between keep-alive probes. -Default is to use the OS level configuration +

The time duration between keep-alive probes.
+Default is to use the OS level configuration
(unless overridden, Linux defaults to 75s.)
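Review bot: the http1MaxPendingRequests description contains the bare URL `+Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking` on its own line. Goldmark does not autolink bare URLs unless its Linkify extension is enabled, so please verify that the regenerated page still renders this as a clickable link rather than plain text. The same check applies to the `+Locality Weight` and `+Refer to Locality weighted load balancing` references earlier in this file, where the diff shows only the link text and not whether an anchor survived.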

@@ -1976,7 +1867,7 @@

LocalityLoadBalancerSetting.Dist

@@ -2001,12 +1892,12 @@

LocalityLoadBalancerSetting.Dist

LocalityLoadBalancerSetting.Failover

-

Specify the traffic failover policy across regions. Since zone and sub-zone -failover is supported by default this only needs to be specified for -regions when the operator needs to constrain traffic failover so that -the default behavior of failing over to any endpoint globally does not -apply. This is useful when failing over traffic across regions would not -improve service health or may need to be restricted for other reasons +

Specify the traffic failover policy across regions. Since zone and sub-zone
+failover is supported by default this only needs to be specified for
+regions when the operator needs to constrain traffic failover so that
+the default behavior of failing over to any endpoint globally does not
+apply. This is useful when failing over traffic across regions would not
+improve service health or may need to be restricted for other reasons
like regulatory controls.

from string -

Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

+

Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.

@@ -1987,8 +1878,8 @@

LocalityLoadBalancerSetting.Dist

to map<string, uint32> -

Map of upstream localities to traffic distribution weights. The sum of -all weights should be 100. Any locality not present will +

Map of upstream localities to traffic distribution weights. The sum of
+all weights should be 100. Any locality not present will
receive no traffic.

@@ -2034,8 +1925,8 @@

LocalityLoadBalancerSetting.Failov

to string -

Destination region the traffic will fail over to when endpoints in -the ‘from’ region becomes unhealthy.

+

Destination region the traffic will fail over to when endpoints in
+the 'from' region becomes unhealthy.

@@ -2048,7 +1939,6 @@

LocalityLoadBalancerSetting.Failov

google.protobuf.UInt32Value

Wrapper message for uint32.

-

The JSON representation for UInt32Value is JSON number.

@@ -2090,7 +1980,7 @@

LoadBalancerSettings.SimpleLB

@@ -2098,8 +1988,8 @@

LoadBalancerSettings.SimpleLB

@@ -2107,10 +1997,10 @@

LoadBalancerSettings.SimpleLB

@@ -2118,9 +2008,9 @@

LoadBalancerSettings.SimpleLB

@@ -2128,9 +2018,9 @@

LoadBalancerSettings.SimpleLB

@@ -2167,7 +2057,7 @@

ConnectionPoolSetti

@@ -2175,7 +2065,7 @@

ConnectionPoolSetti

@@ -2212,7 +2102,7 @@

ClientTLSSettings.TLSmode

@@ -2220,10 +2110,10 @@

ClientTLSSettings.TLSmode

diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html index d3233aa08a7be..f086692c8a8d4 100644 --- a/content/en/docs/reference/config/networking/envoy-filter/index.html +++ b/content/en/docs/reference/config/networking/envoy-filter/index.html @@ -1,54 +1,49 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Envoy Filter description: Customizing Envoy configuration generated by Istio. location: https://istio.io/docs/reference/config/networking/envoy-filter.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.EnvoyFilter aliases: [/docs/reference/config/networking/v1alpha3/envoy-filter] number_of_entries: 18 --- -

EnvoyFilter provides a mechanism to customize the Envoy -configuration generated by Istio Pilot. Use EnvoyFilter to modify -values for certain fields, add specific filters, or even add -entirely new listeners, clusters, etc. This feature must be used -with care, as incorrect configurations could potentially -destabilize the entire mesh. Unlike other Istio networking objects, -EnvoyFilters are additively applied. Any number of EnvoyFilters can -exist for a given workload in a specific namespace. The order of -application of these EnvoyFilters is as follows: all EnvoyFilters -in the config root -namespace, -followed by all matching EnvoyFilters in the workload’s namespace.

- -

NOTE 1: Some aspects of this API are deeply tied to the internal -implementation in Istio networking subsystem as well as Envoy’s XDS -API. While the EnvoyFilter API by itself will maintain backward -compatibility, any envoy configuration provided through this -mechanism should be carefully monitored across Istio proxy version -upgrades, to ensure that deprecated fields are removed and replaced +

EnvoyFilter provides a mechanism to customize the Envoy
+configuration generated by Istio Pilot. Use EnvoyFilter to modify
+values for certain fields, add specific filters, or even add
+entirely new listeners, clusters, etc. This feature must be used
+with care, as incorrect configurations could potentially
+destabilize the entire mesh. Unlike other Istio networking objects,
+EnvoyFilters are additively applied. Any number of EnvoyFilters can
+exist for a given workload in a specific namespace. The order of
+application of these EnvoyFilters is as follows: all EnvoyFilters
+in the config root
+namespace
,
+followed by all matching EnvoyFilters in the workload's namespace.

+

NOTE 1: Some aspects of this API are deeply tied to the internal
+implementation in Istio networking subsystem as well as Envoy's XDS
+API. While the EnvoyFilter API by itself will maintain backward
+compatibility, any envoy configuration provided through this
+mechanism should be carefully monitored across Istio proxy version
+upgrades, to ensure that deprecated fields are removed and replaced
appropriately.

- -

NOTE 2: When multiple EnvoyFilters are bound to the same -workload in a given namespace, all patches will be processed -sequentially in order of creation time. The behavior is undefined +

NOTE 2: When multiple EnvoyFilters are bound to the same
+workload in a given namespace, all patches will be processed
+sequentially in order of creation time. The behavior is undefined
if multiple EnvoyFilter configurations conflict with each other.

- -

NOTE 3: To apply an EnvoyFilter resource to all workloads -(sidecars and gateways) in the system, define the resource in the -config root -namespace, +

NOTE 3: To apply an EnvoyFilter resource to all workloads
+(sidecars and gateways) in the system, define the resource in the
+config root
+namespace
,
without a workloadSelector.

- -

The example below declares a global default EnvoyFilter resource in -the root namespace called istio-config, that adds a custom -protocol filter on all sidecars in the system, for outbound port -9307. The filter should be added before the terminating tcp_proxy -filter to take effect. In addition, it sets a 30s idle timeout for +

The example below declares a global default EnvoyFilter resource in
+the root namespace called istio-config, that adds a custom
+protocol filter on all sidecars in the system, for outbound port
+9307. The filter should be added before the terminating tcp_proxy
+filter to take effect. In addition, it sets a 30s idle timeout for
all HTTP connections in both gateways and sidecars.

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
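Review bot: the front-matter hunk at the top of this file changes `source_repo: https://github.com/istio/api` to `https://github.com/ericvn/api` and `layout: protoc-gen-docs` to `layout: partner-component`. Both look like artifacts of generating against a personal fork for this test and must be reverted to the istio/api repository and the protoc-gen-docs layout before merge; otherwise the 'do not edit' banner will direct contributors to the wrong repository and the page will be rendered with a different layout template. Separately, the added lines split `+in the config root` / `+namespace` / `,` onto three lines; confirm the rendered anchor and its trailing comma still appear inline.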
@@ -88,14 +83,12 @@
           common_http_protocol_options:
             idle_timeout: 30s
 
- -

The following example enables Envoy’s Lua filter for all inbound -HTTP calls arriving at service port 8080 of the reviews service pod -with labels “app: reviews”, in the bookinfo namespace. The lua -filter calls out to an external service internal.org.net:8888 that -requires a special cluster definition in envoy. The cluster is also +

The following example enables Envoy's Lua filter for all inbound
+HTTP calls arriving at service port 8080 of the reviews service pod
+with labels "app: reviews", in the bookinfo namespace. The lua
+filter calls out to an external service internal.org.net:8888 that
+requires a special cluster definition in envoy. The cluster is also
added to the sidecar as part of this configuration.

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -159,12 +152,10 @@
                     address: "internal.org.net"
                     port_value: 8888
 
- -

The following example overwrites certain fields (HTTP idle timeout -and X-Forward-For trusted hops) in the HTTP connection manager in a -listener on the ingress gateway in istio-system namespace for the +

The following example overwrites certain fields (HTTP idle timeout
+and X-Forward-For trusted hops) in the HTTP connection manager in a
+listener on the ingress gateway in istio-system namespace for the
SNI host app.example.com:

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -192,11 +183,9 @@
           common_http_protocol_options:
             idle_timeout: 30s
 
- -

The following example inserts an attributegen filter -that produces istio_operationId attribute which is consumed +

The following example inserts an attributegen filter
+that produces istio_operationId attribute which is consumed
by the istio.stats filter. filterClass: STATS encodes this dependency.

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -237,9 +226,7 @@
                code:
                  local: { inline_string: "envoy.wasm.attributegen" }
 
-

The following example inserts an http ext_authz filter in the myns namespace.

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -264,12 +251,10 @@
             - key: foo
               value: myauth.acme # required by local ext auth server.
 
- -

A workload in the myns namespace needs to access a different ext_auth server -that does not accept initial metadata. Since proto merge cannot remove fields, the -following configuration uses the REPLACE operation. If you do not need to inherit +

A workload in the myns namespace needs to access a different ext_auth server
+that does not accept initial metadata. Since proto merge cannot remove fields, the
+following configuration uses the REPLACE operation. If you do not need to inherit
fields, REPLACE is preferred over MERGE.

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -293,9 +278,7 @@
             envoy_grpc:
               cluster_name: acme-ext-authz-alt
 
-

The following example deploys a Wasm extension for all inbound sidecar HTTP requests.

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -348,12 +331,10 @@
             ads: {}
           type_urls: ["type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm"]
 
- -

The following example adds a Wasm service extension for all proxies using a locally available Wasm file. -The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters. -For example, a local rate limit extension would rely on a singleton to limit requests across all workers. +

The following example adds a Wasm service extension for all proxies using a locally available Wasm file.
+The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters.
+For example, a local rate limit extension would rely on a singleton to limit requests across all workers.
As another example, an authorization Wasm extension can use a singleton to maintain a database of accounts.

-
apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
@@ -385,7 +366,7 @@
 
 

EnvoyFilter

-

EnvoyFilter provides a mechanism to customize the Envoy configuration +

EnvoyFilter provides a mechanism to customize the Envoy configuration
generated by Istio Pilot.

UNSPECIFIED -

No load balancing algorithm has been specified by the user. Istio +

No load balancing algorithm has been specified by the user. Istio
will select an appropriate default.

RANDOM -

The random load balancer selects a random healthy host. The random -load balancer generally performs better than round robin if no health +

The random load balancer selects a random healthy host. The random
+load balancer generally performs better than round robin if no health
checking policy is configured.

PASSTHROUGH -

This option will forward the connection to the original IP address -requested by the caller without doing any form of load -balancing. This option must be used with care. It is meant for -advanced use cases. Refer to Original Destination load balancer in +

This option will forward the connection to the original IP address
+requested by the caller without doing any form of load
+balancing. This option must be used with care. It is meant for
+advanced use cases. Refer to Original Destination load balancer in
Envoy for further details.

ROUND_ROBIN -

A basic round robin load balancing policy. This is generally unsafe -for many scenarios (e.g. when enpoint weighting is used) as it can -overburden endpoints. In general, prefer to use LEAST_REQUEST as a +

A basic round robin load balancing policy. This is generally unsafe
+for many scenarios (e.g. when enpoint weighting is used) as it can
+overburden endpoints. In general, prefer to use LEAST_REQUEST as a
drop-in replacement for ROUND_ROBIN.

LEAST_REQUEST -

The least request load balancer spreads load across endpoints, favoring -endpoints with the least outstanding requests. This is generally safer -and outperforms ROUND_ROBIN in nearly all cases. Prefer to use +

The least request load balancer spreads load across endpoints, favoring
+endpoints with the least outstanding requests. This is generally safer
+and outperforms ROUND_ROBIN in nearly all cases. Prefer to use
LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

DO_NOT_UPGRADE -

Do not upgrade the connection to http2. +

Do not upgrade the connection to http2.
This opt-out option overrides the default.

UPGRADE -

Upgrade the connection to http2. +

Upgrade the connection to http2.
This opt-in option overrides the default.

MUTUAL -

Secure connections to the upstream using mutual TLS by presenting +

Secure connections to the upstream using mutual TLS by presenting
client certificates for authentication.

ISTIO_MUTUAL -

Secure connections to the upstream using mutual TLS by presenting -client certificates for authentication. -Compared to Mutual mode, this mode uses certificates generated -automatically by Istio for mTLS authentication. When this mode is +

Secure connections to the upstream using mutual TLS by presenting
+client certificates for authentication.
+Compared to Mutual mode, this mode uses certificates generated
+automatically by Istio for mTLS authentication. When this mode is
used, all other fields in ClientTLSSettings should be empty.

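Review bot: the rewrapped ROUND_ROBIN description in this hunk still carries the typo "enpoint" on the added line "+for many scenarios (e.g. when enpoint weighting is used) as it can"; since this file is generated output, the fix belongs in the upstream proto comment in the API repo rather than in this HTML, otherwise the next regeneration reintroduces it.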
@@ -402,13 +383,13 @@

EnvoyFilter

@@ -431,21 +412,18 @@

EnvoyFilter

@@ -474,13 +452,13 @@

EnvoyFilter.ProxyMatch

@@ -492,11 +470,11 @@

EnvoyFilter.ProxyMatch

@@ -509,7 +487,7 @@

EnvoyFilter.ProxyMatch

EnvoyFilter.ClusterMatch

-

Conditions specified in ClusterMatch must be met for the patch +

Conditions specified in ClusterMatch must be met for the patch
to be applied to a cluster.

workloadSelector WorkloadSelector -

Criteria used to select the specific set of pods/VMs on which -this patch configuration should be applied. If omitted, the set -of patches in this configuration will be applied to all workload -instances in the same namespace. If omitted, the EnvoyFilter -patches will be applied to all workloads in the same -namespace. If the EnvoyFilter is present in the config root -namespace, it will be applied to all applicable workloads in any +

Criteria used to select the specific set of pods/VMs on which
+this patch configuration should be applied. If omitted, the set
+of patches in this configuration will be applied to all workload
+instances in the same namespace. If omitted, the EnvoyFilter
+patches will be applied to all workloads in the same
+namespace. If the EnvoyFilter is present in the config root
+namespace, it will be applied to all applicable workloads in any
namespace.

priority int32 -

Priority defines the order in which patch sets are applied within a context. -When one patch depends on another patch, the order of patch application -is significant. The API provides two primary ways to order patches. -Patch sets in the root namespace are applied before the patch sets in the -workload namespace. Patches within a patch set are processed in the order +

Priority defines the order in which patch sets are applied within a context.
+When one patch depends on another patch, the order of patch application
+is significant. The API provides two primary ways to order patches.
+Patch sets in the root namespace are applied before the patch sets in the
+workload namespace. Patches within a patch set are processed in the order
that they appear in the configPatches list.

- -

The default value for priority is 0 and the range is [ min-int32, max-int32 ]. -A patch set with a negative priority is processed before the default. A patch +

The default value for priority is 0 and the range is [ min-int32, max-int32 ].
+A patch set with a negative priority is processed before the default. A patch
set with a positive priority is processed after the default.

- -

It is recommended to start with priority values that are multiples of 10 +

It is recommended to start with priority values that are multiples of 10
to leave room for further insertion.

- -

Patch sets are sorted in the following ascending key order: +

Patch sets are sorted in the following ascending key order:
priority, creation time, fully qualified resource name.

proxyVersion string -

A regular expression in golang regex format (RE2) that can be -used to select proxies using a specific version of istio -proxy. The Istio version for a given proxy is obtained from the -node metadata field ISTIO_VERSION supplied by the proxy when -connecting to Pilot. This value is embedded as an environment -variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker -image. Custom proxy implementations should provide this metadata +

A regular expression in golang regex format (RE2) that can be
+used to select proxies using a specific version of istio
+proxy. The Istio version for a given proxy is obtained from the
+node metadata field ISTIO_VERSION supplied by the proxy when
+connecting to Pilot. This value is embedded as an environment
+variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker
+image. Custom proxy implementations should provide this metadata
variable to take advantage of the Istio version check option.

metadata map<string, string> -

Match on the node metadata supplied by a proxy when connecting -to Istio Pilot. Note that while Envoy’s node metadata is of -type Struct, only string key-value pairs are processed by -Pilot. All keys specified in the metadata must match with exact -values. The match will fail if any of the specified keys are +

Match on the node metadata supplied by a proxy when connecting
+to Istio Pilot. Note that while Envoy's node metadata is of
+type Struct, only string key-value pairs are processed by
+Pilot. All keys specified in the metadata must match with exact
+values. The match will fail if any of the specified keys are
absent or the values fail to match.

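Review bot: the workloadSelector description in this hunk states the omitted-selector behaviour twice in consecutive sentences ("+of patches in this configuration will be applied to all workload" / "+instances in the same namespace. If omitted, the EnvoyFilter" / "+patches will be applied to all workloads in the same"); the regenerated output preserves the duplicate, so one of the two sentences should be dropped in the upstream source comment before regenerating.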
@@ -526,8 +504,8 @@

EnvoyFilter.ClusterMatch

@@ -539,10 +517,10 @@

EnvoyFilter.ClusterMatch

@@ -554,7 +532,7 @@

EnvoyFilter.ClusterMatch

@@ -566,9 +544,9 @@

EnvoyFilter.ClusterMatch

@@ -581,8 +559,8 @@

EnvoyFilter.ClusterMatch

EnvoyFilter.RouteConfigurationMatch

-

Conditions specified in RouteConfigurationMatch must be met for -the patch to be applied to a route configuration object or a +

Conditions specified in RouteConfigurationMatch must be met for
+the patch to be applied to a route configuration object or a
specific virtual host within the route configuration.

portNumber uint32 -

The service port for which this cluster was generated. If -omitted, applies to clusters for any port. +

The service port for which this cluster was generated. If
+omitted, applies to clusters for any port.
Note: for inbound cluster, it is the service target port.

service string -

The fully qualified service name for this cluster. If omitted, -applies to clusters for any service. For services defined -through service entries, the service name is same as the hosts -defined in the service entry. +

The fully qualified service name for this cluster. If omitted,
+applies to clusters for any service. For services defined
+through service entries, the service name is same as the hosts
+defined in the service entry.
Note: for inbound cluster, this is ignored.

subset string -

The subset associated with the service. If omitted, applies to +

The subset associated with the service. If omitted, applies to
clusters for any subset of a service.

name string -

The exact name of the cluster to match. To match a specific -cluster by name, such as the internally generated Passthrough -cluster, leave all fields in clusterMatch empty, except the +

The exact name of the cluster to match. To match a specific
+cluster by name, such as the internally generated Passthrough
+cluster, leave all fields in clusterMatch empty, except the
name.

@@ -599,8 +577,8 @@

EnvoyFilter.RouteConfigurationMatch

@@ -612,7 +590,7 @@

EnvoyFilter.RouteConfigurationMatch

@@ -624,11 +602,11 @@

EnvoyFilter.RouteConfigurationMatch

@@ -640,7 +618,7 @@

EnvoyFilter.RouteConfigurationMatch

@@ -652,8 +630,8 @@

EnvoyFilter.RouteConfigurationMatch

@@ -666,8 +644,8 @@

EnvoyFilter.RouteConfigurationMatch

EnvoyFilter.ListenerMatch

-

Conditions specified in a listener match must be met for the -patch to be applied to a specific listener across all filter +

Conditions specified in a listener match must be met for the
+patch to be applied to a specific listener across all filter
chains, or a specific filter chain inside the listener.

portNumber uint32 -

The service port number or gateway server port number for which -this route configuration was generated. If omitted, applies to +

The service port number or gateway server port number for which
+this route configuration was generated. If omitted, applies to
route configurations for all ports.

portName string -

Applicable only for GATEWAY context. The gateway server port +

Applicable only for GATEWAY context. The gateway server port
name for which this route configuration was generated.

gateway string -

The Istio gateway config’s namespace/name for which this route -configuration was generated. Applies only if the context is -GATEWAY. Should be in the namespace/name format. Use this field -in conjunction with the portNumber and portName to accurately -select the Envoy route configuration for a specific HTTPS +

The Istio gateway config's namespace/name for which this route
+configuration was generated. Applies only if the context is
+GATEWAY. Should be in the namespace/name format. Use this field
+in conjunction with the portNumber and portName to accurately
+select the Envoy route configuration for a specific HTTPS
server within a gateway config object.

vhost VirtualHostMatch -

Match a specific virtual host in a route configuration and +

Match a specific virtual host in a route configuration and
apply the patch to the virtual host.

name string -

Route configuration name to match on. Can be used to match a -specific route configuration by name, such as the internally +

Route configuration name to match on. Can be used to match a
+specific route configuration by name, such as the internally
generated http_proxy route configuration for all sidecars.

@@ -684,9 +662,9 @@

EnvoyFilter.ListenerMatch

@@ -698,9 +676,9 @@

EnvoyFilter.ListenerMatch

@@ -712,7 +690,7 @@

EnvoyFilter.ListenerMatch

@@ -752,7 +730,7 @@

EnvoyFilter.Patch

@@ -776,7 +754,7 @@

EnvoyFilter.Patch

EnvoyFilter.EnvoyConfigObjectMatch

-

One or more match conditions to be met before a patch is applied +

One or more match conditions to be met before a patch is applied
to the generated configuration for a given proxy.

portNumber uint32 -

The service port/gateway port to which traffic is being -sent/received. If not specified, matches all listeners. Even though -inbound listeners are generated for the instance/pod ports, only +

The service port/gateway port to which traffic is being
+sent/received. If not specified, matches all listeners. Even though
+inbound listeners are generated for the instance/pod ports, only
service ports should be used to match listeners.

filterChain FilterChainMatch -

Match a specific filter chain in a listener. If specified, the -patch will be applied to the filter chain (and a specific -filter if specified) and not to other filter chains in the +

Match a specific filter chain in a listener. If specified, the
+patch will be applied to the filter chain (and a specific
+filter if specified) and not to other filter chains in the
listener.

name string -

Match a specific listener by its name. The listeners generated +

Match a specific listener by its name. The listeners generated
by Pilot are typically named as IP:Port.

value Struct -

The JSON config of the object being patched. This will be merged using +

The JSON config of the object being patched. This will be merged using
proto merge semantics with the existing proto in the path.

@@ -793,8 +771,8 @@

EnvoyFilter.EnvoyConfigObjectMatchcontext

@@ -867,14 +845,14 @@

EnvoyFilter.EnvoyConfigObjectPatchapplyTo

@@ -925,9 +903,9 @@

EnvoyFilter.RouteConfigu

@@ -967,9 +945,9 @@

EnvoyFilter.RouteC

@@ -993,9 +971,9 @@

EnvoyFilter.RouteC

EnvoyFilter.ListenerMatch.FilterChainMatch

-

For listeners with multiple filter chains (e.g., inbound -listeners on sidecars with permissive mTLS, gateway listeners -with multiple SNI matches), the filter chain match can be used +

For listeners with multiple filter chains (e.g., inbound
+listeners on sidecars with permissive mTLS, gateway listeners
+with multiple SNI matches), the filter chain match can be used
to select a specific filter chain to patch.

PatchContext -

The specific config generation context to match on. Istio Pilot -generates envoy configuration in the context of a gateway, +

The specific config generation context to match on. Istio Pilot
+generates envoy configuration in the context of a gateway,
inbound traffic to sidecar and outbound traffic from sidecar.

ApplyTo -

Specifies where in the Envoy configuration, the patch should be -applied. The match is expected to select the appropriate -object based on applyTo. For example, an applyTo with -HTTP_FILTER is expected to have a match condition on the -listeners, with a network filter selection on -envoy.filters.network.http_connection_manager and a sub filter selection on the -HTTP filter relative to which the insertion should be -performed. Similarly, an applyTo on CLUSTER should have a match +

Specifies where in the Envoy configuration, the patch should be
+applied. The match is expected to select the appropriate
+object based on applyTo. For example, an applyTo with
+HTTP_FILTER is expected to have a match condition on the
+listeners, with a network filter selection on
+envoy.filters.network.http_connection_manager and a sub filter selection on the
+HTTP filter relative to which the insertion should be
+performed. Similarly, an applyTo on CLUSTER should have a match
(if provided) on the cluster and not on a listener.

name string -

The Route objects generated by default are named as -default. Route objects generated using a virtual service -will carry the name used in the virtual service’s HTTP +

The Route objects generated by default are named as
+default. Route objects generated using a virtual service
+will carry the name used in the virtual service's HTTP
routes.

name string -

The VirtualHosts objects generated by Istio are named as -host:port, where the host typically corresponds to the -VirtualService’s host field or the hostname of a service in the +

The VirtualHosts objects generated by Istio are named as
+host:port, where the host typically corresponds to the
+VirtualService's host field or the hostname of a service in the
registry.

@@ -1023,8 +1001,8 @@

EnvoyFilter.ListenerMatch.Fi

@@ -1036,14 +1014,12 @@

EnvoyFilter.ListenerMatch.Fi

@@ -1075,8 +1050,8 @@

EnvoyFilter.ListenerMatch.Fi

@@ -1088,7 +1063,7 @@

EnvoyFilter.ListenerMatch.Fi

@@ -1117,8 +1092,8 @@

EnvoyFilter.ListenerMatch.FilterM

@@ -1130,8 +1105,8 @@

EnvoyFilter.ListenerMatch.FilterM

@@ -1144,9 +1119,9 @@

EnvoyFilter.ListenerMatch.FilterM

EnvoyFilter.ListenerMatch.SubFilterMatch

-

Conditions to match a specific filter within another -filter. This field is typically useful to match a HTTP filter -inside the envoy.filters.network.http_connection_manager network filter. +

Conditions to match a specific filter within another
+filter. This field is typically useful to match a HTTP filter
+inside the envoy.filters.network.http_connection_manager network filter.
This could also be applicable for thrift filters.

sni string -

The SNI value used by a filter chain’s match condition. This -condition will evaluate to false if the filter chain has no +

The SNI value used by a filter chain's match condition. This
+condition will evaluate to false if the filter chain has no
sni match.

transportProtocol string -

Applies only to SIDECAR_INBOUND context. If non-empty, a -transport protocol to consider when determining a filter -chain match. This value will be compared against the -transport protocol of a new connection, when it’s detected by +

Applies only to SIDECAR_INBOUND context. If non-empty, a
+transport protocol to consider when determining a filter
+chain match. This value will be compared against the
+transport protocol of a new connection, when it's detected by
the tls_inspector listener filter.

-

Accepted values include:

-
  • raw_buffer - default, used when no transport protocol is detected.
  • tls - set when TLS protocol is detected by the TLS inspector.
  • @@ -1058,12 +1034,11 @@

    EnvoyFilter.ListenerMatch.Fi

applicationProtocols string -

Applies only to sidecars. If non-empty, a comma separated set -of application protocols to consider when determining a -filter chain match. This value will be compared against the -application protocols of a new connection, when it’s detected +

Applies only to sidecars. If non-empty, a comma separated set
+of application protocols to consider when determining a
+filter chain match. This value will be compared against the
+application protocols of a new connection, when it's detected
by one of the listener filters such as the http_inspector.

-

Accepted values include: h2, http/1.1, http/1.0

filter FilterMatch -

The name of a specific filter to apply the patch to. Set this -to envoy.filters.network.http_connection_manager to add a filter or apply a +

The name of a specific filter to apply the patch to. Set this
+to envoy.filters.network.http_connection_manager to add a filter or apply a
patch to the HTTP connection manager.

destinationPort uint32 -

The destination_port value used by a filter chain’s match condition. +

The destination_port value used by a filter chain's match condition.
This condition will evaluate to false if the filter chain has no destination_port match.

name string -

The filter name to match on. -For standard Envoy filters, canonical filter +

The filter name to match on.
+For standard Envoy filters, canonical filter
names should be used.

subFilter SubFilterMatch -

The next level filter within this filter to match -upon. Typically used for HTTP Connection Manager filters and +

The next level filter within this filter to match
+upon. Typically used for HTTP Connection Manager filters and
Thrift filters.

@@ -1218,7 +1193,7 @@

EnvoyFilter.Route

EnvoyFilter.Patch.Operation

-

Operation denotes how the patch should be applied to the selected +

Operation denotes how the patch should be applied to the selected
configuration.

@@ -1237,8 +1212,8 @@

EnvoyFilter.Patch.Operation

@@ -1246,9 +1221,9 @@

EnvoyFilter.Patch.Operation

@@ -1256,10 +1231,10 @@

EnvoyFilter.Patch.Operation

@@ -1267,14 +1242,14 @@

EnvoyFilter.Patch.Operation

@@ -1282,14 +1257,14 @@

EnvoyFilter.Patch.Operation

@@ -1297,14 +1272,14 @@

EnvoyFilter.Patch.Operation

@@ -1312,9 +1287,9 @@

EnvoyFilter.Patch.Operation

@@ -1324,14 +1299,14 @@

EnvoyFilter.Patch.Operation

EnvoyFilter.Patch.FilterClass

-

FilterClass determines the filter insertion point in the filter chain -relative to the filters implicitly inserted by the control plane. -It is used in conjuction with the ADD operation. -This is the preferred insertion mechanism for adding filters over -the INSERT_* operations since those operations rely on potentially unstable -filter names. -Filter ordering is important if your filter depends on or affects the -functioning of a another filter in the filter chain. +

FilterClass determines the filter insertion point in the filter chain
+relative to the filters implicitly inserted by the control plane.
+It is used in conjuction with the ADD operation.
+This is the preferred insertion mechanism for adding filters over
+the INSERT_* operations since those operations rely on potentially unstable
+filter names.
+Filter ordering is important if your filter depends on or affects the
+functioning of a another filter in the filter chain.
Within a filter class, filters are inserted in the order of processing.

MERGE -

Merge the provided config with the generated config using -proto merge semantics. If you are specifying config in its +

Merge the provided config with the generated config using
+proto merge semantics. If you are specifying config in its
entirety, use REPLACE instead.

ADD -

Add the provided config to an existing list (of listeners, -clusters, virtual hosts, network filters, or http -filters). This operation will be ignored when applyTo is set +

Add the provided config to an existing list (of listeners,
+clusters, virtual hosts, network filters, or http
+filters). This operation will be ignored when applyTo is set
to ROUTE_CONFIGURATION, or HTTP_ROUTE.

REMOVE -

Remove the selected object from the list (of listeners, -clusters, virtual hosts, network filters, routes, or http -filters). Does not require a value to be specified. This -operation will be ignored when applyTo is set to +

Remove the selected object from the list (of listeners,
+clusters, virtual hosts, network filters, routes, or http
+filters). Does not require a value to be specified. This
+operation will be ignored when applyTo is set to
ROUTE_CONFIGURATION, or HTTP_ROUTE.

INSERT_BEFORE -

Insert operation on an array of named objects. This operation -is typically useful only in the context of filters or routes, -where the order of elements matter. Routes should be ordered -based on most to least specific matching criteria since the -first matching element is selected. For clusters and virtual hosts, -order of the element in the array does not matter. Insert -before the selected filter or sub filter. If no filter is -selected, the specified filter will be inserted at the front +

Insert operation on an array of named objects. This operation
+is typically useful only in the context of filters or routes,
+where the order of elements matter. Routes should be ordered
+based on most to least specific matching criteria since the
+first matching element is selected. For clusters and virtual hosts,
+order of the element in the array does not matter. Insert
+before the selected filter or sub filter. If no filter is
+selected, the specified filter will be inserted at the front
of the list.

INSERT_AFTER -

Insert operation on an array of named objects. This operation -is typically useful only in the context of filters or routes, -where the order of elements matter. Routes should be ordered -based on most to least specific matching criteria since the -first matching element is selected. For clusters and virtual hosts, -order of the element in the array does not matter. Insert -after the selected filter or sub filter. If no filter is -selected, the specified filter will be inserted at the end +

Insert operation on an array of named objects. This operation
+is typically useful only in the context of filters or routes,
+where the order of elements matter. Routes should be ordered
+based on most to least specific matching criteria since the
+first matching element is selected. For clusters and virtual hosts,
+order of the element in the array does not matter. Insert
+after the selected filter or sub filter. If no filter is
+selected, the specified filter will be inserted at the end
of the list.

INSERT_FIRST -

Insert operation on an array of named objects. This operation -is typically useful only in the context of filters or routes, -where the order of elements matter. Routes should be ordered -based on most to least specific matching criteria since the -first matching element is selected. For clusters and virtual hosts, -order of the element in the array does not matter. Insert -first in the list based on the presence of selected filter or not. -This is specifically useful when you want your filter first in the +

Insert operation on an array of named objects. This operation
+is typically useful only in the context of filters or routes,
+where the order of elements matter. Routes should be ordered
+based on most to least specific matching criteria since the
+first matching element is selected. For clusters and virtual hosts,
+order of the element in the array does not matter. Insert
+first in the list based on the presence of selected filter or not.
+This is specifically useful when you want your filter first in the
list based on a match condition specified in Match clause.

REPLACE -

Replace contents of a named filter with new contents. -REPLACE operation is only valid for HTTP_FILTER and -NETWORK_FILTER. If the named filter is not found, this operation +

Replace contents of a named filter with new contents.
+REPLACE operation is only valid for HTTP_FILTER and
+NETWORK_FILTER. If the named filter is not found, this operation
has no effect.

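Review bot: the FilterClass paragraph in this hunk keeps two upstream typos on the added lines, "conjuction" ("+It is used in conjuction with the ADD operation.") and "a another" ("+functioning of a another filter in the filter chain."); as with the rest of this generated file, correct them in the proto comment so they do not come back on the next run.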
@@ -1345,7 +1320,7 @@

EnvoyFilter.Patch.FilterClass

@@ -1408,7 +1383,7 @@

EnvoyFilter.ApplyTo

@@ -1416,8 +1391,8 @@

EnvoyFilter.ApplyTo

@@ -1425,9 +1400,9 @@

EnvoyFilter.ApplyTo

@@ -1442,7 +1417,7 @@

EnvoyFilter.ApplyTo

@@ -1457,7 +1432,7 @@

EnvoyFilter.ApplyTo

@@ -1474,7 +1449,7 @@

EnvoyFilter.ApplyTo

EnvoyFilter.PatchContext

-

PatchContext selects a class of configurations based on the +

PatchContext selects a class of configurations based on the
traffic flow direction and workload type.

UNSPECIFIED -

Control plane decides where to insert the filter. +

Control plane decides where to insert the filter.
Do not specify FilterClass if the filter is independent of others.

NETWORK_FILTER -

Applies the patch to the network filter chain, to modify an +

Applies the patch to the network filter chain, to modify an
existing filter or add a new filter.

HTTP_FILTER -

Applies the patch to the HTTP filter chain in the http -connection manager, to modify an existing filter or add a new +

Applies the patch to the HTTP filter chain in the http
+connection manager, to modify an existing filter or add a new
filter.

ROUTE_CONFIGURATION -

Applies the patch to the Route configuration (rds output) -inside a HTTP connection manager. This does not apply to the -virtual host. Currently, only MERGE operation is allowed on the +

Applies the patch to the Route configuration (rds output)
+inside a HTTP connection manager. This does not apply to the
+virtual host. Currently, only MERGE operation is allowed on the
route configuration objects.

HTTP_ROUTE -

Applies the patch to a route object inside the matched virtual +

Applies the patch to a route object inside the matched virtual
host in a route configuration.

EXTENSION_CONFIG -

Applies the patch to or adds an extension config in ECDS output. Note that ECDS +

Applies the patch to or adds an extension config in ECDS output. Note that ECDS
is only supported by HTTP filters.

diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html index 1e6bb5f1e47f3..767df12ebc85e 100644 --- a/content/en/docs/reference/config/networking/gateway/index.html +++ b/content/en/docs/reference/config/networking/gateway/index.html @@ -1,31 +1,27 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Gateway description: Configuration affecting edge load balancer. location: https://istio.io/docs/reference/config/networking/gateway.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.Gateway aliases: [/docs/reference/config/networking/v1alpha3/gateway] number_of_entries: 6 --- -

Gateway describes a load balancer operating at the edge of the mesh -receiving incoming or outgoing HTTP/TCP connections. The specification -describes a set of ports that should be exposed, the type of protocol to +

Gateway describes a load balancer operating at the edge of the mesh
+receiving incoming or outgoing HTTP/TCP connections. The specification
+describes a set of ports that should be exposed, the type of protocol to
use, SNI configuration for the load balancer, etc.

- -

For example, the following Gateway configuration sets up a proxy to act -as a load balancer exposing port 80 and 9080 (http), 443 (https), -9443(https) and port 2379 (TCP) for ingress. The gateway will be -applied to the proxy running on a pod with labels app: -my-gateway-controller. While Istio will configure the proxy to listen -on these ports, it is the responsibility of the user to ensure that +

For example, the following Gateway configuration sets up a proxy to act
+as a load balancer exposing port 80 and 9080 (http), 443 (https),
+9443(https) and port 2379 (TCP) for ingress. The gateway will be
+applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen
+on these ports, it is the responsibility of the user to ensure that
external traffic to these ports are allowed into the mesh.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
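Review bot: the front-matter change in this hunk points `source_repo` at the personal fork `https://github.com/ericvn/api` (also in the DO-NOT-EDIT warning line) and swaps `layout: protoc-gen-docs` for `layout: partner-component`; both look like settings used to exercise the Goldmark rendering rather than content that should land on the published site. Revert them to `source_repo: https://github.com/istio/api` and `layout: protoc-gen-docs` before merge, or split the renderer test into a separate draft PR, so readers are not sent to a fork when following the "modify the original source" warning.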
@@ -77,11 +73,8 @@
     hosts:
     - "*"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -133,28 +126,23 @@
     hosts:
     - "*"
 
- -

{{}} -{{}}

- -

The Gateway specification above describes the L4-L6 properties of a load -balancer. A VirtualService can then be bound to a gateway to control +

{{}}
+{{}}

+

The Gateway specification above describes the L4-L6 properties of a load
+balancer. A VirtualService can then be bound to a gateway to control
the forwarding of traffic arriving at a particular host or gateway port.

- -

For example, the following VirtualService splits traffic for -https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews, -http://uk.bookinfo.com:9080/reviews, -http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of -an internal reviews service on port 9080. In addition, requests -containing the cookie “user: dev-123” will be sent to special port 7777 -in the qa version. The same rule is also applicable inside the mesh for -requests to the “reviews.prod.svc.cluster.local” service. This rule is -applicable across ports 443, 9080. Note that http://uk.bookinfo.com +

For example, the following VirtualService splits traffic for
+https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews,
+http://uk.bookinfo.com:9080/reviews,
+http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of
+an internal reviews service on port 9080. In addition, requests
+containing the cookie "user: dev-123" will be sent to special port 7777
+in the qa version. The same rule is also applicable inside the mesh for
+requests to the "reviews.prod.svc.cluster.local" service. This rule is
+applicable across ports 443, 9080. Note that http://uk.bookinfo.com
gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
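Review bot: the typographic quotes in the old output become straight ASCII quotes in this hunk (`“user: dev-123”` → `"user: dev-123"`, `“reviews.prod.svc.cluster.local”` → `"reviews.prod.svc.cluster.local"`), and the same apostrophe change (`server’s` → `server's`) recurs through the rest of the patch. If the curly quotes were produced by the previous renderer's smart-quote pass rather than being present in the proto comments, Goldmark's typographer extension would keep the rendered text as it was; otherwise confirm the plain-quote rendering is the intended new look for all generated reference pages.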
@@ -191,11 +179,8 @@
         host: reviews.qa.svc.cluster.local
       weight: 20
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -232,18 +217,14 @@
         host: reviews.qa.svc.cluster.local
       weight: 20
 
- -

{{}} -{{}}

- -

The following VirtualService forwards traffic arriving at (external) -port 27017 to internal Mongo server on port 5555. This rule is not -applicable internally in the mesh as the gateway list omits the +

{{}}
+{{}}

+

The following VirtualService forwards traffic arriving at (external)
+port 27017 to internal Mongo server on port 5555. This rule is not
+applicable internally in the mesh as the gateway list omits the
reserved name mesh.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -263,11 +244,8 @@
         port:
           number: 5555
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -287,19 +265,15 @@
         port:
           number: 5555
 
- -

{{}} -{{}}

- -

It is possible to restrict the set of virtual services that can bind to -a gateway server using the namespace/hostname syntax in the hosts field. -For example, the following Gateway allows any virtual service in the ns1 -namespace to bind to it, while restricting only the virtual service with +

{{}}
+{{}}

+

It is possible to restrict the set of virtual services that can bind to
+a gateway server using the namespace/hostname syntax in the hosts field.
+For example, the following Gateway allows any virtual service in the ns1
+namespace to bind to it, while restricting only the virtual service with
foo.bar.com host in the ns2 namespace to bind to it.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -317,11 +291,8 @@
     - "ns1/*"
     - "ns2/foo.bar.com"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -339,13 +310,12 @@
     - "ns1/*"
     - "ns2/foo.bar.com"
 
- -

{{}} -{{}}

+

{{}}
+{{}}

Gateway

-

Gateway describes a load balancer operating at the edge of the mesh +

Gateway describes a load balancer operating at the edge of the mesh
receiving incoming or outgoing HTTP/TCP connections.

@@ -373,17 +343,17 @@

Gateway

@@ -396,12 +366,10 @@

Gateway

Server

-

Server describes the properties of the proxy on a given load balancer +

Server describes the properties of the proxy on a given load balancer
port. For example,

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -417,11 +385,8 @@ 

Server

hosts: - "*"
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -437,15 +402,11 @@ 

Server

hosts: - "*"
- -

{{}} -{{}}

- +

{{}}
+{{}}

Another example

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -461,11 +422,8 @@ 

Server

hosts: - "*"
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -481,15 +439,11 @@ 

Server

hosts: - "*"
- -

{{}} -{{}}

- +

{{}}
+{{}}

The following is an example of TLS configuration for port 443

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -508,11 +462,8 @@ 

Server

mode: SIMPLE credentialName: tls-cert
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -531,9 +482,8 @@ 

Server

mode: SIMPLE credentialName: tls-cert
- -

{{}} -{{}}

+

{{}}
+{{}}

selector map<string, string> -

One or more labels that indicate a specific set of pods/VMs -on which this gateway configuration should be applied. -By default workloads are searched across all namespaces based on label selectors. -This implies that a gateway resource in the namespace “foo” can select pods in -the namespace “bar” based on labels. -This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE -environment variable in istiod. If this variable is set -to true, the scope of label search is restricted to the configuration -namespace in which the the resource is present. In other words, the Gateway -resource must reside in the same namespace as the gateway workload -instance. +

One or more labels that indicate a specific set of pods/VMs
+on which this gateway configuration should be applied.
+By default workloads are searched across all namespaces based on label selectors.
+This implies that a gateway resource in the namespace "foo" can select pods in
+the namespace "bar" based on labels.
+This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE
+environment variable in istiod. If this variable is set
+to true, the scope of label search is restricted to the configuration
+namespace in which the the resource is present. In other words, the Gateway
+resource must reside in the same namespace as the gateway workload
+instance.
If selector is nil, the Gateway will be applied to all workloads.
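Review bot: the `selector` description still reads "the configuration namespace in which the the resource is present" (doubled "the") on both the removed and the added side of this hunk. Since this HTML is auto-generated, the fix belongs in the field comment on `Gateway.selector` in the api repo so the next regeneration picks it up; it is worth doing in the same pass because this hunk already rewrites every line of that paragraph.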

@@ -549,7 +499,7 @@

Server

@@ -561,13 +511,13 @@

Server

@@ -579,34 +529,31 @@

Server

@@ -618,8 +565,8 @@

Server

@@ -631,8 +578,8 @@

Server

@@ -672,9 +619,9 @@

Port

@@ -697,7 +644,7 @@

Port

@@ -724,7 +671,7 @@

ServerTLSSettings

@@ -736,8 +683,8 @@

ServerTLSSettings

@@ -749,7 +696,7 @@

ServerTLSSettings

@@ -761,8 +708,8 @@

ServerTLSSettings

@@ -786,16 +733,15 @@

ServerTLSSettings

@@ -807,7 +753,7 @@

ServerTLSSettings

@@ -819,10 +765,10 @@

ServerTLSSettings

@@ -834,11 +780,11 @@

ServerTLSSettings

@@ -872,7 +818,7 @@

ServerTLSSettings

@@ -898,8 +844,8 @@

ServerTLSSettings.TLSmode

@@ -914,7 +860,7 @@

ServerTLSSettings.TLSmode

@@ -922,16 +868,16 @@

ServerTLSSettings.TLSmode

@@ -939,11 +885,11 @@

ServerTLSSettings.TLSmode

diff --git a/content/en/docs/reference/config/networking/proxy-config/index.html b/content/en/docs/reference/config/networking/proxy-config/index.html index 1fa1ec799ca63..a316d013e6f68 100644 --- a/content/en/docs/reference/config/networking/proxy-config/index.html +++ b/content/en/docs/reference/config/networking/proxy-config/index.html @@ -1,30 +1,25 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: ProxyConfig description: Provides configuration for individual workloads. location: https://istio.io/docs/reference/config/networking/proxy-config.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1beta1.ProxyConfig aliases: [/docs/reference/config/networking/v1beta1/proxy-config] number_of_entries: 2 --- -

ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis, -a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented +

ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis,
+a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented
inline with each field.

-

NOTE: fields in ProxyConfig are not dynamically configured - changes will require restart of workloads to take effect.

- -

For any namespace, including the root configuration namespace, it is only valid +

For any namespace, including the root configuration namespace, it is only valid
to have a single workload selector-less ProxyConfig resource.

- -

For resources with a workload selector, it is only valid to have one resource selecting +

For resources with a workload selector, it is only valid to have one resource selecting
any given workload.

- -

For mesh level configuration, put the resource in the root configuration namespace for +

For mesh level configuration, put the resource in the root configuration namespace for
your Istio installation without a workload selector:

-
apiVersion: networking.istio.io/v1beta1
 kind: ProxyConfig
 metadata:
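Review bot: same header problem as the other generated files in this patch: `source_repo` and the DO-NOT-EDIT warning now name the `https://github.com/ericvn/api` fork and `layout` changes from `protoc-gen-docs` to `partner-component`. Restore `source_repo: https://github.com/istio/api` and `layout: protoc-gen-docs` before merging so the proxy-config page keeps pointing contributors at the real source and uses the reference-docs layout.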
@@ -35,9 +30,7 @@
   image:
     imageType: distroless
 
-

For namespace level configuration, put the resource in the desired namespace without a workload selector:

-
apiVersion: networking.istio.io/v1beta1
 kind: ProxyConfig
 metadata:
@@ -46,9 +39,7 @@
 spec:
   concurrency: 0
 
-

For workload level configuration, set the selector field on the ProxyConfig resource:

-
apiVersion: networking.istio.io/v1beta1
 kind: ProxyConfig
 metadata:
@@ -62,9 +53,8 @@
   image:
     imageType: debug
 
- -

If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present, -with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and +

If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present,
+with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and
meshConfig.DefaultConfig is set, the two resources will be merged with the CR taking precedence for overlapping fields.

ProxyConfig

@@ -85,7 +75,7 @@

ProxyConfig

@@ -97,8 +87,8 @@

ProxyConfig

@@ -110,7 +100,7 @@

ProxyConfig

@@ -134,9 +124,9 @@

ProxyConfig

ProxyImage

-

The following values are used to construct proxy image url. -format: ${hub}/${image_name}/${tag}-${image_type}, -example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless. +

The following values are used to construct proxy image url.
+format: ${hub}/${image_name}/${tag}-${image_type},
+example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless.
This information was previously part of the Values API.

port Port -

The Port on which the proxy should listen for incoming +

The Port on which the proxy should listen for incoming
connections.

bind string -

The ip or the Unix domain socket to which the listener should be bound -to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar -(Linux abstract namespace). When using Unix domain sockets, the port -number should be 0. -This can be used to restrict the reachability of this server to be gateway internal only. -This is typically used when a gateway needs to communicate to another mesh service -e.g. publishing metrics. In such case, the server created with the +

The ip or the Unix domain socket to which the listener should be bound
+to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar
+(Linux abstract namespace). When using Unix domain sockets, the port
+number should be 0.
+This can be used to restrict the reachability of this server to be gateway internal only.
+This is typically used when a gateway needs to communicate to another mesh service
+e.g. publishing metrics. In such case, the server created with the
specified bind will not be available to external gateway clients.

hosts string[] -

One or more hosts exposed by this gateway. -While typically applicable to -HTTP services, it can also be used for TCP services using TLS with SNI. -A host is specified as a dnsName with an optional namespace/ prefix. -The dnsName should be specified using FQDN format, optionally including -a wildcard character in the left-most component (e.g., prod/*.example.com). -Set the dnsName to * to select all VirtualService hosts from the +

One or more hosts exposed by this gateway.
+While typically applicable to
+HTTP services, it can also be used for TCP services using TLS with SNI.
+A host is specified as a dnsName with an optional namespace/ prefix.
+The dnsName should be specified using FQDN format, optionally including
+a wildcard character in the left-most component (e.g., prod/*.example.com).
+Set the dnsName to * to select all VirtualService hosts from the
specified namespace (e.g.,prod/*).

- -

The namespace can be set to * or ., representing any or the current -namespace, respectively. For example, */foo.example.com selects the -service from any available namespace while ./foo.example.com only selects -the service from the namespace of the sidecar. The default, if no namespace/ -is specified, is */, that is, select services from any namespace. +

The namespace can be set to * or ., representing any or the current
+namespace, respectively. For example, */foo.example.com selects the
+service from any available namespace while ./foo.example.com only selects
+the service from the namespace of the sidecar. The default, if no namespace/
+is specified, is */, that is, select services from any namespace.
Any associated DestinationRule in the selected namespace will also be used.

- -

A VirtualService must be bound to the gateway and must have one or -more hosts that match the hosts specified in a server. The match -could be an exact match or a suffix match with the server’s hosts. For -example, if the server’s hosts specifies *.example.com, a -VirtualService with hosts dev.example.com or prod.example.com will -match. However, a VirtualService with host example.com or +

A VirtualService must be bound to the gateway and must have one or
+more hosts that match the hosts specified in a server. The match
+could be an exact match or a suffix match with the server's hosts. For
+example, if the server's hosts specifies *.example.com, a
+VirtualService with hosts dev.example.com or prod.example.com will
+match. However, a VirtualService with host example.com or
newexample.com will not match.

- -

NOTE: Only virtual services exported to the gateway’s namespace -(e.g., exportTo value of *) can be referenced. -Private configurations (e.g., exportTo set to .) will not be -available. Refer to the exportTo setting in VirtualService, +

NOTE: Only virtual services exported to the gateway's namespace
+(e.g., exportTo value of *) can be referenced.
+Private configurations (e.g., exportTo set to .) will not be
+available. Refer to the exportTo setting in VirtualService,
DestinationRule, and ServiceEntry configurations for details.
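Review bot: the `hosts` description in this hunk carries several bare asterisks in one paragraph (`*`, `prod/*.example.com`, `*/foo.example.com`, `*/`, and `exportTo value of *`). In CommonMark an unescaped `*` can open or close emphasis, so a pair of them in the same paragraph may be consumed and the text between them rendered in italics instead of showing the wildcard. Check the Goldmark-rendered page for these lines; if any asterisk is missing, wrap the examples in backticks in the proto comment (or escape the asterisks) rather than patching the generated HTML.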

tls ServerTLSSettings -

Set of TLS related options that govern the server’s behavior. Use -these options to control if all http requests should be redirected to +

Set of TLS related options that govern the server's behavior. Use
+these options to control if all http requests should be redirected to
https, and the TLS modes to use.

name string -

An optional name of the server, when set must be unique across all servers. -This will be used for variety of purposes like prefixing stats generated with +

An optional name of the server, when set must be unique across all servers.
+This will be used for variety of purposes like prefixing stats generated with
this name etc.

protocol string -

The protocol exposed on the port. -MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. -TLS implies the connection will be routed based on the SNI header to +

The protocol exposed on the port.
+MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+TLS implies the connection will be routed based on the SNI header to
the destination without terminating the TLS connection.

targetPort uint32 -

The port number on the endpoint where the traffic will be +

The port number on the endpoint where the traffic will be
received. Applicable only when used with ServiceEntries.

httpsRedirect bool -

If set to true, the load balancer will send a 301 redirect for +

If set to true, the load balancer will send a 301 redirect for
all http connections, asking the clients to use HTTPS.

mode TLSmode -

Optional: Indicates whether connections to this port should be -secured using TLS. The value of this field determines how TLS is +

Optional: Indicates whether connections to this port should be
+secured using TLS. The value of this field determines how TLS is
enforced.

serverCertificate string -

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
holding the server-side TLS certificate to use.

privateKey string -

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server’s private key.

+

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
+holding the server's private key.

@@ -773,8 +720,8 @@

ServerTLSSettings

caCertificates string -

REQUIRED if mode is MUTUAL. The path to a file containing -certificate authority certificates to use in verifying a presented +

REQUIRED if mode is MUTUAL. The path to a file containing
+certificate authority certificates to use in verifying a presented
client side certificate.

credentialName string -

For gateways running on Kubernetes, the name of the secret that -holds the TLS certs including the CA certificates. Applicable -only on Kubernetes. The secret (of type generic) should -contain the following keys and values: key: -<privateKey> and cert: <serverCert>. For mutual TLS, -cacert: <CACertificate> can be provided in the same secret or -a separate secret named <secret>-cacert. -Secret of type tls for server certificates along with -ca.crt key for CA certificates is also supported. -Only one of server certificates and CA certificate +

For gateways running on Kubernetes, the name of the secret that
+holds the TLS certs including the CA certificates. Applicable
+only on Kubernetes. The secret (of type generic) should
+contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS,
+cacert: <CACertificate> can be provided in the same secret or
+a separate secret named <secret>-cacert.
+Secret of type tls for server certificates along with
+ca.crt key for CA certificates is also supported.
+Only one of server certificates and CA certificate
or credentialName can be specified.
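Review bot: the `credentialName` text in this hunk contains the placeholders `<privateKey>`, `<serverCert>`, `<CACertificate>` and `<secret>-cacert` in angle brackets. Anything shaped like an HTML open tag is passed through by a CommonMark renderer as raw inline HTML, so if the generator does not emit them as `&lt;privateKey&gt;` (or inside code spans) the browser will treat them as unknown elements and the rendered sentence will read "key: and cert: ." with the placeholders gone. Please confirm in the rendered page that all four placeholders are visible; the regenerated line also joined `key: <privateKey> and cert: <serverCert>` onto one line, which is fine but suggests the renderer did reinterpret that span.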

subjectAltNames string[] -

A list of alternate names to verify the subject identity in the +

A list of alternate names to verify the subject identity in the
certificate presented by the client.

verifyCertificateSpki string[] -

An optional list of base64-encoded SHA-256 hashes of the SPKIs of -authorized client certificates. -Note: When both verify_certificate_hash and verify_certificate_spki -are specified, a hash matching either value will result in the +

An optional list of base64-encoded SHA-256 hashes of the SPKIs of
+authorized client certificates.
+Note: When both verify_certificate_hash and verify_certificate_spki
+are specified, a hash matching either value will result in the
certificate being accepted.

verifyCertificateHash string[] -

An optional list of hex-encoded SHA-256 hashes of the -authorized client certificates. Both simple and colon separated -formats are acceptable. -Note: When both verify_certificate_hash and verify_certificate_spki -are specified, a hash matching either value will result in the +

An optional list of hex-encoded SHA-256 hashes of the
+authorized client certificates. Both simple and colon separated
+formats are acceptable.
+Note: When both verify_certificate_hash and verify_certificate_spki
+are specified, a hash matching either value will result in the
certificate being accepted.

cipherSuites string[] -

Optional: If specified, only support the specified cipher list. +

Optional: If specified, only support the specified cipher list.
Otherwise default to the default cipher list supported by Envoy.

PASSTHROUGH -

The SNI string presented by the client will be used as the -match criterion in a VirtualService TLS route to determine +

The SNI string presented by the client will be used as the
+match criterion in a VirtualService TLS route to determine
the destination service from the service registry.

MUTUAL -

Secure connections to the downstream using mutual TLS by +

Secure connections to the downstream using mutual TLS by
presenting server certificates for authentication.

AUTO_PASSTHROUGH -

Similar to the passthrough mode, except servers with this TLS -mode do not require an associated VirtualService to map from -the SNI value to service in the registry. The destination -details such as the service/subset/port are encoded in the -SNI value. The proxy will forward to the upstream (Envoy) -cluster (a group of endpoints) specified by the SNI -value. This server is typically used to provide connectivity -between services in disparate L3 networks that otherwise do -not have direct connectivity between their respective -endpoints. Use of this mode assumes that both the source and +

Similar to the passthrough mode, except servers with this TLS
+mode do not require an associated VirtualService to map from
+the SNI value to service in the registry. The destination
+details such as the service/subset/port are encoded in the
+SNI value. The proxy will forward to the upstream (Envoy)
+cluster (a group of endpoints) specified by the SNI
+value. This server is typically used to provide connectivity
+between services in disparate L3 networks that otherwise do
+not have direct connectivity between their respective
+endpoints. Use of this mode assumes that both the source and
the destination are using Istio mTLS to secure traffic.

ISTIO_MUTUAL -

Secure connections from the downstream using mutual TLS by -presenting server certificates for authentication. Compared -to Mutual mode, this mode uses certificates, representing -gateway workload identity, generated automatically by Istio -for mTLS authentication. When this mode is used, all other +

Secure connections from the downstream using mutual TLS by
+presenting server certificates for authentication. Compared
+to Mutual mode, this mode uses certificates, representing
+gateway workload identity, generated automatically by Istio
+for mTLS authentication. When this mode is used, all other
fields in TLSOptions should be empty.

selector WorkloadSelector -

Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. +

Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied.
If not set, the ProxyConfig resource will be applied to all workloads in the namespace where this resource is defined.

concurrency Int32Value -

The number of worker threads to run. -If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using +

The number of worker threads to run.
+If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using
CPU requests and limits to choose a value, with limits taking precedence over requests.

environmentVariables map<string, string> -

Additional environment variables for the proxy. +

Additional environment variables for the proxy.
Names starting with ISTIO_META_ will be included in the generated bootstrap configuration and sent to the XDS server.

@@ -153,9 +143,9 @@

ProxyImage

diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html index ba591ec4ca918..711bd469d916b 100644 --- a/content/en/docs/reference/config/networking/service-entry/index.html +++ b/content/en/docs/reference/config/networking/service-entry/index.html @@ -1,38 +1,35 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Service Entry description: Configuration affecting service registry. location: https://istio.io/docs/reference/config/networking/service-entry.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.ServiceEntry aliases: [/docs/reference/config/networking/v1alpha3/service-entry] number_of_entries: 3 --- -

ServiceEntry enables adding additional entries into Istio’s -internal service registry, so that auto-discovered services in the -mesh can access/route to these manually specified services. A -service entry describes the properties of a service (DNS name, -VIPs, ports, protocols, endpoints). These services could be -external to the mesh (e.g., web APIs) or mesh-internal services -that are not part of the platform’s service registry (e.g., a set -of VMs talking to services in Kubernetes). In addition, the -endpoints of a service entry can also be dynamically selected by -using the workloadSelector field. These endpoints can be VM -workloads declared using the WorkloadEntry object or Kubernetes -pods. The ability to select both pods and VMs under a single -service allows for migration of services from VMs to Kubernetes -without having to change the existing DNS names associated with the +

ServiceEntry enables adding additional entries into Istio's
+internal service registry, so that auto-discovered services in the
+mesh can access/route to these manually specified services. A
+service entry describes the properties of a service (DNS name,
+VIPs, ports, protocols, endpoints). These services could be
+external to the mesh (e.g., web APIs) or mesh-internal services
+that are not part of the platform's service registry (e.g., a set
+of VMs talking to services in Kubernetes). In addition, the
+endpoints of a service entry can also be dynamically selected by
+using the workloadSelector field. These endpoints can be VM
+workloads declared using the WorkloadEntry object or Kubernetes
+pods. The ability to select both pods and VMs under a single
+service allows for migration of services from VMs to Kubernetes
+without having to change the existing DNS names associated with the
services.

- -

The following example declares a few external APIs accessed by internal -applications over HTTPS. The sidecar inspects the SNI value in the +

The following example declares a few external APIs accessed by internal
+applications over HTTPS. The sidecar inspects the SNI value in the
ClientHello message to route to the appropriate external service.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
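Review bot: this front-matter hunk has the same test-only settings as the other generated files in the patch: `source_repo` (and the DO-NOT-EDIT warning) point at `https://github.com/ericvn/api` and `layout` is changed to `partner-component`. Set them back to `source_repo: https://github.com/istio/api` and `layout: protoc-gen-docs` before merge so the service-entry page is not published with a fork as its canonical source.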
@@ -49,11 +46,8 @@
     protocol: TLS
   resolution: DNS
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -70,18 +64,14 @@
     protocol: TLS
   resolution: DNS
 
- -

{{}} -{{}}

- -

The following configuration adds a set of MongoDB instances running on -unmanaged VMs to Istio’s registry, so that these services can be treated -as any other service in the mesh. The associated DestinationRule is used +

{{}}
+{{}}

+

The following configuration adds a set of MongoDB instances running on
+unmanaged VMs to Istio's registry, so that these services can be treated
+as any other service in the mesh. The associated DestinationRule is used
to initiate mTLS connections to the database instances.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -101,11 +91,8 @@
   - address: 2.2.2.2
   - address: 3.3.3.3
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -125,15 +112,11 @@
   - address: 2.2.2.2
   - address: 3.3.3.3
 
- -

{{}} -{{}}

- +

{{}}
+{{}}

and the associated DestinationRule

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -147,11 +130,8 @@
       privateKey: /etc/certs/client_private_key.pem
       caCertificates: /etc/certs/rootcacerts.pem
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -165,17 +145,13 @@
       privateKey: /etc/certs/client_private_key.pem
       caCertificates: /etc/certs/rootcacerts.pem
 
- -

{{}} -{{}}

- -

The following example uses a combination of service entry and TLS -routing in a virtual service to steer traffic based on the SNI value to +

{{}}
+{{}}

+

The following example uses a combination of service entry and TLS
+routing in a virtual service to steer traffic based on the SNI value to
an internal egress firewall.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -191,11 +167,8 @@
     protocol: TLS
   resolution: NONE
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -211,15 +184,11 @@
     protocol: TLS
   resolution: NONE
 
- -

{{}} -{{}}

- +

{{}}
+{{}}

And the associated VirtualService to route based on the SNI value.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -237,11 +206,8 @@
     - destination:
         host: internal-egress-firewall.ns1.svc.cluster.local
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -259,25 +225,20 @@
     - destination:
         host: internal-egress-firewall.ns1.svc.cluster.local
 
- -

{{}} -{{}}

- -

The virtual service with TLS match serves to override the default SNI -match. In the absence of a virtual service, traffic will be forwarded to +

{{}}
+{{}}

+

The virtual service with TLS match serves to override the default SNI
+match. In the absence of a virtual service, traffic will be forwarded to
the wikipedia domains.

- -

The following example demonstrates the use of a dedicated egress gateway -through which all external service traffic is forwarded. -The ‘exportTo’ field allows for control over the visibility of a service -declaration to other namespaces in the mesh. By default, a service is exported -to all namespaces. The following example restricts the visibility to the -current namespace, represented by “.”, so that it cannot be used by other +

The following example demonstrates the use of a dedicated egress gateway
+through which all external service traffic is forwarded.
+The 'exportTo' field allows for control over the visibility of a service
+declaration to other namespaces in the mesh. By default, a service is exported
+to all namespaces. The following example restricts the visibility to the
+current namespace, represented by ".", so that it cannot be used by other
namespaces.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -295,11 +256,8 @@
     protocol: HTTP
   resolution: DNS
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -317,15 +275,11 @@
     protocol: HTTP
   resolution: DNS
 
- -

{{}} -{{}}

- +

{{}}
+{{}}

Define a gateway to handle all egress traffic.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Gateway
 metadata:
@@ -342,11 +296,8 @@
    hosts:
    - "*"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Gateway
 metadata:
@@ -363,20 +314,16 @@
    hosts:
    - "*"
 
- -

{{}} -{{}}

- -

And the associated VirtualService to route from the sidecar to the -gateway service (istio-egressgateway.istio-system.svc.cluster.local), as -well as route from the gateway to the external service. Note that the -virtual service is exported to all namespaces enabling them to route traffic -through the gateway to the external service. Forcing traffic to go through +

{{}}
+{{}}

+

And the associated VirtualService to route from the sidecar to the
+gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
+well as route from the gateway to the external service. Note that the
+virtual service is exported to all namespaces enabling them to route traffic
+through the gateway to the external service. Forcing traffic to go through
a managed middle proxy like this is a common practice.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -406,11 +353,8 @@
     - destination:
         host: example.com
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -440,18 +384,14 @@
     - destination:
         host: example.com
 
- -

{{}} -{{}}

- -

The following example demonstrates the use of wildcards in the hosts for -external services. If the connection has to be routed to the IP address -requested by the application (i.e. application resolves DNS and attempts +

{{}}
+{{}}

+

The following example demonstrates the use of wildcards in the hosts for
+external services. If the connection has to be routed to the IP address
+requested by the application (i.e. application resolves DNS and attempts
to connect to a specific IP), the discovery mode must be set to NONE.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -466,11 +406,8 @@
     protocol: HTTP
   resolution: NONE
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -485,17 +422,13 @@
     protocol: HTTP
   resolution: NONE
 
- -

{{}} -{{}}

- -

The following example demonstrates a service that is available via a -Unix Domain Socket on the host of the client. The resolution must be +

{{}}
+{{}}

+

The following example demonstrates a service that is available via a
+Unix Domain Socket on the host of the client. The resolution must be
set to STATIC to use Unix address endpoints.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -512,11 +445,8 @@
   endpoints:
   - address: unix:///var/run/example/socket
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -533,21 +463,17 @@
   endpoints:
   - address: unix:///var/run/example/socket
 
- -

{{}} -{{}}

- -

For HTTP-based services, it is possible to create a VirtualService -backed by multiple DNS addressable endpoints. In such a scenario, the -application can use the HTTP_PROXY environment variable to transparently -reroute API calls for the VirtualService to a chosen backend. For -example, the following configuration creates a non-existent external -service called foo.bar.com backed by three domains: us.foo.bar.com:8080, +

{{}}
+{{}}

+

For HTTP-based services, it is possible to create a VirtualService
+backed by multiple DNS addressable endpoints. In such a scenario, the
+application can use the HTTP_PROXY environment variable to transparently
+reroute API calls for the VirtualService to a chosen backend. For
+example, the following configuration creates a non-existent external
+service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
uk.foo.bar.com:9080, and in.foo.bar.com:7080

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -572,11 +498,8 @@
     ports:
       http: 7080
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -601,22 +524,17 @@
     ports:
       http: 7080
 
- -

{{}} -{{}}

- -

With HTTP_PROXY=http://localhost/, calls from the application to -http://foo.bar.com will be load balanced across the three domains -specified above. In other words, a call to http://foo.bar.com/baz would +

{{}}
+{{}}

+

With HTTP_PROXY=http://localhost/, calls from the application to
+http://foo.bar.com will be load balanced across the three domains
+specified above. In other words, a call to http://foo.bar.com/baz would
be translated to http://uk.foo.bar.com/baz.

- -

The following example illustrates the usage of a ServiceEntry -containing a subject alternate name +

The following example illustrates the usage of a ServiceEntry
+containing a subject alternate name
whose format conforms to the SPIFFE standard:

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -637,11 +555,8 @@
   subjectAltNames:
   - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -662,25 +577,21 @@
   subjectAltNames:
   - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
 
- -

{{}} -{{}}

- -

The following example demonstrates the use of ServiceEntry with a -workloadSelector to handle the migration of a service -details.bookinfo.com from VMs to Kubernetes. The service has two -VM-based instances with sidecars as well as a set of Kubernetes -pods managed by a standard deployment object. Consumers of this -service in the mesh will be automatically load balanced across the -VMs and Kubernetes. VM for the details.bookinfo.com -service. This VM has sidecar installed and bootstrapped using the -details-legacy service account. The sidecar receives HTTP traffic -on port 80 (wrapped in istio mutual TLS) and forwards it to the +

{{}}
+{{}}

+

The following example demonstrates the use of ServiceEntry with a
+workloadSelector to handle the migration of a service
+details.bookinfo.com from VMs to Kubernetes. The service has two
+VM-based instances with sidecars as well as a set of Kubernetes
+pods managed by a standard deployment object. Consumers of this
+service in the mesh will be automatically load balanced across the
+VMs and Kubernetes. VM for the details.bookinfo.com
+service. This VM has sidecar installed and bootstrapped using the
+details-legacy service account. The sidecar receives HTTP traffic
+on port 80 (wrapped in istio mutual TLS) and forwards it to the
application on the localhost on the same port.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: WorkloadEntry
 metadata:
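Review bot: the regenerated paragraph in this hunk still carries the fragment "VM for the details.bookinfo.com service." immediately after "VMs and Kubernetes.", on a "+" line, so the Goldmark output is reproducing a sentence that has no subject and reads like a lost heading. Since this file is auto-generated, the wording should be fixed in the WorkloadEntry example comment in the api repo (for instance by introducing the block as a WorkloadEntry declaration for the details.bookinfo.com service) rather than here; this file will pick the change up on the next regeneration.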
@@ -703,11 +614,8 @@
     app: details
     instance-id: vm2
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -730,18 +638,14 @@
     app: details
     instance-id: vm2
 
- -

{{}} -{{}}

- -

Assuming there is also a Kubernetes deployment with pod labels -app: details using the same service account details, the -following service entry declares a service spanning both VMs and +

{{}}
+{{}}

+

Assuming there is also a Kubernetes deployment with pod labels
+app: details using the same service account details, the
+following service entry declares a service spanning both VMs and
Kubernetes:

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -759,11 +663,8 @@
     labels:
       app: details
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -781,13 +682,12 @@
     labels:
       app: details
 
- -

{{}} -{{}}

+

{{}}
+{{}}

ServiceEntry

-

ServiceEntry enables adding additional entries into Istio’s internal +

ServiceEntry enables adding additional entries into Istio's internal
service registry.

imageType string -

The image type of the image. -Istio publishes default, debug, and distroless images. -Other values are allowed if those image types (example: centos) are published to the specified hub. +

The image type of the image.
+Istio publishes default, debug, and distroless images.
+Other values are allowed if those image types (example: centos) are published to the specified hub.
supported values: default, debug, distroless.

@@ -804,31 +704,27 @@

ServiceEntry

@@ -865,8 +761,8 @@

ServiceEntry

@@ -878,7 +774,7 @@

ServiceEntry

@@ -890,9 +786,9 @@

ServiceEntry

@@ -904,7 +800,7 @@

ServiceEntry

@@ -916,11 +812,11 @@

ServiceEntry

@@ -932,21 +828,18 @@

ServiceEntry

@@ -958,12 +851,11 @@

ServiceEntry

@@ -976,11 +868,11 @@

ServiceEntry

ServiceEntry.Location

-

Location specifies whether the service is part of Istio mesh or -outside the mesh. Location determines the behavior of several -features, such as service-to-service mTLS authentication, policy -enforcement, etc. When communicating with services outside the mesh, -Istio’s mTLS authentication is disabled, and policy enforcement is +

Location specifies whether the service is part of Istio mesh or
+outside the mesh. Location determines the behavior of several
+features, such as service-to-service mTLS authentication, policy
+enforcement, etc. When communicating with services outside the mesh,
+Istio's mTLS authentication is disabled, and policy enforcement is
performed on the client-side as opposed to server-side.

hosts string[] -

The hosts associated with the ServiceEntry. Could be a DNS +

The hosts associated with the ServiceEntry. Could be a DNS
name with wildcard prefix.

-
  1. The hosts field is used to select matching hosts in VirtualServices and DestinationRules.
  2. For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field.
  3. -
  4. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value +
  5. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
    will be matched against the hosts field.
- -

NOTE 1: When resolution is set to type DNS and no endpoints -are specified, the host field will be used as the DNS name of the +

NOTE 1: When resolution is set to type DNS and no endpoints
+are specified, the host field will be used as the DNS name of the
endpoint to route traffic to.

- -

NOTE 2: If the hostname matches with the name of a service -from another service registry such as Kubernetes that also -supplies its own set of endpoints, the ServiceEntry will be -treated as a decorator of the existing Kubernetes -service. Properties in the service entry will be added to the -Kubernetes service if applicable. Currently, the only the +

NOTE 2: If the hostname matches with the name of a service
+from another service registry such as Kubernetes that also
+supplies its own set of endpoints, the ServiceEntry will be
+treated as a decorator of the existing Kubernetes
+service. Properties in the service entry will be added to the
+Kubernetes service if applicable. Currently, the only the
following additional properties will be considered by istiod:

-
    -
  1. subjectAltNames: In addition to verifying the SANs of the -service accounts associated with the pods of the service, the +
  2. subjectAltNames: In addition to verifying the SANs of the
    +service accounts associated with the pods of the service, the
    SANs specified here will also be verified.
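Review bot: two source typos survive the regeneration in this region, both on "+" lines: "Currently, the only the following additional properties" (doubled "the") in the NOTE 2 paragraph under hosts, and "HTTPs" where "HTTPS" is meant in the item "For HTTPs or TLS traffic containing Server Name Indication (SNI)". The Goldmark output is faithful to the proto comment, so the correction has to land in the hosts field comment in the api repo, not in this generated file.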
@@ -841,19 +737,19 @@

ServiceEntry

addresses string[] -

The virtual IP addresses associated with the service. Could be CIDR -prefix. For HTTP traffic, generated route configurations will include http route -domains for both the addresses and hosts field values and the destination will -be identified based on the HTTP Host/Authority header. -If one or more IP addresses are specified, -the incoming traffic will be identified as belonging to this service -if the destination IP matches the IP/CIDRs specified in the addresses -field. If the Addresses field is empty, traffic will be identified -solely based on the destination port. In such scenarios, the port on -which the service is being accessed must not be shared by any other -service in the mesh. In other words, the sidecar will behave as a -simple TCP proxy, forwarding incoming traffic on a specified port to -the specified destination endpoint IP/host. Unix domain socket +

The virtual IP addresses associated with the service. Could be CIDR
+prefix. For HTTP traffic, generated route configurations will include http route
+domains for both the addresses and hosts field values and the destination will
+be identified based on the HTTP Host/Authority header.
+If one or more IP addresses are specified,
+the incoming traffic will be identified as belonging to this service
+if the destination IP matches the IP/CIDRs specified in the addresses
+field. If the Addresses field is empty, traffic will be identified
+solely based on the destination port. In such scenarios, the port on
+which the service is being accessed must not be shared by any other
+service in the mesh. In other words, the sidecar will behave as a
+simple TCP proxy, forwarding incoming traffic on a specified port to
+the specified destination endpoint IP/host. Unix domain socket
addresses are not supported in this field.

ports Port[] -

The ports associated with the external service. If the -Endpoints are Unix domain socket addresses, there must be exactly one +

The ports associated with the external service. If the
+Endpoints are Unix domain socket addresses, there must be exactly one
port.

location Location -

Specify whether the service should be considered external to the mesh +

Specify whether the service should be considered external to the mesh
or part of the mesh.

resolution Resolution -

Service discovery mode for the hosts. Care must be taken -when setting the resolution mode to NONE for a TCP port without -accompanying IP addresses. In such cases, traffic to any IP on +

Service discovery mode for the hosts. Care must be taken
+when setting the resolution mode to NONE for a TCP port without
+accompanying IP addresses. In such cases, traffic to any IP on
said port will be allowed (i.e. 0.0.0.0:<port>).

endpoints WorkloadEntry[] -

One or more endpoints associated with the service. Only one of +

One or more endpoints associated with the service. Only one of
endpoints or workloadSelector can be specified.

workloadSelector WorkloadSelector -

Applicable only for MESH_INTERNAL services. Only one of -endpoints or workloadSelector can be specified. Selects one -or more Kubernetes pods or VM workloads (specified using -WorkloadEntry) based on their labels. The WorkloadEntry object -representing the VMs should be defined in the same namespace as +

Applicable only for MESH_INTERNAL services. Only one of
+endpoints or workloadSelector can be specified. Selects one
+or more Kubernetes pods or VM workloads (specified using
+WorkloadEntry) based on their labels. The WorkloadEntry object
+representing the VMs should be defined in the same namespace as
the ServiceEntry.

exportTo string[] -

A list of namespaces to which this service is exported. Exporting a service -allows it to be used by sidecars, gateways and virtual services defined in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of services across +

A list of namespaces to which this service is exported. Exporting a service
+allows it to be used by sidecars, gateways and virtual services defined in
+other namespaces. This feature provides a mechanism for service owners
+and mesh administrators to control the visibility of services across
namespace boundaries.

- -

If no namespaces are specified then the service is exported to all +

If no namespaces are specified then the service is exported to all
namespaces by default.

- -

The value “.” is reserved and defines an export to the same namespace that -the service is declared in. Similarly the value “*” is reserved and +

The value "." is reserved and defines an export to the same namespace that
+the service is declared in. Similarly the value "*" is reserved and
defines an export to all namespaces.

- -

For a Kubernetes Service, the equivalent effect can be achieved by setting -the annotation “networking.istio.io/exportTo” to a comma-separated list +

For a Kubernetes Service, the equivalent effect can be achieved by setting
+the annotation "networking.istio.io/exportTo" to a comma-separated list
of namespace names.

subjectAltNames string[] -

If specified, the proxy will verify that the server certificate’s +

If specified, the proxy will verify that the server certificate's
subject alternate name matches one of the specified values.

- -

NOTE: When using the workloadEntry with workloadSelectors, the -service account specified in the workloadEntry will also be used -to derive the additional subject alternate names that should be +

NOTE: When using the workloadEntry with workloadSelectors, the
+service account specified in the workloadEntry will also be used
+to derive the additional subject alternate names that should be
verified.

@@ -994,7 +886,7 @@

ServiceEntry.Location

@@ -1002,9 +894,9 @@

ServiceEntry.Location

@@ -1014,14 +906,14 @@

ServiceEntry.Location

ServiceEntry.Resolution

-

Resolution determines how the proxy will resolve the IP addresses of -the network endpoints associated with the service, so that it can -route to one of them. The resolution mode specified here has no impact -on how the application resolves the IP address associated with the -service. The application may still have to use DNS to resolve the -service to an IP so that the outbound traffic can be captured by the -Proxy. Alternatively, for HTTP services, the application could -directly communicate with the proxy (e.g., by setting HTTP_PROXY) to +

Resolution determines how the proxy will resolve the IP addresses of
+the network endpoints associated with the service, so that it can
+route to one of them. The resolution mode specified here has no impact
+on how the application resolves the IP address associated with the
+service. The application may still have to use DNS to resolve the
+service to an IP so that the outbound traffic can be captured by the
+Proxy. Alternatively, for HTTP services, the application could
+directly communicate with the proxy (e.g., by setting HTTP_PROXY) to
talk to these services.

MESH_EXTERNAL -

Signifies that the service is external to the mesh. Typically used +

Signifies that the service is external to the mesh. Typically used
to indicate external services consumed through APIs.

MESH_INTERNAL -

Signifies that the service is part of the mesh. Typically used to -indicate services added explicitly as part of expanding the service -mesh to include unmanaged infrastructure (e.g., VMs added to a +

Signifies that the service is part of the mesh. Typically used to
+indicate services added explicitly as part of expanding the service
+mesh to include unmanaged infrastructure (e.g., VMs added to a
Kubernetes based service mesh).

@@ -1035,11 +927,11 @@

ServiceEntry.Resolution

@@ -1047,7 +939,7 @@

ServiceEntry.Resolution

@@ -1055,12 +947,12 @@

ServiceEntry.Resolution

@@ -1068,15 +960,15 @@

ServiceEntry.Resolution

diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html index 7e0bc14945ff0..469a6c88cc9e7 100644 --- a/content/en/docs/reference/config/networking/sidecar/index.html +++ b/content/en/docs/reference/config/networking/sidecar/index.html @@ -1,60 +1,54 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Sidecar description: Configuration affecting network reachability of a sidecar. location: https://istio.io/docs/reference/config/networking/sidecar.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.Sidecar aliases: [/docs/reference/config/networking/v1alpha3/sidecar] number_of_entries: 7 --- -

Sidecar describes the configuration of the sidecar proxy that mediates -inbound and outbound communication to the workload instance it is attached to. By -default, Istio will program all sidecar proxies in the mesh with the -necessary configuration required to reach every workload instance in the mesh, as -well as accept traffic on all the ports associated with the -workload. The Sidecar configuration provides a way to fine tune the set of -ports, protocols that the proxy will accept when forwarding traffic to -and from the workload. In addition, it is possible to restrict the set -of services that the proxy can reach when forwarding outbound traffic +

Sidecar describes the configuration of the sidecar proxy that mediates
+inbound and outbound communication to the workload instance it is attached to. By
+default, Istio will program all sidecar proxies in the mesh with the
+necessary configuration required to reach every workload instance in the mesh, as
+well as accept traffic on all the ports associated with the
+workload. The Sidecar configuration provides a way to fine tune the set of
+ports, protocols that the proxy will accept when forwarding traffic to
+and from the workload. In addition, it is possible to restrict the set
+of services that the proxy can reach when forwarding outbound traffic
from workload instances.

- -

Services and configuration in a mesh are organized into one or more -namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar -configuration in a namespace will apply to one or more workload instances in the same -namespace, selected using the workloadSelector field. In the absence of a -workloadSelector, it will apply to all workload instances in the same -namespace. When determining the Sidecar configuration to be applied to a -workload instance, preference will be given to the resource with a -workloadSelector that selects this workload instance, over a Sidecar configuration +

Services and configuration in a mesh are organized into one or more
+namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar
+configuration in a namespace will apply to one or more workload instances in the same
+namespace, selected using the workloadSelector field. In the absence of a
+workloadSelector, it will apply to all workload instances in the same
+namespace. When determining the Sidecar configuration to be applied to a
+workload instance, preference will be given to the resource with a
+workloadSelector that selects this workload instance, over a Sidecar configuration
without any workloadSelector.

- -

NOTE 1: Each namespace can have only one Sidecar -configuration without any workloadSelector that specifies the -default for all pods in that namespace. It is recommended to use -the name default for the namespace-wide sidecar. The behavior of -the system is undefined if more than one selector-less Sidecar -configurations exist in a given namespace. The behavior of the -system is undefined if two or more Sidecar configurations with a +

NOTE 1: Each namespace can have only one Sidecar
+configuration without any workloadSelector
that specifies the
+default for all pods in that namespace
. It is recommended to use
+the name default for the namespace-wide sidecar. The behavior of
+the system is undefined if more than one selector-less Sidecar
+configurations exist in a given namespace. The behavior of the
+system is undefined if two or more Sidecar configurations with a
workloadSelector select the same workload instance.

- -

NOTE 2: A Sidecar configuration in the MeshConfig -root namespace -will be applied by default to all namespaces without a Sidecar -configuration. This global default Sidecar configuration should not have +

NOTE 2: A Sidecar configuration in the MeshConfig
+root namespace
+will be applied by default to all namespaces without a Sidecar
+configuration
. This global default Sidecar configuration should not have
any workloadSelector.

- -

The example below declares a global default Sidecar configuration -in the root namespace called istio-config, that configures -sidecars in all namespaces to allow egress traffic only to other -workloads in the same namespace as well as to services in the +

The example below declares a global default Sidecar configuration
+in the root namespace called istio-config, that configures
+sidecars in all namespaces to allow egress traffic only to other
+workloads in the same namespace as well as to services in the
istio-system namespace.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
 metadata:
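Review bot: the front matter in this hunk points the generated page at a personal fork and changes its layout: "PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO", "source_repo: https://github.com/ericvn/api" and "layout: partner-component" replace the istio/api references and "layout: protoc-gen-docs". That is fine for testing the Goldmark output, but the generator needs to be pointed back at istio/api and the layout restored before this is merged, otherwise the published reference docs will link and attribute to the fork. Further down in the same hunk, the rewrapped NOTE 1 and NOTE 2 paragraphs leave a period stranded at the start of a line (". It is recommended to use" and ". This global default Sidecar configuration should not have") right after the phrases "without any workloadSelector" and "root namespace ... configuration"; worth confirming that the inline markup around those phrases survives the new renderer and that the rendered page shows no space before the period.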
@@ -66,11 +60,8 @@
     - "./*"
     - "istio-system/*"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -82,19 +73,15 @@
     - "./*"
     - "istio-system/*"
 
- -

{{}} -{{}}

- -

The example below declares a Sidecar configuration in the -prod-us1 namespace that overrides the global default defined -above, and configures the sidecars in the namespace to allow egress -traffic to public services in the prod-us1, prod-apis, and the +

{{}}
+{{}}

+

The example below declares a Sidecar configuration in the
+prod-us1 namespace that overrides the global default defined
+above, and configures the sidecars in the namespace to allow egress
+traffic to public services in the prod-us1, prod-apis, and the
istio-system namespaces.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
 metadata:
@@ -107,11 +94,8 @@
     - "prod-apis/*"
     - "istio-system/*"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -124,22 +108,18 @@
     - "prod-apis/*"
     - "istio-system/*"
 
- -

{{}} -{{}}

- -

The following example declares a Sidecar configuration in the -prod-us1 namespace for all pods with labels app: ratings -belonging to the ratings.prod-us1 service. The workload accepts -inbound HTTP traffic on port 9080. The traffic is then forwarded to -the attached workload instance listening on a Unix domain -socket. In the egress direction, in addition to the istio-system -namespace, the sidecar proxies only HTTP traffic bound for port +

{{}}
+{{}}

+

The following example declares a Sidecar configuration in the
+prod-us1 namespace for all pods with labels app: ratings
+belonging to the ratings.prod-us1 service. The workload accepts
+inbound HTTP traffic on port 9080. The traffic is then forwarded to
+the attached workload instance listening on a Unix domain
+socket. In the egress direction, in addition to the istio-system
+namespace, the sidecar proxies only HTTP traffic bound for port
9080 for services in the prod-us1 namespace.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
 metadata:
@@ -165,11 +145,8 @@
   - hosts:
     - "istio-system/*"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -195,28 +172,24 @@
   - hosts:
     - "istio-system/*"
 
- -

{{}} -{{}}

- -

If the workload is deployed without IPTables-based traffic capture, -the Sidecar configuration is the only way to configure the ports -on the proxy attached to the workload instance. The following -example declares a Sidecar configuration in the prod-us1 -namespace for all pods with labels app: productpage belonging to -the productpage.prod-us1 service. Assuming that these pods are -deployed without IPtable rules (i.e. the istio-init container) -and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to -NONE, the specification, below, allows such pods to receive HTTP -traffic on port 9080 (wrapped inside Istio mutual TLS) and forward -it to the application listening on 127.0.0.1:8080. It also allows -the application to communicate with a backing MySQL database on -127.0.0.1:3306, that then gets proxied to the externally hosted +

{{}}
+{{}}

+

If the workload is deployed without IPTables-based traffic capture,
+the Sidecar configuration is the only way to configure the ports
+on the proxy attached to the workload instance. The following
+example declares a Sidecar configuration in the prod-us1
+namespace for all pods with labels app: productpage belonging to
+the productpage.prod-us1 service. Assuming that these pods are
+deployed without IPtable rules (i.e. the istio-init container)
+and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to
+NONE, the specification, below, allows such pods to receive HTTP
+traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
+it to the application listening on 127.0.0.1:8080. It also allows
+the application to communicate with a backing MySQL database on
+127.0.0.1:3306, that then gets proxied to the externally hosted
MySQL service at mysql.foo.com:3306.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
 metadata:
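Review bot: the ISTIO_META_INTERCEPTION_MODE=NONE paragraph (from `If the workload is deployed without IPTables-based traffic capture` to `MySQL service at mysql.foo.com:3306.`) says the Sidecar resource is the only way to configure the proxy's ports in that mode but stops short of the consequence a reader setting up a VM needs: with no iptables capture, any connection the application opens to an address or port not declared in this Sidecar (here anything other than inbound 9080 and outbound 127.0.0.1:3306) leaves the host without ever passing through the proxy. One sentence to that effect would prevent the common mistake of assuming the MySQL ServiceEntry alone covers the workload. Minor, same paragraph: the tool is spelled three ways across this patch (`IPTables-based`, `IPtable rules`, `IP tables`); since this file is generated, the fix belongs in the proto comment in istio/api, not in this HTML.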
@@ -243,11 +216,8 @@
     hosts:
     - "*/mysql.foo.com"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -274,15 +244,11 @@
     hosts:
     - "*/mysql.foo.com"
 
- -

{{}} -{{}}

- +

{{}}
+{{}}

And the associated service entry for routing to mysql.foo.com:3306

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -298,11 +264,8 @@
   location: MESH_EXTERNAL
   resolution: DNS
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -318,26 +281,21 @@
   location: MESH_EXTERNAL
   resolution: DNS
 
- -

{{}} -{{}}

- -

It is also possible to mix and match traffic capture modes in a single -proxy. For example, consider a setup where internal services are on the -192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all -outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an -additional network interface on 172.16.0.0/16 subnet for inbound -traffic. The following Sidecar configuration allows the VM to expose a -listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the +

{{}}
+{{}}

+

It is also possible to mix and match traffic capture modes in a single
+proxy. For example, consider a setup where internal services are on the
+192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
+outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an
+additional network interface on 172.16.0.0/16 subnet for inbound
+traffic. The following Sidecar configuration allows the VM to expose a
+listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the
172.16.0.0/16 subnet.

- -

NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the -proxy in the VM should contain REDIRECT or TPROXY as its value, +

NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the
+proxy in the VM should contain REDIRECT or TPROXY as its value,
implying that IP tables based traffic capture is active.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
 metadata:
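Review bot: the apostrophe in `VM’s IP` becomes a straight `VM's IP` on the rewrapped line ending `for traffic arriving from the`, and the same straight-quote substitution shows up in other hunks of this patch (`“DISABLE”` becomes `"DISABLE"`, `sidecar’s` becomes `sidecar's`, `“version: v1”` becomes `"version: v1"`). If curly punctuation in the rendered pages is still wanted, the new Goldmark pipeline needs its typographer extension enabled; if straight quotes are the intended outcome, say so in the PR description, because this touches every reference page and is easy to mistake for a content change when diffing the generated HTML.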
@@ -364,11 +322,8 @@
     hosts:
     - "*/*"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
@@ -395,26 +350,22 @@
     hosts:
     - "*/*"
 
- -

{{}} -{{}}

- -

The following example declares a Sidecar configuration in the -prod-us1 namespace for all pods with labels app: ratings -belonging to the ratings.prod-us1 service. The service accepts -inbound HTTPS traffic on port 8443 and the sidecar proxy terminates -one way TLS using the given server certificates. -The traffic is then forwarded to the attached workload instance -listening on a Unix domain socket. -It is expected that PeerAuthentication policy would be configured -in order to set mTLS mode to “DISABLE” on specific -ports. -In this example, the mTLS mode is disabled on PORT 80. +

{{}}
+{{}}

+

The following example declares a Sidecar configuration in the
+prod-us1 namespace for all pods with labels app: ratings
+belonging to the ratings.prod-us1 service. The service accepts
+inbound HTTPS traffic on port 8443 and the sidecar proxy terminates
+one way TLS using the given server certificates.
+The traffic is then forwarded to the attached workload instance
+listening on a Unix domain socket.
+It is expected that PeerAuthentication policy would be configured
+in order to set mTLS mode to "DISABLE" on specific
+ports.
+In this example, the mTLS mode is disabled on PORT 80.
This feature is currently experimental.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
 metadata:
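Review bot: the HTTPS-termination example (from `The following example declares a Sidecar configuration in the` to `This feature is currently experimental.`) declares the listener on port 8443 and then says mTLS is disabled on PORT 80 without saying how the two ports relate; the reader has to work it out from the Service and PeerAuthentication manifests further down. One sentence stating which port the `portLevelMtls` entry refers to and why it is not 8443 would remove the ambiguity, and it is worth spelling out the trade-off the example makes: with one-way TLS and mTLS DISABLE on that port, the sidecar accepts connections from outside the mesh without a client certificate, so there is no peer identity for authorization policy to act on. Since the file is generated, that text goes in the proto comment in istio/api.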
@@ -435,11 +386,8 @@
       privateKey: "/etc/certs/privatekey.pem"
       serverCertificate: "/etc/certs/servercert.pem"
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: v1
 kind: Service
 metadata:
@@ -455,11 +403,8 @@
   selector:
     app: ratings
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -475,14 +420,13 @@
     80:
       mode: DISABLE
 
- -

{{}} -{{}}

+

{{}}
+{{}}

Sidecar

-

Sidecar describes the configuration of the sidecar proxy that mediates -inbound and outbound communication of the workload instance to which it is +

Sidecar describes the configuration of the sidecar proxy that mediates
+inbound and outbound communication of the workload instance to which it is
attached.

NONE -

Assume that incoming connections have already been resolved (to a -specific destination IP address). Such connections are typically -routed via the proxy using mechanisms such as IP table REDIRECT/ -eBPF. After performing any routing related transformations, the -proxy will forward the connection to the IP address to which the +

Assume that incoming connections have already been resolved (to a
+specific destination IP address). Such connections are typically
+routed via the proxy using mechanisms such as IP table REDIRECT/
+eBPF. After performing any routing related transformations, the
+proxy will forward the connection to the IP address to which the
connection was bound.

STATIC -

Use the static IP addresses specified in endpoints (see below) as the +

Use the static IP addresses specified in endpoints (see below) as the
backing instances associated with the service.

DNS -

Attempt to resolve the IP address by querying the ambient DNS, -asynchronously. If no endpoints are specified, the proxy -will resolve the DNS address specified in the hosts field, if -wildcards are not used. If endpoints are specified, the DNS -addresses specified in the endpoints will be resolved to determine -the destination IP address. DNS resolution cannot be used with Unix +

Attempt to resolve the IP address by querying the ambient DNS,
+asynchronously. If no endpoints are specified, the proxy
+will resolve the DNS address specified in the hosts field, if
+wildcards are not used. If endpoints are specified, the DNS
+addresses specified in the endpoints will be resolved to determine
+the destination IP address. DNS resolution cannot be used with Unix
domain socket endpoints.

DNS_ROUND_ROBIN -

Attempt to resolve the IP address by querying the ambient DNS, -asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the -first IP address returned when a new connection needs to be initiated -without relying on complete results of DNS resolution, and connections -made to hosts will be retained even if DNS records change frequently -eliminating draining connection pools and connection cycling. -This is best suited for large web scale services that -must be accessed via DNS. The proxy will resolve the DNS address -specified in the hosts field, if wildcards are not used. DNS resolution +

Attempt to resolve the IP address by querying the ambient DNS,
+asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the
+first IP address returned when a new connection needs to be initiated
+without relying on complete results of DNS resolution, and connections
+made to hosts will be retained even if DNS records change frequently
+eliminating draining connection pools and connection cycling.
+This is best suited for large web scale services that
+must be accessed via DNS. The proxy will resolve the DNS address
+specified in the hosts field, if wildcards are not used. DNS resolution
cannot be used with Unix domain socket endpoints.

@@ -499,8 +443,8 @@

Sidecar

@@ -512,11 +456,11 @@

Sidecar

@@ -528,9 +472,9 @@

Sidecar

@@ -542,12 +486,12 @@

Sidecar

@@ -560,7 +504,7 @@

Sidecar

IstioIngressListener

-

IstioIngressListener specifies the properties of an inbound +

IstioIngressListener specifies the properties of an inbound
traffic listener on the sidecar proxy attached to a workload instance.

workloadSelector WorkloadSelector -

Criteria used to select the specific set of pods/VMs on which this -Sidecar configuration should be applied. If omitted, the Sidecar +

Criteria used to select the specific set of pods/VMs on which this
+Sidecar configuration should be applied. If omitted, the Sidecar
configuration will be applied to all workload instances in the same namespace.

ingress IstioIngressListener[] -

Ingress specifies the configuration of the sidecar for processing -inbound traffic to the attached workload instance. If omitted, Istio will -automatically configure the sidecar based on the information about the workload -obtained from the orchestration platform (e.g., exposed ports, services, -etc.). If specified, inbound ports are configured if and only if the +

Ingress specifies the configuration of the sidecar for processing
+inbound traffic to the attached workload instance. If omitted, Istio will
+automatically configure the sidecar based on the information about the workload
+obtained from the orchestration platform (e.g., exposed ports, services,
+etc.). If specified, inbound ports are configured if and only if the
workload instance is associated with a service.

egress IstioEgressListener[] -

Egress specifies the configuration of the sidecar for processing -outbound traffic from the attached workload instance to other -services in the mesh. If not specified, inherits the system +

Egress specifies the configuration of the sidecar for processing
+outbound traffic from the attached workload instance to other
+services in the mesh. If not specified, inherits the system
detected defaults from the namespace-wide or the global default Sidecar.

outboundTrafficPolicy OutboundTrafficPolicy -

Configuration for the outbound traffic policy. If your -application uses one or more external services that are not known -apriori, setting the policy to ALLOW_ANY will cause the -sidecars to route any unknown traffic originating from the -application to its requested destination. If not specified, -inherits the system detected defaults from the namespace-wide or +

Configuration for the outbound traffic policy. If your
+application uses one or more external services that are not known
+apriori, setting the policy to ALLOW_ANY will cause the
+sidecars to route any unknown traffic originating from the
+application to its requested destination. If not specified,
+inherits the system detected defaults from the namespace-wide or
the global default Sidecar.

@@ -588,11 +532,11 @@

IstioIngressListener

@@ -604,7 +548,7 @@

IstioIngressListener

@@ -616,13 +560,13 @@

IstioIngressListener

@@ -634,8 +578,8 @@

IstioIngressListener

@@ -648,7 +592,7 @@

IstioIngressListener

IstioEgressListener

-

IstioEgressListener specifies the properties of an outbound traffic +

IstioEgressListener specifies the properties of an outbound traffic
listener on the sidecar proxy attached to a workload instance.

bind string -

The IP(IPv4 or IPv6) to which the listener should be bound. -Unix domain socket addresses are not allowed in -the bind field for ingress listeners. If omitted, Istio will -automatically configure the defaults based on imported services -and the workload instances to which this configuration is applied +

The IP(IPv4 or IPv6) to which the listener should be bound.
+Unix domain socket addresses are not allowed in
+the bind field for ingress listeners. If omitted, Istio will
+automatically configure the defaults based on imported services
+and the workload instances to which this configuration is applied
to.

captureMode CaptureMode -

The captureMode option dictates how traffic to the listener is +

The captureMode option dictates how traffic to the listener is
expected to be captured (or not).

defaultEndpoint string -

The IP endpoint or Unix domain socket to which -traffic should be forwarded to. This configuration can be used to -redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port -or Unix domain socket where the application workload instance is listening for -connections. Arbitrary IPs are not supported. Format should be one of -127.0.0.1:PORT, [::1]:PORT (forward to localhost), -0.0.0.0:PORT, [::]:PORT (forward to the instance IP), +

The IP endpoint or Unix domain socket to which
+traffic should be forwarded to. This configuration can be used to
+redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port
+or Unix domain socket where the application workload instance is listening for
+connections. Arbitrary IPs are not supported. Format should be one of
+127.0.0.1:PORT, [::1]:PORT (forward to localhost),
+0.0.0.0:PORT, [::]:PORT (forward to the instance IP),
or unix:///path/to/socket (forward to Unix domain socket).

tls ServerTLSSettings -

Set of TLS related options that will enable TLS termination on the -sidecar for requests originating from outside the mesh. +

Set of TLS related options that will enable TLS termination on the
+sidecar for requests originating from outside the mesh.
Currently supports only SIMPLE and MUTUAL TLS modes.

@@ -665,14 +609,14 @@

IstioEgressListener

@@ -684,12 +628,12 @@

IstioEgressListener

@@ -701,8 +645,8 @@

IstioEgressListener

@@ -714,32 +658,29 @@

IstioEgressListener

@@ -752,14 +693,14 @@

IstioEgressListener

WorkloadSelector

-

WorkloadSelector specifies the criteria used to determine if the -Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule -configuration can be applied to a proxy. The matching criteria -includes the metadata associated with a proxy, workload instance -info such as labels attached to the pod/VM, or any other info that -the proxy provides to Istio during the initial handshake. If -multiple conditions are specified, all conditions need to match in -order for the workload instance to be selected. Currently, only +

WorkloadSelector specifies the criteria used to determine if the
+Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule
+configuration can be applied to a proxy. The matching criteria
+includes the metadata associated with a proxy, workload instance
+info such as labels attached to the pod/VM, or any other info that
+the proxy provides to Istio during the initial handshake. If
+multiple conditions are specified, all conditions need to match in
+order for the workload instance to be selected. Currently, only
label based selection mechanism is supported.

port Port -

The port associated with the listener. If using Unix domain socket, -use 0 as the port number, with a valid protocol. The port if -specified, will be used as the default destination port associated -with the imported hosts. If the port is omitted, Istio will infer the -listener ports based on the imported hosts. Note that when multiple -egress listeners are specified, where one or more listeners have -specific ports while others have no port, the hosts exposed on a -listener port will be based on the listener with the most specific +

The port associated with the listener. If using Unix domain socket,
+use 0 as the port number, with a valid protocol. The port if
+specified, will be used as the default destination port associated
+with the imported hosts. If the port is omitted, Istio will infer the
+listener ports based on the imported hosts. Note that when multiple
+egress listeners are specified, where one or more listeners have
+specific ports while others have no port, the hosts exposed on a
+listener port will be based on the listener with the most specific
port.

bind string -

The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound -to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or -unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If -omitted, Istio will automatically configure the defaults based on imported -services, the workload instances to which this configuration is applied to and -the captureMode. If captureMode is NONE, bind will default to +

The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound
+to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or
+unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If
+omitted, Istio will automatically configure the defaults based on imported
+services, the workload instances to which this configuration is applied to and
+the captureMode. If captureMode is NONE, bind will default to
127.0.0.1.

captureMode CaptureMode -

When the bind address is an IP, the captureMode option dictates -how traffic to the listener is expected to be captured (or not). +

When the bind address is an IP, the captureMode option dictates
+how traffic to the listener is expected to be captured (or not).
captureMode must be DEFAULT or NONE for Unix domain socket binds.

hosts string[] -

One or more service hosts exposed by the listener -in namespace/dnsName format. Services in the specified namespace -matching dnsName will be exposed. -The corresponding service can be a service in the service registry -(e.g., a Kubernetes or cloud foundry service) or a service specified -using a ServiceEntry or VirtualService configuration. Any +

One or more service hosts exposed by the listener
+in namespace/dnsName format. Services in the specified namespace
+matching dnsName will be exposed.
+The corresponding service can be a service in the service registry
+(e.g., a Kubernetes or cloud foundry service) or a service specified
+using a ServiceEntry or VirtualService configuration. Any
associated DestinationRule in the same namespace will also be used.

- -

The dnsName should be specified using FQDN format, optionally including -a wildcard character in the left-most component (e.g., prod/*.example.com). -Set the dnsName to * to select all services from the specified namespace +

The dnsName should be specified using FQDN format, optionally including
+a wildcard character in the left-most component (e.g., prod/*.example.com).
+Set the dnsName to * to select all services from the specified namespace
(e.g., prod/*).

- -

The namespace can be set to *, ., or ~, representing any, the current, -or no namespace, respectively. For example, */foo.example.com selects the -service from any available namespace while ./foo.example.com only selects -the service from the namespace of the sidecar. If a host is set to */*, -Istio will configure the sidecar to be able to reach every service in the -mesh that is exported to the sidecar’s namespace. The value ~/* can be used -to completely trim the configuration for sidecars that simply receive traffic +

The namespace can be set to *, ., or ~, representing any, the current,
+or no namespace, respectively. For example, */foo.example.com selects the
+service from any available namespace while ./foo.example.com only selects
+the service from the namespace of the sidecar. If a host is set to */*,
+Istio will configure the sidecar to be able to reach every service in the
+mesh that is exported to the sidecar's namespace. The value ~/* can be used
+to completely trim the configuration for sidecars that simply receive traffic
and respond, but make no outbound connections of their own.

- -

NOTE: Only services and configuration artifacts exported to the sidecar’s -namespace (e.g., exportTo value of *) can be referenced. -Private configurations (e.g., exportTo set to .) will -not be available. Refer to the exportTo setting in VirtualService, +

NOTE: Only services and configuration artifacts exported to the sidecar's
+namespace (e.g., exportTo value of *) can be referenced.
+Private configurations (e.g., exportTo set to .) will
+not be available. Refer to the exportTo setting in VirtualService,
DestinationRule, and ServiceEntry configurations for details.

@@ -776,9 +717,9 @@

WorkloadSelector

@@ -791,14 +732,14 @@

WorkloadSelector

OutboundTrafficPolicy

-

OutboundTrafficPolicy sets the default behavior of the sidecar for -handling outbound traffic from the application. -If your application uses one or more external -services that are not known apriori, setting the policy to ALLOW_ANY -will cause the sidecars to route any unknown traffic originating from -the application to its requested destination. Users are strongly -encouraged to use ServiceEntry configurations to explicitly declare any external -dependencies, instead of using ALLOW_ANY, so that traffic to these +

OutboundTrafficPolicy sets the default behavior of the sidecar for
+handling outbound traffic from the application.
+If your application uses one or more external
+services that are not known apriori, setting the policy to ALLOW_ANY
+will cause the sidecars to route any unknown traffic originating from
+the application to its requested destination. Users are strongly
+encouraged to use ServiceEntry configurations to explicitly declare any external
+dependencies, instead of using ALLOW_ANY, so that traffic to these
services can be monitored.

labels map<string, string> -

One or more labels that indicate a specific set of pods/VMs -on which the configuration should be applied. The scope of -label search is restricted to the configuration namespace in which the +

One or more labels that indicate a specific set of pods/VMs
+on which the configuration should be applied. The scope of
+label search is restricted to the configuration namespace in which the
the resource is present.

@@ -836,7 +777,7 @@

OutboundTrafficPolicy.Mode

@@ -844,7 +785,7 @@

OutboundTrafficPolicy.Mode

@@ -854,7 +795,7 @@

OutboundTrafficPolicy.Mode

CaptureMode

-

CaptureMode describes how traffic to a listener is expected to be +

CaptureMode describes how traffic to a listener is expected to be
captured. Applicable only when the listener is bound to an IP.

REGISTRY_ONLY -

Outbound traffic will be restricted to services defined in the +

Outbound traffic will be restricted to services defined in the
service registry as well as those defined through ServiceEntry configurations.

ALLOW_ANY -

Outbound traffic to unknown destinations will be allowed, in case +

Outbound traffic to unknown destinations will be allowed, in case
there are no services or ServiceEntry configurations for the destination port.

@@ -882,10 +823,10 @@

CaptureMode

diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html index a9106ff481a16..857e045e37e18 100644 --- a/content/en/docs/reference/config/networking/virtual-service/index.html +++ b/content/en/docs/reference/config/networking/virtual-service/index.html @@ -1,60 +1,50 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Virtual Service description: Configuration affecting label/content routing, sni routing, etc. location: https://istio.io/docs/reference/config/networking/virtual-service.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.VirtualService aliases: [/docs/reference/config/networking/v1alpha3/virtual-service] number_of_entries: 27 --- -

Configuration affecting traffic routing. Here are a few terms useful to define +

Configuration affecting traffic routing. Here are a few terms useful to define
in the context of traffic routing.

- -

Service a unit of application behavior bound to a unique name in a -service registry. Services consist of multiple network endpoints +

Service a unit of application behavior bound to a unique name in a
+service registry. Services consist of multiple network endpoints
implemented by workload instances running on pods, containers, VMs etc.

- -

Service versions (a.k.a. subsets) - In a continuous deployment -scenario, for a given service, there can be distinct subsets of -instances running different variants of the application binary. These -variants are not necessarily different API versions. They could be -iterative changes to the same service, deployed in different -environments (prod, staging, dev, etc.). Common scenarios where this -occurs include A/B testing, canary rollouts, etc. The choice of a -particular version can be decided based on various criterion (headers, -url, etc.) and/or by weights assigned to each version. Each service has +

Service versions (a.k.a. subsets) - In a continuous deployment
+scenario, for a given service, there can be distinct subsets of
+instances running different variants of the application binary. These
+variants are not necessarily different API versions. They could be
+iterative changes to the same service, deployed in different
+environments (prod, staging, dev, etc.). Common scenarios where this
+occurs include A/B testing, canary rollouts, etc. The choice of a
+particular version can be decided based on various criterion (headers,
+url, etc.) and/or by weights assigned to each version. Each service has
a default version consisting of all its instances.

-

Source - A downstream client calling a service.

- -

Host - The address used by a client when attempting to connect to a +

Host - The address used by a client when attempting to connect to a
service.

- -

Access model - Applications address only the destination service -(Host) without knowledge of individual service versions (subsets). The -actual choice of the version is determined by the proxy/sidecar, enabling the -application code to decouple itself from the evolution of dependent +

Access model - Applications address only the destination service
+(Host) without knowledge of individual service versions (subsets). The
+actual choice of the version is determined by the proxy/sidecar, enabling the
+application code to decouple itself from the evolution of dependent
services.

- -

A VirtualService defines a set of traffic routing rules to apply when a host is -addressed. Each routing rule defines matching criteria for traffic of a specific -protocol. If the traffic is matched, then it is sent to a named destination service +

A VirtualService defines a set of traffic routing rules to apply when a host is
+addressed. Each routing rule defines matching criteria for traffic of a specific
+protocol. If the traffic is matched, then it is sent to a named destination service
(or subset/version of it) defined in the registry.

- -

The source of traffic can also be matched in a routing rule. This allows routing +

The source of traffic can also be matched in a routing rule. This allows routing
to be customized for specific client contexts.

- -

The following example on Kubernetes, routes all HTTP traffic by default to -pods of the reviews service with label “version: v1”. In addition, -HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will -be rewritten to /newcatalog and sent to pods with label “version: v2”.

- -

{{}} -{{}}

- +

The following example on Kubernetes, routes all HTTP traffic by default to
+pods of the reviews service with label "version: v1". In addition,
+HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
+be rewritten to /newcatalog and sent to pods with label "version: v2".

+

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
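Review bot: the front matter of this file now points `source_repo` at `https://github.com/ericvn/api` and the DO-NOT-EDIT banner at the same fork, and `layout` changes from `protoc-gen-docs` to `partner-component`. That is fine for a test render, but both must be restored to `https://github.com/istio/api` and the original layout before merge; otherwise every reference page sends contributors to a personal fork and the rendered pages pick up a layout meant for a different section of the site. Minor, in the same hunk: `based on various criterion (headers, url, etc.)` should read `criteria`; that text comes from the proto comment in istio/api.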
@@ -81,11 +71,8 @@
         host: reviews.prod.svc.cluster.local
         subset: v1
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -112,17 +99,13 @@
         host: reviews.prod.svc.cluster.local
         subset: v1
 
- -

{{}} -{{}}

- -

A subset/version of a route destination is identified with a reference -to a named service subset which must be declared in a corresponding +

{{}}
+{{}}

+

A subset/version of a route destination is identified with a reference
+to a named service subset which must be declared in a corresponding
DestinationRule.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -137,11 +120,8 @@
     labels:
       version: v2
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -156,9 +136,8 @@
     labels:
       version: v2
 
- -

{{}} -{{}}

+

{{}}
+{{}}

VirtualService

@@ -178,34 +157,30 @@

VirtualService

@@ -217,18 +192,18 @@

VirtualService

@@ -240,10 +215,10 @@

VirtualService

@@ -255,14 +230,14 @@

VirtualService

@@ -274,8 +249,8 @@

VirtualService

@@ -287,17 +262,15 @@

VirtualService

@@ -310,30 +283,26 @@

VirtualService

Destination

-

Destination indicates the network addressable service to which the -request/connection will be sent after processing a routing rule. The -destination.host should unambiguously refer to a service in the service -registry. Istio’s service registry is composed of all the services found -in the platform’s service registry (e.g., Kubernetes services, Consul -services), as well as services declared through the +

Destination indicates the network addressable service to which the
+request/connection will be sent after processing a routing rule. The
+destination.host should unambiguously refer to a service in the service
+registry. Istio's service registry is composed of all the services found
+in the platform's service registry (e.g., Kubernetes services, Consul
+services), as well as services declared through the
ServiceEntry resource.

- -

Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of the -actual namespace associated with the reviews service. To avoid potential -misconfigurations, it is recommended to always use fully qualified +

Note for Kubernetes users: When short names are used (e.g. "reviews"
+instead of "reviews.default.svc.cluster.local"), Istio will interpret
+the short name based on the namespace of the rule, not the service. A
+rule in the "default" namespace containing a host "reviews will be
+interpreted as "reviews.default.svc.cluster.local", irrespective of the
+actual namespace associated with the reviews service. To avoid potential
+misconfigurations, it is recommended to always use fully qualified
domain names over short names.

- -

The following Kubernetes example routes all traffic by default to pods -of the reviews service with label “version: v1” (i.e., subset v1), and +

The following Kubernetes example routes all traffic by default to pods
+of the reviews service with label "version: v1" (i.e., subset v1), and
some to subset v2, in a Kubernetes environment.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
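Review bot: the Kubernetes short-name note (`Note for Kubernetes users:` through `domain names over short names.`) has an unclosed quote, `a host "reviews will be`, carried over from the proto comment; it should be `a host "reviews" will be`, fixed in istio/api. The substance of the note is the important one on this page, since a short name resolved against the rule's namespace rather than the service's can silently route to a different workload, so the closing recommendation to use fully qualified names should stay exactly as written.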
@@ -359,11 +328,8 @@ 

Destination

host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -389,15 +355,11 @@ 

Destination

host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
- -

{{}} -{{}}

- +

{{}}
+{{}}

And the associated DestinationRule

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -413,11 +375,8 @@ 

Destination

labels: version: v2
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -433,23 +392,19 @@ 

Destination

labels: version: v2
- -

{{}} -{{}}

- -

The following VirtualService sets a timeout of 5s for all calls to -productpage.prod.svc.cluster.local service in Kubernetes. Notice that -there are no subsets defined in this rule. Istio will fetch all -instances of productpage.prod.svc.cluster.local service from the service -registry and populate the sidecar’s load balancing pool. Also, notice -that this rule is set in the istio-system namespace but uses the fully -qualified domain name of the productpage service, -productpage.prod.svc.cluster.local. Therefore the rule’s namespace does +

{{}}
+{{}}

+

The following VirtualService sets a timeout of 5s for all calls to
+productpage.prod.svc.cluster.local service in Kubernetes. Notice that
+there are no subsets defined in this rule. Istio will fetch all
+instances of productpage.prod.svc.cluster.local service from the service
+registry and populate the sidecar's load balancing pool. Also, notice
+that this rule is set in the istio-system namespace but uses the fully
+qualified domain name of the productpage service,
+productpage.prod.svc.cluster.local. Therefore the rule's namespace does
not have an impact in resolving the name of the productpage service.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -464,11 +419,8 @@ 

Destination

- destination: host: productpage.prod.svc.cluster.local
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -483,19 +435,15 @@ 

Destination

- destination: host: productpage.prod.svc.cluster.local
- -

{{}} -{{}}

- -

To control routing for traffic bound to services outside the mesh, external -services must first be added to Istio’s internal service registry using the -ServiceEntry resource. VirtualServices can then be defined to control traffic -bound to these external services. For example, the following rules define a +

{{}}
+{{}}

+

To control routing for traffic bound to services outside the mesh, external
+services must first be added to Istio's internal service registry using the
+ServiceEntry resource. VirtualServices can then be defined to control traffic
+bound to these external services. For example, the following rules define a
Service for wikipedia.org and set a timeout of 5s for HTTP requests.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -523,11 +471,8 @@ 

Destination

- destination: host: wikipedia.org
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -555,9 +500,8 @@ 

Destination

- destination: host: wikipedia.org
- -

{{}} -{{}}

+

{{}}
+{{}}

NONE -

No traffic capture. When used in an egress listener, the application is -expected to explicitly communicate with the listener port or Unix -domain socket. When used in an ingress listener, care needs to be taken -to ensure that the listener port is not in use by other processes on +

No traffic capture. When used in an egress listener, the application is
+expected to explicitly communicate with the listener port or Unix
+domain socket. When used in an ingress listener, care needs to be taken
+to ensure that the listener port is not in use by other processes on
the host.

hosts string[] -

The destination hosts to which traffic is being sent. Could -be a DNS name with wildcard prefix or an IP address. Depending on the -platform, short-names can also be used instead of a FQDN (i.e. has no -dots in the name). In such a scenario, the FQDN of the host would be +

The destination hosts to which traffic is being sent. Could
+be a DNS name with wildcard prefix or an IP address. Depending on the
+platform, short-names can also be used instead of a FQDN (i.e. has no
+dots in the name). In such a scenario, the FQDN of the host would be
derived based on the underlying platform.

- -

A single VirtualService can be used to describe all the traffic -properties of the corresponding hosts, including those for multiple -HTTP and TCP ports. Alternatively, the traffic properties of a host -can be defined using more than one VirtualService, with certain -caveats. Refer to the -Operations Guide +

A single VirtualService can be used to describe all the traffic
+properties of the corresponding hosts, including those for multiple
+HTTP and TCP ports. Alternatively, the traffic properties of a host
+can be defined using more than one VirtualService, with certain
+caveats. Refer to the
+Operations Guide
for details.

- -

Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully +

Note for Kubernetes users: When short names are used (e.g. "reviews"
+instead of "reviews.default.svc.cluster.local"), Istio will interpret
+the short name based on the namespace of the rule, not the service. A
+rule in the "default" namespace containing a host "reviews" will be
+interpreted as "reviews.default.svc.cluster.local", irrespective of
+the actual namespace associated with the reviews service. To avoid
+potential misconfigurations, it is recommended to always use fully
qualified domain names over short names.

- -

The hosts field applies to both HTTP and TCP services. Service inside -the mesh, i.e., those found in the service registry, must always be -referred to using their alphanumeric names. IP addresses are allowed +

The hosts field applies to both HTTP and TCP services. Service inside
+the mesh, i.e., those found in the service registry, must always be
+referred to using their alphanumeric names. IP addresses are allowed
only for services defined via the Gateway.

-

Note: It must be empty for a delegate VirtualService.

gateways string[] -

The names of gateways and sidecars that should apply these routes. -Gateways in other namespaces may be referred to by -<gateway namespace>/<gateway name>; specifying a gateway with no -namespace qualifier is the same as specifying the VirtualService’s -namespace. A single VirtualService is used for sidecars inside the mesh as -well as for one or more gateways. The selection condition imposed by this -field can be overridden using the source field in the match conditions -of protocol-specific routes. The reserved word mesh is used to imply -all the sidecars in the mesh. When this field is omitted, the default -gateway (mesh) will be used, which would apply the rule to all -sidecars in the mesh. If a list of gateway names is provided, the -rules will apply only to the gateways. To apply the rules to both +

The names of gateways and sidecars that should apply these routes.
+Gateways in other namespaces may be referred to by
+<gateway namespace>/<gateway name>; specifying a gateway with no
+namespace qualifier is the same as specifying the VirtualService's
+namespace. A single VirtualService is used for sidecars inside the mesh as
+well as for one or more gateways. The selection condition imposed by this
+field can be overridden using the source field in the match conditions
+of protocol-specific routes. The reserved word mesh is used to imply
+all the sidecars in the mesh. When this field is omitted, the default
+gateway (mesh) will be used, which would apply the rule to all
+sidecars in the mesh. If a list of gateway names is provided, the
+rules will apply only to the gateways. To apply the rules to both
gateways and sidecars, specify mesh as one of the gateway names.

http HTTPRoute[] -

An ordered list of route rules for HTTP traffic. HTTP routes will be -applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway -ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service -entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching +

An ordered list of route rules for HTTP traffic. HTTP routes will be
+applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway
+ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
+entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching
an incoming request is used.

tls TLSRoute[] -

An ordered list of route rule for non-terminated TLS & HTTPS -traffic. Routing is typically performed using the SNI value presented -by the ClientHello message. TLS routes will be applied to platform -service ports named ‘https-’, ‘tls-’, unterminated gateway ports using -HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service -entry ports using HTTPS/TLS protocols. The first rule matching an -incoming request is used. NOTE: Traffic ‘https-’ or ‘tls-’ ports -without associated virtual service will be treated as opaque TCP +

An ordered list of route rule for non-terminated TLS & HTTPS
+traffic. Routing is typically performed using the SNI value presented
+by the ClientHello message. TLS routes will be applied to platform
+service ports named 'https-', 'tls-', unterminated gateway ports using
+HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service
+entry ports using HTTPS/TLS protocols. The first rule matching an
+incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports
+without associated virtual service will be treated as opaque TCP
traffic.

tcp TCPRoute[] -

An ordered list of route rules for opaque TCP traffic. TCP routes will -be applied to any port that is not a HTTP or TLS port. The first rule +

An ordered list of route rules for opaque TCP traffic. TCP routes will
+be applied to any port that is not a HTTP or TLS port. The first rule
matching an incoming request is used.

exportTo string[] -

A list of namespaces to which this virtual service is exported. Exporting a -virtual service allows it to be used by sidecars and gateways defined in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of virtual services +

A list of namespaces to which this virtual service is exported. Exporting a
+virtual service allows it to be used by sidecars and gateways defined in
+other namespaces. This feature provides a mechanism for service owners
+and mesh administrators to control the visibility of virtual services
across namespace boundaries.

- -

If no namespaces are specified then the virtual service is exported to all +

If no namespaces are specified then the virtual service is exported to all
namespaces by default.

- -

The value “.” is reserved and defines an export to the same namespace that -the virtual service is declared in. Similarly the value “*” is reserved and +

The value "." is reserved and defines an export to the same namespace that
+the virtual service is declared in. Similarly the value "*" is reserved and
defines an export to all namespaces.
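Review bot: three wording slips are carried through unchanged here and should be fixed in the istio/api source comments rather than in this generated output: `Service inside the mesh, i.e., those found in the service registry, must always be` should read `Services inside the mesh`; `An ordered list of route rule for non-terminated TLS & HTTPS` should be `route rules`; and `NOTE: Traffic 'https-' or 'tls-' ports` is missing its preposition (`Traffic on 'https-' or 'tls-' ports`). The last one is the sentence telling operators that TLS ports without a matching VirtualService fall back to opaque TCP handling, so it is worth getting right.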

@@ -573,19 +517,18 @@

Destination

@@ -597,8 +540,8 @@

Destination

@@ -610,8 +553,8 @@

Destination

@@ -624,7 +567,7 @@

Destination

HTTPRoute

-

Describes match conditions and actions for routing HTTP/1.1, HTTP2, and +

Describes match conditions and actions for routing HTTP/1.1, HTTP2, and
gRPC traffic. See VirtualService for usage examples.

host string -

The name of a service from the service registry. Service -names are looked up from the platform’s service registry (e.g., -Kubernetes services, Consul services, etc.) and from the hosts -declared by ServiceEntry. Traffic forwarded to +

The name of a service from the service registry. Service
+names are looked up from the platform's service registry (e.g.,
+Kubernetes services, Consul services, etc.) and from the hosts
+declared by ServiceEntry. Traffic forwarded to
destinations that are not found in either of the two, will be dropped.

- -

Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfiguration, it is recommended to always use fully +

Note for Kubernetes users: When short names are used (e.g. "reviews"
+instead of "reviews.default.svc.cluster.local"), Istio will interpret
+the short name based on the namespace of the rule, not the service. A
+rule in the "default" namespace containing a host "reviews will be
+interpreted as "reviews.default.svc.cluster.local", irrespective of
+the actual namespace associated with the reviews service. To avoid
+potential misconfiguration, it is recommended to always use fully
qualified domain names over short names.

subset string -

The name of a subset within the service. Applicable only to services -within the mesh. The subset must be defined in a corresponding +

The name of a subset within the service. Applicable only to services
+within the mesh. The subset must be defined in a corresponding
DestinationRule.

port PortSelector -

Specifies the port on the host that is being addressed. If a service -exposes only a single port it is not required to explicitly select the +

Specifies the port on the host that is being addressed. If a service
+exposes only a single port it is not required to explicitly select the
port.

@@ -641,9 +584,9 @@

HTTPRoute

@@ -655,9 +598,9 @@

HTTPRoute

@@ -669,9 +612,9 @@

HTTPRoute

@@ -683,9 +626,9 @@

HTTPRoute

@@ -697,10 +640,9 @@

HTTPRoute

@@ -712,18 +654,15 @@

HTTPRoute

@@ -770,8 +709,8 @@

HTTPRoute

@@ -783,11 +722,11 @@

HTTPRoute

@@ -799,8 +738,8 @@

HTTPRoute

@@ -812,8 +751,8 @@

HTTPRoute

@@ -837,10 +776,9 @@

HTTPRoute

Delegate

-

Describes the delegate VirtualService. -The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, +

Describes the delegate VirtualService.
+The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage,
forward the traffic to /reviews by a delegate VirtualService named reviews.

-
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -864,7 +802,6 @@ 

Delegate

name: reviews namespace: nsB
-
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -882,7 +819,6 @@ 

Delegate

- destination: host: productpage.nsA.svc.cluster.local
-
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -920,8 +856,8 @@ 

Delegate

name string -

The name assigned to the route for debugging purposes. The -route’s name will be concatenated with the match’s name and will -be logged in the access logs for requests matching this +

The name assigned to the route for debugging purposes. The
+route's name will be concatenated with the match's name and will
+be logged in the access logs for requests matching this
route/match.

match HTTPMatchRequest[] -

Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule +

Match conditions to be satisfied for the rule to be
+activated. All conditions inside a single match block have AND
+semantics, while the list of match blocks have OR semantics. The rule
is matched if any one of the match blocks succeed.

route HTTPRouteDestination[] -

A HTTP rule can either return a direct_response, redirect or forward (default) traffic. -The forwarding target can be one of several versions of a service (see -glossary in beginning of document). Weights associated with the +

A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
+The forwarding target can be one of several versions of a service (see
+glossary in beginning of document). Weights associated with the
service version determine the proportion of traffic it receives.

redirect HTTPRedirect -

A HTTP rule can either return a direct_response, redirect or forward (default) traffic. -If traffic passthrough option is specified in the rule, -route/redirect will be ignored. The redirect primitive can be used to +

A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
+If traffic passthrough option is specified in the rule,
+route/redirect will be ignored. The redirect primitive can be used to
send a HTTP 301 redirect to a different URI or Authority.

directResponse HTTPDirectResponse -

A HTTP rule can either return a direct_response, redirect or forward (default) traffic. -Direct Response is used to specify a fixed response that should +

A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
+Direct Response is used to specify a fixed response that should
be sent to clients.

-

It can be set only when Route and Redirect are empty.

delegate Delegate -

Delegate is used to specify the particular VirtualService which +

Delegate is used to specify the particular VirtualService which
can be used to define delegate HTTPRoute.

- -

It can be set only when Route and Redirect are empty, and the route -rules of the delegate VirtualService will be merged with that in the +

It can be set only when Route and Redirect are empty, and the route
+rules of the delegate VirtualService will be merged with that in the
current one.

-

NOTE:

-
  1. Only one level delegation is supported.
  2. -
  3. The delegate’s HTTPMatchRequest must be a strict subset of the root’s, +
  4. The delegate's HTTPMatchRequest must be a strict subset of the root's,
    otherwise there is a conflict and the HTTPRoute will not take effect.
@@ -736,7 +675,7 @@

HTTPRoute

rewrite HTTPRewrite -

Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with +

Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with
Redirect primitive. Rewrite will be performed before forwarding.

fault HTTPFaultInjection -

Fault injection policy to apply on HTTP traffic at the client side. -Note that timeouts or retries will not be enabled when faults are +

Fault injection policy to apply on HTTP traffic at the client side.
+Note that timeouts or retries will not be enabled when faults are
enabled on the client side.

mirror Destination -

Mirror HTTP traffic to a another destination in addition to forwarding -the requests to the intended destination. Mirrored traffic is on a -best effort basis where the sidecar/gateway will not wait for the -mirrored cluster to respond before returning the response from the -original destination. Statistics will be generated for the mirrored +

Mirror HTTP traffic to a another destination in addition to forwarding
+the requests to the intended destination. Mirrored traffic is on a
+best effort basis where the sidecar/gateway will not wait for the
+mirrored cluster to respond before returning the response from the
+original destination. Statistics will be generated for the mirrored
destination.

mirrorPercentage Percent -

Percentage of the traffic to be mirrored by the mirror field. -If this field is absent, all the traffic (100%) will be mirrored. +

Percentage of the traffic to be mirrored by the mirror field.
+If this field is absent, all the traffic (100%) will be mirrored.
Max value is 100.

corsPolicy CorsPolicy -

Cross-Origin Resource Sharing policy (CORS). Refer to -CORS +

Cross-Origin Resource Sharing policy (CORS). Refer to
+CORS
for further details about cross origin resource sharing.

namespace string -

Namespace specifies the namespace where the delegate VirtualService resides. -By default, it is same to the root’s.

+

Namespace specifies the namespace where the delegate VirtualService resides.
+By default, it is same to the root's.
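Review bot: `Mirror HTTP traffic to a another destination` keeps the doubled article (`a another`) from the old rendering, and `By default, it is same to the root's.` would read better as `By default, it is the same as the root's.`; both originate in the upstream proto comments, so fix them in istio/api and regenerate rather than hand-editing the HTML.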

@@ -933,17 +869,15 @@

Delegate

Headers

-

Message headers can be manipulated when Envoy forwards requests to, -or responses from, a destination service. Header manipulation rules can -be specified for a specific route destination or for all destinations. -The following VirtualService adds a test header with the value true -to requests that are routed to any reviews service destination. -It also removes the foo response header, but only from responses +

Message headers can be manipulated when Envoy forwards requests to,
+or responses from, a destination service. Header manipulation rules can
+be specified for a specific route destination or for all destinations.
+The following VirtualService adds a test header with the value true
+to requests that are routed to any reviews service destination.
+It also removes the foo response header, but only from responses
coming from the v1 subset (version) of the reviews service.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -970,11 +904,8 @@ 

Headers

- foo weight: 75
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1001,9 +932,8 @@ 

Headers

- foo weight: 75
- -

{{}} -{{}}

+

{{}}
+{{}}

@@ -1019,7 +949,7 @@

Headers

@@ -1031,7 +961,7 @@

Headers

@@ -1044,14 +974,12 @@

Headers

TLSRoute

-

Describes match conditions and actions for routing unterminated TLS -traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS -traffic arriving at port 443 of gateway called “mygateway” to internal +

Describes match conditions and actions for routing unterminated TLS
+traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
+traffic arriving at port 443 of gateway called "mygateway" to internal
services in the mesh based on the SNI value.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
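Review bot: `routing unterminated TLS traffic (TLS/HTTPS) The following routing rule` is missing the full stop after `(TLS/HTTPS)` in both the old and the new text; since the sentence introduces the SNI-based passthrough example, add the period in the istio/api source comment so the regenerated page reads as two sentences.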
@@ -1077,11 +1005,8 @@ 

TLSRoute

- destination: host: reviews.prod.svc.cluster.local
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1107,9 +1032,8 @@ 

TLSRoute

- destination: host: reviews.prod.svc.cluster.local
- -

{{}} -{{}}

+

{{}}
+{{}}

request HeaderOperations -

Header manipulation rules to apply before forwarding a request +

Header manipulation rules to apply before forwarding a request
to the destination service

response HeaderOperations -

Header manipulation rules to apply before returning a response +

Header manipulation rules to apply before returning a response
to the caller

@@ -1125,9 +1049,9 @@

TLSRoute

@@ -1151,13 +1075,11 @@

TLSRoute

TCPRoute

-

Describes match conditions and actions for routing TCP traffic. The -following routing rule forwards traffic arriving at port 27017 for +

Describes match conditions and actions for routing TCP traffic. The
+following routing rule forwards traffic arriving at port 27017 for
mongo.prod.svc.cluster.local to another Mongo server on port 5555.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -1174,11 +1096,8 @@ 

TCPRoute

port: number: 5555
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1195,9 +1114,8 @@ 

TCPRoute

port: number: 5555
- -

{{}} -{{}}

+

{{}}
+{{}}

match TLSMatchAttributes[] -

Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule +

Match conditions to be satisfied for the rule to be
+activated. All conditions inside a single match block have AND
+semantics, while the list of match blocks have OR semantics. The rule
is matched if any one of the match blocks succeed.

@@ -1213,9 +1131,9 @@

TCPRoute

@@ -1239,15 +1157,13 @@

TCPRoute

HTTPMatchRequest

-

HttpMatchRequest specifies a set of criterion to be met in order for the -rule to be applied to the HTTP request. For example, the following -restricts the rule to match only requests where the URL path -starts with /ratings/v2/ and the request contains a custom end-user header +

HttpMatchRequest specifies a set of criterion to be met in order for the
+rule to be applied to the HTTP request. For example, the following
+restricts the rule to match only requests where the URL path
+starts with /ratings/v2/ and the request contains a custom end-user header
with value jason.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -1267,11 +1183,8 @@ 

HTTPMatchRequest

- destination: host: ratings.prod.svc.cluster.local
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1291,11 +1204,9 @@ 

HTTPMatchRequest

- destination: host: ratings.prod.svc.cluster.local
- -

{{}} -{{}}

- -

HTTPMatchRequest CANNOT be empty. +

{{}}
+{{}}

+

HTTPMatchRequest CANNOT be empty.
Note: No regex string match can be set when delegate VirtualService is specified.

match L4MatchAttributes[] -

Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule +

Match conditions to be satisfied for the rule to be
+activated. All conditions inside a single match block have AND
+semantics, while the list of match blocks have OR semantics. The rule
is matched if any one of the match blocks succeed.

@@ -1312,8 +1223,8 @@

HTTPMatchRequest

@@ -1325,18 +1236,20 @@

HTTPMatchRequest

@@ -1348,15 +1261,18 @@

HTTPMatchRequest

@@ -1368,15 +1284,18 @@

HTTPMatchRequest

@@ -1388,15 +1307,18 @@

HTTPMatchRequest

@@ -1408,20 +1330,21 @@

HTTPMatchRequest

@@ -1433,8 +1356,8 @@

HTTPMatchRequest

@@ -1446,9 +1369,9 @@

HTTPMatchRequest

@@ -1460,8 +1383,8 @@

HTTPMatchRequest

@@ -1474,21 +1397,22 @@

HTTPMatchRequest

@@ -1501,8 +1425,7 @@

HTTPMatchRequest

@@ -1514,7 +1437,7 @@

HTTPMatchRequest

@@ -1526,8 +1449,8 @@

HTTPMatchRequest

@@ -1539,11 +1462,11 @@

HTTPMatchRequest

@@ -1556,16 +1479,14 @@

HTTPMatchRequest

HTTPRouteDestination

-

Each routing rule is associated with one or more service versions (see -glossary in beginning of document). Weights associated with the version -determine the proportion of traffic it receives. For example, the -following rule will route 25% of traffic for the “reviews” service to -instances with the “v2” tag and the remaining traffic (i.e., 75%) to -“v1”.

- -

{{}} -{{}}

- +

Each routing rule is associated with one or more service versions (see
+glossary in beginning of document). Weights associated with the version
+determine the proportion of traffic it receives. For example, the
+following rule will route 25% of traffic for the "reviews" service to
+instances with the "v2" tag and the remaining traffic (i.e., 75%) to
+"v1".

+

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -1584,11 +1505,8 @@ 

HTTPRouteDestination

subset: v1 weight: 75
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1607,15 +1525,11 @@ 

HTTPRouteDestination

subset: v1 weight: 75
- -

{{}} -{{}}

- +

{{}}
+{{}}

And the associated DestinationRule

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
 metadata:
@@ -1630,11 +1544,8 @@ 

HTTPRouteDestination

labels: version: v2
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -1649,17 +1560,13 @@ 

HTTPRouteDestination

labels: version: v2
- -

{{}} -{{}}

- -

Traffic can also be split across two entirely different services without -having to define new subsets. For example, the following rule forwards 25% of +

{{}}
+{{}}

+

Traffic can also be split across two entirely different services without
+having to define new subsets. For example, the following rule forwards 25% of
traffic to reviews.com to dev.reviews.com

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -1676,11 +1583,8 @@ 

HTTPRouteDestination

host: reviews.com weight: 75
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -1697,9 +1601,8 @@ 

HTTPRouteDestination

host: reviews.com weight: 75
- -

{{}} -{{}}

+

{{}}
+{{}}

name string -

The name assigned to a match. The match’s name will be -concatenated with the parent route’s name and will be logged in +

The name assigned to a match. The match's name will be
+concatenated with the parent route's name and will be logged in
the access logs for requests matching this route.

uri StringMatch -

URI to match +

URI to match
values are case-sensitive and formatted as follows:

-
    -
  • exact: "value" for exact string match

  • - -
  • prefix: "value" for prefix-based match

  • - -
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  • +
  • +

    exact: "value" for exact string match

    +
  • +
  • +

    prefix: "value" for prefix-based match

    +
  • +
  • +

    regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    +
- -

Note: Case-insensitive matching could be enabled via the +

Note: Case-insensitive matching could be enabled via the
ignore_uri_case flag.

scheme StringMatch -

URI Scheme +

URI Scheme
values are case-sensitive and formatted as follows:

-
    -
  • exact: "value" for exact string match

  • - -
  • prefix: "value" for prefix-based match

  • - -
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  • +
  • +

    exact: "value" for exact string match

    +
  • +
  • +

    prefix: "value" for prefix-based match

    +
  • +
  • +

    regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    +
method StringMatch -

HTTP Method +

HTTP Method
values are case-sensitive and formatted as follows:

-
    -
  • exact: "value" for exact string match

  • - -
  • prefix: "value" for prefix-based match

  • - -
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  • +
  • +

    exact: "value" for exact string match

    +
  • +
  • +

    prefix: "value" for prefix-based match

    +
  • +
  • +

    regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    +
authority StringMatch -

HTTP Authority +

HTTP Authority
values are case-sensitive and formatted as follows:

-
    -
  • exact: "value" for exact string match

  • - -
  • prefix: "value" for prefix-based match

  • - -
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  • +
  • +

    exact: "value" for exact string match

    +
  • +
  • +

    prefix: "value" for prefix-based match

    +
  • +
  • +

    regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    +
headers map<string, StringMatch> -

The header keys must be lowercase and use hyphen as the separator, +

The header keys must be lowercase and use hyphen as the separator,
e.g. x-request-id.

-

Header values are case-sensitive and formatted as follows:

-
    -
  • exact: "value" for exact string match

  • - -
  • prefix: "value" for prefix-based match

  • - -
  • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

  • +
  • +

    exact: "value" for exact string match

    +
  • +
  • +

    prefix: "value" for prefix-based match

    +
  • +
  • +

    regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    +
- -

If the value is empty and only the name of header is specfied, presence of the header is checked. +

If the value is empty and only the name of header is specfied, presence of the header is checked.
Note: The keys uri, scheme, method, and authority will be ignored.

port uint32 -

Specifies the ports on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they support, +

Specifies the ports on the host that is being addressed. Many services
+only expose a single port or label ports with the protocols they support,
in these cases it is not required to explicitly select the port.

sourceLabels map<string, string> -

One or more labels that constrain the applicability of a rule to source (client) workloads -with the given labels. If the VirtualService has a list of gateways specified -in the top-level gateways field, it must include the reserved gateway +

One or more labels that constrain the applicability of a rule to source (client) workloads
+with the given labels. If the VirtualService has a list of gateways specified
+in the top-level gateways field, it must include the reserved gateway
mesh for this field to be applicable.

gateways string[] -

Names of gateways where the rule should be applied. Gateway names -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +

Names of gateways where the rule should be applied. Gateway names
+in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.

map<string, StringMatch>

Query parameters for matching.

-

Ex:

-
    -
  • For a query parameter like “?key=true”, the map key would be “key” and -the string match could be defined as exact: "true".

  • - -
  • For a query parameter like “?key”, the map key would be “key” and the -string match could be defined as exact: "".

  • - -
  • For a query parameter like “?key=123”, the map key would be “key” and the -string match could be defined as regex: "\d+$". Note that this -configuration will only match values like “123” but not “a123” or “123a”.

  • +
  • +

    For a query parameter like "?key=true", the map key would be "key" and
    +the string match could be defined as exact: "true".

    +
  • +
  • +

    For a query parameter like "?key", the map key would be "key" and the
    +string match could be defined as exact: "".

    +
  • +
  • +

    For a query parameter like "?key=123", the map key would be "key" and the
    +string match could be defined as regex: "\d+$". Note that this
    +configuration will only match values like "123" but not "a123" or "123a".

    +
-

Note: prefix matching is currently not supported.

bool

Flag to specify whether the URI matching should be case-insensitive.

- -

Note: The case will be ignored only in the case of exact and prefix +

Note: The case will be ignored only in the case of exact and prefix
URI matches.

withoutHeaders map<string, StringMatch> -

withoutHeader has the same syntax with the header, but has opposite meaning. +

withoutHeader has the same syntax with the header, but has opposite meaning.
If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

sourceNamespace string -

Source namespace constraining the applicability of a rule to workloads in that namespace. -If the VirtualService has a list of gateways specified in the top-level gateways field, +

Source namespace constraining the applicability of a rule to workloads in that namespace.
+If the VirtualService has a list of gateways specified in the top-level gateways field,
it must include the reserved gateway mesh for this field to be applicable.

statPrefix string -

The human readable prefix to use when emitting statistics for this route. -The statistics are generated with prefix route.. -This should be set for highly critical routes that one wishes to get “per-route” statistics on. -This prefix is only for proxy-level statistics (envoy*) and not service-level (istio*) statistics. -Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix +

The human readable prefix to use when emitting statistics for this route.
+The statistics are generated with prefix route.<stat_prefix>.
+This should be set for highly critical routes that one wishes to get "per-route" statistics on.
+This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics.
+Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix
for statistics that are generated when this is configured.
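Review bot: in the statPrefix description of this hunk the wildcard after `envoy_` and `istio_` is lost in the new rendering (`(envoy_)` and `(istio_)`), while the old rendering lost the underscore instead (`(envoy*)`, `(istio*)`), so the source comment evidently reads `envoy_*` and `istio_*` and the `_*` ... `_*` pair is being parsed as emphasis; escape the asterisks in the istio/api comment so the glob renders as written. Same hunk: `specfied` in the headers description is carried over unchanged and should be `specified`, and the withoutHeaders sentence "the traffic becomes not matched one" reads better as "the request is treated as not matched".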

@@ -1715,7 +1618,7 @@

HTTPRouteDestination

@@ -1727,8 +1630,8 @@

HTTPRouteDestination

@@ -1768,7 +1671,7 @@

RouteDestination

@@ -1780,8 +1683,8 @@

RouteDestination

@@ -1794,7 +1697,7 @@

RouteDestination

L4MatchAttributes

-

L4 connection match attributes. Note that L4 connection matching support +

L4 connection match attributes. Note that L4 connection matching support
is incomplete.

destination Destination -

Destination uniquely identifies the instances of a service +

Destination uniquely identifies the instances of a service
to which the request/connection should be forwarded to.

weight int32 -

Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. -If there is only one destination in a rule, it will receive all traffic. +

Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
+If there is only one destination in a rule, it will receive all traffic.
Otherwise, if weight is 0, the destination will not receive any traffic.

destination Destination -

Destination uniquely identifies the instances of a service +

Destination uniquely identifies the instances of a service
to which the request/connection should be forwarded to.

weight int32 -

Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. -If there is only one destination in a rule, it will receive all traffic. +

Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
+If there is only one destination in a rule, it will receive all traffic.
Otherwise, if weight is 0, the destination will not receive any traffic.
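Review bot: "to which the request/connection should be forwarded to" (the `destination` description for both HTTPRouteDestination and RouteDestination in this hunk) doubles the preposition; drop the trailing "to". It is inherited from the proto comment, so fix it there rather than in the generated HTML.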

@@ -1811,7 +1714,7 @@

L4MatchAttributes

@@ -1823,8 +1726,8 @@

L4MatchAttributes

@@ -1836,9 +1739,9 @@

L4MatchAttributes

@@ -1850,8 +1753,8 @@

L4MatchAttributes

@@ -1863,8 +1766,8 @@

L4MatchAttributes

@@ -1893,10 +1796,10 @@

TLSMatchAttributes

@@ -1919,9 +1822,9 @@

TLSMatchAttributes

@@ -1933,9 +1836,9 @@

TLSMatchAttributes

@@ -1947,8 +1850,8 @@

TLSMatchAttributes

@@ -1960,8 +1863,8 @@

TLSMatchAttributes

@@ -1974,15 +1877,13 @@

TLSMatchAttributes

HTTPRedirect

-

HTTPRedirect can be used to send a 301 redirect response to the caller, -where the Authority/Host and the URI in the response can be swapped with -the specified values. For example, the following rule redirects -requests for /v1/getProductRatings API on the ratings service to +

HTTPRedirect can be used to send a 301 redirect response to the caller,
+where the Authority/Host and the URI in the response can be swapped with
+the specified values. For example, the following rule redirects
+requests for /v1/getProductRatings API on the ratings service to
/v1/bookRatings provided by the bookratings service.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -1999,11 +1900,8 @@ 

HTTPRedirect

authority: newratings.default.svc.cluster.local ...
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2020,9 +1918,8 @@ 

HTTPRedirect

authority: newratings.default.svc.cluster.local ...
- -

{{}} -{{}}

+

{{}}
+{{}}

destinationSubnets string[] -

IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., +

IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
a.b.c.d/xx form or just a.b.c.d.

port uint32 -

Specifies the port on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they support, +

Specifies the port on the host that is being addressed. Many services
+only expose a single port or label ports with the protocols they support,
in these cases it is not required to explicitly select the port.

sourceLabels map<string, string> -

One or more labels that constrain the applicability of a rule to -workloads with the given labels. If the VirtualService has a list of -gateways specified in the top-level gateways field, it should include the reserved gateway +

One or more labels that constrain the applicability of a rule to
+workloads with the given labels. If the VirtualService has a list of
+gateways specified in the top-level gateways field, it should include the reserved gateway
mesh in order for this field to be applicable.

gateways string[] -

Names of gateways where the rule should be applied. Gateway names -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +

Names of gateways where the rule should be applied. Gateway names
+in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.

sourceNamespace string -

Source namespace constraining the applicability of a rule to workloads in that namespace. -If the VirtualService has a list of gateways specified in the top-level gateways field, +

Source namespace constraining the applicability of a rule to workloads in that namespace.
+If the VirtualService has a list of gateways specified in the top-level gateways field,
it must include the reserved gateway mesh for this field to be applicable.

sniHosts string[] -

SNI (server name indicator) to match on. Wildcard prefixes -can be used in the SNI value, e.g., *.com will match foo.example.com -as well as example.com. An SNI value must be a subset (i.e., fall -within the domain) of the corresponding virtual serivce’s hosts.

+

SNI (server name indicator) to match on. Wildcard prefixes
+can be used in the SNI value, e.g., *.com will match foo.example.com
+as well as example.com. An SNI value must be a subset (i.e., fall
+within the domain) of the corresponding virtual serivce's hosts.
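Review bot: the sourceLabels text in this hunk says the top-level gateways list "should include the reserved gateway mesh", while the HTTPMatchRequest version and the sourceNamespace description in the same file say "must include"; pick one wording, and "must" is the accurate one since the field is simply not applicable otherwise. Also `serivce's` in the sniHosts description is carried over and should be `service's`.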

@@ -1907,7 +1810,7 @@

TLSMatchAttributes

destinationSubnets string[] -

IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., +

IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
a.b.c.d/xx form or just a.b.c.d.

port uint32 -

Specifies the port on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they -support, in these cases it is not required to explicitly select the +

Specifies the port on the host that is being addressed. Many services
+only expose a single port or label ports with the protocols they
+support, in these cases it is not required to explicitly select the
port.

sourceLabels map<string, string> -

One or more labels that constrain the applicability of a rule to -workloads with the given labels. If the VirtualService has a list of -gateways specified in the top-level gateways field, it should include the reserved gateway +

One or more labels that constrain the applicability of a rule to
+workloads with the given labels. If the VirtualService has a list of
+gateways specified in the top-level gateways field, it should include the reserved gateway
mesh in order for this field to be applicable.

gateways string[] -

Names of gateways where the rule should be applied. Gateway names -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +

Names of gateways where the rule should be applied. Gateway names
+in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
match is independent of sourceLabels.

sourceNamespace string -

Source namespace constraining the applicability of a rule to workloads in that namespace. -If the VirtualService has a list of gateways specified in the top-level gateways field, +

Source namespace constraining the applicability of a rule to workloads in that namespace.
+If the VirtualService has a list of gateways specified in the top-level gateways field,
it must include the reserved gateway mesh for this field to be applicable.

@@ -2038,8 +1935,8 @@

HTTPRedirect

@@ -2051,7 +1948,7 @@

HTTPRedirect

@@ -2074,9 +1971,11 @@

HTTPRedirect

@@ -2101,7 +2000,7 @@

HTTPRedirect

@@ -2114,13 +2013,11 @@

HTTPRedirect

HTTPDirectResponse

-

HTTPDirectResponse can be used to send a fixed response to clients. -For example, the following rule returns a fixed 503 status with a body +

HTTPDirectResponse can be used to send a fixed response to clients.
+For example, the following rule returns a fixed 503 status with a body
to requests for /v1/getProductRatings API.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -2138,11 +2035,8 @@ 

HTTPDirectResponse

string: "unknown error" ...
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2160,16 +2054,12 @@ 

HTTPDirectResponse

string: "unknown error" ...
- -

{{}} -{{}}

- -

It is also possible to specify a binary response body. +

{{}}
+{{}}

+

It is also possible to specify a binary response body.
This is mostly useful for non text-based protocols such as gRPC.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -2187,11 +2077,8 @@ 

HTTPDirectResponse

bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2209,17 +2096,13 @@ 

HTTPDirectResponse

bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
- -

{{}} -{{}}

- -

It is good practice to add headers in the HTTPRoute -as well as the direct_response, for example to specify +

{{}}
+{{}}

+

It is good practice to add headers in the HTTPRoute
+as well as the direct_response, for example to specify
the returned Content-Type.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -2241,11 +2124,8 @@ 

HTTPDirectResponse

content-type: "appliation/json" ...
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2267,9 +2147,8 @@ 

HTTPDirectResponse

content-type: "text/plain" ...
- -

{{}} -{{}}

+

{{}}
+{{}}

uri string -

On a redirect, overwrite the Path portion of the URL with this -value. Note that the entire path will be replaced, irrespective of the +

On a redirect, overwrite the Path portion of the URL with this
+value. Note that the entire path will be replaced, irrespective of the
request URI being matched as an exact path or prefix.

authority string -

On a redirect, overwrite the Authority/Host portion of the URL with +

On a redirect, overwrite the Authority/Host portion of the URL with
this value.

derivePort RedirectPortSelection (oneof) -

On a redirect, dynamically set the port: -* FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. -* FROM_REQUEST_PORT: automatically use the port of the request.

+

On a redirect, dynamically set the port:

+
    +
  • FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
  • +
  • FROM_REQUEST_PORT: automatically use the port of the request.
  • +
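Review bot: the two Content-Type examples in this hunk disagree: the v1alpha3 tab sets `content-type: "appliation/json"` (misspelt) and the v1beta1 tab sets `content-type: "text/plain"`, although the tabs are meant to show the same rule apart from apiVersion. Fix the spelling to `application/json` and make both tabs use the same value.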
@@ -2087,9 +1986,9 @@

HTTPRedirect

scheme string -

On a redirect, overwrite the scheme portion of the URL with this value. -For example, http or https. -If unset, the original scheme will be used. +

On a redirect, overwrite the scheme portion of the URL with this value.
+For example, http or https.
+If unset, the original scheme will be used.
If derivePort is set to FROM_PROTOCOL_DEFAULT, this will impact the port used as well

redirectCode uint32 -

On a redirect, Specifies the HTTP status code to use in the redirect +

On a redirect, Specifies the HTTP status code to use in the redirect
response. The default response code is MOVED_PERMANENTLY (301).
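Review bot: the scheme description in this hunk ends without a period ("this will impact the port used as well") and the redirectCode sentence capitalises "Specifies" mid-sentence; both come from the source comments and should be fixed in istio/api, not in the generated page.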

@@ -2296,7 +2175,7 @@

HTTPDirectResponse

@@ -2346,15 +2225,13 @@

HTTPBody

HTTPRewrite

-

HTTPRewrite can be used to rewrite specific parts of a HTTP request -before forwarding the request to the destination. Rewrite primitive can -be used only with HTTPRouteDestination. The following example -demonstrates how to rewrite the URL prefix for api call (/ratings) to +

HTTPRewrite can be used to rewrite specific parts of a HTTP request
+before forwarding the request to the destination. Rewrite primitive can
+be used only with HTTPRouteDestination. The following example
+demonstrates how to rewrite the URL prefix for api call (/ratings) to
ratings service before making the actual API call.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -2373,11 +2250,8 @@ 

HTTPRewrite

host: ratings.prod.svc.cluster.local subset: v1
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2396,9 +2270,8 @@ 

HTTPRewrite

host: ratings.prod.svc.cluster.local subset: v1
- -

{{}} -{{}}

+

{{}}
+{{}}

body HTTPBody -

Specifies the content of the response body. If this setting is omitted, +

Specifies the content of the response body. If this setting is omitted,
no body is included in the generated response.

@@ -2414,8 +2287,8 @@

HTTPRewrite

@@ -2439,7 +2312,7 @@

HTTPRewrite

StringMatch

-

Describes how to match a given string in HTTP headers. Match is +

Describes how to match a given string in HTTP headers. Match is
case-sensitive.

uri string -

rewrite the path (or the prefix) portion of the URI with this -value. If the original URI was matched based on prefix, the value +

rewrite the path (or the prefix) portion of the URI with this
+value. If the original URI was matched based on prefix, the value
provided in this field will replace the corresponding matched prefix.
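Review bot: the StringMatch description "Describes how to match a given string in HTTP headers" is narrower than the type's use on this page, where the same message backs uri, scheme, method, authority, queryParams and CorsPolicy.allowOrigins. Say "in HTTP headers, URIs and other request attributes", and qualify "Match is case-sensitive" with the one exception documented here, ignoreUriCase, which applies only to exact and prefix URI matches.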

@@ -2478,7 +2351,7 @@

StringMatch

regex string (oneof) -

RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

+

RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
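Review bot: the regex description should state whether the pattern has to match the whole string or may match a substring. The queryParams example earlier in this file says `regex: "\d+$"` matches "123" but not "a123", which only holds if the match is anchored to the full value; readers used to search-style regex APIs will otherwise write patterns that are looser or stricter than intended, which matters when these matches decide routing.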

@@ -2490,15 +2363,13 @@

StringMatch

HTTPRetry

-

Describes the retry policy to use when a HTTP request fails. For -example, the following rule sets the maximum number of retries to 3 when -calling ratings:v1 service, with a 2s timeout per retry attempt. -A retry will be attempted if there is a connect-failure, refused_stream +

Describes the retry policy to use when a HTTP request fails. For
+example, the following rule sets the maximum number of retries to 3 when
+calling ratings:v1 service, with a 2s timeout per retry attempt.
+A retry will be attempted if there is a connect-failure, refused_stream
or when the upstream server responds with Service Unavailable(503).

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -2516,11 +2387,8 @@ 

HTTPRetry

perTryTimeout: 2s retryOn: connect-failure,refused-stream,503
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2538,9 +2406,8 @@ 

HTTPRetry

perTryTimeout: 2s retryOn: gateway-error,connect-failure,refused-stream
- -

{{}} -{{}}

+

{{}}
+{{}}

@@ -2556,10 +2423,10 @@

HTTPRetry

@@ -2571,9 +2438,9 @@

HTTPRetry

@@ -2585,10 +2452,10 @@

HTTPRetry

@@ -2600,7 +2467,7 @@

HTTPRetry

@@ -2613,17 +2480,15 @@

HTTPRetry

CorsPolicy

-

Describes the Cross-Origin Resource Sharing (CORS) policy, for a given -service. Refer to CORS -for further details about cross origin resource sharing. For example, -the following rule restricts cross origin requests to those originating -from example.com domain using HTTP POST/GET, and sets the -Access-Control-Allow-Credentials header to false. In addition, it only +

Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
+service. Refer to CORS
+for further details about cross origin resource sharing. For example,
+the following rule restricts cross origin requests to those originating
+from example.com domain using HTTP POST/GET, and sets the
+Access-Control-Allow-Credentials header to false. In addition, it only
exposes X-Foo-bar header and sets an expiry period of 1 day.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -2647,11 +2512,8 @@ 

CorsPolicy

- X-Foo-Bar maxAge: "24h"
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2675,9 +2537,8 @@ 

CorsPolicy

- X-Foo-Bar maxAge: "24h"
- -

{{}} -{{}}

+

{{}}
+{{}}

attempts int32 -

Number of retries to be allowed for a given request. The interval -between retries will be determined automatically (25ms+). When request -timeout of the HTTP route -or per_try_timeout is configured, the actual number of retries attempted also depends on +

Number of retries to be allowed for a given request. The interval
+between retries will be determined automatically (25ms+). When request
+timeout of the HTTP route
+or per_try_timeout is configured, the actual number of retries attempted also depends on
the specified request timeout and per_try_timeout values.

perTryTimeout Duration -

Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. -Default is same value as request -timeout of the HTTP route, +

Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms.
+Default is same value as request
+timeout of the HTTP route,
which means no timeout.

retryOn string -

Specifies the conditions under which retry takes place. -One or more policies can be specified using a ‘,’ delimited list. -If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. -See the retry policies +

Specifies the conditions under which retry takes place.
+One or more policies can be specified using a ‘,’ delimited list.
+If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy.
+See the retry policies
and gRPC retry policies for more details.

retryRemoteLocalities BoolValue -

Flag to specify whether the retries should retry to other localities. +

Flag to specify whether the retries should retry to other localities.
See the retry plugin configuration for more details.
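Review bot: the HTTPRetry prose says a retry happens on "connect-failure, refused_stream or ... Service Unavailable(503)", but the example uses `refused-stream` (hyphen), which is the spelling the retryOn field takes; fix the underscore in the prose. The v1alpha3 and v1beta1 tabs also show different policies (`connect-failure,refused-stream,503` versus `gateway-error,connect-failure,refused-stream`) while the prose describes only the first; the tabs should be identical apart from apiVersion.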

@@ -2693,8 +2554,8 @@

CorsPolicy

@@ -2706,7 +2567,7 @@

CorsPolicy

@@ -2718,7 +2579,7 @@

CorsPolicy

@@ -2730,7 +2591,7 @@

CorsPolicy

@@ -2742,7 +2603,7 @@

CorsPolicy

@@ -2754,8 +2615,8 @@

CorsPolicy

@@ -2768,13 +2629,12 @@

CorsPolicy

HTTPFaultInjection

-

HTTPFaultInjection can be used to specify one or more faults to inject -while forwarding HTTP requests to the destination specified in a route. -Fault specification is part of a VirtualService rule. Faults include -aborting the Http request from downstream service, and/or delaying +

HTTPFaultInjection can be used to specify one or more faults to inject
+while forwarding HTTP requests to the destination specified in a route.
+Fault specification is part of a VirtualService rule. Faults include
+aborting the Http request from downstream service, and/or delaying
proxying of requests. A fault rule MUST HAVE delay or abort or both.

- -

Note: Delay and abort faults are independent of one another, even if +

Note: Delay and abort faults are independent of one another, even if
both are specified simultaneously.

allowOrigins StringMatch[] -

String patterns that match allowed origins. -An origin is allowed if any of the string matchers match. +

String patterns that match allowed origins.
+An origin is allowed if any of the string matchers match.
If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

allowMethods string[] -

List of HTTP methods allowed to access the resource. The content will +

List of HTTP methods allowed to access the resource. The content will
be serialized into the Access-Control-Allow-Methods header.

allowHeaders string[] -

List of HTTP headers that can be used when requesting the +

List of HTTP headers that can be used when requesting the
resource. Serialized to Access-Control-Allow-Headers header.

exposeHeaders string[] -

A list of HTTP headers that the browsers are allowed to +

A list of HTTP headers that the browsers are allowed to
access. Serialized into Access-Control-Expose-Headers header.

maxAge Duration -

Specifies how long the results of a preflight request can be +

Specifies how long the results of a preflight request can be
cached. Translates to the Access-Control-Max-Age header.

allowCredentials BoolValue -

Indicates whether the caller is allowed to send the actual request -(not the preflight) using credentials. Translates to +

Indicates whether the caller is allowed to send the actual request
+(not the preflight) using credentials. Translates to
Access-Control-Allow-Credentials header.
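Review bot: the allowOrigins description should warn that a `prefix` matcher is unsafe for origins: prefix matching on this page is plain string comparison ("prefix: "value" for prefix-based match"), so `prefix: "https://example.com"` also admits `https://example.com.attacker.example`, and this hunk says the matched client-supplied origin is then echoed back in Access-Control-Allow-Origin. Recommend `exact` for origins, or a regex that terminates at the host boundary, and say so explicitly where allowCredentials is true.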

@@ -2791,7 +2651,7 @@

HTTPFaultInjection

@@ -2803,7 +2663,7 @@

HTTPFaultInjection

@@ -2816,7 +2676,7 @@

HTTPFaultInjection

PortSelector

-

PortSelector specifies the number of a port to be used for +

PortSelector specifies the number of a port to be used for
matching or selection for final routing.

delay Delay -

Delay requests before forwarding, emulating various failures such as +

Delay requests before forwarding, emulating various failures such as
network issues, overloaded upstream service, etc.

abort Abort -

Abort Http request attempts and return error codes back to downstream +

Abort Http request attempts and return error codes back to downstream
service, giving the impression that the upstream service is faulty.

@@ -2898,7 +2758,7 @@

Headers.HeaderOperations

@@ -2922,14 +2782,12 @@

Headers.HeaderOperations

HTTPFaultInjection.Delay

-

Delay specification is used to inject latency into the request -forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the “v1” version of the “reviews” +

Delay specification is used to inject latency into the request
+forwarding path. The following example will introduce a 5 second delay
+in 1 out of every 1000 requests to the "v1" version of the "reviews"
service from all pods with label env: prod

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -2951,11 +2809,8 @@ 

HTTPFaultInjection.Delay

value: 0.1 fixedDelay: 5s
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -2977,12 +2832,10 @@ 

HTTPFaultInjection.Delay

value: 0.1 fixedDelay: 5s
- -

{{}} -{{}}

- -

The fixedDelay field is used to indicate the amount of delay in seconds. -The optional percentage field can be used to only delay a certain +

{{}}
+{{}}

+

The fixedDelay field is used to indicate the amount of delay in seconds.
+The optional percentage field can be used to only delay a certain
percentage of requests. If left unspecified, all request will be delayed.

add map<string, string> -

Append the given values to the headers specified by keys +

Append the given values to the headers specified by keys
(will create a comma-separated list of values)
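Review bot: "The fixedDelay field is used to indicate the amount of delay in seconds" in this hunk contradicts the fixedDelay field description further down, which gives the format as 1h/1m/1s/1ms; say "the amount of delay as a duration" instead. Also "all request will be delayed" should be "all requests will be delayed".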

@@ -2999,7 +2852,7 @@

HTTPFaultInjection.Delay

@@ -3022,8 +2875,8 @@

HTTPFaultInjection.Delay

@@ -3036,13 +2889,11 @@

HTTPFaultInjection.Delay

HTTPFaultInjection.Abort

-

Abort specification is used to prematurely abort a request with a -pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the “ratings” service “v1”.

- -

{{}} -{{}}

- +

Abort specification is used to prematurely abort a request with a
+pre-specified error code. The following example will return an HTTP 400
+error code for 1 out of every 1000 requests to the "ratings" service "v1".

+

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -3061,11 +2912,8 @@ 

HTTPFaultInjection.Abort

value: 0.1 httpStatus: 400
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -3084,13 +2932,11 @@ 

HTTPFaultInjection.Abort

value: 0.1 httpStatus: 400
- -

{{}} -{{}}

- -

The httpStatus field is used to indicate the HTTP status code to -return to the caller. The optional percentage field can be used to only -abort a certain percentage of requests. If not specified, all requests are +

{{}}
+{{}}

+

The httpStatus field is used to indicate the HTTP status code to
+return to the caller. The optional percentage field can be used to only
+abort a certain percentage of requests. If not specified, all requests are
aborted.

fixedDelay Duration (oneof) -

Add a fixed delay before forwarding the request. Format: +

Add a fixed delay before forwarding the request. Format:
1h/1m/1s/1ms. MUST be >=1ms.

percent int32 -

Percentage of requests on which the delay will be injected (0-100). -Use of integer percent value is deprecated. Use the double percentage +

Percentage of requests on which the delay will be injected (0-100).
+Use of integer percent value is deprecated. Use the double percentage
field instead.
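Review bot: the prose "1 out of every 1000 requests" in the Delay and Abort examples relies on the reader knowing that `percentage: value: 0.1` means 0.1 percent rather than a fraction of 0.1; the deprecated `percent` field here is documented as 0-100, but `percentage` is only described as "the double percentage field". State next to the examples that `percentage.value` is also on a 0-100 scale.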

@@ -3118,9 +2964,9 @@

HTTPFaultInjection.Abort

@@ -3145,7 +2991,6 @@

HTTPFaultInjection.Abort

google.protobuf.UInt32Value

Wrapper message for uint32.

-

The JSON representation for UInt32Value is JSON number.

grpcStatus string (oneof) -

GRPC status code to use to abort the request. The supported -codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md -Note: If you want to return the status “Unavailable”, then you should +

GRPC status code to use to abort the request. The supported
+codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md
+Note: If you want to return the status "Unavailable", then you should
specify the code as UNAVAILABLE(all caps), but not 14.

diff --git a/content/en/docs/reference/config/networking/workload-entry/index.html b/content/en/docs/reference/config/networking/workload-entry/index.html index 1c0a579a84359..73dfc1e017da1 100644 --- a/content/en/docs/reference/config/networking/workload-entry/index.html +++ b/content/en/docs/reference/config/networking/workload-entry/index.html @@ -1,41 +1,37 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Workload Entry description: Configuration affecting VMs onboarded into the mesh. location: https://istio.io/docs/reference/config/networking/workload-entry.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.WorkloadEntry aliases: [/docs/reference/config/networking/v1alpha3/workload-entry] number_of_entries: 1 --- -

WorkloadEntry enables operators to describe the properties of a -single non-Kubernetes workload such as a VM or a bare metal server -as it is onboarded into the mesh. A WorkloadEntry must be -accompanied by an Istio ServiceEntry that selects the workload -through the appropriate labels and provides the service definition -for a MESH_INTERNAL service (hostnames, port properties, etc.). A -ServiceEntry object can select multiple workload entries as well -as Kubernetes pods based on the label selector specified in the +

WorkloadEntry enables operators to describe the properties of a
+single non-Kubernetes workload such as a VM or a bare metal server
+as it is onboarded into the mesh. A WorkloadEntry must be
+accompanied by an Istio ServiceEntry that selects the workload
+through the appropriate labels and provides the service definition
+for a MESH_INTERNAL service (hostnames, port properties, etc.). A
+ServiceEntry object can select multiple workload entries as well
+as Kubernetes pods based on the label selector specified in the
service entry.

- -

When a workload connects to istiod, the status field in the -custom resource will be updated to indicate the health of the -workload along with other details, similar to how Kubernetes +

When a workload connects to istiod, the status field in the
+custom resource will be updated to indicate the health of the
+workload along with other details, similar to how Kubernetes
updates the status of a pod.

- -

The following example declares a workload entry representing a VM -for the details.bookinfo.com service. This VM has sidecar -installed and bootstrapped using the details-legacy service -account. The service is exposed on port 80 to applications in the -mesh. The HTTP traffic to this service is wrapped in Istio mutual -TLS and sent to sidecars on VMs on target port 8080, that in turn +

The following example declares a workload entry representing a VM
+for the details.bookinfo.com service. This VM has sidecar
+installed and bootstrapped using the details-legacy service
+account. The service is exposed on port 80 to applications in the
+mesh. The HTTP traffic to this service is wrapped in Istio mutual
+TLS and sent to sidecars on VMs on target port 8080, that in turn
forward it to the application on localhost on the same port.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: WorkloadEntry
 metadata:
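Review bot: the front matter in this hunk changes `source_repo` from `https://github.com/istio/api` to `https://github.com/ericvn/api` and `layout` from `protoc-gen-docs` to `partner-component`, and the same two-line change appears in the header hunk of every file in the patch (workload-group, wasm-plugin, authorization-policy). The fork URL must go back to istio/api before merge, otherwise the `WARNING: THIS IS AN AUTO-GENERATED FILE` line sends contributors to the wrong repository; if `partner-component` is the layout the new generator is meant to use, the commit message should say so, since nothing in the diff explains the switch. The rest of this hunk is re-wrapping inside paragraphs (`+single non-Kubernetes workload such as a VM or a bare metal server` and the lines after it), which does not change the rendered HTML.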
@@ -51,11 +47,8 @@
     app: details-legacy
     instance-id: vm1
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -71,15 +64,11 @@
     app: details-legacy
     instance-id: vm1
 
- -

{{}} -{{}}

- +

{{}}
+{{}}

and the associated service entry

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -98,11 +87,8 @@
     labels:
       app: details-legacy
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -121,19 +107,15 @@
     labels:
       app: details-legacy
 
- -

{{}} -{{}}

- -

The following example declares the same VM workload using -its fully qualified DNS name. The service entry’s resolution -mode should be changed to DNS to indicate that the client-side -sidecars should dynamically resolve the DNS name at runtime before +

{{}}
+{{}}

+

The following example declares the same VM workload using
+its fully qualified DNS name. The service entry's resolution
+mode should be changed to DNS to indicate that the client-side
+sidecars should dynamically resolve the DNS name at runtime before
forwarding the request.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: WorkloadEntry
 metadata:
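Review bot: this hunk and its neighbours (`@@ -51`, `@@ -71`, `@@ -98`, `@@ -149`, `@@ -169`, `@@ -196`, `@@ -219`) delete only the blank separator lines and re-break the shortcode lines around the v1alpha3/v1beta1 example tabs; the YAML bodies are untouched context. That is whitespace-only for the markup inside each tab, but because the closing and opening shortcode lines now sit directly next to each other, please spot-check the rendered WorkloadEntry page to confirm both API-version tabs still appear for the IP-address example and for the DNS-name example, whose description (`The service entry's resolution mode should be changed to DNS`) is the one substantive sentence in this region.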
@@ -149,11 +131,8 @@
     app: details-legacy
     instance-id: vm1
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: WorkloadEntry
 metadata:
@@ -169,15 +148,11 @@
     app: details-legacy
     instance-id: vm1
 
- -

{{}} -{{}}

- +

{{}}
+{{}}

and the associated service entry

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -196,11 +171,8 @@
     labels:
       app: details-legacy
 
- -

{{}}

- -

{{}}

- +

{{}}

+

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -219,9 +191,8 @@
     labels:
       app: details-legacy
 
- -

{{}} -{{}}

+

{{}}
+{{}}

WorkloadEntry

@@ -241,9 +212,9 @@

WorkloadEntry

@@ -255,19 +226,17 @@

WorkloadEntry

@@ -290,13 +259,13 @@

WorkloadEntry

@@ -308,22 +277,22 @@

WorkloadEntry

@@ -335,7 +304,7 @@

WorkloadEntry

@@ -347,9 +316,9 @@

WorkloadEntry

diff --git a/content/en/docs/reference/config/networking/workload-group/index.html b/content/en/docs/reference/config/networking/workload-group/index.html index 6797e88414615..73e9f034fed92 100644 --- a/content/en/docs/reference/config/networking/workload-group/index.html +++ b/content/en/docs/reference/config/networking/workload-group/index.html @@ -1,32 +1,29 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Workload Group description: Describes a collection of workload instances. location: https://istio.io/docs/reference/config/networking/workload-group.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.WorkloadGroup aliases: [/docs/reference/config/networking/v1alpha3/workload-group] number_of_entries: 7 --- -

WorkloadGroup describes a collection of workload instances. -It provides a specification that the workload instances can use to bootstrap -their proxies, including the metadata and identity. It is only intended to -be used with non-k8s workloads like Virtual Machines, and is meant to mimic -the existing sidecar injection and deployment specification model used for +

WorkloadGroup describes a collection of workload instances.
+It provides a specification that the workload instances can use to bootstrap
+their proxies, including the metadata and identity. It is only intended to
+be used with non-k8s workloads like Virtual Machines, and is meant to mimic
+the existing sidecar injection and deployment specification model used for
Kubernetes workloads to bootstrap Istio proxies.

- -

The following example declares a workload group representing a collection -of workloads that will be registered under reviews in namespace -bookinfo. The set of labels will be associated with each workload -instance during the bootstrap process, and the ports 3550 and 8080 -will be associated with the workload group and use service account default. +

The following example declares a workload group representing a collection
+of workloads that will be registered under reviews in namespace
+bookinfo. The set of labels will be associated with each workload
+instance during the bootstrap process, and the ports 3550 and 8080
+will be associated with the workload group and use service account default.
app.kubernetes.io/version is just an arbitrary example of a label.

- -

{{}} -{{}}

- +

{{}}
+{{}}

apiVersion: networking.istio.io/v1alpha3
 kind: WorkloadGroup
 metadata:
@@ -57,17 +54,16 @@
      - name: Lit-Header
        value: Im-The-Best
 
- -

{{}} -{{}}

+

{{}}
+{{}}

WorkloadGroup

-

WorkloadGroup enables specifying the properties of a single workload for bootstrap and -provides a template for WorkloadEntry, similar to how Deployment specifies properties -of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry. -WorkloadGroup has no relationship to resources which control service registry like ServiceEntry -and as such doesn’t configure host name for these workloads.

+

WorkloadGroup enables specifying the properties of a single workload for bootstrap and
+provides a template for WorkloadEntry, similar to how Deployment specifies properties
+of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry.
+WorkloadGroup has no relationship to resources which control service registry like ServiceEntry
+and as such doesn't configure host name for these workloads.

address string -

Address associated with the network endpoint without the -port. Domain names can be used if and only if the resolution is set -to DNS, and must be fully-qualified without wildcards. Use the form +

Address associated with the network endpoint without the
+port. Domain names can be used if and only if the resolution is set
+to DNS, and must be fully-qualified without wildcards. Use the form
unix:///absolute/path/to/socket for Unix domain socket endpoints.

ports map<string, uint32> -

Set of ports associated with the endpoint. If the port map is -specified, it must be a map of servicePortName to this endpoint’s -port, such that traffic to the service port will be forwarded to -the endpoint port that maps to the service’s portName. If -omitted, and the targetPort is specified as part of the service’s -port specification, traffic to the service port will be forwarded -to one of the endpoints on the specified targetPort. If both -the targetPort and endpoint’s port map are not specified, traffic -to a service port will be forwarded to one of the endpoints on +

Set of ports associated with the endpoint. If the port map is
+specified, it must be a map of servicePortName to this endpoint's
+port, such that traffic to the service port will be forwarded to
+the endpoint port that maps to the service's portName. If
+omitted, and the targetPort is specified as part of the service's
+port specification, traffic to the service port will be forwarded
+to one of the endpoints on the specified targetPort. If both
+the targetPort and endpoint's port map are not specified, traffic
+to a service port will be forwarded to one of the endpoints on
the same port.

-

NOTE 1: Do not use for unix:// addresses.

-

NOTE 2: endpoint port map takes precedence over targetPort.

network string -

Network enables Istio to group endpoints resident in the same L3 -domain/network. All endpoints in the same network are assumed to be -directly reachable from one another. When endpoints in different -networks cannot reach each other directly, an Istio Gateway can be -used to establish connectivity (usually using the -AUTO_PASSTHROUGH mode in a Gateway Server). This is -an advanced configuration used typically for spanning an Istio mesh +

Network enables Istio to group endpoints resident in the same L3
+domain/network. All endpoints in the same network are assumed to be
+directly reachable from one another. When endpoints in different
+networks cannot reach each other directly, an Istio Gateway can be
+used to establish connectivity (usually using the
+AUTO_PASSTHROUGH mode in a Gateway Server). This is
+an advanced configuration used typically for spanning an Istio mesh
over multiple clusters.

locality string -

The locality associated with the endpoint. A locality corresponds -to a failure domain (e.g., country/region/zone). Arbitrary failure -domain hierarchies can be represented by separating each -encapsulating failure domain by /. For example, the locality of an -an endpoint in US, in US-East-1 region, within availability zone -az-1, in data center rack r11 can be represented as -us/us-east-1/az-1/r11. Istio will configure the sidecar to route to -endpoints within the same locality as the sidecar. If none of the -endpoints in the locality are available, endpoints parent locality -(but within the same network ID) will be chosen. For example, if -there are two endpoints in same network (networkID “n1”), say e1 -with locality us/us-east-1/az-1/r11 and e2 with locality -us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality -will prefer e1 from the same locality over e2 from a different -locality. Endpoint e2 could be the IP associated with a gateway -(that bridges networks n1 and n2), or the IP associated with a +

The locality associated with the endpoint. A locality corresponds
+to a failure domain (e.g., country/region/zone). Arbitrary failure
+domain hierarchies can be represented by separating each
+encapsulating failure domain by /. For example, the locality of an
+an endpoint in US, in US-East-1 region, within availability zone
+az-1, in data center rack r11 can be represented as
+us/us-east-1/az-1/r11. Istio will configure the sidecar to route to
+endpoints within the same locality as the sidecar. If none of the
+endpoints in the locality are available, endpoints parent locality
+(but within the same network ID) will be chosen. For example, if
+there are two endpoints in same network (networkID "n1"), say e1
+with locality us/us-east-1/az-1/r11 and e2 with locality
+us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality
+will prefer e1 from the same locality over e2 from a different
+locality. Endpoint e2 could be the IP associated with a gateway
+(that bridges networks n1 and n2), or the IP associated with a
standard service endpoint.

weight uint32 -

The load balancing weight associated with the endpoint. Endpoints +

The load balancing weight associated with the endpoint. Endpoints
with higher weights will receive proportionally higher traffic.

serviceAccount string -

The service account associated with the workload if a sidecar -is present in the workload. The service account must be present -in the same namespace as the configuration ( WorkloadEntry or a +

The service account associated with the workload if a sidecar
+is present in the workload. The service account must be present
+in the same namespace as the configuration ( WorkloadEntry or a
ServiceEntry)
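Review bot: two documentation defects are carried straight through into the regenerated WorkloadEntry field table in this hunk and should be fixed in the source proto comments in istio/api rather than in this generated file: the `locality` description reads `the locality of an` followed by `+an endpoint in US` (doubled `an`), and the `serviceAccount` description ends `( WorkloadEntry or a` / `ServiceEntry)` with a stray space after the opening parenthesis. The regeneration itself only re-wraps these paragraphs; no wording changed.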

@@ -83,7 +79,7 @@

WorkloadGroup

@@ -95,10 +91,10 @@

WorkloadGroup

@@ -110,7 +106,7 @@

WorkloadGroup

@@ -148,7 +144,7 @@

ReadinessProbe

@@ -160,7 +156,7 @@

ReadinessProbe

@@ -172,7 +168,7 @@

ReadinessProbe

@@ -184,7 +180,7 @@

ReadinessProbe

@@ -196,7 +192,7 @@

ReadinessProbe

@@ -267,8 +263,8 @@

HTTPHealthCheckConfig

@@ -403,7 +399,7 @@

ExecHealthCheckConfig

WorkloadGroup.ObjectMeta

-

ObjectMeta describes metadata that will be attached to a WorkloadEntry. +

ObjectMeta describes metadata that will be attached to a WorkloadEntry.
It is a subset of the supported Kubernetes metadata.

metadata ObjectMeta -

Metadata that will be used for all corresponding WorkloadEntries. +

Metadata that will be used for all corresponding WorkloadEntries.
User labels for a workload group should be set here in metadata rather than in template.

template WorkloadEntry -

Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. -Please note that address and labels fields should not be set in the template, and an empty serviceAccount -should default to default. The workload identities (mTLS certificates) will be bootstrapped using the -specified service account’s token. Workload entries in this group will be in the same namespace as the +

Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup.
+Please note that address and labels fields should not be set in the template, and an empty serviceAccount
+should default to default. The workload identities (mTLS certificates) will be bootstrapped using the
+specified service account's token. Workload entries in this group will be in the same namespace as the
workload group, and inherit the labels and annotations from the above metadata field.

probe ReadinessProbe -

ReadinessProbe describes the configuration the user must provide for healthchecking on their workload. +

ReadinessProbe describes the configuration the user must provide for healthchecking on their workload.
This configuration mirrors K8S in both syntax and logic for the most part.

timeoutSeconds int32 -

Number of seconds after which the probe times out. +

Number of seconds after which the probe times out.
Defaults to 1 second. Minimum value is 1 second.

periodSeconds int32 -

How often (in seconds) to perform the probe. +

How often (in seconds) to perform the probe.
Default to 10 seconds. Minimum value is 1 second.

successThreshold int32 -

Minimum consecutive successes for the probe to be considered successful after having failed. +

Minimum consecutive successes for the probe to be considered successful after having failed.
Defaults to 1 second.

failureThreshold int32 -

Minimum consecutive failures for the probe to be considered failed after having succeeded. +

Minimum consecutive failures for the probe to be considered failed after having succeeded.
Defaults to 3 seconds.

httpGet HTTPHealthCheckConfig (oneof) -

httpGet is performed to a given endpoint +

httpGet is performed to a given endpoint
and the status/able to connect determines health.

host string -

Host name to connect to, defaults to the pod IP. You probably want to set -“Host” in httpHeaders instead.

+

Host name to connect to, defaults to the pod IP. You probably want to set
+"Host" in httpHeaders instead.

@@ -290,7 +286,7 @@

HTTPHealthCheckConfig

httpHeaders HTTPHeader[] -

Headers the proxy will pass on to make the request. +

Headers the proxy will pass on to make the request.
Allows repeated headers.
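Review bot: the readiness-probe descriptions carried over in this hunk give the wrong unit for two fields: `successThreshold` says `Defaults to 1 second.` and `failureThreshold` says `Defaults to 3 seconds.`, yet both are counts of consecutive probe results, not durations (compare `timeoutSeconds` and `periodSeconds` just above, whose units are right). Since the file is auto-generated the fix is `Defaults to 1.` and `Defaults to 3.` in the ReadinessProbe proto comments in istio/api, not an edit here, but it is worth filing before this page is regenerated again.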

diff --git a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html index b7e5be6495b9c..cbdf0aced391b 100644 --- a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -1,29 +1,25 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Wasm Plugin description: Extend the functionality provided by the Istio proxy through WebAssembly filters. location: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.extensions.v1alpha1.WasmPlugin aliases: [/docs/reference/config/extensions/v1alpha1/wasm-plugin] number_of_entries: 6 --- -

WasmPlugins provides a mechanism to extend the functionality provided by +

WasmPlugins provides a mechanism to extend the functionality provided by
the Istio proxy through WebAssembly filters.

- -

Order of execution (as part of Envoy’s filter chain) is determined by -phase and priority settings, allowing the configuration of complex -interactions between user-supplied WasmPlugins and Istio’s internal +

Order of execution (as part of Envoy's filter chain) is determined by
+phase and priority settings, allowing the configuration of complex
+interactions between user-supplied WasmPlugins and Istio's internal
filters.

-

Examples:

- -

AuthN Filter deployed to ingress-gateway that implements an OpenID flow -and populates the Authorization header with a JWT to be consumed by +

AuthN Filter deployed to ingress-gateway that implements an OpenID flow
+and populates the Authorization header with a JWT to be consumed by
Istio AuthN.

-
apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
@@ -40,9 +36,7 @@
     openid_server: authn
     openid_realm: ingress
 
-

This is the same as the last example, but using an OCI image.

-
apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
@@ -60,9 +54,7 @@
     openid_server: authn
     openid_realm: ingress
 
-

This is the same as the last example, but using VmConfig to configure environment variables in the VM.

-
apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
@@ -86,9 +78,7 @@
     - name: TRUST_DOMAIN
       value: "cluster.local"
 
-

This is also the same as the last example, but the Wasm module is pulled via https and updated for each time when this plugin resource is changed.

-
apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
@@ -111,22 +101,19 @@
     - name: TRUST_DOMAIN
       value: "cluster.local"
 
- -

And a more complex example that deploys three WasmPlugins and orders them -using phase and priority. The (hypothetical) setup is that the -openid-connect filter performs an OpenID Connect flow to authenticate the -user, writing a signed JWT into the Authorization header of the request, -which can be verified by the Istio authn plugin. Then, the acl-check plugin -kicks in, passing the JWT to a policy server, which in turn responds with a -signed token that contains information about which files and functions of the -system are available to the user that was previously authenticated. The -acl-check filter writes this token to a header. Finally, the check-header -filter verifies the token in that header and makes sure that the token’s -contents (the permitted ‘function’) matches its plugin configuration.

- -

The resulting filter chain looks like this: +

And a more complex example that deploys three WasmPlugins and orders them
+using phase and priority. The (hypothetical) setup is that the
+openid-connect filter performs an OpenID Connect flow to authenticate the
+user, writing a signed JWT into the Authorization header of the request,
+which can be verified by the Istio authn plugin. Then, the acl-check plugin
+kicks in, passing the JWT to a policy server, which in turn responds with a
+signed token that contains information about which files and functions of the
+system are available to the user that was previously authenticated. The
+acl-check filter writes this token to a header. Finally, the check-header
+filter verifies the token in that header and makes sure that the token's
+contents (the permitted 'function') matches its plugin configuration.

+

The resulting filter chain looks like this:
-> openid-connect -> istio.authn -> acl-check -> check-header -> router

-
apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
@@ -144,7 +131,6 @@
     openid_server: authn
     openid_realm: ingress
 
-
apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
@@ -163,7 +149,6 @@
     acl_server: some_server
     set_header: authz_complete
 
-
apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
@@ -186,7 +171,7 @@
 
 

WasmPlugin

-

WasmPlugins provides a mechanism to extend the functionality provided by +

WasmPlugins provides a mechanism to extend the functionality provided by
the Istio proxy through WebAssembly filters.

@@ -203,11 +188,11 @@

WasmPlugin

@@ -219,10 +204,10 @@

WasmPlugin

@@ -234,10 +219,10 @@

WasmPlugin

@@ -249,11 +234,11 @@

WasmPlugin

@@ -265,9 +250,9 @@

WasmPlugin

@@ -290,8 +275,8 @@

WasmPlugin

@@ -314,11 +299,11 @@

WasmPlugin

@@ -330,7 +315,7 @@

WasmPlugin

@@ -343,7 +328,7 @@

WasmPlugin

VmConfig

-

Configuration for a Wasm VM. +

Configuration for a Wasm VM.
more details can be found here.

selector WorkloadSelector -

Criteria used to select the specific set of pods/VMs on which -this plugin configuration should be applied. If omitted, this -configuration will be applied to all workload instances in the same -namespace. If the WasmPlugin is present in the config root -namespace, it will be applied to all applicable workloads in any +

Criteria used to select the specific set of pods/VMs on which
+this plugin configuration should be applied. If omitted, this
+configuration will be applied to all workload instances in the same
+namespace. If the WasmPlugin is present in the config root
+namespace, it will be applied to all applicable workloads in any
namespace.

url string -

URL of a Wasm module or OCI container. If no scheme is present, -defaults to oci://, referencing an OCI image. Other valid schemes -are file:// for referencing .wasm module files present locally -within the proxy container, and http[s]:// for .wasm module files +

URL of a Wasm module or OCI container. If no scheme is present,
+defaults to oci://, referencing an OCI image. Other valid schemes
+are file:// for referencing .wasm module files present locally
+within the proxy container, and http[s]:// for .wasm module files
hosted remotely.

sha256 string -

SHA256 checksum that will be used to verify Wasm module or OCI container. -If the url field already references a SHA256 (using the @sha256: -notation), it must match the value of this field. If an OCI image is -referenced by tag and this field is set, its checksum will be verified +

SHA256 checksum that will be used to verify Wasm module or OCI container.
+If the url field already references a SHA256 (using the @sha256:
+notation), it must match the value of this field. If an OCI image is
+referenced by tag and this field is set, its checksum will be verified
against the contents of this field after pulling.

imagePullPolicy PullPolicy -

The pull behaviour to be applied when fetching Wasm module by either -OCI image or http/https. Only relevant when referencing Wasm module without -any digest, including the digest in OCI image URL or sha256 field in vm_config. -Defaults to IfNotPresent, except when an OCI image is referenced in the url -and the latest tag is used, in which case Always is the default, +

The pull behaviour to be applied when fetching Wasm module by either
+OCI image or http/https. Only relevant when referencing Wasm module without
+any digest, including the digest in OCI image URL or sha256 field in vm_config.
+Defaults to IfNotPresent, except when an OCI image is referenced in the url
+and the latest tag is used, in which case Always is the default,
mirroring K8s behaviour.

imagePullSecret string -

Credentials to use for OCI image pulling. -Name of a K8s Secret in the same namespace as the WasmPlugin that -contains a docker pull secret which is to be used to authenticate +

Credentials to use for OCI image pulling.
+Name of a K8s Secret in the same namespace as the WasmPlugin that
+contains a docker pull secret which is to be used to authenticate
against the registry when pulling the image.

pluginName string -

The plugin name to be used in the Envoy configuration (used to be called -rootID). Some .wasm modules might require this value to select the Wasm +

The plugin name to be used in the Envoy configuration (used to be called
+rootID). Some .wasm modules might require this value to select the Wasm
plugin to execute.

priority Int64Value -

Determines ordering of WasmPlugins in the same phase. -When multiple WasmPlugins are applied to the same workload in the -same phase, they will be applied by priority, in descending order. -If priority is not set, or two WasmPlugins exist with the same -value, the ordering will be deterministically derived from name and +

Determines ordering of WasmPlugins in the same phase.
+When multiple WasmPlugins are applied to the same workload in the
+same phase, they will be applied by priority, in descending order.
+If priority is not set, or two WasmPlugins exist with the same
+value, the ordering will be deterministically derived from name and
namespace of the WasmPlugins. Defaults to 0.

vmConfig VmConfig -

Configuration for a Wasm VM. +

Configuration for a Wasm VM.
more details can be found here.
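Review bot: the `imagePullPolicy` description in this hunk refers to the `sha256 field in vm_config`, but the tables in this same file list `sha256` as a top-level WasmPlugin field and `vmConfig` as a sibling field whose only documented member is `env`; the sentence should point at the WasmPlugin `sha256` field and use the camelCase `vmConfig` the rest of the page uses. This is the sentence a reader consults to decide whether a pinned digest makes the pull policy irrelevant, so it should be corrected in the proto comment in istio/api. The `url` description (`If no scheme is present, defaults to oci://`) and the `sha256` description (`it must match the value of this field`) are unchanged apart from re-wrapping.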

@@ -360,7 +345,7 @@

VmConfig

@@ -387,7 +372,7 @@

EnvVar

@@ -399,8 +384,8 @@

EnvVar

@@ -470,7 +455,7 @@

PluginPhase

PullPolicy

-

The pull behaviour to be applied when fetching a Wam module, +

The pull behaviour to be applied when fetching a Wam module,
mirroring K8s behaviour.

env EnvVar[] -

Specifies environment variables to be injected to this VM. +

Specifies environment variables to be injected to this VM.
Note that if a key does not exist, it will be ignored.

name string -

Required +

Required
Name of the environment variable. Must be a C_IDENTIFIER.

valueFrom EnvValueSource -

Required -Source for the environment variable’s value.

+

Required
+Source for the environment variable's value.
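Review bot: `The pull behaviour to be applied when fetching a Wam module,` in the PullPolicy description is a typo for `Wasm` that the regeneration preserves; fix it in the PullPolicy enum comment in istio/api. In the same hunk the `value` description says `if value_from is HOST, it will be ignored` using the proto field name, while the table row for the same field is `valueFrom`; using the camelCase key consistently would avoid confusing readers who copy the YAML.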

@@ -411,9 +396,9 @@

EnvVar

value string -

Value for the environment variable. -Note that if value_from is HOST, it will be ignored. -Defaults to “”.

+

Value for the environment variable.
+Note that if value_from is HOST, it will be ignored.
+Defaults to "".

@@ -438,8 +423,8 @@

PluginPhase

UNSPECIFIED_PHASE -

Control plane decides where to insert the plugin. This will generally -be at the end of the filter chain, right before the Router. +

Control plane decides where to insert the plugin. This will generally
+be at the end of the filter chain, right before the Router.
Do not specify PluginPhase if the plugin is independent of others.

@@ -484,7 +469,7 @@

PullPolicy

@@ -492,8 +477,8 @@

PullPolicy

@@ -501,7 +486,7 @@

PullPolicy

@@ -529,7 +514,7 @@

EnvValueSource

diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html index 27d4181081ff6..df3a10b883f67 100644 --- a/content/en/docs/reference/config/security/authorization-policy/index.html +++ b/content/en/docs/reference/config/security/authorization-policy/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Authorization Policy description: Configuration for access control on workloads. location: https://istio.io/docs/reference/config/security/authorization-policy.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.security.v1beta1.AuthorizationPolicy weight: 20 @@ -12,11 +12,9 @@ number_of_entries: 9 ---

Istio Authorization Policy enables access control on workloads in the mesh.

- -

Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions -are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. +

Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions
+are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action.
The evaluation is determined by the following rules:

-
  1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
  2. If there are any DENY policies that match the request, deny the request.
  3. @@ -24,39 +22,28 @@
  4. If any of the ALLOW policies match the request, allow the request.
  5. Deny the request.
- -

Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. -AUDIT policies do not affect whether requests are allowed or denied to the workload. +

Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
+AUDIT policies do not affect whether requests are allowed or denied to the workload.
Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions.

- -

A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. -A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. -The request will not be audited if there are no such supporting plugins enabled. +

A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
+A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
+The request will not be audited if there are no such supporting plugins enabled.
Currently, the only supported plugin is the Stackdriver plugin.

-

Here is an example of Istio Authorization Policy:

- -

It sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW” +

It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW"
but it is useful to be explicit in the policy.

-

It allows requests from:

-
    -
  • service account “cluster.local/ns/default/sa/sleep” or
  • -
  • namespace “test”
  • +
  • service account "cluster.local/ns/default/sa/sleep" or
  • +
  • namespace "test"
-

to access the workload with:

-
    -
  • “GET” method at paths of prefix “/info” or,
  • -
  • “POST” method at path “/data”.
  • +
  • "GET" method at paths of prefix "/info" or,
  • +
  • "POST" method at path "/data".
- -

when the request has a valid JWT token issued by “https://accounts.google.com”.

- +

when the request has a valid JWT token issued by "https://accounts.google.com".

Any other requests will be denied.

-
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
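Review bot: the typographic quotes are dropped throughout this hunk, e.g. `“ALLOW”` becomes `"ALLOW"` and `“cluster.local/ns/default/sa/sleep”` becomes `"cluster.local/ns/default/sa/sleep"`, so the rendered reference page changes visibly even though the source comment did not. If keeping the previous look is wanted, enable Goldmark's Typographer extension (`extension.Typographer`) in the generator; if the plain quotes are intended, say so in the PR description since this affects every generated page in the patch.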
@@ -81,11 +68,9 @@
     - key: request.auth.claims[iss]
       values: ["https://accounts.google.com"]
 
- -

The following is another example that sets action to “DENY” to create a deny policy. -It denies requests from the “dev” namespace to the “POST” method on all workloads -in the “foo” namespace.

- +

The following is another example that sets action to "DENY" to create a deny policy.
+It denies requests from the "dev" namespace to the "POST" method on all workloads
+in the "foo" namespace.

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -101,10 +86,8 @@
     - operation:
         methods: ["POST"]
 
- -

The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the -prefix “/user/profile”.

- +

The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the
+prefix "/user/profile".

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -121,21 +104,16 @@
         methods: ["GET"]
         paths: ["/user/profile/*"]
 
- -

Authorization Policy scope (target) is determined by “metadata/namespace” and -an optional “selector”.

- +

Authorization Policy scope (target) is determined by "metadata/namespace" and
+an optional "selector".

    -
  • “metadata/namespace” tells which namespace the policy applies. If set to root +
  • "metadata/namespace" tells which namespace the policy applies. If set to root
    namespace, the policy applies to all namespaces in a mesh.
  • -
  • workload “selector” can be used to further restrict where a policy applies.
  • +
  • workload "selector" can be used to further restrict where a policy applies.
-

For example,

- -

The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies +

The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
all requests to workloads in namespace foo.

-
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -144,9 +122,7 @@
 spec:
   {}
 
-

The following authorization policy allows all requests to workloads in namespace foo.

-
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -156,10 +132,8 @@
  rules:
  - {}
 
- -

The following authorization policy applies to workloads containing label “app: httpbin” in namespace bar. It allows +

The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
nothing and effectively denies all requests to the selected workloads.

-
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -170,10 +144,8 @@
     matchLabels:
       app: httpbin
 
- -

The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh. -(Assuming the root namespace is configured to “istio-system”).

- +

The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
+(Assuming the root namespace is configured to "istio-system").

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -203,10 +175,9 @@ 

AuthorizationPolicy

@@ -219,8 +190,7 @@

AuthorizationPolicy

@@ -255,17 +225,15 @@

AuthorizationPolicy

Rule

-

Rule matches requests from a list of sources that perform a list of operations subject to a -list of conditions. A match occurs when at least one source, one operation and all conditions +

Rule matches requests from a list of sources that perform a list of operations subject to a
+list of conditions. A match occurs when at least one source, one operation and all conditions
matches the request. An empty rule is always matched.

-

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

-
    -
  • Exact match: “abc” will match on value “abc”.
  • -
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • -
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
  • -
  • Presence match: “*” will match when value is not empty.
  • +
  • Exact match: "abc" will match on value "abc".
  • +
  • Prefix match: "abc*" will match on value "abc" and "abcd".
  • +
  • Suffix match: "*abc" will match on value "abc" and "xabc".
  • +
  • Presence match: "*" will match when value is not empty.
UNSPECIFIED_POLICY -

Defaults to IfNotPresent, except for OCI images with tag latest, for which +

Defaults to IfNotPresent, except for OCI images with tag latest, for which
the default will be Always.

IfNotPresent -

If an existing version of the image has been pulled before, that -will be used. If no version of the image is present locally, we +

If an existing version of the image has been pulled before, that
+will be used. If no version of the image is present locally, we
will pull the latest version.

Always -

We will always pull the latest version of an image when changing +

We will always pull the latest version of an image when changing
this plugin. Note that the change includes metadata field as well.

HOST -

Istio-proxy’s environment variables exposed to this VM.

+

Istio-proxy's environment variables exposed to this VM.

selector WorkloadSelector -

Optional. The selector decides where to apply the authorization policy. The selector will match with workloads -in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector +

Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
+in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
will additionally match with workloads in all namespaces.

-

If not set, the selector will match all workloads.

Rule[]

Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

- -

If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if +

If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if
the action is ALLOW.

@@ -283,7 +251,6 @@

Rule

@@ -296,7 +263,6 @@

Rule

@@ -309,7 +275,6 @@

Rule

@@ -322,12 +287,10 @@

Rule

Source

-

Source specifies the source identities of a request. Fields in the source are +

Source specifies the source identities of a request. Fields in the source are
ANDed together.

- -

For example, the following source matches if the principal is “admin” or “dev” -and the namespace is “prod” or “test” and the ip is not “1.2.3.4”.

- +

For example, the following source matches if the principal is "admin" or "dev"
+and the namespace is "prod" or "test" and the ip is not "1.2.3.4".

principals: ["admin", "dev"]
 namespaces: ["prod", "test"]
 notIpBlocks: ["1.2.3.4"]
@@ -347,10 +310,9 @@ 

Source

@@ -373,10 +335,9 @@

Source

@@ -399,9 +360,8 @@

Source

@@ -424,9 +384,8 @@

Source

@@ -449,13 +408,12 @@

Source

@@ -479,12 +437,10 @@

Source

Operation

-

Operation specifies the operations of a request. Fields in the operation are +

Operation specifies the operations of a request. Fields in the operation are
ANDed together.

- -

For example, the following operation matches if the host has suffix “.example.com” -and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.

- +

For example, the following operation matches if the host has suffix ".example.com"
+and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".

hosts: ["*.example.com"]
 methods: ["GET", "HEAD"]
 notPaths: ["/admin*"]
@@ -504,10 +460,9 @@ 

Operation

@@ -531,7 +486,6 @@

Operation

@@ -554,9 +508,8 @@

Operation

@@ -579,10 +532,9 @@

Operation

@@ -622,7 +574,7 @@

Condition

@@ -634,7 +586,7 @@

Condition

@@ -646,7 +598,7 @@

Condition

@@ -673,7 +625,7 @@

AuthorizationPolicy.ExtensionProv

@@ -776,20 +728,17 @@

AuthorizationPolicy.Action

@@ -114,9 +102,8 @@

JWTRule

@@ -128,15 +115,13 @@

JWTRule

@@ -148,14 +133,12 @@

JWTRule

@@ -167,8 +150,8 @@

JWTRule

@@ -219,9 +202,9 @@

JWTHeader

@@ -130,7 +120,7 @@

PeerAuthentication

diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html index ce1720e4f7a9b..a08d8e82fd1f8 100644 --- a/content/en/docs/reference/config/security/request_authentication/index.html +++ b/content/en/docs/reference/config/security/request_authentication/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: RequestAuthentication description: Request authentication configuration for workloads. location: https://istio.io/docs/reference/config/security/request_authentication.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.security.v1beta1.RequestAuthentication aliases: [/docs/reference/config/security/v1beta1/request_authentication] @@ -12,17 +12,15 @@ ---

RequestAuthentication

-

RequestAuthentication defines what request authentication methods are supported by a workload. -It will reject a request if the request contains invalid authentication information, based on the -configured authentication rules. A request that does not contain any authentication credentials -will be accepted but will not have any authenticated identity. To restrict access to authenticated -requests only, this should be accompanied by an authorization rule. +

RequestAuthentication defines what request authentication methods are supported by a workload.
+It will reject a request if the request contains invalid authentication information, based on the
+configured authentication rules. A request that does not contain any authentication credentials
+will be accepted but will not have any authenticated identity. To restrict access to authenticated
+requests only, this should be accompanied by an authorization rule.
Examples:

-
  • Require JWT for all request for workloads that have label app:httpbin
-
apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
@@ -50,13 +48,11 @@ 

RequestAuthentication

- source: requestPrincipals: ["*"]
-
    -
  • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces -in a mesh. The following policy makes all workloads only accept requests that contain a +
  • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
    +in a mesh. The following policy makes all workloads only accept requests that contain a
    valid JWT token.
-
apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
@@ -78,13 +74,11 @@ 

RequestAuthentication

- source: requestPrincipals: ["*"]
-
    -
  • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication -declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly +
  • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication
    +declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly
    set from the OpenID Connect spec).
-
apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
@@ -121,13 +115,11 @@ 

RequestAuthentication

- operation: hosts: ["another-host.com"]
-
    -
  • You can fine tune the authorization policy to set different requirement per path. For example, -to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the +
  • You can fine tune the authorization policy to set different requirement per path. For example,
    +to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the
    authorization policy could be:
-
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -145,24 +137,19 @@ 

RequestAuthentication

- operation: paths: ["/healthz"]
- -

[Experimental] Routing based on derived metadata -is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. +

[Experimental] Routing based on derived metadata
+is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request.
Currently this feature is only supported for the following metadata:

-
    -
  • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name +
  • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name
    currently does not support the . character. Examples: request.auth.claims.sub and request.auth.claims.name.givenName.
-

The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:

-
  • RequestAuthentication to decode and validate a JWT. This also makes the @request.auth.claims available for use in the VirtualService.
  • AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
  • -
  • VirtualService to route the request based on the “sub” claim.
  • +
  • VirtualService to route the request based on the "sub" claim.
-
apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
@@ -230,10 +217,9 @@ 

RequestAuthentication

@@ -245,12 +231,12 @@

RequestAuthentication

diff --git a/content/en/docs/reference/config/telemetry/index.html b/content/en/docs/reference/config/telemetry/index.html index d56375ebdf4c5..a804b1b146268 100644 --- a/content/en/docs/reference/config/telemetry/index.html +++ b/content/en/docs/reference/config/telemetry/index.html @@ -1,38 +1,30 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Telemetry description: Telemetry configuration for workloads. location: https://istio.io/docs/reference/config/telemetry.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.telemetry.v1alpha1.Telemetry aliases: [/docs/reference/config/telemetry/v1alpha1/telemetry] number_of_entries: 18 ---

Telemetry defines how the telemetry is generated for workloads within a mesh.

- -

For mesh level configuration, put the resource in root configuration +

For mesh level configuration, put the resource in root configuration
namespace for your Istio installation without a workload selector.

- -

For any namespace, including the root configuration namespace, it is only +

For any namespace, including the root configuration namespace, it is only
valid to have a single workload selector-less Telemetry resource.

- -

For resources with a workload selector, it is only valid to have one resource +

For resources with a workload selector, it is only valid to have one resource
selecting any given workload.

-

The hierarchy of Telemetry configuration is as follows:

-
  1. Workload-specific configuration
  2. Namespace-specific configuration
  3. Root namespace configuration
-

Examples:

-

Policy to enable random sampling for 10% of traffic:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -43,10 +35,8 @@
   tracing:
   - randomSamplingPercentage: 10.00
 
- -

Policy to disable trace reporting for the “foo” workload (note: tracing +

Policy to disable trace reporting for the "foo" workload (note: tracing
context will still be propagated):

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -59,9 +49,7 @@
   tracing:
   - disableSpanReporting: true
 
-

Policy to select the alternate zipkin provider for trace reporting:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -76,9 +64,7 @@
     - name: "zipkin-alternate"
     randomSamplingPercentage: 10.00
 
-

Policy to add a custom tag from a literal value:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -93,9 +79,7 @@
         literal:
           value: "foo"
 
-

Policy to disable server-side metrics for Stackdriver for an entire mesh:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -112,9 +96,7 @@
         mode: SERVER
       disabled: true
 
-

Policy to add dimensions to all Prometheus metrics for the foo namespace:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -133,10 +115,8 @@
         request_host:
           value: "request.host"
 
- -

Policy to remove the response_code dimension on some Prometheus metrics for +

Policy to remove the response_code dimension on some Prometheus metrics for
the bar.foo workload:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -171,9 +151,7 @@
         response_code:
           operation: REMOVE
 
-

Policy to enable access logging for the entire mesh:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -189,9 +167,7 @@
     # cases where a parent configuration has marked as `disabled: true`. In
     # those cases, `disabled: false` must be set explicitly to override.
 
-

Policy to disable access logging for the foo namespace:

-
apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
@@ -220,8 +196,8 @@ 

Telemetry

@@ -233,7 +209,7 @@

Telemetry

@@ -245,7 +221,7 @@

Telemetry

@@ -257,7 +233,7 @@

Telemetry

@@ -270,14 +246,13 @@

Telemetry

Tracing

-

Tracing configures tracing behavior for workloads within a mesh. -It can be used to enable/disable tracing, as well as to set sampling +

Tracing configures tracing behavior for workloads within a mesh.
+It can be used to enable/disable tracing, as well as to set sampling
rates and custom tag extraction.

- -

Tracing configuration support overrides of the fields providers, -random_sampling_percentage, disable_span_reporting, and custom_tags at -each level in the configuration hierarchy, with missing values filled in -from parent resources. However, when specified, custom_tags will +

Tracing configuration support overrides of the fields providers,
+random_sampling_percentage, disable_span_reporting, and custom_tags at
+each level in the configuration hierarchy, with missing values filled in
+from parent resources. However, when specified, custom_tags will
fully replace any values provided by parent configuration.

From[]

Optional. from specifies the source of a request.

-

If not set, any source is allowed.

To[]

Optional. to specifies the operation of a request.

-

If not set, any operation is allowed.

Condition[]

Optional. when specifies a list of additional conditions of a request.

-

If not set, any condition is allowed.

principals string[] -

Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of -"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". +

Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
+"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage".
This field requires mTLS enabled and is the same as the source.principal attribute.

-

If not set, any principal is allowed.

requestPrincipals string[] -

Optional. A list of request identities derived from the JWT. The request identity is in the format of -"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the +

Optional. A list of request identities derived from the JWT. The request identity is in the format of
+"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the
same as the request.auth.principal attribute.

-

If not set, any request principal is allowed.
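Review bot: the changed lines for `principals` and `requestPrincipals` carry angle-bracket placeholders, `"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>"` and `"<ISS>/<SUB>"`, which a Markdown renderer can treat as raw HTML tags rather than text. Please confirm the generated HTML escapes them (`&lt;TRUST_DOMAIN&gt;` and so on) and that they still appear on the rendered page, since a renderer switch is exactly where these identity-format examples would silently disappear.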

namespaces string[] -

Optional. A list of namespaces derived from the peer certificate. +

Optional. A list of namespaces derived from the peer certificate.
This field requires mTLS enabled and is the same as the source.namespace attribute.

-

If not set, any namespace is allowed.

ipBlocks string[] -

Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and -CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the source.ip attribute.

- +

Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and
+CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the source.ip attribute.

If not set, any IP is allowed.

remoteIpBlocks string[] -

Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. -To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig -when you install Istio or using an annotation on the ingress gateway. See the documentation here: -Configuring Gateway Network Topology. -Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. +

Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol.
+To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig
+when you install Istio or using an annotation on the ingress gateway. See the documentation here:
+Configuring Gateway Network Topology.
+Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
This is the same as the remote.ip attribute.

-

If not set, any IP is allowed.

hosts string[] -

Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. -See the security best practices for +

Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive.
+See the security best practices for
recommended usage of this field.

-

If not set, any host is allowed. Must be used only with HTTP.

string[]

Optional. A list of ports as specified in the connection.

-

If not set, any port is allowed.

methods string[] -

Optional. A list of methods as specified in the HTTP request. -For gRPC service, this will always be “POST”.

- +

Optional. A list of methods as specified in the HTTP request.
+For gRPC service, this will always be "POST".

If not set, any method is allowed. Must be used only with HTTP.

paths string[] -

Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization -for details of the path normalization. -For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.

- +

Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization
+for details of the path normalization.
+For gRPC service, this will be the fully-qualified name in the form of "/package.service/method".

If not set, any path is allowed. Must be used only with HTTP.

key string -

The name of an Istio attribute. +

The name of an Istio attribute.
See the full list of supported attributes.

values string[] -

Optional. A list of allowed values for the attribute. +

Optional. A list of allowed values for the attribute.
Note: at least one of values or not_values must be set.

notValues string[] -

Optional. A list of negative match of values for the attribute. +

Optional. A list of negative match of values for the attribute.
Note: at least one of values or not_values must be set.

name string -

Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. +

Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig.
Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

CUSTOM -

The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. -The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request -is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the -authorization decision made by ALLOW and DENY action. -Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to -the extension by specifying the name of the provider. -One example use case of the extension is to integrate with a custom external authorization system to delegate +

The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true.
+The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request
+is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the
+authorization decision made by ALLOW and DENY action.
+Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to
+the extension by specifying the name of the provider.
+One example use case of the extension is to integrate with a custom external authorization system to delegate
the authorization decision to it.

-

Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

- -

The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension -“my-custom-authz” if the request path has prefix “/admin/”.

- +

The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension
+"my-custom-authz" if the request path has prefix "/admin/".

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
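Review bot: the CUSTOM action text carries an upstream typo on the added line "When used together, A request is allowed if and only if all the actions return allow" (capital "A" mid-sentence), and "Different workloads can use different extension provider." in the `name` field description is missing its plural. Both are unchanged from the removed lines, and since this file is auto-generated they should be fixed in the proto comments in the source repository rather than here.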
diff --git a/content/en/docs/reference/config/security/jwt/index.html b/content/en/docs/reference/config/security/jwt/index.html
index b40e1998f099d..1140a31a09e45 100644
--- a/content/en/docs/reference/config/security/jwt/index.html
+++ b/content/en/docs/reference/config/security/jwt/index.html
@@ -1,10 +1,10 @@
 ---
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
-source_repo: https://github.com/istio/api
+WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO
+source_repo: https://github.com/ericvn/api
 title: JWTRule
 description: Configuration to validate JWT.
 location: https://istio.io/docs/reference/config/security/jwt.html
-layout: protoc-gen-docs
+layout: partner-component
 generator: protoc-gen-docs
 schema: istio.security.v1beta1.JWTRule
 aliases: [/docs/reference/config/security/v1beta1/jwt]
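Review bot: this front-matter hunk also points `source_repo` and the WARNING line at `https://github.com/ericvn/api` and sets `layout: partner-component`; these are the two lines that need restoring to `https://github.com/istio/api` and `layout: protoc-gen-docs` in each generated file before this is merged.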
@@ -12,27 +12,22 @@
 ---
 

JWTRule

-

JSON Web Token (JWT) token format for authentication as defined by -RFC 7519. See OAuth 2.0 and -OIDC 1.0 for how this is used in the whole +

JSON Web Token (JWT) token format for authentication as defined by
+RFC 7519. See OAuth 2.0 and
+OIDC 1.0 for how this is used in the whole
authentication flow.

-

Examples:

- -

Spec for a JWT that is issued by https://example.com, with the audience claims must be either -bookstore_android.apps.example.com or bookstore_web.apps.example.com. -The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) +

Spec for a JWT that is issued by https://example.com, with the audience claims must be either
+bookstore_android.apps.example.com or bookstore_web.apps.example.com.
+The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS)
will be discovered following OpenID Connect protocol.

-
issuer: https://example.com
 audiences:
 - bookstore_android.apps.example.com
   bookstore_web.apps.example.com
 
- -

This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also +

This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also
defines the URI to fetch JWKS explicitly.

-
issuer: https://example.com
 jwksUri: https://example.com/.secret/jwks.json
 fromHeaders:
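Review bot: the first YAML example in this hunk is not valid for what the text describes: `audiences:` is followed by `- bookstore_android.apps.example.com` and then `  bookstore_web.apps.example.com` without a leading `- `, so YAML folds the second line into the first scalar and the rule ends up with a single audience containing a space instead of the two audiences the prose promises. The same lines appear unchanged as context, so the fix belongs in the proto comment in the source repository (`- bookstore_web.apps.example.com`), but it is worth flagging here because a copy-pasted rule would accept neither audience.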
@@ -53,12 +48,11 @@ 

JWTRule

issuer string -

Identifies the issuer that issued the JWT. See -issuer +

Identifies the issuer that issued the JWT. See
+issuer
A JWT with different iss claim will be rejected.

- -

Example: https://foobar.auth0.com -Example: 1234567-compute@developer.gserviceaccount.com

+

Example: https://foobar.auth0.com
+Example: 1234567-compute@developer.gserviceaccount.com

@@ -69,15 +63,12 @@

JWTRule

audiences string[] -

The list of JWT -audiences. -that are allowed to access. A JWT containing any of these +

The list of JWT
+audiences.
+that are allowed to access. A JWT containing any of these
audiences will be accepted.

-

The service name will be accepted if audiences is empty.

-

Example:

-
audiences:
 - bookstore_android.apps.example.com
   bookstore_web.apps.example.com
@@ -92,17 +83,14 @@ 

JWTRule

jwksUri string -

URL of the provider’s public key set to validate signature of the +

URL of the provider's public key set to validate signature of the
JWT. See OpenID Discovery.

- -

Optional if the key set document can either (a) be retrieved from -OpenID -Discovery of -the issuer or (b) inferred from the email domain of the issuer (e.g. a +

Optional if the key set document can either (a) be retrieved from
+OpenID
+Discovery
of
+the issuer or (b) inferred from the email domain of the issuer (e.g. a
Google service account).

-

Example: https://www.googleapis.com/oauth2/v1/certs

-

Note: Only one of jwksUri and jwks should be used.

jwks string -

JSON Web Key Set of public keys to validate signature of the JWT. -See https://auth0.com/docs/jwks.

- +

JSON Web Key Set of public keys to validate signature of the JWT.
+See https://auth0.com/docs/jwks.

Note: Only one of jwksUri and jwks should be used.

fromHeaders JWTHeader[] -

List of header locations from which JWT is expected. For example, below is the location spec -if JWT is expected to be found in x-jwt-assertion header, and have “Bearer ” prefix:

- +

List of header locations from which JWT is expected. For example, below is the location spec
+if JWT is expected to be found in x-jwt-assertion header, and have "Bearer " prefix:

  fromHeaders:
   - name: x-jwt-assertion
     prefix: "Bearer "
 
- -

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.

fromParams string[] -

List of query parameters from which JWT is expected. For example, if JWT is provided via query -parameter my_token (e.g /path?my_token=), the config is:

- +

List of query parameters from which JWT is expected. For example, if JWT is provided via query
+parameter my_token (e.g /path?my_token=), the config is:

  fromParams:
   - "my_token"
 
- -

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.

outputPayloadToHeader string -

This field specifies the header name to output a successfully verified JWT payload to the -backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, +

This field specifies the header name to output a successfully verified JWT payload to the
+backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified,
the payload will not be emitted.

prefix string -

The prefix that should be stripped before decoding the token. -For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. -If the header doesn’t have this exact prefix, it is considered invalid.

+

The prefix that should be stripped before decoding the token.
+For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end.
+If the header doesn't have this exact prefix, it is considered invalid.
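Review bot: The regenerated text consistently turns typographic punctuation into ASCII (`provider’s` becomes `provider's` in the jwksUri row, and `“Bearer ”` becomes `"Bearer "` in the fromHeaders and prefix rows), which means the Goldmark pipeline is not applying smart punctuation the way the previous renderer did; if the site is meant to keep curly quotes, enable Goldmark's Typographer extension in the generator, otherwise state in the PR description that straight quotes are the intended result. The added lines also place link text on lines of its own (`+OpenID` / `+Discovery` followed by `of`), so check the rendered jwksUri paragraph to confirm those anchors still read inline rather than as separate blocks.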

diff --git a/content/en/docs/reference/config/security/peer_authentication/index.html b/content/en/docs/reference/config/security/peer_authentication/index.html index bc294237e6ce4..da546d9c40c95 100644 --- a/content/en/docs/reference/config/security/peer_authentication/index.html +++ b/content/en/docs/reference/config/security/peer_authentication/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: PeerAuthentication description: Peer authentication configuration for workloads. location: https://istio.io/docs/reference/config/security/peer_authentication.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.security.v1beta1.PeerAuthentication aliases: [/docs/reference/config/security/v1beta1/peer_authentication] @@ -13,11 +13,8 @@

PeerAuthentication

PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

-

Examples:

-

Policy to allow mTLS traffic for all workloads under namespace foo:

-
apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
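Review bot: The frontmatter hunk at the top of this file (`-source_repo: https://github.com/istio/api` / `+source_repo: https://github.com/ericvn/api`, with the same substitution in the WARNING line) points the auto-generated page at a personal fork, so contributors following the header would be sent to edit the wrong repository; regenerate from istio/api before this is merged. The same hunk also swaps `-layout: protoc-gen-docs` for `+layout: partner-component`, which is not mentioned in the commit message, so either call out the layout change as deliberate or drop it from this PR.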
@@ -27,12 +24,9 @@ 

PeerAuthentication

mtls: mode: STRICT
-

For mesh level, put the policy in root-namespace according to your Istio installation.

- -

Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but +

Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but
require mTLS for workload finance.

-
apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -54,10 +48,8 @@ 

PeerAuthentication

mtls: mode: STRICT
- -

Policy to allow mTLS strict for all workloads, but leave port 8080 to +

Policy to allow mTLS strict for all workloads, but leave port 8080 to
plaintext:

-
apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -73,10 +65,8 @@ 

PeerAuthentication

8080: mode: DISABLE
- -

Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite +

Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
settings for port 8080

-
apiVersion: security.istio.io/v1beta1
 kind: PeerAuthentication
 metadata:
@@ -107,7 +97,7 @@ 

PeerAuthentication

selector WorkloadSelector -

The selector determines the workloads to apply the ChannelAuthentication on. +

The selector determines the workloads to apply the ChannelAuthentication on.
If not set, the policy will be applied to all workloads in the same namespace as the policy.

portLevelMtls map<uint32, MutualTLS> -

Port specific mutual TLS settings. These only apply when a workload selector +

Port specific mutual TLS settings. These only apply when a workload selector
is specified.

selector WorkloadSelector -

Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads -in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, +

Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
+in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
the selector will additionally match with workloads in all namespaces.

-

If not set, the selector will match all workloads.

jwtRules JWTRule[] -

Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token -will be used to extract the authenticated identity. -Each rule will be activated only when a token is presented at the location recognized by the -rule. The token will be validated based on the JWT rule config. If validation fails, the request will -be rejected. -Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +

Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
+will be used to extract the authenticated identity.
+Each rule will be activated only when a token is presented at the location recognized by the
+rule. The token will be validated based on the JWT rule config. If validation fails, the request will
+be rejected.
+Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
such requests is undefined.

selector WorkloadSelector -

Optional. The selector decides where to apply the Telemetry policy. -If not set, the Telemetry policy will be applied to all workloads in the +

Optional. The selector decides where to apply the Telemetry policy.
+If not set, the Telemetry policy will be applied to all workloads in the
same namespace as the Telemetry policy.

tracing Tracing[] -

Optional. Tracing configures the tracing behavior for all +

Optional. Tracing configures the tracing behavior for all
selected workloads.

metrics Metrics[] -

Optional. Metrics configure the metrics behavior for all +

Optional. Metrics configure the metrics behavior for all
selected workloads.

accessLogging AccessLogging[] -

Optional. AccessLogging configures the access logging behavior for all +

Optional. AccessLogging configures the access logging behavior for all
selected workloads.

@@ -305,10 +280,10 @@

Tracing

@@ -320,14 +295,13 @@

Tracing

@@ -339,8 +313,8 @@

Tracing

@@ -364,7 +338,7 @@

Tracing

ProviderRef

-

Used to bind Telemetry configuration to specific providers for +

Used to bind Telemetry configuration to specific providers for
targeted customization.

providers ProviderRef[] -

Optional. Name of provider(s) to use for span reporting. If a provider is -not specified, the default tracing -provider will be -used. NOTE: At the moment, only a single provider can be specified in a +

Optional. Name of provider(s) to use for span reporting. If a provider is
+not specified, the default tracing
+provider
will be
+used. NOTE: At the moment, only a single provider can be specified in a
given Tracing rule.

randomSamplingPercentage DoubleValue -

Controls the rate at which traffic will be selected for tracing if no -prior sampling decision has been made. If a prior sampling decision has -been made, that decision will be respected. However, if no sampling -decision has been made (example: no x-b3-sampled tracing header was -present in the requests), the traffic will be selected for telemetry +

Controls the rate at which traffic will be selected for tracing if no
+prior sampling decision has been made. If a prior sampling decision has
+been made, that decision will be respected. However, if no sampling
+decision has been made (example: no x-b3-sampled tracing header was
+present in the requests), the traffic will be selected for telemetry
generation at the percentage specified.

- -

Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% +

Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01%
increments.

disableSpanReporting BoolValue -

Controls span reporting. If set to true, no spans will be reported for -impacted workloads. This does NOT impact context propagation or trace +

Controls span reporting. If set to true, no spans will be reported for
+impacted workloads. This does NOT impact context propagation or trace
sampling behavior.

@@ -385,7 +359,7 @@

ProviderRef

@@ -393,8 +367,8 @@

ProviderRef

Metrics

-

Metrics defines the workload-level overrides for metrics generation behavior -within a mesh. It can be used to enable/disable metrics generation, as well +

Metrics defines the workload-level overrides for metrics generation behavior
+within a mesh. It can be used to enable/disable metrics generation, as well
as to customize the dimensions of the generated metrics.

-No +Yes
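Review bot: The `-No` / `+Yes` change at the end of the Metrics hunk flips the Required column for a Metrics field from No to Yes while the field's description is unchanged, so either the new generator emits a different required/oneof marker or the schema itself changed; confirm which, because a rendering-only migration should not alter what the reference table says is required.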
@@ -411,9 +385,9 @@

Metrics

@@ -426,17 +400,17 @@

Metrics

@@ -449,7 +423,7 @@

Metrics

MetricSelector

-

Provides a mechanism for matching metrics for the application of override +

Provides a mechanism for matching metrics for the application of override
behaviors.

providers ProviderRef[] -

Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the default metrics -provider will be +

Optional. Name of providers to which this configuration should apply.
+If a provider is not specified, the default metrics
+provider
will be
used.

MetricsOverrides[]

Optional. Ordered list of overrides to metrics generation behavior.

- -

Specified overrides will be applied in order. They will be applied on -top of inherited overrides from other resources in the hierarchy in the -following order: -1. Mesh-scoped overrides -2. Namespace-scoped overrides -3. Workload-scoped overrides

- -

Because overrides are applied in order, users are advised to order their -overrides from least specific to most specific matches. That is, it is -a best practice to list any universal overrides first, with tailored +

Specified overrides will be applied in order. They will be applied on
+top of inherited overrides from other resources in the hierarchy in the
+following order:

+
    +
  1. Mesh-scoped overrides
  2. +
  3. Namespace-scoped overrides
  4. +
  5. Workload-scoped overrides
  6. +
+

Because overrides are applied in order, users are advised to order their
+overrides from least specific to most specific matches. That is, it is
+a best practice to list any universal overrides first, with tailored
overrides following them.

@@ -477,7 +451,7 @@

MetricSelector

@@ -489,7 +463,7 @@

MetricSelector

@@ -502,7 +476,7 @@

MetricSelector

MetricsOverrides

-

MetricsOverrides defines custom metric generation behavior for an individual +

MetricsOverrides defines custom metric generation behavior for an individual
metric or the set of all standard metrics.

customMetric string (oneof) -

Allows free-form specification of a metric. No validation of custom +

Allows free-form specification of a metric. No validation of custom
metrics is provided.

mode WorkloadMode -

Controls which mode of metrics generation is selected: CLIENT and/or +

Controls which mode of metrics generation is selected: CLIENT and/or
SERVER.

@@ -519,11 +493,10 @@

MetricsOverrides

@@ -535,9 +508,9 @@

MetricsOverrides

@@ -549,12 +522,12 @@

MetricsOverrides

match MetricSelector -

Match allows provides the scope of the override. It can be used to select -individual metrics, as well as the workload modes (server and/or client) +

Match allows provides the scope of the override. It can be used to select
+individual metrics, as well as the workload modes (server and/or client)
in which the metrics will be generated.

- -

If match is not specified, the overrides will apply to all metrics for +

If match is not specified, the overrides will apply to all metrics for
both modes of operation (client and server).

disabled BoolValue -

Optional. Must explicitly set this to “true” to turn off metrics reporting -for the listed metrics. If disabled has been set to “true” in a parent -configuration, it must explicitly be set to “false” to turn metrics +

Optional. Must explicitly set this to "true" to turn off metrics reporting
+for the listed metrics. If disabled has been set to "true" in a parent
+configuration, it must explicitly be set to "false" to turn metrics
reporting on in the workloads selected by the Telemetry resource.

tagOverrides map<string, TagOverride> -

Optional. Collection of tag names and tag expressions to override in the -selected metric(s). -The key in the map is the name of the tag. -The value in the map is the operation to perform on the the tag. -WARNING: some providers may not support adding/removing tags. -See also: https://istio.io/latest/docs/reference/config/metrics/#labels

+

Optional. Collection of tag names and tag expressions to override in the
+selected metric(s).
+The key in the map is the name of the tag.
+The value in the map is the operation to perform on the the tag.
+WARNING: some providers may not support adding/removing tags.
+See also: https://istio.io/latest/docs/reference/config/metrics/#labels
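Review bot: Two wording errors are carried over unchanged into the regenerated text and should be fixed in the proto comments upstream rather than in this auto-generated file: `Match allows provides the scope of the override` in the match row (one of the two verbs should go), and `the operation to perform on the the tag` in the tagOverrides row (doubled `the`).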

@@ -566,8 +539,8 @@

MetricsOverrides

AccessLogging

-

Access logging defines the workload-level overrides for access log -generation. It can be used to select provider or enable/disable access log +

Access logging defines the workload-level overrides for access log
+generation. It can be used to select provider or enable/disable access log
generation for a workload.

@@ -595,8 +568,8 @@

AccessLogging

@@ -608,10 +581,10 @@

AccessLogging

@@ -623,7 +596,7 @@

AccessLogging

@@ -636,7 +609,7 @@

AccessLogging

Tracing.TracingSelector

-

TracingSelector provides a coarse-grained ability to configure tracing +

TracingSelector provides a coarse-grained ability to configure tracing
behavior based on certain traffic metadata (such as traffic direction).

providers ProviderRef[] -

Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the default logging +

Optional. Name of providers to which this configuration should apply.
+If a provider is not specified, the
default logging
provider
will be used.

disabled BoolValue -

Controls logging. If set to true, no access logs will be generated for -impacted workloads (for the specified providers). -NOTE: currently default behavior will be controlled by the provider(s) -selected above. Customization controls will be added to this API in +

Controls logging. If set to true, no access logs will be generated for
+impacted workloads (for the specified providers).
+NOTE: currently default behavior will be controlled by the provider(s)
+selected above. Customization controls will be added to this API in
future releases.

filter Filter -

Optional. If specified, this filter will be used to select specific +

Optional. If specified, this filter will be used to select specific
requests/connections for logging.

@@ -653,7 +626,7 @@

Tracing.TracingSelector

@@ -666,12 +639,11 @@

Tracing.TracingSelector

Tracing.CustomTag

-

CustomTag defines a tag to be added to a trace span that is based on -an operator-supplied value. This value can either be a hard-coded value, -a value taken from an environment variable known to the sidecar proxy, or +

CustomTag defines a tag to be added to a trace span that is based on
+an operator-supplied value. This value can either be a hard-coded value,
+a value taken from an environment variable known to the sidecar proxy, or
from a request header.

- -

NOTE: when specified, custom_tags will fully replace any values provided +

NOTE: when specified, custom_tags will fully replace any values provided
by parent configuration.

mode WorkloadMode -

This determines whether or not to apply the tracing configuration +

This determines whether or not to apply the tracing configuration
based on the direction of traffic relative to the proxied workload.

@@ -710,7 +682,7 @@

Tracing.CustomTag

@@ -774,7 +746,7 @@

Tracing.Environment

@@ -812,7 +784,7 @@

Tracing.RequestHeader

@@ -825,8 +797,8 @@

Tracing.RequestHeader

MetricsOverrides.TagOverride

-

TagOverride specifies an operation to perform on a metric dimension (also -known as a label). Tags may be added, removed, or have their default +

TagOverride specifies an operation to perform on a metric dimension (also
+known as a label). Tags may be added, removed, or have their default
values overridden.

header RequestHeader (oneof) -

RequestHeader adds the value of an header from the request to each +

RequestHeader adds the value of an header from the request to each
span.

defaultValue string -

Optional. If the environment variable is not found, this value will be +

Optional. If the environment variable is not found, this value will be
used instead.

defaultValue string -

Optional. If the header is not found, this value will be +

Optional. If the header is not found, this value will be
used instead.

@@ -854,13 +826,13 @@

MetricsOverrides.TagOverride

@@ -873,11 +845,11 @@

MetricsOverrides.TagOverride

AccessLogging.LogSelector

-

LogSelector provides a coarse-grained ability to configure logging behavior -based on certain traffic metadata (such as traffic direction). LogSelector -applies to traffic metadata which is not represented in the attribute set -currently supported by Filters. It allows control planes to limit the -configuration sent to individual workloads. Finer-grained logging behavior +

LogSelector provides a coarse-grained ability to configure logging behavior
+based on certain traffic metadata (such as traffic direction). LogSelector
+applies to traffic metadata which is not represented in the attribute set
+currently supported by Filters. It allows control planes to limit the
+configuration sent to individual workloads. Finer-grained logging behavior
can be further configured via filter.

value string -

Value is only considered if the operation is UPSERT. -Values are CEL expressions over -attributes. Examples include: “string(destination.port)” and -“request.host”. Istio exposes all standard Envoy -attributes. -Additionally, Istio exposes node metadata as attributes. -More information is provided in the customization +

Value is only considered if the operation is UPSERT.
+Values are
CEL expressions over
+attributes. Examples include: "string(destination.port)" and
+"request.host". Istio exposes all standard Envoy
+attributes
.
+Additionally, Istio exposes node metadata as attributes.
+More information is provided in the customization
docs
.
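Review bot: In the value row the regenerated text twice leaves a bare `.` on a line of its own (after `+attributes` and after `docs`), which suggests the closing period now falls outside the link element; verify that the rendered sentences do not show a stray space before the period and that the `attributes` and `docs` links still resolve.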

@@ -894,7 +866,7 @@

AccessLogging.LogSelector

@@ -924,9 +896,7 @@

AccessLogging.Filter

mode WorkloadMode -

This determines whether or not to apply the access logging configuration +

This determines whether or not to apply the access logging configuration
based on the direction of traffic relative to the proxied workload.

string

CEL expression for selecting when requests/connections should be logged.

-

Examples:

-
  • response.code >= 400
  • connection.mtls && request.url_path.contains('v1beta3')
  • @@ -942,9 +912,9 @@

    AccessLogging.Filter

    MetricSelector.IstioMetric

    -

    Curated list of known metric types that is supported by Istio metric -providers. See also: -https://istio.io/latest/docs/reference/config/metrics/#metrics

    +

    Curated list of known metric types that is supported by Istio metric
    +providers. See also:
    +https://istio.io/latest/docs/reference/config/metrics/#metrics

    @@ -957,7 +927,7 @@

    MetricSelector.IstioMetric

    @@ -965,13 +935,10 @@

    MetricSelector.IstioMetric

    @@ -1113,8 +1058,7 @@

    MetricSelector.IstioMetric

    @@ -1135,7 +1079,7 @@

    MetricsOverrides.TagOverride.Ope

    @@ -1143,7 +1087,7 @@

    MetricsOverrides.TagOverride.Ope

    @@ -1153,11 +1097,11 @@

    MetricsOverrides.TagOverride.Ope

    WorkloadMode

    -

    WorkloadMode allows selection of the role of the underlying workload in -network traffic. A workload is considered as acting as a SERVER if it is -the destination of the traffic (that is, traffic direction, from the -perspective of the workload is inbound). If the workload is the source of -the network traffic, it is considered to be in CLIENT mode (traffic is +

    WorkloadMode allows selection of the role of the underlying workload in
    +network traffic. A workload is considered as acting as a SERVER if it is
    +the destination of the traffic (that is, traffic direction, from the
    +perspective of the workload is inbound). If the workload is the source of
    +the network traffic, it is considered to be in CLIENT mode (traffic is
    outbound from the workload).

    ALL_METRICS -

    Use of this enum indicates that the override should apply to all Istio +

    Use of this enum indicates that the override should apply to all Istio
    default metrics.

    REQUEST_COUNT -

    Counter of requests to/from an application, generated for HTTP, HTTP/2, +

    Counter of requests to/from an application, generated for HTTP, HTTP/2,
    and GRPC traffic.

    -

    The Prometheus provider exports this metric as: istio_requests_total.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/request_count (SERVER mode)
    • istio.io/service/client/request_count (CLIENT mode)
    • @@ -982,14 +949,11 @@

      MetricSelector.IstioMetric

    REQUEST_DURATION -

    Histogram of request durations, generated for HTTP, HTTP/2, and GRPC +

    Histogram of request durations, generated for HTTP, HTTP/2, and GRPC
    traffic.

    - -

    The Prometheus provider exports this metric as: +

    The Prometheus provider exports this metric as:
    istio_request_duration_milliseconds.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/response_latencies (SERVER mode)
    • istio.io/service/client/roundtrip_latencies (CLIENT mode)
    • @@ -1000,13 +964,10 @@

      MetricSelector.IstioMetric

    REQUEST_SIZE -

    Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC +

    Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC
    traffic.

    -

    The Prometheus provider exports this metric as: istio_request_bytes.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/request_bytes (SERVER mode)
    • istio.io/service/client/request_bytes (CLIENT mode)
    • @@ -1017,13 +978,10 @@

      MetricSelector.IstioMetric

    RESPONSE_SIZE -

    Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC +

    Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC
    traffic.

    -

    The Prometheus provider exports this metric as: istio_response_bytes.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/response_bytes (SERVER mode)
    • istio.io/service/client/response_bytes (CLIENT mode)
    • @@ -1035,12 +993,9 @@

      MetricSelector.IstioMetric

    TCP_OPENED_CONNECTIONS

    Counter of TCP connections opened over lifetime of workload.

    - -

    The Prometheus provider exports this metric as: +

    The Prometheus provider exports this metric as:
    istio_tcp_connections_opened_total.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/connection_open_count (SERVER mode)
    • istio.io/service/client/connection_open_count (CLIENT mode)
    • @@ -1052,12 +1007,9 @@

      MetricSelector.IstioMetric

    TCP_CLOSED_CONNECTIONS

    Counter of TCP connections closed over lifetime of workload.

    - -

    The Prometheus provider exports this metric as: +

    The Prometheus provider exports this metric as:
    istio_tcp_connections_closed_total.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/connection_close_count (SERVER mode)
    • istio.io/service/client/connection_close_count (CLIENT mode)
    • @@ -1069,12 +1021,9 @@

      MetricSelector.IstioMetric

    TCP_SENT_BYTES

    Counter of bytes sent during a response over a TCP connection.

    - -

    The Prometheus provider exports this metric as: +

    The Prometheus provider exports this metric as:
    istio_tcp_sent_bytes_total.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/sent_bytes_count (SERVER mode)
    • istio.io/service/client/sent_bytes_count (CLIENT mode)
    • @@ -1086,12 +1035,9 @@

      MetricSelector.IstioMetric

    TCP_RECEIVED_BYTES

    Counter of bytes received during a request over a TCP connection.

    - -

    The Prometheus provider exports this metric as: +

    The Prometheus provider exports this metric as:
    istio_tcp_received_bytes_total.

    -

    The Stackdriver provider exports this metric as:

    -
    • istio.io/service/server/received_bytes_count (SERVER mode)
    • istio.io/service/client/received_bytes_count (CLIENT mode)
    • @@ -1103,8 +1049,7 @@

      MetricSelector.IstioMetric

    GRPC_REQUEST_MESSAGES

    Counter incremented for every gRPC messages sent from a client.

    - -

    The Prometheus provider exports this metric as: +

    The Prometheus provider exports this metric as:
    istio_request_messages_total

    GRPC_RESPONSE_MESSAGES

    Counter incremented for every gRPC messages sent from a server.

    - -

    The Prometheus provider exports this metric as: +

    The Prometheus provider exports this metric as:
    istio_response_messages_total

    UPSERT -

    Insert or Update the tag with the provided value expression. The +

    Insert or Update the tag with the provided value expression. The
    value field MUST be specified if UPSERT is used as the operation.

    REMOVE -

    Specifies that the tag should not be included in the metric when +

    Specifies that the tag should not be included in the metric when
    generated.

    @@ -1171,7 +1115,7 @@

    WorkloadMode

    @@ -1179,7 +1123,7 @@

    WorkloadMode

    @@ -1187,7 +1131,7 @@

    WorkloadMode

    diff --git a/content/en/docs/reference/config/type/workload-selector/index.html b/content/en/docs/reference/config/type/workload-selector/index.html index ec2818ed29712..b070f64ded174 100644 --- a/content/en/docs/reference/config/type/workload-selector/index.html +++ b/content/en/docs/reference/config/type/workload-selector/index.html @@ -1,20 +1,20 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Workload Selector description: Definition of a workload selector. location: https://istio.io/docs/reference/config/type/workload-selector.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs number_of_entries: 3 ---

    WorkloadSelector

    -

    WorkloadSelector specifies the criteria used to determine if a policy can be applied -to a proxy. The matching criteria includes the metadata associated with a proxy, -workload instance info such as labels attached to the pod/VM, or any other info -that the proxy provides to Istio during the initial handshake. If multiple conditions are -specified, all conditions need to match in order for the workload instance to be +

    WorkloadSelector specifies the criteria used to determine if a policy can be applied
    +to a proxy. The matching criteria includes the metadata associated with a proxy,
    +workload instance info such as labels attached to the pod/VM, or any other info
    +that the proxy provides to Istio during the initial handshake. If multiple conditions are
    +specified, all conditions need to match in order for the workload instance to be
    selected. Currently, only label based selection mechanism is supported.

    CLIENT_AND_SERVER -

    Selects for scenarios when the workload is either the +

    Selects for scenarios when the workload is either the
    source or destination of the network traffic.

    CLIENT -

    Selects for scenarios when the workload is the +

    Selects for scenarios when the workload is the
    source of the network traffic.

    SERVER -

    Selects for scenarios when the workload is the +

    Selects for scenarios when the workload is the
    destination of the network traffic.

    @@ -31,8 +31,8 @@

    WorkloadSelector

    @@ -45,7 +45,7 @@

    WorkloadSelector

    PortSelector

    -

    PortSelector is the criteria for specifying if a policy can be applied to +

    PortSelector is the criteria for specifying if a policy can be applied to
    a listener having a specific port.

    matchLabels map<string, string> -

    One or more labels that indicate a specific set of pods/VMs -on which a policy should be applied. The scope of label search is restricted to +

    One or more labels that indicate a specific set of pods/VMs
    +on which a policy should be applied. The scope of label search is restricted to
    the configuration namespace in which the resource is present.

    @@ -74,11 +74,11 @@

    PortSelector

    WorkloadMode

    -

    WorkloadMode allows selection of the role of the underlying workload in -network traffic. A workload is considered as acting as a SERVER if it is -the destination of the traffic (that is, traffic direction, from the -perspective of the workload is inbound). If the workload is the source of -the network traffic, it is considered to be in CLIENT mode (traffic is +

    WorkloadMode allows selection of the role of the underlying workload in
    +network traffic. A workload is considered as acting as a SERVER if it is
    +the destination of the traffic (that is, traffic direction, from the
    +perspective of the workload is inbound). If the workload is the source of
    +the network traffic, it is considered to be in CLIENT mode (traffic is
    outbound from the workload).

    @@ -99,8 +99,8 @@

    WorkloadMode

    @@ -108,7 +108,7 @@

    WorkloadMode

    @@ -116,7 +116,7 @@

    WorkloadMode

    diff --git a/content/zh/docs/reference/config/annotations/index.html b/content/zh/docs/reference/config/annotations/index.html index e3446f8dbc3cd..3cf883b198a3a 100644 --- a/content/zh/docs/reference/config/annotations/index.html +++ b/content/zh/docs/reference/config/annotations/index.html @@ -1,6 +1,6 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Resource Annotations description: Resource annotations used by Istio. location: https://istio.io/docs/reference/config/annotations/ diff --git a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html index 65f537b02cca2..10c9ba25ee134 100644 --- a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Analysis Messages description: Describes the structure of messages generated by Istio analyzers. location: https://istio.io/docs/reference/config/istio.analysis.v1alpha1.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs weight: 20 number_of_entries: 7 @@ -13,7 +13,7 @@

    AnalysisMessageBase

    -

    AnalysisMessageBase describes some common information that is needed for all +

    AnalysisMessageBase describes some common information that is needed for all
    messages. All information should be static with respect to the error code.

    CLIENT -

    Selects for scenarios when the workload is the -source of the network traffic. In addition, +

    Selects for scenarios when the workload is the
    +source of the network traffic. In addition,
    if the workload is a gateway, selects this.

    SERVER -

    Selects for scenarios when the workload is the +

    Selects for scenarios when the workload is the
    destination of the network traffic.

    CLIENT_AND_SERVER -

    Selects for scenarios when the workload is either the +

    Selects for scenarios when the workload is either the
    source or destination of the network traffic.
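Review bot: the front matter in the annotations and istio.analysis.v1alpha1 hunks now points `source_repo` and the DO NOT EDIT banner at the personal fork https://github.com/ericvn/api instead of https://github.com/istio/api, and the analysis file also switches `layout: protoc-gen-docs` to `layout: partner-component` while `generator: protoc-gen-docs` is unchanged. That is fine for a test render, but these generated files need to be regenerated from istio/api before merge so the banner and `source_repo` point upstream, and the layout switch should be a deliberate decision on its own, since `layout` selects the Hugo template that renders every reference page.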

    @@ -50,9 +50,9 @@

    AnalysisMessageBase

    @@ -65,10 +65,10 @@

    AnalysisMessageBase

    AnalysisMessageWeakSchema

    -

    AnalysisMessageWeakSchema is the set of information that’s needed to define a -weakly-typed schema. The purpose of this proto is to provide a mechanism for -validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make -sure that we don’t allow committing underspecified types.

    +

    AnalysisMessageWeakSchema is the set of information that's needed to define a
    +weakly-typed schema. The purpose of this proto is to provide a mechanism for
    +validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
    +sure that we don't allow committing underspecified types.

    documentationUrl string -

    A url pointing to the Istio documentation for this specific error type. -Should be of the form -^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/ +

    A url pointing to the Istio documentation for this specific error type.
    +Should be of the form
    +^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/
    Required.
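Review bot: this hunk changes the rendered description from typographic quotes (that’s, don’t) to straight ASCII quotes (that's, don't), and the same substitution shows up in every description hunk of this patch, so it comes from the renderer rather than from the proto comments. If the site wants to keep the curly form, Goldmark's Typographer extension produces it; otherwise call the change out in the PR description so the quote-only diff noise is expected by other reviewers.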

    @@ -106,8 +106,8 @@

    AnalysisMessageWeakSchema

    @@ -131,11 +131,11 @@

    AnalysisMessageWeakSchema

    GenericAnalysisMessage

    -

    GenericAnalysisMessage is an instance of an AnalysisMessage defined by a -schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code -should be able to perform validation of arguments as needed by using the -message type information to look at the AnalysisMessageWeakSchema and examine the -list of args at runtime. Developers can also create stronger-typed versions +

    GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
    +schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
    +should be able to perform validation of arguments as needed by using the
    +message type information to look at the AnalysisMessageWeakSchema and examine the
    +list of args at runtime. Developers can also create stronger-typed versions
    of GenericAnalysisMessage for well-known and stable message types.

    template string -

    A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) -defining how to combine the args for a particular message into a log line. +

    A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing)
    +defining how to combine the args for a particular message into a log line.
    Required.

    @@ -174,11 +174,11 @@

    GenericAnalysisMessage

    @@ -191,7 +191,7 @@

    GenericAnalysisMessage

    InternalErrorAnalysisMessage

    -

    InternalErrorAnalysisMessage is a strongly-typed message representing some +

    InternalErrorAnalysisMessage is a strongly-typed message representing some
    error in Istio code that prevented us from performing analysis at all.

    resourcePaths string[] -

    A list of strings specifying the resource identifiers that were the cause -of message generation. A “path” here is a (NAMESPACE\/)?RESOURCETYPE/NAME -tuple that uniquely identifies a particular resource. There doesn’t seem to -be a single concept for this, but this is intuitively taken from -https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology +

    A list of strings specifying the resource identifiers that were the cause
    +of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME
    +tuple that uniquely identifies a particular resource. There doesn't seem to
    +be a single concept for this, but this is intuitively taken from
    +https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology
    At least one is required.
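Review bot: the resourcePaths description loses the backslash in its path pattern, `(NAMESPACE\/)?RESOURCETYPE/NAME` becoming `(NAMESPACE/)?RESOURCETYPE/NAME`. The two are equivalent as a regular expression, but the old renderer passed the escape through literally; confirm that Goldmark consuming the markdown escape here is intended rather than a silent change to a pattern readers may copy.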

    @@ -231,9 +231,9 @@

    InternalErrorAnalysisMessage

    AnalysisMessageBase.Type

    -

    A unique identifier for the type of message. Name is intended to be -human-readable, code is intended to be machine readable. There should be a -one-to-one mapping between name and code. (i.e. do not re-use names or +

    A unique identifier for the type of message. Name is intended to be
    +human-readable, code is intended to be machine readable. There should be a
    +one-to-one mapping between name and code. (i.e. do not re-use names or
    codes between message types.)

    @@ -250,8 +250,8 @@

    AnalysisMessageBase.Type

    @@ -263,8 +263,8 @@

    AnalysisMessageBase.Type

    @@ -302,9 +302,9 @@

    AnalysisMessageWeakSchema.ArgType

    goType @@ -317,7 +317,7 @@

    AnalysisMessageWeakSchema.ArgType

    AnalysisMessageBase.Level

    -

    The values here are chosen so that more severe messages get sorted higher, +

    The values here are chosen so that more severe messages get sorted higher,
    as well as leaving space in between to add more later

    name string -

    A human-readable name for the message type. e.g. “InternalError”, -“PodMissingProxy”. This should be the same for all messages of the same type. +

    A human-readable name for the message type. e.g. "InternalError",
    +"PodMissingProxy". This should be the same for all messages of the same type.
    Required.

    code string -

    A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify -the message type. (e.g. “IST0001” is mapped to the “InternalError” message +

    A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify
    +the message type. (e.g. "IST0001" is mapped to the "InternalError" message
    type.) 0000-0100 are reserved. Required.

    string -

    Required. Should be a golang type, used in code generation. -Ideally this will change to a less language-pinned type before this gets -out of alpha, but for compatibility with current istio/istio code it’s +

    Required. Should be a golang type, used in code generation.
    +Ideally this will change to a less language-pinned type before this gets
    +out of alpha, but for compatibility with current istio/istio code it's
    go_type for now.

    diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html index 5df69d2b20357..cc5af4388de0f 100644 --- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Global Mesh Options description: Configuration affecting the service mesh as a whole. location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs weight: 20 number_of_entries: 55 @@ -29,7 +29,7 @@

    MeshConfig
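Review bot: the istio.mesh.v1alpha1 front matter carries the same fork pointer (`source_repo: https://github.com/ericvn/api` and a banner naming the ericvn repo) and the same `layout: protoc-gen-docs` to `layout: partner-component` switch. Regenerate from istio/api before merge, and keep the layout change separate from the Goldmark rendering test so it can be reviewed on its own.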

    @@ -52,7 +52,7 @@

    MeshConfig

    @@ -64,15 +64,15 @@

    MeshConfig

    @@ -95,8 +95,8 @@

    MeshConfig

    @@ -108,7 +108,7 @@

    MeshConfig

    @@ -120,7 +120,7 @@

    MeshConfig

    @@ -132,10 +132,10 @@

    MeshConfig

    @@ -147,7 +147,7 @@

    MeshConfig

    @@ -159,7 +159,7 @@

    MeshConfig

    @@ -171,8 +171,8 @@

    MeshConfig

    @@ -195,9 +195,9 @@

    MeshConfig

    @@ -209,9 +209,9 @@

    MeshConfig

    @@ -223,10 +223,10 @@

    MeshConfig

    @@ -238,17 +238,17 @@

    MeshConfig

    @@ -260,8 +260,8 @@

    MeshConfig

    @@ -273,16 +273,16 @@

    MeshConfig

    @@ -294,7 +294,7 @@

    MeshConfig

    @@ -306,14 +306,12 @@

    MeshConfig

    @@ -325,9 +323,9 @@

    MeshConfig

    @@ -339,30 +337,26 @@

    MeshConfig

    @@ -374,10 +368,9 @@

    MeshConfig

    @@ -389,10 +382,9 @@

    MeshConfig

    @@ -404,13 +396,12 @@

    MeshConfig

    @@ -433,7 +424,7 @@

    MeshConfig

    @@ -445,9 +436,9 @@

    MeshConfig

    @@ -459,22 +450,18 @@

    MeshConfig

    @@ -550,7 +533,7 @@

    MeshConfig

    @@ -573,15 +556,16 @@

    MeshConfig

    @@ -606,12 +589,12 @@

    MeshConfig

    @@ -623,13 +606,13 @@

    MeshConfig

    @@ -653,8 +636,8 @@

    MeshConfig

    ConfigSource

    -

    ConfigSource describes information about a configuration store inside a -mesh. A single control plane instance can interact with one or more data +

    ConfigSource describes information about a configuration store inside a
    +mesh. A single control plane instance can interact with one or more data
    sources.

    proxyListenPort int32 -

    Port on which Envoy should listen for incoming connections from +

    Port on which Envoy should listen for incoming connections from
    other services. Default port is 15001.

    connectTimeout Duration -

    Connection timeout used by Envoy. (MUST BE >=1ms) +

    Connection timeout used by Envoy. (MUST BE >=1ms)
    Default timeout is 10s.

    protocolDetectionTimeout Duration -

    Automatic protocol detection uses a set of heuristics to -determine whether the connection is using TLS or not (on the -server side), as well as the application protocol being used -(e.g., http vs tcp). These heuristics rely on the client sending -the first bits of data. For server first protocols like MySQL, -MongoDB, etc. Envoy will timeout on the protocol detection after -the specified period, defaulting to non mTLS plain TCP -traffic. Set this field to tweak the period that Envoy will wait -for the client to send the first bits of data. (MUST BE >=1ms or +

    Automatic protocol detection uses a set of heuristics to
    +determine whether the connection is using TLS or not (on the
    +server side), as well as the application protocol being used
    +(e.g., http vs tcp). These heuristics rely on the client sending
    +the first bits of data. For server first protocols like MySQL,
    +MongoDB, etc. Envoy will timeout on the protocol detection after
    +the specified period, defaulting to non mTLS plain TCP
    +traffic. Set this field to tweak the period that Envoy will wait
    +for the client to send the first bits of data. (MUST BE >=1ms or
    0s to disable). Default detection timeout is 0s (no timeout).

    ingressClass string -

    Class of ingress resources to be processed by Istio ingress -controller. This corresponds to the value of +

    Class of ingress resources to be processed by Istio ingress
    +controller. This corresponds to the value of
    kubernetes.io/ingress.class annotation.

    ingressService string -

    Name of the Kubernetes service used for the istio ingress controller. +

    Name of the Kubernetes service used for the istio ingress controller.
    If no ingress controller is specified, the default value istio-ingressgateway is used.

    ingressControllerMode IngressControllerMode -

    Defines whether to use Istio ingress controller for annotated or all ingress resources. +

    Defines whether to use Istio ingress controller for annotated or all ingress resources.
    Default mode is STRICT.

    ingressSelector string -

    Defines which gateway deployment to use as the Ingress controller. This field corresponds to -the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. -By default, ingressgateway is used, which will select the default IngressGateway as it has the -istio: ingressgateway labels. +

    Defines which gateway deployment to use as the Ingress controller. This field corresponds to
    +the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR.
    +By default, ingressgateway is used, which will select the default IngressGateway as it has the
    +istio: ingressgateway labels.
    It is recommended that this is the same value as ingress_service.

    enableTracing bool -

    Flag to control generation of trace spans and request IDs. +

    Flag to control generation of trace spans and request IDs.
    Requires a trace span collector defined in the proxy configuration.

    accessLogFile string -

    File address for the proxy access log (e.g. /dev/stdout). +

    File address for the proxy access log (e.g. /dev/stdout).
    Empty value disables access logging.

    accessLogFormat string -

    Format for the proxy access log -Empty value results in proxy’s default access log format

    +

    Format for the proxy access log
    +Empty value results in proxy's default access log format

    @@ -183,7 +183,7 @@

    MeshConfig

    accessLogEncoding AccessLogEncoding -

    Encoding for the proxy access log (TEXT or JSON). +

    Encoding for the proxy access log (TEXT or JSON).
    Default value is TEXT.

    enableEnvoyAccessLogService bool -

    This flag enables Envoy’s gRPC Access Log Service. -See Access Log Service -for details about Envoy’s gRPC Access Log Service API. +

    This flag enables Envoy's gRPC Access Log Service.
    +See Access Log Service
    +for details about Envoy's gRPC Access Log Service API.
    Default value is false.

    disableEnvoyListenerLog bool -

    This flag disables Envoy Listener logs. -See Listener Access Log -Istio Enables Envoy’s listener access logs on “NoRoute” response flag. +

    This flag disables Envoy Listener logs.
    +See Listener Access Log
    +Istio Enables Envoy's listener access logs on "NoRoute" response flag.
    Default value is false.

    defaultConfig ProxyConfig -

    Default proxy config used by gateway and sidecars. -In case of Kubernetes, the proxy config is applied once during the injection process, -and remain constant for the duration of the pod. The rest of the mesh config can be changed -at runtime and config gets distributed dynamically. +

    Default proxy config used by gateway and sidecars.
    +In case of Kubernetes, the proxy config is applied once during the injection process,
    +and remain constant for the duration of the pod. The rest of the mesh config can be changed
    +at runtime and config gets distributed dynamically.
    On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

    outboundTrafficPolicy OutboundTrafficPolicy -

    Set the default behavior of the sidecar for handling outbound -traffic from the application. If your application uses one or -more external services that are not known apriori, setting the -policy to ALLOW_ANY will cause the sidecars to route any unknown -traffic originating from the application to its requested -destination. Users are strongly encouraged to use ServiceEntries -to explicitly declare any external dependencies, instead of using -ALLOW_ANY, so that traffic to these services can be -monitored. Can be overridden at a Sidecar level by setting the -OutboundTrafficPolicy in the Sidecar -API. +

    Set the default behavior of the sidecar for handling outbound
    +traffic from the application. If your application uses one or
    +more external services that are not known apriori, setting the
    +policy to ALLOW_ANY will cause the sidecars to route any unknown
    +traffic originating from the application to its requested
    +destination. Users are strongly encouraged to use ServiceEntries
    +to explicitly declare any external dependencies, instead of using
    +ALLOW_ANY, so that traffic to these services can be
    +monitored. Can be overridden at a Sidecar level by setting the
    +OutboundTrafficPolicy in the Sidecar
    +API
    .
    Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

    configSources ConfigSource[] -

    ConfigSource describes a source of configuration data for networking -rules, and other Istio configuration artifacts. Multiple data sources +

    ConfigSource describes a source of configuration data for networking
    +rules, and other Istio configuration artifacts. Multiple data sources
    can be configured for a single control plane.

    enableAutoMtls BoolValue -

    This flag is used to enable mutual TLS automatically for service to service communication -within the mesh, default true. -If set to true, and a given service does not have a corresponding DestinationRule configured, -or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side -TLS configuration appropriately. More specifically, -If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate -for mutual TLS to connect to upstream. -If upstream service is in plain text mode, use plain text. -If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use -mutual TLS when server sides are capable of accepting mutual TLS traffic. +

    This flag is used to enable mutual TLS automatically for service to service communication
    +within the mesh, default true.
    +If set to true, and a given service does not have a corresponding DestinationRule configured,
    +or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side
    +TLS configuration appropriately. More specifically,
    +If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
    +for mutual TLS to connect to upstream.
    +If upstream service is in plain text mode, use plain text.
    +If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
    +mutual TLS when server sides are capable of accepting mutual TLS traffic.
    If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

    trustDomain string -

    The trust domain corresponds to the trust root of a system. +

    The trust domain corresponds to the trust root of a system.
    Refer to SPIFFE-ID

    trustDomainAliases string[] -

    The trust domain aliases represent the aliases of trust_domain. +

    The trust domain aliases represent the aliases of trust_domain.
    For example, if we have

    -
    trustDomain: td1
     trustDomainAliases: ["td2", "td3"]
     
    - -

    Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, +

    Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account,
    or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

    caCertificates CertificateData[] -

    The extra root certificates for workload-to-workload communication. -The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) -are automatically added by Istiod. +

    The extra root certificates for workload-to-workload communication.
    +The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
    +are automatically added by Istiod.
    The CA certificate that signs the workload certificates is automatically added by Istio Agent.

    defaultServiceExportTo string[] -

    The default value for the ServiceEntry.export_to field and services -imported through container registry integrations, e.g. this applies to -Kubernetes Service resources. The value is a list of namespace names and +

    The default value for the ServiceEntry.export_to field and services
    +imported through container registry integrations, e.g. this applies to
    +Kubernetes Service resources. The value is a list of namespace names and
    reserved namespace aliases. The allowed namespace aliases are:

    -
    * - All Namespaces
     . - Current Namespace
     ~ - No Namespace
     
    - -

    If not set the system will use “*” as the default value which implies that +

    If not set the system will use "*" as the default value which implies that
    services are exported to all namespaces.

    - -

    All namespaces is a reasonable default for implementations that don’t -need to restrict access or visibility of services across namespace -boundaries. If that requirement is present it is generally good practice to -make the default Current namespace so that services are only visible -within their own namespaces by default. Operators can then expand the -visibility of services to other namespaces as needed. Use of No Namespace -is expected to be rare but can have utility for deployments where -dependency management needs to be precise even within the scope of a single +

    All namespaces is a reasonable default for implementations that don't
    +need to restrict access or visibility of services across namespace
    +boundaries. If that requirement is present it is generally good practice to
    +make the default Current namespace so that services are only visible
    +within their own namespaces by default. Operators can then expand the
    +visibility of services to other namespaces as needed. Use of No Namespace
    +is expected to be rare but can have utility for deployments where
    +dependency management needs to be precise even within the scope of a single
    namespace.

    - -

    For further discussion see the reference documentation for ServiceEntry, +

    For further discussion see the reference documentation for ServiceEntry,
    Sidecar, and Gateway.

    defaultVirtualServiceExportTo string[] -

    The default value for the VirtualService.export_to field. Has the same +

    The default value for the VirtualService.export_to field. Has the same
    syntax as default_service_export_to.

    - -

    If not set the system will use “*” as the default value which implies that +

    If not set the system will use "*" as the default value which implies that
    virtual services are exported to all namespaces

    defaultDestinationRuleExportTo string[] -

    The default value for the DestinationRule.export_to field. Has the same +

    The default value for the DestinationRule.export_to field. Has the same
    syntax as default_service_export_to.

    - -

    If not set the system will use “*” as the default value which implies that +

    If not set the system will use "*" as the default value which implies that
    destination rules are exported to all namespaces

    rootNamespace string -

    The namespace to treat as the administrative root namespace for -Istio configuration. When processing a leaf namespace Istio will search for -declarations in that namespace first and if none are found it will -search in the root namespace. Any matching declaration found in the root +

    The namespace to treat as the administrative root namespace for
    +Istio configuration. When processing a leaf namespace Istio will search for
    +declarations in that namespace first and if none are found it will
    +search in the root namespace. Any matching declaration found in the root
    namespace is processed as if it were declared in the leaf namespace.

    - -

    The precise semantics of this processing are documented on each resource +

    The precise semantics of this processing are documented on each resource
    type.

    dnsRefreshRate Duration -

    Configures DNS refresh rate for Envoy clusters of type STRICT_DNS +

    Configures DNS refresh rate for Envoy clusters of type STRICT_DNS
    Default refresh rate is 5s.

    h2UpgradePolicy H2UpgradePolicy -

    Specify if http1.1 connections should be upgraded to http2 by default. -if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. -If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. +

    Specify if http1.1 connections should be upgraded to http2 by default.
    +if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
    +If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE.
    It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

    inboundClusterStatName string -

    Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for -network filters like TCP and Redis. -By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>. +

    Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
    +network filters like TCP and Redis.
    +By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>.
    For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

    -

    A Pattern can be composed of various pre-defined variables. The following variables are supported.

    -
    • %SERVICE% - Will be substituted with name of the service.
    • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
    • %SERVICE_PORT% - Will be substituted with port of the service.
    • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
    -

    Following are some examples of supported patterns for reviews:

    -
    • %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
    • %SERVICE% will use reviews.prod as the stats name.
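Review bot: in the outboundTrafficPolicy description the sentence-ending period after the Sidecar API link is now emitted on its own line (`+API` followed by a bare `.`), which a browser renders as `API .` with a space before the period, whereas the previous output kept `API.` together. The defaultHttpRetryPolicy hunk in this same patch renders `Virtual Service API.` correctly, so compare how the two proto comments wrap the link and keep trailing punctuation adjacent to the anchor text in the generated output.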
    • @@ -489,13 +476,11 @@

      MeshConfig

    outboundClusterStatName string -

    Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for -network filters like TCP and Redis. -By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>. +

    Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
    +network filters like TCP and Redis.
    +By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>.
    For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

    -

    A Pattern can be composed of various pre-defined variables. The following variables are supported.

    -
    • %SERVICE% - Will be substituted with name of the service.
    • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
    • @@ -503,9 +488,7 @@

      MeshConfig

    • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
    • %SUBSET_NAME% - Will be substituted with subset.
    -

    Following are some examples of supported patterns for reviews:

    -
    • %SERVICE_FQDN%_%SERVICE_PORT% will use reviews.prod.svc.cluster.local_7443 as the stats name.
    • %SERVICE% will use reviews.prod as the stats name.
    • @@ -531,14 +514,14 @@

      MeshConfig

    enablePrometheusMerge BoolValue -

    If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy -and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod -and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. -This relies on the annotations prometheus.io/scrape, prometheus.io/port, and -prometheus.io/path annotations. -If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. -In this case, it is recommended to disable aggregation on that deployment with the -prometheus.istio.io/merge-metrics: "false" annotation. +

    If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
    +and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod
    +and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
    +This relies on the annotations prometheus.io/scrape, prometheus.io/port, and
    +prometheus.io/path annotations.
    +If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
    +In this case, it is recommended to disable aggregation on that deployment with the
    +prometheus.istio.io/merge-metrics: "false" annotation.
    If not specified, this will be enabled by default.

    extensionProviders ExtensionProvider[] -

    Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy +

    Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
    can be used with an extension provider to delegate the authorization decision to a custom authorization system.

    discoverySelectors LabelSelector[] -

    A list of Kubernetes selectors that specify the set of namespaces that Istio considers when -computing configuration updates for sidecars. This can be used to reduce Istio’s computational load -by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. -If omitted, Istio will use the default behavior of processing all namespaces in the cluster. -Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. -The following example selects any namespace that matches either below: -1. The namespace has both of these labels: env: prod and region: us-east1 -2. The namespace has label app equal to cassandra or spark.

    - +

    A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
    +computing configuration updates for sidecars. This can be used to reduce Istio's computational load
    +by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
    +If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
    +Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
    +The following example selects any namespace that matches either below:

    +
      +
    1. The namespace has both of these labels: env: prod and region: us-east1
    2. +
    3. The namespace has label app equal to cassandra or spark.
    4. +
    discoverySelectors:
       - matchLabels:
           env: prod
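Review bot: the discoverySelectors description now renders as a four-item numbered list with empty entries 2 and 4 (the blank `+` lines between the two original conditions are being numbered), where the old output listed exactly two conditions followed by the YAML example. Tight and loose list handling differs between the two renderers; confirm the final HTML contains two list items and that the `discoverySelectors:` YAML stays in a single code block after them.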
    @@ -593,8 +577,7 @@ 

    MeshConfig

    - cassandra - spark
    - -

    Refer to the kubernetes selector docs +

    Refer to the kubernetes selector docs
    for additional detail on selector semantics.

    pathNormalization ProxyPathNormalization -

    ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are -normalized by the sidecars and gateways. -The normalized paths will be used in all aspects through the requests’ lifetime on the -sidecars and gateways, which includes routing decisions in outbound direction (client proxy), -authorization policy match and enforcement in inbound direction (server proxy), and the URL -path proxied to the upstream service. +

    ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
    +normalized by the sidecars and gateways.
    +The normalized paths will be used in all aspects through the requests' lifetime on the
    +sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
    +authorization policy match and enforcement in inbound direction (server proxy), and the URL
    +path proxied to the upstream service.
    If not set, the NormalizationType.DEFAULT configuration will be used.

    defaultHttpRetryPolicy HTTPRetry -

    Configure the default HTTP retry policy. -The default number of retry attempts is set at 2 for these errors: - “connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”. -Setting the number of attempts to 0 disables retry policy globally. -This setting can be overriden on a per-host basis using the Virtual Service -API. -All settings in the retry policy except perTryTimeout can currently be +

    Configure the default HTTP retry policy.
    +The default number of retry attempts is set at 2 for these errors:
    +"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".
    +Setting the number of attempts to 0 disables retry policy globally.
    +This setting can be overriden on a per-host basis using the Virtual Service
    +API.
    +All settings in the retry policy except perTryTimeout can currently be
    configured globally via this field.
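Review bot: the `cassandra`/`spark` values of the discoverySelectors example appear in this hunk only on removed lines (`- cassandra - spark`) with no matching `+` line, so confirm the `matchExpressions` half of the YAML example still renders after the Goldmark switch and was not dropped or folded into the preceding block. Separately, the regenerated defaultHttpRetryPolicy text still carries `overriden`; that comes from the proto comment in istio/api, so it is a fix for the source rather than this PR, but worth filing. The change from curly to straight quotes around `connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes` is a welcome side effect, since readers copy such values into configuration.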

    @@ -671,9 +654,9 @@

    ConfigSource

    @@ -685,8 +668,8 @@

    ConfigSource

    @@ -759,10 +742,10 @@

    MeshConfig.CertificateData

    @@ -774,8 +757,8 @@

    MeshConfig.CertificateData

    @@ -787,14 +770,14 @@

    MeshConfig.CertificateData

    @@ -821,8 +804,8 @@

    MeshConfig.ThriftConfig

    @@ -860,8 +843,8 @@

    MeshConfig.CA

    @@ -873,13 +856,15 @@

    MeshConfig.CA

    @@ -902,7 +887,7 @@

    MeshConfig.CA

    @@ -973,9 +958,9 @@

    MeshConfig.ExtensionProvider

    @@ -1098,10 +1083,9 @@

    MeshConfig.ExtensionProvider

    MeshConfig.DefaultProviders

    -

    Holds the name references to the providers that will be used by default +

    Holds the name references to the providers that will be used by default
    in other Istio configuration resources if the provider is not specified.

    - -

    These names must match a provider defined in extension_providers that is +

    These names must match a provider defined in extension_providers that is
    one of the supported tracing providers.

    address string -

    Address of the server implementing the Istio Mesh Configuration -protocol (MCP). Can be IP address or a fully qualified DNS name. -Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or +

    Address of the server implementing the Istio Mesh Configuration
    +protocol (MCP). Can be IP address or a fully qualified DNS name.
    +Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
    fs:/// to specify a file-based backend with absolute path to the directory.

    tlsSettings ClientTLSSettings -

    Use the tls_settings to specify the tls mode to use. If the MCP server -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +

    Use the tls_settings to specify the tls mode to use. If the MCP server
    +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
    mode as ISTIO_MUTUAL.

    spiffeBundleUrl string (oneof) -

    The SPIFFE bundle endpoint URL that complies to: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle -The endpoint should support authentication based on Web PKI: -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki +

    The SPIFFE bundle endpoint URL that complies to:
    +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
    +The endpoint should support authentication based on Web PKI:
    +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
    The certificate is retrieved from the endpoint.

    certSigners string[] -

    Optional. Specify the kubernetes signers (External CA) that use this trustAnchor -when Istiod is acting as RA(registration authority) +

    Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
    +when Istiod is acting as RA(registration authority)
    If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

    trustDomains string[] -

    Optional. Specify the list of trust domains to which this trustAnchor data belongs. -If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain -and its aliases. -Note that we can have multiple trustAnchor data for a same trust_domain. -In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. -If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. -If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. -If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. +

    Optional. Specify the list of trust domains to which this trustAnchor data belongs.
    +If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
    +and its aliases.
    +Note that we can have multiple trustAnchor data for a same trust_domain.
    +In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
    +If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
    +If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
    +If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
    If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.

    rateLimitUrl string -

    Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, -this will enable the rate limit service for destinations that have matching rate +

    Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
    +this will enable the rate limit service for destinations that have matching rate
    limit configurations.

    address string -

    REQUIRED. Address of the CA server implementing the Istio CA gRPC API. -Can be IP address or a fully qualified DNS name with port +

    REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
    +Can be IP address or a fully qualified DNS name with port
    Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

    tlsSettings ClientTLSSettings -

    Use the tls_settings to specify the tls mode to use. -Regarding tls_settings: -- DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. -DISABLE MODE can also be used for testing -- TLS MUTUAL MODE be on by default. If the CA certificates -(cert bundle to verify the CA server’s certificate) is omitted, Istiod will -use the system root certs to verify the CA server’s certificate.

    +

    Use the tls_settings to specify the tls mode to use.
    +Regarding tls_settings:

    +
      +
    • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
      +DISABLE MODE can also be used for testing
    • +
    • TLS MUTUAL MODE be on by default. If the CA certificates
      +(cert bundle to verify the CA server's certificate) is omitted, Istiod will
      +use the system root certs to verify the CA server's certificate.
    • +
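Review bot: the bullet list for `tlsSettings` under MeshConfig.CA renders an empty bullet after each real item on the `+` side (`• +` after both the DISABLE MODE and TLS MUTUAL MODE entries), so the list markup needs checking before merge. While regenerating, the underlying text has grammar worth fixing in the istio/api proto comment: `TLS MUTUAL MODE be on by default` should read `is on by default`, `RA(registration authority)` needs a space, and `complies to` in the spiffeBundleUrl description should be `complies with`. The security-relevant statement in this hunk, that omitting the CA cert bundle makes Istiod fall back to the system root certificates when verifying the external CA server, survives the rerender intact, which is the part a reader must not lose.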
    @@ -890,7 +875,7 @@

    MeshConfig.CA

    requestTimeout Duration -

    timeout for forward CSR requests from Istiod to External CA +

    timeout for forward CSR requests from Istiod to External CA
    Default: 10s

    istiodSide bool -

    Use istiod_side to specify CA Server integrate to Istiod side or Agent side +

    Use istiod_side to specify CA Server integrate to Istiod side or Agent side
    Default: true

    lightstep LightstepTracingProvider (oneof) -

    Configures a Lightstep tracing provider. -Note: For Istio 1.15+, configuring this provider will result in -using an OpenTelemetryTracingProvider configured specially for +

    Configures a Lightstep tracing provider.
    +Note: For Istio 1.15+, configuring this provider will result in
    +using an OpenTelemetryTracingProvider configured specially for
    Lightstep. This is part of the Lightstep transition to OpenTelemetry.
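Review bot: minor wording in the text this hunk rerenders, to take upstream rather than here: `timeout for forward CSR requests` reads better as `timeout for forwarding CSR requests`, and `Use istiod_side to specify CA Server integrate to Istiod side or Agent side` as `Use istiod_side to specify whether the CA server integration runs on the Istiod side or the agent side`. No rendering problems are visible in this hunk; the `Default:` lines keep their line breaks.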

    @@ -1190,11 +1174,11 @@

    MeshConfig.TLSConfig

    @@ -1223,24 +1207,21 @@

    MeshConfig.ServiceSettings.Settings

    @@ -1267,10 +1248,10 @@

    Mesh

    @@ -1282,9 +1263,9 @@

    Mesh

    @@ -1296,9 +1277,9 @@

    Mesh

    @@ -1325,12 +1306,11 @@

    Mes

    @@ -1365,9 +1345,9 @@

    Mes

    @@ -1460,16 +1443,17 @@

    Mes

    @@ -1578,8 +1563,8 @@

    Mes

    @@ -1591,8 +1576,8 @@

    Mes

    @@ -1671,8 +1655,8 @@

    MeshConfig.Extension

    MeshConfig.ExtensionProvider.LightstepTracingProvider

    -

    Defines configuration for a Lightstep tracer. -Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ +

    Defines configuration for a Lightstep tracer.
    +Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
    will generate OpenTelemetry-compatible configuration when using this option.

    minProtocolVersion TLSProtocol -

    Optional: the minimum TLS protocol version. The default minimum -TLS version will be TLS 1.2. As servers may not be Envoy and be -set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the -minimum TLS version for clients may also be TLS 1.2. -In the current Istio implementation, the maximum TLS protocol version +

    Optional: the minimum TLS protocol version. The default minimum
    +TLS version will be TLS 1.2. As servers may not be Envoy and be
    +set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
    +minimum TLS version for clients may also be TLS 1.2.
    +In the current Istio implementation, the maximum TLS protocol version
    is TLS 1.3.

    clusterLocal bool -

    If true, specifies that the client and service endpoints must reside in the same cluster. -By default, in multi-cluster deployments, the Istio control plane assumes all service -endpoints to be reachable from any client in any of the clusters which are part of the -mesh. This configuration option limits the set of service endpoints visible to a client +

    If true, specifies that the client and service endpoints must reside in the same cluster.
    +By default, in multi-cluster deployments, the Istio control plane assumes all service
    +endpoints to be reachable from any client in any of the clusters which are part of the
    +mesh. This configuration option limits the set of service endpoints visible to a client
    to be cluster scoped.

    -

    There are some common scenarios when this can be useful:

    -
      -
    • A service (or group of services) is inherently local to the cluster and has local storage +
    • A service (or group of services) is inherently local to the cluster and has local storage
      for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
    • -
    • A mesh administrator wants to slowly migrate services to Istio. They might start by first -having services cluster-local and then slowly transition them to mesh-wide. They could do -this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group +
    • A mesh administrator wants to slowly migrate services to Istio. They might start by first
      +having services cluster-local and then slowly transition them to mesh-wide. They could do
      +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
      (e.g. *.myns.svc.cluster.local).
    - -

    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all +

    By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
    services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

    maxRequestBytes uint32 -

    Sets the maximum size of a message body that the ext-authz filter will hold in memory. -If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). -Otherwise the request will be sent to the provider with a partial message. -Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the +

    Sets the maximum size of a message body that the ext-authz filter will hold in memory.
    +If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
    +Otherwise the request will be sent to the provider with a partial message.
    +Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the
    fail_open is set to true.

    allowPartialMessage bool -

    When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. -The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. -A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message +

    When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
    +The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
    +A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
    indicating if the body data is partial.

    packAsBytes bool -

    If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes -in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). -Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). +

    If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
    +in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
    +Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
    This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.

    service string -

    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    +

    Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
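Review bot: the `[<Namespace>/]<Hostname>` placeholders in the `service` description come through on the `+` lines, which is the right outcome; please confirm the generated HTML carries them as escaped entities rather than literal tags, since a bare `<Hostname>` tag would not display and the format line would collapse to `[/]`. One wording point for upstream in the rerendered minProtocolVersion paragraph: `As servers may not be Envoy and be set to TLS 1.2 ... the minimum TLS version for clients may also be TLS 1.2` is hard to parse and should state plainly that the client minimum defaults to TLS 1.2 because non-Envoy servers, such as workloads doing mTLS without sidecars, may not support anything newer.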

    @@ -1352,8 +1332,8 @@

    Mes

    timeout Duration -

    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +

    The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
    +When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
    In this situation, the response sent back to the client will depend on the configured fail_open field.

    pathPrefix string -

    Sets a prefix to the value of authorization request header Path. -For example, setting this to “/check” for an original user request at path “/admin” will cause the -authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

    +

    Sets a prefix to the value of authorization request header Path.
    +For example, setting this to "/check" for an original user request at path "/admin" will cause the
    +authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".

    @@ -1378,9 +1358,9 @@

    Mes

    failOpen bool -

    If true, the user request will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. -Default is false and the request will be rejected with “Forbidden” response.

    +

    If true, the user request will be allowed even if the communication with the authorization service has failed,
    +or if the authorization service has returned a HTTP 5xx error.
    +Default is false and the request will be rejected with "Forbidden" response.

    @@ -1391,8 +1371,8 @@

    Mes

    statusOnError string -

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

    +

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
    +The default status is "403" (HTTP Forbidden).

    @@ -1414,18 +1394,21 @@

    Mes

    includeRequestHeadersInCheck string[] -

    List of client request headers that should be included in the authorization request sent to the authorization service. -Note that in addition to the headers specified here following headers are included by default: -1. Host, Method, Path and Content-Length are automatically sent. -2. Content-Length will be set to 0 and the request will not have a message body. However, the authorization -request can include the buffered client request body (controlled by include_request_body_in_check setting), -consequently the value of Content-Length of the authorization request reflects the size of its payload size.

    - -

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

    +

    List of client request headers that should be included in the authorization request sent to the authorization service.
    +Note that in addition to the headers specified here following headers are included by default:

    +
      +
    1. Host, Method, Path and Content-Length are automatically sent.
    2. +
    3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization
      +request can include the buffered client request body (controlled by include_request_body_in_check setting),
      +consequently the value of Content-Length of the authorization request reflects the size of its payload size.
    4. +
    +

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
    +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

    +
      +
    • Exact match: "abc" will match on value "abc".
    • +
    • Prefix match: "abc*" will match on value "abc" and "abcd".
    • +
    • Suffix match: "*abc" will match on value "abc" and "xabc".
    • +
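Review bot: the numbered list in includeRequestHeadersInCheck renders with empty items 2 and 4 on the `+` side, and the bullet list of match types gets an empty `• +` after each entry; same list-markup problem to fix before merge. The text itself has two wording issues for upstream: `in addition to the headers specified here following headers` is missing `the`, and `reflects the size of its payload size` should be `reflects its payload size`. Item 2 also reads as self-contradictory (`Content-Length will be set to 0 and the request will not have a message body`, immediately followed by the body being included when include_request_body_in_check is set); the intended meaning is that Content-Length is 0 unless the buffered body is included, and it would be clearer to say so.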
    @@ -1436,8 +1419,8 @@

    Mes

    includeAdditionalHeadersInCheck map<string, string> -

    Set of additional fixed headers that should be included in the authorization request sent to the authorization service. -Key is the header name and value is the header value. +

    Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
    +Key is the header name and value is the header value.
    Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.

    headersToUpstreamOnAllow string[] -

    List of headers from the authorization service that should be added or overridden in the original request and -forwarded to the upstream when the authorization check result is allowed (HTTP code 200). -If not specified, the original request will not be modified and forwarded to backend as-is. +

    List of headers from the authorization service that should be added or overridden in the original request and
    +forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
    +If not specified, the original request will not be modified and forwarded to backend as-is.
    Note, any existing headers will be overridden.

    - -

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

    +

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
    +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

    +
      +
    • Exact match: "abc" will match on value "abc".
    • +
    • Prefix match: "abc*" will match on value "abc" and "abcd".
    • +
    • Suffix match: "*abc" will match on value "abc" and "xabc".
    • +
    @@ -1480,19 +1464,20 @@

    Mes

    headersToDownstreamOnDeny string[] -

    List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is not allowed (HTTP code other than 200). -If not specified, all the authorization response headers, except Authority (Host) will be in the response to -the downstream. -When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are -automatically added. +

    List of headers from the authorization service that should be forwarded to downstream when the authorization
    +check result is not allowed (HTTP code other than 200).
    +If not specified, all the authorization response headers, except Authority (Host) will be in the response to
    +the downstream.
    +When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are
    +automatically added.
    Note, the body from the authorization service is always included in the response to downstream.

    - -

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

    +

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
    +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

    +
      +
    • Exact match: "abc" will match on value "abc".
    • +
    • Prefix match: "abc*" will match on value "abc" and "abcd".
    • +
    • Suffix match: "*abc" will match on value "abc" and "xabc".
    • +
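Review bot: `WWWAuthenticate` in the headersToDownstreamOnDeny description is not a real header name; it should read `WWW-Authenticate` (the proto comment in istio/api drops the hyphen, so file it there). This matters because the paragraph is telling operators which headers are forwarded automatically when an ext_authz deny response carries a challenge, and an operator grepping for the misspelled name will not find it. The `• +` empty bullets after each match-type item are present here as in the other rerendered lists.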
    @@ -1503,16 +1488,17 @@

    Mes

    headersToDownstreamOnAllow string[] -

    List of headers from the authorization service that should be forwarded to downstream when the authorization -check result is allowed (HTTP code 200). -If not specified, the original response will not be modified and forwarded to downstream as-is. +

    List of headers from the authorization service that should be forwarded to downstream when the authorization
    +check result is allowed (HTTP code 200).
    +If not specified, the original response will not be modified and forwarded to downstream as-is.
    Note, any existing headers will be overridden.

    - -

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -- Exact match: “abc” will match on value “abc”. -- Prefix match: “abc*” will match on value “abc” and “abcd”. -- Suffix match: “*abc” will match on value “abc” and “xabc”.

    +

    Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
    +https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

    +
      +
    • Exact match: "abc" will match on value "abc".
    • +
    • Prefix match: "abc*" will match on value "abc" and "abcd".
    • +
    • Suffix match: "*abc" will match on value "abc" and "xabc".
    • +
    @@ -1538,12 +1524,11 @@

    Mes

    service string -

    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

    +

    Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

    @@ -1565,8 +1550,8 @@

    Mes

    timeout Duration -

    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). -When this timeout condition is met, the proxy marks the communication to the authorization service as failure. +

    The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
    +When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
    In this situation, the response sent back to the client will depend on the configured fail_open field.

    failOpen bool -

    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, -or if the authorization service has returned a HTTP 5xx error. +

    If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
    +or if the authorization service has returned a HTTP 5xx error.
    Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

    statusOnError string -

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is “403” (HTTP Forbidden).

    +

    Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
    +The default status is "403" (HTTP Forbidden).

    @@ -1631,12 +1616,11 @@

    MeshConfig.Extension

    service string -

    REQUIRED. Specifies the service that the Zipkin API. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service that the Zipkin API.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

    +

    Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
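Review bot: `Specifies the service that the Zipkin API.` is missing its verb; it should read `Specifies the service that implements the Zipkin API.`, matching the wording used for the ext_authz providers above. Not introduced by this PR, but since the page is being regenerated from istio/api it is a cheap upstream fix.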

    @@ -1658,7 +1642,7 @@

    MeshConfig.Extension

    maxTagLength uint32 -

    Optional. Controls the overall path length allowed in a reported span. +

    Optional. Controls the overall path length allowed in a reported span.
    NOTE: currently only controls max length of the path tag.

    @@ -1689,12 +1673,11 @@

    MeshConfig.Extens

    @@ -1756,12 +1739,11 @@

    MeshConfig.Extensio

    @@ -1812,12 +1794,11 @@

    MeshConfig.Exten

    service string -

    REQUIRED. Specifies the service for the Lightstep collector. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service for the Lightstep collector.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

    +

    Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

    @@ -1727,7 +1710,7 @@

    MeshConfig.Extens

    maxTagLength uint32 -

    Optional. Controls the overall path length allowed in a reported span. +

    Optional. Controls the overall path length allowed in a reported span.
    NOTE: currently only controls max length of the path tag.

    service string -

    REQUIRED. Specifies the service for the Datadog agent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service for the Datadog agent.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

    +

    Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

    @@ -1783,7 +1765,7 @@

    MeshConfig.Extensio

    maxTagLength uint32 -

    Optional. Controls the overall path length allowed in a reported span. +

    Optional. Controls the overall path length allowed in a reported span.
    NOTE: currently only controls max length of the path tag.

    service string -

    REQUIRED. Specifies the service for the SkyWalking receiver. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service for the SkyWalking receiver.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

    +

    Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

    @@ -1852,9 +1833,8 @@

    MeshConfig.Exten

    MeshConfig.ExtensionProvider.StackdriverProvider

    Defines configuration for Stackdriver.

    - -

    WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used -alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus +

    WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
    +alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
    driver in Envoy.

    @@ -1871,7 +1851,7 @@

    MeshConfig.ExtensionPr

    @@ -1896,14 +1876,12 @@

    MeshConfig.ExtensionPr

    MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider

    Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

    - -

    WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of -OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation -in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration -may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider +

    WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
    +OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation
    +in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
    +may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
    configuration MUST be accompanied by a restart of all proxies that will use that configuration.

    - -

    NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used +

    NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used
    alongside OpenCensus provider configuration.

    maxTagLength uint32 -

    Optional. Controls the overall path length allowed in a reported span. +

    Optional. Controls the overall path length allowed in a reported span.
    NOTE: currently only controls max length of the path tag.
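Review bot: the typo "configuraiton" in the OpenCensusAgentTracingProvider NOTE ("Stackdriver tracing uses OpenCensus configuraiton under the hood") survives unchanged in both the removed and the added lines; since these pages are regenerated from istio/api, the fix belongs in the proto comment upstream rather than in this generated HTML, but it should be tracked so the next regeneration picks it up.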

    @@ -1920,12 +1898,11 @@

    MeshConfig.

    @@ -1961,7 +1938,7 @@

    MeshConfig.

    @@ -1977,7 +1954,7 @@

    MeshConfig.Exten

    MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider

    -

    Defines configuration for Envoy-based access logging that writes to +

    Defines configuration for Envoy-based access logging that writes to
    local files (and/or standard streams).

    service string -

    REQUIRED. Specifies the service for the OpenCensusAgent. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service for the OpenCensusAgent.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

    +

    Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

    @@ -1947,9 +1924,9 @@

    MeshConfig.

    context TraceContext[] -

    Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will +

    Specifies the set of context propagation headers used for distributed
    +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
    +the proxy will attempt to read each header for each request and will
    write all headers.

    maxTagLength uint32 -

    Optional. Controls the overall path length allowed in a reported span. +

    Optional. Controls the overall path length allowed in a reported span.
    NOTE: currently only controls max length of the path tag.

    @@ -1994,8 +1971,8 @@

    MeshConfig.Exte

    @@ -2019,7 +1996,7 @@

    MeshConfig.Exte

    MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider

    -

    Defines configuration for an Envoy Access Logging Service +

    Defines configuration for an Envoy Access Logging Service
    integration for HTTP traffic.

    path string -

    Path to a local file to write the access log entries. -This may be used to write to streams, via /dev/stderr and /dev/stdout +

    Path to a local file to write the access log entries.
    +This may be used to write to streams, via /dev/stderr and /dev/stdout
    If unspecified, defaults to /dev/stdout.

    @@ -2036,12 +2013,11 @@

    MeshConfig.Exte

    service string -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    +

    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

    @@ -2063,10 +2039,12 @@

    MeshConfig.Exte

    logName string -

    Optional. The friendly name of the access log. -Defaults: -- “http_envoy_accesslog” -- “listener_envoy_accesslog”

    +

    Optional. The friendly name of the access log.
    +Defaults:

    +
      +
    • "http_envoy_accesslog"
    • +
    • "listener_envoy_accesslog"
    • +
    @@ -2122,7 +2100,7 @@

    MeshConfig.Exte

    MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider

    -

    Defines configuration for an Envoy Access Logging Service +

    Defines configuration for an Envoy Access Logging Service
    integration for TCP traffic.

    @@ -2139,12 +2117,11 @@

    MeshConfig.Exten

    @@ -2325,15 +2302,13 @@

    MeshC

    @@ -2378,16 +2353,14 @@

    Me

    service string -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    +

    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

    @@ -2166,10 +2143,12 @@

    MeshConfig.Exten

    logName string -

    Optional. The friendly name of the access log. -Defaults: -- “tcp_envoy_accesslog” -- “listener_envoy_accesslog”

    +

    Optional. The friendly name of the access log.
    +Defaults:

    +
      +
    • "tcp_envoy_accesslog"
    • +
    • "listener_envoy_accesslog"
    • +
    @@ -2208,12 +2187,11 @@

    MeshConfig.E

    service string -

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a +

    REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
    +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
    +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
    service defined by the Kubernetes service or ServiceEntry.

    - -

    Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

    +

    Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

    @@ -2235,9 +2213,11 @@

    MeshConfig.E

    logName string -

    Optional. The friendly name of the access log. -Defaults: -- “otel_envoy_accesslog”

    +

    Optional. The friendly name of the access log.
    +Defaults:

    +
      +
    • "otel_envoy_accesslog"
    • +
    @@ -2248,8 +2228,8 @@

    MeshConfig.E

    logFormat LogFormat -

    Optional. Format for the proxy access log -Empty value results in proxy’s default access log format, following Envoy access logging formatting.

    +

    Optional. Format for the proxy access log
    +Empty value results in proxy's default access log format, following Envoy access logging formatting.

    @@ -2275,14 +2255,13 @@

    MeshConfig.Ext

    labels map<string, string> -

    Collection of tag names and tag expressions to include in the log -entry. Conflicts are resolved by the tag name by overriding previously +

    Collection of tag names and tag expressions to include in the log
    +entry. Conflicts are resolved by the tag name by overriding previously
    supplied values.

    - -

    Example: - labels: - path: request.url_path - foo: request.headers[‘x-foo’]

    +

    Example:
    +labels:
    +path: request.url_path
    +foo: request.headers['x-foo']

    @@ -2308,12 +2287,10 @@

    MeshC

    text string (oneof) -

    Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation +

    Textual format for the envoy access logs. Envoy command operators may be
    +used in the format. The format string documentation
    provides more information.

    - -

    NOTE: Istio will insert a newline (‘\n’) on all formats (if missing).

    - +

    NOTE: Istio will insert a newline ('\n') on all formats (if missing).

    Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    labels Struct (oneof) -

    JSON structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +

    JSON structured format for the envoy access logs. Envoy command operators
    +can be used as values for fields within the Struct. Values are rendered
    +as strings, numbers, or boolean values, as appropriate
    +(see: format dictionaries). Nested JSON is
    +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
    Use labels: {} for default envoy JSON log format.

    -

    Example:

    -
    labels:
       status: "%RESPONSE_CODE%"
       message: "%LOCAL_REPLY_BODY%"
    @@ -2363,10 +2338,10 @@ 

    Me

    text string -

    Textual format for the envoy access logs. Envoy command operators may be -used in the format. The format string documentation -provides more information. -Alias to body filed in Open Telemetry +

    Textual format for the envoy access logs. Envoy command operators may be
    +used in the format. The format string documentation
    +provides more information.
    +Alias to body filed in Open Telemetry
    Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

    labels Struct -

    Optional. Additional attributes that describe the specific event occurrence. -Structured format for the envoy access logs. Envoy command operators -can be used as values for fields within the Struct. Values are rendered -as strings, numbers, or boolean values, as appropriate -(see: format dictionaries). Nested JSON is -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). +

    Optional. Additional attributes that describe the specific event occurrence.
    +Structured format for the envoy access logs. Envoy command operators
    +can be used as values for fields within the Struct. Values are rendered
    +as strings, numbers, or boolean values, as appropriate
    +(see: format dictionaries). Nested JSON is
    +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
    Alias to attributes filed in Open Telemetry

    -

    Example:

    -
    labels:
       status: "%RESPONSE_CODE%"
       message: "%LOCAL_REPLY_BODY%"
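Review bot: both OpenTelemetry log-format fields carry "filed" where "field" is meant ("Alias to body filed in Open Telemetry", "Alias to attributes filed in Open Telemetry") in the old and new text alike, and the `text` entry runs the alias sentence straight into "Example: text: ..." with no terminating period or blank line, so the rendered paragraph reads as one sentence; worth an upstream comment fix in istio/api alongside this regeneration.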
    @@ -2403,9 +2376,9 @@ 

    Me

    k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

    -

    A label selector is a label query over a set of resources. The result of matchLabels and -matchExpressions are ANDed. An empty label selector matches all objects. A null -label selector matches no objects. +

    A label selector is a label query over a set of resources. The result of matchLabels and
    +matchExpressions are ANDed. An empty label selector matches all objects. A null
    +label selector matches no objects.
    +structType=atomic
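Review bot: the added line "+structType=atomic" here, and the added "+optional" lines under matchLabels and matchExpressions below, are Kubernetes code-generation markers from the apimachinery LabelSelector comments, not documentation prose, and the new Goldmark rendering now emits them as literal text in the LabelSelector section; the generator in istio/api should strip comment lines that begin with a `+marker` before rendering, or the previous output (which did not show them) should be matched.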

    @@ -2422,9 +2395,9 @@

    k8s.io.apimachinery.

    @@ -2436,7 +2409,7 @@

    k8s.io.apimachinery.

    @@ -2476,8 +2449,8 @@

    Tracing

    @@ -2522,7 +2495,7 @@

    Tracing

    @@ -2534,8 +2507,8 @@

    Tracing

    @@ -2548,7 +2521,7 @@

    Tracing

    PrivateKeyProvider

    -

    PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured +

    PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
    mesh wide or individual per-workload basis.

    matchLabels map<string, string> -

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is “key”, the -operator is “In”, and the values array contains only “value”. The requirements are ANDed. +

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    +map is equivalent to an element of matchExpressions, whose key field is "key", the
    +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +optional

    matchExpressions LabelSelectorRequirement[] -

    matchExpressions is a list of label selector requirements. The requirements are ANDed. +

    matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +optional

    lightstep Lightstep (oneof) -

    Use a Lightstep tracer. -NOTE: For Istio 1.15+, this configuration option will result +

    Use a Lightstep tracer.
    +NOTE: For Istio 1.15+, this configuration option will result
    in using OpenTelemetry-based Lightstep integration.

    sampling double -

    The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, +

    The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
    if not requested by the client or not forced. Default is 1.0.

    tlsSettings ClientTLSSettings -

    Use the tls_settings to specify the tls mode to use. If the remote tracing service -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +

    Use the tls_settings to specify the tls mode to use. If the remote tracing service
    +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
    mode as ISTIO_MUTUAL.

    @@ -2575,27 +2548,22 @@

    PrivateKeyProvider

    ProxyConfig

    -

    ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis -as well as by the mesh-wide defaults. +

    ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
    +as well as by the mesh-wide defaults.
    To set the mesh wide defaults, configure the defaultConfig section of meshConfig. For example:

    -
    meshConfig:
       defaultConfig:
         discoveryAddress: istiod:15012
     
    -

    This can also be configured on a per-workload basis by configuring the proxy.istio.io/config annotation on the pod. For example:

    -
    annotations:
       proxy.istio.io/config: |
         discoveryAddress: istiod:15012
     
    - -

    If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. -This is different than a deep merge provided by protobuf. -For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider +

    If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
    +This is different than a deep merge provided by protobuf.
    +For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider
    such as "tracing": { "zipkin": { "address": "..." } }.

    -

    Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.

    @@ -2612,7 +2580,7 @@

    ProxyConfig

    @@ -2635,18 +2603,17 @@

    ProxyConfig

    @@ -2658,7 +2625,7 @@

    ProxyConfig

    @@ -2670,8 +2637,8 @@

    ProxyConfig

    @@ -2683,9 +2650,9 @@

    ProxyConfig

    @@ -2697,7 +2664,7 @@

    ProxyConfig

    @@ -2720,7 +2687,7 @@

    ProxyConfig

    @@ -2732,7 +2699,7 @@

    ProxyConfig

    @@ -2744,7 +2711,7 @@

    ProxyConfig

    @@ -2756,10 +2723,10 @@

    ProxyConfig

    @@ -2771,9 +2738,9 @@

    ProxyConfig

    @@ -2818,10 +2785,10 @@

    ProxyConfig

    @@ -2857,7 +2824,7 @@

    ProxyConfig

    @@ -2869,7 +2836,7 @@

    ProxyConfig

    @@ -2881,9 +2848,9 @@

    ProxyConfig

    @@ -2895,10 +2862,10 @@

    ProxyConfig

    @@ -2910,8 +2877,8 @@

    ProxyConfig

    @@ -2923,8 +2890,8 @@

    ProxyConfig

    @@ -2936,18 +2903,17 @@

    ProxyConfig

    @@ -2969,10 +2934,10 @@

    ProxyConfig

    @@ -3019,8 +2984,8 @@

    ProxyConfig

    @@ -3059,8 +3024,8 @@

    RemoteService

    @@ -3140,9 +3105,9 @@

    Tracing.Datadog

    Tracing.Stackdriver

    -

    Stackdriver defines configuration for a Stackdriver tracer. -See Envoy’s OpenCensus trace configuration -and +

    Stackdriver defines configuration for a Stackdriver tracer.
    +See Envoy's OpenCensus trace configuration
    +and
    OpenCensus trace config for details.

    configPath string -

    Path to the generated configuration file directory. +

    Path to the generated configuration file directory.
    Proxy agent generates the actual configuration and stores it in this directory.

    serviceCluster string (oneof) -

    Service cluster defines the name for the service_cluster that is -shared by all Envoy instances. This setting corresponds to ---service-cluster flag in Envoy. In a typical Envoy deployment, the -service-cluster flag is used to identify the caller, for +

    Service cluster defines the name for the service_cluster that is
    +shared by all Envoy instances. This setting corresponds to
    +--service-cluster flag in Envoy. In a typical Envoy deployment, the
    +service-cluster flag is used to identify the caller, for
    source-based routing scenarios.

    - -

    Since Istio does not assign a local service/service version to each -Envoy instance, the name is same for all of them. However, the -source/caller’s identity (e.g., IP address) is encoded in the ---service-node flag when launching Envoy. When the RDS service -receives API calls from Envoy, it uses the value of the service-node -flag to compute routes that are relative to the service instances +

    Since Istio does not assign a local service/service version to each
    +Envoy instance, the name is same for all of them. However, the
    +source/caller's identity (e.g., IP address) is encoded in the
    +--service-node flag when launching Envoy. When the RDS service
    +receives API calls from Envoy, it uses the value of the service-node
    +flag to compute routes that are relative to the service instances
    located at that IP address.

    tracingServiceName TracingServiceName (oneof) -

    Used by Envoy proxies to assign the values for the service names in trace +

    Used by Envoy proxies to assign the values for the service names in trace
    spans.

    drainDuration Duration -

    The time in seconds that Envoy will drain connections during a hot -restart. MUST be >=1s (e.g., 1s/1m/1h) +

    The time in seconds that Envoy will drain connections during a hot
    +restart. MUST be >=1s (e.g., 1s/1m/1h)
    Default drain duration is 45s.

    parentShutdownDuration Duration -

    The time in seconds that Envoy will wait before shutting down the -parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). -MUST BE greater than drain_duration parameter. +

    The time in seconds that Envoy will wait before shutting down the
    +parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h).
    +MUST BE greater than drain_duration parameter.
    Default shutdown duration is 60s.

    discoveryAddress string -

    Address of the discovery service exposing xDS with mTLS connection. +

    Address of the discovery service exposing xDS with mTLS connection.
    The inject configuration may override this value.

    proxyAdminPort int32 -

    Port on which Envoy should listen for administrative commands. +

    Port on which Envoy should listen for administrative commands.
    Default port is 15000.

    controlPlaneAuthPolicy AuthenticationPolicy -

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
    Default is set to MUTUAL_TLS.

    customConfigFile string -

    File path of custom proxy configuration, currently used by proxies +

    File path of custom proxy configuration, currently used by proxies
    in front of Mixer and Pilot.

    statNameLength int32 -

    Maximum length of name field in Envoy’s metrics. The length of the name field -is determined by the length of a name field in a service and the set of labels that -comprise a particular version of the service. The default value is set to 189 characters. -Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. +

    Maximum length of name field in Envoy's metrics. The length of the name field
    +is determined by the length of a name field in a service and the set of labels that
    +comprise a particular version of the service. The default value is set to 189 characters.
    +Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
    Increase the value of this field if you find that the metrics from Envoys are truncated.

    concurrency Int32Value -

    The number of worker threads to run. -If unset, this will be automatically determined based on CPU requests/limits. -If set to 0, all cores on the machine will be used. +

    The number of worker threads to run.
    +If unset, this will be automatically determined based on CPU requests/limits.
    +If set to 0, all cores on the machine will be used.
    Default is 2 worker threads.

    envoyAccessLogService RemoteService -

    Address of the service to which access logs from Envoys should be -sent. (e.g. accesslog-service:15000). See Access Log -Service -for details about Envoy’s gRPC Access Log Service API.

    +

    Address of the service to which access logs from Envoys should be
    +sent. (e.g. accesslog-service:15000). See Access Log
    +Service

    +for details about Envoy's gRPC Access Log Service API.
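Review bot: in the envoyAccessLogService entry the added lines show "Service" and "for details about Envoy's gRPC Access Log Service API." separated by a blank line, unlike the envoyMetricsService entry just below where "See Metric Service" and "for details ..." stay in one paragraph; check the rendered HTML to make sure the "Access Log Service" link text is not being split into a separate paragraph by the new renderer.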

    @@ -2832,9 +2799,9 @@

    ProxyConfig

    envoyMetricsService RemoteService -

    Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). -See Metric Service -for details about Envoy’s Metrics Service API.

    +

    Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
    +See Metric Service
    +for details about Envoy's Metrics Service API.

    @@ -2845,7 +2812,7 @@

    ProxyConfig

    proxyMetadata map<string, string> -

    Additional environment variables for the proxy. +

    Additional environment variables for the proxy.
    Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

    runtimeValues map<string, string> -

    Envoy runtime configuration to set during bootstrapping. +

    Envoy runtime configuration to set during bootstrapping.
    This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

    statusPort int32 -

    Port on which the agent should listen for administrative commands such as readiness probe. +

    Port on which the agent should listen for administrative commands such as readiness probe.
    Default is set to port 15020.

    extraStatTags string[] -

    An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be -added by configuring the telemetry extension. Each additional tag needs to be present in this list. -Extra tags emitted by the telemetry extensions must be listed here so that they can be processed +

    An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
    +added by configuring the telemetry extension. Each additional tag needs to be present in this list.
    +Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
    and exposed as Prometheus metrics.

    terminationDrainDuration Duration -

    The amount of time allowed for connections to complete on proxy shutdown. -On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining, -preventing any new connections and allowing existing connections to complete. It then -sleeps for the termination_drain_duration and then kills any remaining active Envoy processes. +

    The amount of time allowed for connections to complete on proxy shutdown.
    +On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining,
    +preventing any new connections and allowing existing connections to complete. It then
    +sleeps for the termination_drain_duration and then kills any remaining active Envoy processes.
    If not set, a default of 5s will be applied.

    meshId string -

    The unique identifier for the service mesh -All control planes running in the same service mesh should specify the same mesh ID. +

    The unique identifier for the service mesh
    +All control planes running in the same service mesh should specify the same mesh ID.
    Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

    readinessProbe ReadinessProbe -

    VM Health Checking readiness probe. This health check config exactly mirrors the -kubernetes readiness probe configuration both in schema and logic. +

    VM Health Checking readiness probe. This health check config exactly mirrors the
    +kubernetes readiness probe configuration both in schema and logic.
    Only one health check method of 3 can be set at a time.

    proxyStatsMatcher ProxyStatsMatcher -

    Proxy stats matcher defines configuration for reporting custom Envoy stats. -To reduce memory and CPU overhead from Envoy stats system, Istio proxies by -default create and expose only a subset of Envoy stats. This option is to -control creation of additional Envoy stats with prefix, suffix, and regex -expressions match on the name of the stats. This replaces the stats -inclusion annotations -(sidecar.istio.io/statsInclusionPrefixes, -sidecar.istio.io/statsInclusionRegexps, and -sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats -for circuit breaker, retry, and upstream connections, you can specify stats +

    Proxy stats matcher defines configuration for reporting custom Envoy stats.
    +To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
    +default create and expose only a subset of Envoy stats. This option is to
    +control creation of additional Envoy stats with prefix, suffix, and regex
    +expressions match on the name of the stats. This replaces the stats
    +inclusion annotations
    +(sidecar.istio.io/statsInclusionPrefixes,
    +sidecar.istio.io/statsInclusionRegexps, and
    +sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats
    +for circuit breaker, retry, and upstream connections, you can specify stats
    matcher as follow:

    -
    proxyStatsMatcher:
       inclusionRegexps:
         - .*circuit_breakers.*
    @@ -2955,9 +2921,8 @@ 

    ProxyConfig

    - upstream_rq_retry - upstream_cx
    - -

    Note including more Envoy stats might increase number of time series -collected by prometheus significantly. Care needs to be taken on Prometheus +

    Note including more Envoy stats might increase number of time series
    +collected by prometheus significantly. Care needs to be taken on Prometheus
    resource provision and configuration to reduce cardinality.

    holdApplicationUntilProxyStarts BoolValue -

    Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. -This feature adds hooks to delay application startup until the pod proxy -is ready to accept traffic, mitigating some startup race conditions. -Default value is ‘false’.

    +

    Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
    +This feature adds hooks to delay application startup until the pod proxy
    +is ready to accept traffic, mitigating some startup race conditions.
    +Default value is 'false'.

    @@ -2983,9 +2948,9 @@

    ProxyConfig

    caCertificatesPem string[] -

    The PEM data of the extra root certificates for workload-to-workload communication. -This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. -The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) +

    The PEM data of the extra root certificates for workload-to-workload communication.
    +This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
    +The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
    are added automatically by Istiod.

    zipkinAddress string -

    Address of the Zipkin service (e.g. zipkin:9411). -DEPRECATED: Use tracing instead.

    +

    Address of the Zipkin service (e.g. zipkin:9411).
    +DEPRECATED: Use tracing instead.

    @@ -3046,8 +3011,8 @@

    RemoteService

    address string -

    Address of a remove service used for various purposes (access log -receiver, metrics receiver, etc.). Can be IP address or a fully +

    Address of a remove service used for various purposes (access log
    +receiver, metrics receiver, etc.). Can be IP address or a fully
    qualified DNS name.

    tlsSettings ClientTLSSettings -

    Use the tls_settings to specify the tls mode to use. If the remote service -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +

    Use the tls_settings to specify the tls mode to use. If the remote service
    +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
    mode as ISTIO_MUTUAL.

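Review bot: "Address of a remove service" on the RemoteService address line should read "remote service"; the wording is carried over unchanged from the proto comment, so the fix belongs in the RemoteService comment in istio/api (this file is generated), not in this hunk. The tlsSettings text also still refers to Pilot rather than istiod, which is worth updating at the same time.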
    @@ -3160,11 +3125,11 @@

    Tracing.Stackdriver

    Tracing.OpenCensusAgent

    -

    OpenCensusAgent defines configuration for an OpenCensus tracer writing to -an OpenCensus agent backend. See -Envoy’s OpenCensus trace configuration -and -OpenCensus trace config +

    OpenCensusAgent defines configuration for an OpenCensus tracer writing to
    +an OpenCensus agent backend. See
    +Envoy's OpenCensus trace configuration
    +and
    +OpenCensus trace config
    for details.

    @@ -3181,9 +3146,9 @@

    Tracing.OpenCensusAgent

    @@ -3195,9 +3160,9 @@

    Tracing.OpenCensusAgent

    @@ -3226,11 +3191,11 @@

    PrivateKeyProvider.CryptoMb

    @@ -3243,7 +3208,7 @@

    PrivateKeyProvider.CryptoMb

    ProxyConfig.ProxyStatsMatcher

    -

    Proxy stats name matchers for stats creation. Note this is in addition to +

    Proxy stats name matchers for stats creation. Note this is in addition to
    the minimum Envoy stats that Istio generates by default.

    address string -

    gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or -unix:path). See gRPC naming -docs for +

    gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
    +unix:path). See gRPC naming
    +docs
    for
    details.

    context TraceContext[] -

    Specifies the set of context propagation headers used for distributed -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, -the proxy will attempt to read each header for each request and will +

    Specifies the set of context propagation headers used for distributed
    +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
    +the proxy will attempt to read each header for each request and will
    write all headers.

    pollDelay Duration -

    How long to wait until the per-thread processing queue should be processed. If the processing queue -gets full (eight sign or decrypt requests are received) it is processed immediately. -However, if the queue is not filled before the delay has expired, the requests already in the queue -are processed, even if the queue is not full. -In effect, this value controls the balance between latency and throughput. +

    How long to wait until the per-thread processing queue should be processed. If the processing queue
    +gets full (eight sign or decrypt requests are received) it is processed immediately.
    +However, if the queue is not filled before the delay has expired, the requests already in the queue
    +are processed, even if the queue is not full.
    +In effect, this value controls the balance between latency and throughput.
    The duration needs to be set to a non-zero value.

    @@ -3294,10 +3259,10 @@

    ProxyConfig.ProxyStatsMatcher

    Network

    -

    Network provides information about the endpoints in a routable L3 -network. A single routable L3 network can have one or more service -registries. Note that the network has no relation to the locality of the -endpoint. The endpoint locality will be obtained from the service +

    Network provides information about the endpoints in a routable L3
    +network. A single routable L3 network can have one or more service
    +registries. Note that the network has no relation to the locality of the
    +endpoint. The endpoint locality will be obtained from the service
    registry.

    @@ -3314,8 +3279,8 @@

    Network

    @@ -3339,11 +3304,9 @@

    Network

    MeshNetworks

    -

    MeshNetworks (config map) provides information about the set of networks +

    MeshNetworks (config map) provides information about the set of networks
    inside a mesh and how to route to endpoints in each network. For example

    -

    MeshNetworks(file/config map):

    -
    networks:
       network1:
         endpoints:
    @@ -3372,8 +3335,8 @@ 

    MeshNetworks

    @@ -3386,27 +3349,26 @@

    MeshNetworks

    Network.NetworkEndpoints

    -

    NetworkEndpoints describes how the network associated with an endpoint -should be inferred. An endpoint will be assigned to a network based on +

    NetworkEndpoints describes how the network associated with an endpoint
    +should be inferred. An endpoint will be assigned to a network based on
    the following rules:

    -
      -
    1. Implicitly: If the registry explicitly provides information about -the network to which the endpoint belongs to. In some cases, its -possible to indicate the network associated with the endpoint by -adding the ISTIO_META_NETWORK environment variable to the sidecar.

    2. - -
    3. Explicitly:

    4. +
    5. +

      Implicitly: If the registry explicitly provides information about
      +the network to which the endpoint belongs to. In some cases, its
      +possible to indicate the network associated with the endpoint by
      +adding the ISTIO_META_NETWORK environment variable to the sidecar.

      +
    6. +
    7. +

      Explicitly:

      +

      a. By matching the registry name with one of the "fromRegistry"
      +in the mesh config. A "from_registry" can only be assigned to a
      +single network.

      +

      b. By matching the IP against one of the CIDR ranges in a mesh
      +config network. The CIDR ranges must not overlap and be assigned to
      +a single network.

      +
    - -

    a. By matching the registry name with one of the “fromRegistry” - in the mesh config. A “from_registry” can only be assigned to a - single network.

    - -

    b. By matching the IP against one of the CIDR ranges in a mesh - config network. The CIDR ranges must not overlap and be assigned to - a single network.

    -

    (2) will override (1) if both are present.

    endpoints NetworkEndpoints[] -

    The list of endpoints in the network (obtained through the -constituent service registries or from CIDR ranges). All endpoints in +

    The list of endpoints in the network (obtained through the
    +constituent service registries or from CIDR ranges). All endpoints in
    the network are directly accessible to one another.

    networks map<string, Network> -

    The set of networks inside this mesh. Each network should -have a unique name and information about how to infer the endpoints in +

    The set of networks inside this mesh. Each network should
    +have a unique name and information about how to infer the endpoints in
    the network as well as the gateways associated with the network.

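Review bot: the NetworkEndpoints rule list renders incorrectly on the + side of this hunk. The text describes two rules, and the closing sentence "(2) will override (1)" depends on that numbering, but the new output shows seven numbered items: "Implicitly" and "Explicitly" are detached from their numbers, items 2, 4, 5, 6 and 7 are empty, and the a./b. sub-rules float between them. This looks like the renderer treating the indented continuation lines of the proto comment as new list items; either re-indent that comment in istio/api so continuation lines align with the item text, or confirm the rendered HTML is correct before merging. While touching the comment, "its possible" should read "it's possible".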
    @@ -3423,7 +3385,7 @@

    Network.NetworkEndpoints

    @@ -3435,9 +3397,9 @@

    Network.NetworkEndpoints

    @@ -3450,8 +3412,8 @@

    Network.NetworkEndpoints

    Network.IstioNetworkGateway

    -

    The gateway associated with this network. Traffic from remote networks -will arrive at the specified gateway:port. All incoming traffic must +

    The gateway associated with this network. Traffic from remote networks
    +will arrive at the specified gateway:port. All incoming traffic must
    use mTLS.

    fromCidr string (oneof) -

    A CIDR range for the set of endpoints in this network. The CIDR +

    A CIDR range for the set of endpoints in this network. The CIDR
    ranges for endpoints from different networks must not overlap.

    fromRegistry string (oneof) -

    Add all endpoints from the specified registry into this network. -The names of the registries should correspond to the kubeconfig file name -inside the secret that was used to configure the registry (Kubernetes +

    Add all endpoints from the specified registry into this network.
    +The names of the registries should correspond to the kubeconfig file name
    +inside the secret that was used to configure the registry (Kubernetes
    multicluster) or supplied by MCP server.

    @@ -3468,12 +3430,12 @@

    Network.IstioNetworkGateway

    @@ -3530,7 +3492,7 @@

    MeshConfig.OutboundTrafficPolicy.

    @@ -3538,7 +3500,7 @@

    MeshConfig.OutboundTrafficPolicy.

    @@ -3548,7 +3510,7 @@

    MeshConfig.OutboundTrafficPolicy.

    MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext

    -

    TraceContext selects the context propagation headers used for +

    TraceContext selects the context propagation headers used for
    distributed tracing.

    registryServiceName string (oneof) -

    A fully qualified domain name of the gateway service. Pilot will -lookup the service from the service registries in the network and -obtain the endpoint IPs of the gateway from the service -registry. Note that while the service name is a fully qualified -domain name, it need not be resolvable outside the orchestration -platform for the registry. e.g., this could be +

    A fully qualified domain name of the gateway service. Pilot will
    +lookup the service from the service registries in the network and
    +obtain the endpoint IPs of the gateway from the service
    +registry. Note that while the service name is a fully qualified
    +domain name, it need not be resolvable outside the orchestration
    +platform for the registry. e.g., this could be
    istio-ingressgateway.istio-system.svc.cluster.local.

    REGISTRY_ONLY -

    outbound traffic will be restricted to services defined in the +

    outbound traffic will be restricted to services defined in the
    service registry as well as those defined through ServiceEntries

    ALLOW_ANY -

    outbound traffic to unknown destinations will be allowed, in case +

    outbound traffic to unknown destinations will be allowed, in case
    there are no services or ServiceEntries for the destination port

    @@ -3562,8 +3524,8 @@

    @@ -3578,7 +3540,7 @@

    @@ -3586,9 +3548,9 @@

    @@ -3623,8 +3585,8 @@

    MeshConfig.ProxyPat

    @@ -3632,7 +3594,7 @@

    MeshConfig.ProxyPat

    @@ -3640,8 +3602,8 @@

    MeshConfig.ProxyPat

    @@ -3712,10 +3674,10 @@

    MeshConfig.IngressControllerMode

    @@ -3723,10 +3685,10 @@

    MeshConfig.IngressControllerMode

    @@ -3805,8 +3767,8 @@

    Resource

    @@ -3816,7 +3778,7 @@

    Resource

    Tracing.OpenCensusAgent.TraceContext

    -

    TraceContext selects the context propagation headers used for +

    TraceContext selects the context propagation headers used for
    distributed tracing.

    W3C_TRACE_CONTEXT -

    Use W3C Trace Context propagation using the traceparent HTTP header. -See the +

    Use W3C Trace Context propagation using the traceparent HTTP header.
    +See the
    Trace Context documentation for details.

    CLOUD_TRACE_CONTEXT -

    Use Cloud Trace context propagation using the +

    Use Cloud Trace context propagation using the
    X-Cloud-Trace-Context http header.

    B3 -

    Use multi-header B3 context propagation using the X-B3-TraceId, -X-B3-SpanId, and X-B3-Sampled HTTP headers. See -B3 header propagation README +

    Use multi-header B3 context propagation using the X-B3-TraceId,
    +X-B3-SpanId, and X-B3-Sampled HTTP headers. See
    +B3 header propagation README
    for details.

    BASE -

    Normalize according to RFC 3986. -For Envoy proxies, this is the normalize_path option. +

    Normalize according to RFC 3986.
    +For Envoy proxies, this is the normalize_path option.
    For example, /a/../b normalizes to /b.

    MERGE_SLASHES -

    In addition to the BASE normalization, consecutive slashes are also merged. +

    In addition to the BASE normalization, consecutive slashes are also merged.
    For example, /a//b normalizes to a/b.

    DECODE_AND_MERGE_SLASHES -

    In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging. -This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \. +

    In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging.
    +This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \.
    For example, /a%2f/b normalizes to a/b.

    DEFAULT -

    Istio ingress controller will act on ingress resources that do not -contain any annotation or whose annotations match the value -specified in the ingress_class parameter described earlier. Use this -mode if Istio ingress controller will be the default ingress +

    Istio ingress controller will act on ingress resources that do not
    +contain any annotation or whose annotations match the value
    +specified in the ingress_class parameter described earlier. Use this
    +mode if Istio ingress controller will be the default ingress
    controller for the entire Kubernetes cluster.

    STRICT -

    Istio ingress controller will only act on ingress resources whose -annotations match the value specified in the ingress_class parameter -described earlier. Use this mode if Istio ingress controller will be -a secondary ingress controller (e.g., in addition to a +

    Istio ingress controller will only act on ingress resources whose
    +annotations match the value specified in the ingress_class parameter
    +described earlier. Use this mode if Istio ingress controller will be
    +a secondary ingress controller (e.g., in addition to a
    cloud-provided ingress controller).

    SERVICE_REGISTRY -

    Set to only receive service entries that are generated by the platform. -These auto generated service entries are combination of services and endpoints +

    Set to only receive service entries that are generated by the platform.
    +These auto generated service entries are combination of services and endpoints
    that are generated by a specific platform e.g. k8

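Review bot: the path-normalization examples are inexact in a place where exactness matters, since the normalized path is what authorization policies and route matches are evaluated against. MERGE_SLASHES says "/a//b normalizes to a/b" and DECODE_AND_MERGE_SLASHES says "/a%2f/b normalizes to a/b"; both results keep the leading slash and should read /a/b. In the same entry, "slash characters are UTF-8 decoded" describes percent-decoding of the %2F, %2f, %5C and %5c sequences, so "percent-decoded" is the accurate term. The SERVICE_REGISTRY entry ends with "e.g. k8", presumably "k8s". All three come from the proto comments and should be fixed in istio/api rather than in this generated file.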
    @@ -3830,8 +3792,8 @@

    Tracing.OpenCensusAgent.TraceConte

    @@ -3846,7 +3808,7 @@

    Tracing.OpenCensusAgent.TraceConte

    @@ -3854,9 +3816,9 @@

    Tracing.OpenCensusAgent.TraceConte

    @@ -3866,8 +3828,8 @@

    Tracing.OpenCensusAgent.TraceConte

    ProxyConfig.TracingServiceName

    -

    Allows specification of various Istio-supported naming schemes for the -Envoy service_cluster value. The servce_cluster value is primarily used +

    Allows specification of various Istio-supported naming schemes for the
    +Envoy service_cluster value. The servce_cluster value is primarily used
    by Envoys to provide service names for tracing spans.

    W3C_TRACE_CONTEXT -

    Use W3C Trace Context propagation using the traceparent HTTP header. -See the +

    Use W3C Trace Context propagation using the traceparent HTTP header.
    +See the
    Trace Context documentation for details.

    CLOUD_TRACE_CONTEXT -

    Use Cloud Trace context propagation using the +

    Use Cloud Trace context propagation using the
    X-Cloud-Trace-Context http header.

    B3 -

    Use multi-header B3 context propagation using the X-B3-TraceId, -X-B3-SpanId, and X-B3-Sampled HTTP headers. See -B3 header propagation README +

    Use multi-header B3 context propagation using the X-B3-TraceId,
    +X-B3-SpanId, and X-B3-Sampled HTTP headers. See
    +B3 header propagation README
    for details.

    @@ -3881,7 +3843,7 @@

    ProxyConfig.TracingServiceName

    @@ -3905,8 +3867,8 @@

    ProxyConfig.TracingServiceName

    ProxyConfig.InboundInterceptionMode

    -

    The mode used to redirect inbound traffic to Envoy. -This setting has no effect on outbound traffic: iptables REDIRECT is always used for +

    The mode used to redirect inbound traffic to Envoy.
    +This setting has no effect on outbound traffic: iptables REDIRECT is always used for
    outbound connections.

    APP_LABEL_AND_NAMESPACE -

    Default scheme. Uses the app label and workload namespace to construct +

    Default scheme. Uses the app label and workload namespace to construct
    a cluster name. If the app label does not exist istio-proxy is used.

    @@ -3920,7 +3882,7 @@

    ProxyConfig.InboundInterceptionMode

    @@ -3928,9 +3890,9 @@

    ProxyConfig.InboundInterceptionMode

    @@ -3938,7 +3900,7 @@

    ProxyConfig.InboundInterceptionMode

    @@ -3948,8 +3910,8 @@

    ProxyConfig.InboundInterceptionMode

    AuthenticationPolicy

    -

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. -It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. +

    AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
    +It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
    Mesh policy cannot be INHERIT.

    REDIRECT -

    The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses +

    The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
    source IP addresses during redirection.

    TPROXY -

    The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the -source and destination IP addresses and ports, so that they can be used for advanced -filtering and manipulation. This mode also configures the sidecar to run with the +

    The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
    +source and destination IP addresses and ports, so that they can be used for advanced
    +filtering and manipulation. This mode also configures the sidecar to run with the
    CAP_NET_ADMIN capability, which is required to use TPROXY.

    NONE -

    The NONE mode does not configure redirect to Envoy at all. This is an advanced +

    The NONE mode does not configure redirect to Envoy at all. This is an advanced
    configuration that typically requires changes to user applications.

    @@ -3977,7 +3939,7 @@

    AuthenticationPolicy

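Review bot: "The servce_cluster value" under ProxyConfig.TracingServiceName is a typo for service_cluster, carried through from the proto comment; fix it in istio/api. In this diff view the REDIRECT, TPROXY and NONE entries appear under the AuthenticationPolicy heading rather than ProxyConfig.InboundInterceptionMode; please confirm in the rendered page that enum values are still grouped under their own message, since TPROXY is the one entry that documents a privilege consequence (the sidecar runs with CAP_NET_ADMIN) and it should not be separated from the mode it belongs to.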
    diff --git a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html index 65502923c5988..93f058bd5aab4 100644 --- a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html @@ -1,27 +1,26 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: IstioOperator Options description: Configuration affecting Istio control plane installation version and shape. location: https://istio.io/docs/reference/config/istio.operator.v1alpha1.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs weight: 20 number_of_entries: 74 --- -

    Configuration affecting Istio control plane installation version and shape. -Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. -Without camelCase, the json tag on the Go struct will not match the user’s JSON representation. -This leads to Kubernetes merge libraries, which rely on this tag, to fail. +

    Configuration affecting Istio control plane installation version and shape.
    +Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests.
    +Without camelCase, the json tag on the Go struct will not match the user's JSON representation.
    +This leads to Kubernetes merge libraries, which rely on this tag, to fail.
    All other usages use jsonpb which does not use the json tag.

    IstioOperatorSpec

    -

    IstioOperatorSpec defines the desired installed state of Istio components. -The spec is a used to define a customization of the default profile values that are supplied with each Istio release. -Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio +

    IstioOperatorSpec defines the desired installed state of Istio components.
    +The spec is a used to define a customization of the default profile values that are supplied with each Istio release.
    +Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio
    component values.

    -
    apiVersion: install.istio.io/v1alpha1
     kind: IstioOperator
     spec:
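Review bot: the front-matter hunk must not merge as-is: source_repo changes from https://github.com/istio/api to https://github.com/ericvn/api, layout changes from protoc-gen-docs to partner-component, and the WARNING line now directs contributors to the fork. These look like test-harness settings for exercising Goldmark against a personal branch; revert them to istio/api and the protoc-gen-docs layout before merging, otherwise the page renders with the wrong template and misdirects doc fixes. Separately, "The spec is a used to define" in the IstioOperatorSpec description should read "The spec is used to define"; that is a proto comment typo to fix in istio/api.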
    @@ -53,12 +52,10 @@ 

    IstioOperatorSpec

    @@ -71,7 +68,6 @@

    IstioOperatorSpec

    @@ -121,7 +117,7 @@

    IstioOperatorSpec

    @@ -133,7 +129,7 @@

    IstioOperatorSpec

    @@ -156,7 +152,7 @@

    IstioOperatorSpec

    @@ -168,9 +164,9 @@

    IstioOperatorSpec

    @@ -193,8 +189,8 @@

    IstioOperatorSpec

    @@ -224,7 +220,6 @@

    InstallStatus

    @@ -667,7 +662,7 @@

    KubernetesResourcesSpec

    @@ -679,7 +674,7 @@

    KubernetesResourcesSpec

    @@ -691,7 +686,7 @@

    KubernetesResourcesSpec

    @@ -703,7 +698,7 @@

    KubernetesResourcesSpec

    @@ -715,7 +710,7 @@

    KubernetesResourcesSpec

    @@ -727,7 +722,7 @@

    KubernetesResourcesSpec

    @@ -739,7 +734,7 @@

    KubernetesResourcesSpec

    @@ -751,8 +746,8 @@

    KubernetesResourcesSpec

    @@ -764,7 +759,7 @@

    KubernetesResourcesSpec

    @@ -776,7 +771,7 @@

    KubernetesResourcesSpec

    @@ -788,7 +783,7 @@

    KubernetesResourcesSpec

    @@ -800,7 +795,7 @@

    KubernetesResourcesSpec

    @@ -812,7 +807,7 @@

    KubernetesResourcesSpec

    @@ -824,7 +819,7 @@

    KubernetesResourcesSpec

    @@ -836,7 +831,7 @@

    KubernetesResourcesSpec

    @@ -848,8 +843,8 @@

    KubernetesResourcesSpec

    @@ -861,7 +856,7 @@

    KubernetesResourcesSpec

    @@ -923,7 +918,7 @@

    K8sObjectOverlay

    @@ -2265,7 +2260,7 @@

    ObjectMetricSource

    @@ -3631,9 +3626,9 @@

    SeccompProfile

    IntOrString

    -

    IntOrString is a type that can hold an int32 or a string. When used in -JSON or YAML marshalling and unmarshalling, it produces or consumes the -inner type. This allows you to have, for example, a JSON field that can +

    IntOrString is a type that can hold an int32 or a string. When used in
    +JSON or YAML marshalling and unmarshalling, it produces or consumes the
    +inner type. This allows you to have, for example, a JSON field that can
    accept a name or number.

    INHERIT -

    Use the policy defined by the parent scope. Should not be used for mesh +

    Use the policy defined by the parent scope. Should not be used for mesh
    policy.

    string

    Path or name for the profile e.g.

    -
    • minimal (looks in profiles dir for a file called minimal.yaml)
    • /tmp/istio/install/values/custom/custom-install.yaml (local file path)
    -

    default profile is used if this field is unset.

    string

    Path for the install package. e.g.

    -
    • /tmp/istio-installer/nightly (local file path)
    @@ -107,9 +103,9 @@

    IstioOperatorSpec

    namespace string -

    Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace -as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in -a custom namespace. +

    Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace
    +as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in
    +a custom namespace.
    If you have enabled CNI, you must exclude this namespace by adding it to the list values.cni.excludeNamespaces.

    revision string -

    Identify the revision this installation is associated with. +

    Identify the revision this installation is associated with.
    This option is currently experimental.

    defaultRevision bool -

    Identify whether this revision is the default revision for the cluster +

    Identify whether this revision is the default revision for the cluster
    This option is currently experimental.

    components IstioComponentSetSpec -

    Kubernetes resource settings, enablement and component-specific settings that are not internal to the +

    Kubernetes resource settings, enablement and component-specific settings that are not internal to the
    component.

    values Struct -

    Overrides for default values.yaml. This is a validated pass-through to Helm templates. -See the Helm installation options for schema details. -Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This +

    Overrides for default values.yaml. This is a validated pass-through to Helm templates.
    +See the Helm installation options for schema details.
    +Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This
    includes Kubernetes resource settings for components in KubernetesResourcesSpec.

    addonComponents map<string, ExternalComponentSpec> -

    Deprecated. -Users should manage the installation of addon components on their own. +

    Deprecated.
    +Users should manage the installation of addon components on their own.
    Refer to samples/addons for demo installation of addon components.

    Status

    Overall status of all components controlled by the operator.

    -
    • If all components have status NONE, overall status is NONE.
    • If all components are HEALTHY, overall status is HEALTHY.
    • @@ -655,7 +650,7 @@

      KubernetesResourcesSpec

    affinity Affinity -

    k8s affinity. +

    k8s affinity.
    https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

    env EnvVar[] -

    Deployment environment variables. +

    Deployment environment variables.
    https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

    hpaSpec HorizontalPodAutoscalerSpec -

    k8s HorizontalPodAutoscaler settings. +

    k8s HorizontalPodAutoscaler settings.
    https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

    imagePullPolicy string -

    k8s imagePullPolicy. +

    k8s imagePullPolicy.
    https://kubernetes.io/docs/concepts/containers/images/

    nodeSelector map<string, string> -

    k8s nodeSelector. +

    k8s nodeSelector.
    https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

    podDisruptionBudget PodDisruptionBudgetSpec -

    k8s PodDisruptionBudget settings. +

    k8s PodDisruptionBudget settings.
    https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

    podAnnotations map<string, string> -

    k8s pod annotations. +

    k8s pod annotations.
    https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

    priorityClassName string -

    k8s priority_class_name. Default for all resources unless overridden. +

    k8s priority_class_name. Default for all resources unless overridden.
    https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

    readinessProbe ReadinessProbe -

    k8s readinessProbe settings. -https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +

    k8s readinessProbe settings.
    +https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
    k8s.io.api.core.v1.Probe readiness_probe = 9;

    replicaCount uint32 -

    k8s Deployment replicas setting. +

    k8s Deployment replicas setting.
    https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

    resources Resources -

    k8s resources settings. +

    k8s resources settings.
    https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

    service ServiceSpec -

    k8s Service settings. +

    k8s Service settings.
    https://kubernetes.io/docs/concepts/services-networking/service/

    strategy DeploymentStrategy -

    k8s deployment strategy. +

    k8s deployment strategy.
    https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

    tolerations Toleration[] -

    k8s toleration +

    k8s toleration
    https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

    serviceAnnotations map<string, string> -

    k8s service annotations. +

    k8s service annotations.
    https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

    securityContext PodSecurityContext -

    k8s pod security context +

    k8s pod security context
    https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

    volumes Volume[] -

    k8s volume -https://kubernetes.io/docs/concepts/storage/volumes/ +

    k8s volume
    +https://kubernetes.io/docs/concepts/storage/volumes/
    Volumes defines the collection of Volume to inject into the pod.

    volumeMounts VolumeMount[] -

    k8s volumeMounts +

    k8s volumeMounts
    VolumeMounts defines the collection of VolumeMount to inject into containers.

    name string -

    Name of resource. +

    Name of resource.
    Namespace is always the component namespace.

    target Value -

    Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1 +

    Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1
    Change it to dynamic type to keep backward compatible

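Review bot: the readinessProbe description ends with a leftover proto field declaration, "k8s.io.api.core.v1.Probe readiness_probe = 9;", rendered as prose. It is not documentation and reads as if the field had a different type; remove that line from the comment in the operator proto before this goes live. The remaining KubernetesResourcesSpec entries in this hunk only change line wrapping.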
    @@ -3736,9 +3731,9 @@

    K8sObjectOverlay.PathValue

    @@ -3750,10 +3745,10 @@

    K8sObjectOverlay.PathValue

    @@ -3766,11 +3761,10 @@

    K8sObjectOverlay.PathValue

    google.protobuf.Value

    -

    Value represents a dynamically typed value which can be either -null, a number, a string, a boolean, a recursive struct value, or a -list of values. A producer of value is expected to set one of that +

    Value represents a dynamically typed value which can be either
    +null, a number, a string, a boolean, a recursive struct value, or a
    +list of values. A producer of value is expected to set one of that
    variants, absence of any variant indicates an error.

    -

    The JSON representation for Value is JSON value.

    path string -

    Path of the form a.[key1:value1].b.[:value2] -Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value -selector to identify a list element in a leaf list. +

    Path of the form a.[key1:value1].b.[:value2]
    +Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value
    +selector to identify a list element in a leaf list.
    All path intermediate nodes must exist.

    value Value -

    Value to add, delete or replace. -For add, the path should be a new leaf. -For delete, value should be unset. -For replace, path should reference an existing node. +

    Value to add, delete or replace.
    +For add, the path should be a new leaf.
    +For delete, value should be unset.
    +For replace, path should reference an existing node.
    All values are strings but are converted into appropriate type based on schema.

    @@ -3870,9 +3864,9 @@

    k8s.io.api.core.v1.Volume

    @@ -3924,8 +3918,8 @@

    k8s.io.api.core.v1.VolumeMount

    @@ -3937,8 +3931,8 @@

    k8s.io.api.core.v1.VolumeMount

    @@ -3962,10 +3956,10 @@

    k8s.io.api.core.v1.VolumeMount

    @@ -3977,10 +3971,10 @@

    k8s.io.api.core.v1.VolumeMount

    @@ -3993,9 +3987,9 @@

    k8s.io.api.core.v1.VolumeMount

    k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

    -

    A label selector is a label query over a set of resources. The result of matchLabels and -matchExpressions are ANDed. An empty label selector matches all objects. A null -label selector matches no objects. +

    A label selector is a label query over a set of resources. The result of matchLabels and
    +matchExpressions are ANDed. An empty label selector matches all objects. A null
    +label selector matches no objects.
    +structType=atomic

    name string -

    name of the volume. -Must be a DNS_LABEL and unique within the pod. -More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

    +

    name of the volume.
    +Must be a DNS_LABEL and unique within the pod.
    +More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
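Review bot: The trailing context line `+structType=atomic` in the LabelSelector description is a Kubernetes API marker comment, not documentation, and the new Goldmark rendering still emits it as visible text, just as the old output did. Since this PR regenerates every reference page anyway, this is the moment to have the generator drop `+`-prefixed marker lines from the copied k8s comments rather than publishing them.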

    @@ -3883,8 +3877,8 @@

    k8s.io.api.core.v1.Volume

    volumeSource VolumeSource -

    volumeSource represents the location and type of the mounted volume. -If not specified, the Volume is implied to be an EmptyDir. +

    volumeSource represents the location and type of the mounted volume.
    +If not specified, the Volume is implied to be an EmptyDir.
    This implied behavior is deprecated and will be removed in a future version.

    readOnly bool -

    Mounted read-only if true, read-write otherwise (false or unspecified). -Defaults to false. +

    Mounted read-only if true, read-write otherwise (false or unspecified).
    +Defaults to false.
    +optional

    mountPath string -

    Path within the container at which the volume should be mounted. Must -not contain ‘:’.

    +

    Path within the container at which the volume should be mounted. Must
    +not contain ':'.

    @@ -3949,8 +3943,8 @@

    k8s.io.api.core.v1.VolumeMount

    subPath string -

    Path within the volume from which the container’s volume should be mounted. -Defaults to “” (volume’s root). +

    Path within the volume from which the container's volume should be mounted.
    +Defaults to "" (volume's root).
    +optional

    mountPropagation string -

    mountPropagation determines how mounts are propagated from the host -to container and the other way around. -When not set, MountPropagationNone is used. -This field is beta in 1.10. +

    mountPropagation determines how mounts are propagated from the host
    +to container and the other way around.
    +When not set, MountPropagationNone is used.
    +This field is beta in 1.10.
    +optional

    subPathExpr string -

    Expanded path within the volume from which the container’s volume should be mounted. -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. -Defaults to “” (volume’s root). -SubPathExpr and SubPath are mutually exclusive. +

    Expanded path within the volume from which the container's volume should be mounted.
    +Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
    +Defaults to "" (volume's root).
    +SubPathExpr and SubPath are mutually exclusive.
    +optional

    @@ -4012,9 +4006,9 @@

    k8s.io.apimachinery.

    @@ -4026,7 +4020,7 @@

    k8s.io.apimachinery.

    @@ -4087,8 +4081,8 @@

    InstallStatus.Status

    diff --git a/content/zh/docs/reference/config/labels/index.html b/content/zh/docs/reference/config/labels/index.html index 2bf14acebd388..f23adff55a40e 100644 --- a/content/zh/docs/reference/config/labels/index.html +++ b/content/zh/docs/reference/config/labels/index.html @@ -1,6 +1,6 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Resource Labels description: Resource labels used by Istio. location: https://istio.io/docs/reference/config/labels/ diff --git a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html index ea2e6136e5d29..6a34bde2c4e70 100644 --- a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Istio Status description: Common status field for all istio collections. location: https://istio.io/docs/reference/config/meta/v1beta1/istio-status.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs number_of_entries: 2 --- @@ -24,10 +24,10 @@

    IstioStatus
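Review bot: The regenerated front matter in content/zh/docs/reference/config/labels/index.html and meta/v1beta1/istio-status/index.html (and again in networking/destination-rule/index.html further down) now points `source_repo` and the DO NOT EDIT warning at `https://github.com/ericvn/api` instead of `https://github.com/istio/api`; that is the test fork from the PR title and the pages need to be regenerated against istio/api before merge, or readers will be sent to a personal fork. The `-layout: protoc-gen-docs` / `+layout: partner-component` change in the same hunks does not follow from the Goldmark switch; if it is intentional the commit message should say so, otherwise it should be reverted with the fork URL.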

    @@ -39,9 +39,9 @@

    IstioStatus

    @@ -53,9 +53,9 @@

    IstioStatus

    @@ -93,7 +93,7 @@

    IstioCondition

    @@ -105,7 +105,7 @@

    IstioCondition

    @@ -117,7 +117,7 @@

    IstioCondition

    @@ -129,7 +129,7 @@

    IstioCondition

    @@ -141,7 +141,7 @@

    IstioCondition

    diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html index 047efa4780180..cdfa4d0dead34 100644 --- a/content/zh/docs/reference/config/networking/destination-rule/index.html +++ b/content/zh/docs/reference/config/networking/destination-rule/index.html @@ -1,25 +1,23 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Destination Rule description: Configuration affecting load balancing, outlier detection, etc. location: https://istio.io/docs/reference/config/networking/destination-rule.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.DestinationRule aliases: [/zh/docs/reference/config/networking/v1alpha3/destination-rule] number_of_entries: 23 --- -

    DestinationRule defines policies that apply to traffic intended for a -service after routing has occurred. These rules specify configuration -for load balancing, connection pool size from the sidecar, and outlier -detection settings to detect and evict unhealthy hosts from the load -balancing pool. For example, a simple load balancing policy for the +

    DestinationRule defines policies that apply to traffic intended for a
    +service after routing has occurred. These rules specify configuration
    +for load balancing, connection pool size from the sidecar, and outlier
    +detection settings to detect and evict unhealthy hosts from the load
    +balancing pool. For example, a simple load balancing policy for the
    ratings service would look as follows:

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -30,11 +28,8 @@
         loadBalancer:
           simple: LEAST_REQUEST
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -45,19 +40,15 @@
         loadBalancer:
           simple: LEAST_REQUEST
     
    - -

    {{}} -{{}}

    - -

    Version specific policies can be specified by defining a named -subset and overriding the settings specified at the service level. The -following rule uses a round robin load balancing policy for all traffic -going to a subset named testversion that is composed of endpoints (e.g., +

    {{}}
    +{{}}

    +

    Version specific policies can be specified by defining a named
    +subset and overriding the settings specified at the service level. The
    +following rule uses a round robin load balancing policy for all traffic
    +going to a subset named testversion that is composed of endpoints (e.g.,
    pods) with labels (version:v3).

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -75,11 +66,8 @@
           loadBalancer:
             simple: ROUND_ROBIN
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -97,21 +85,16 @@
           loadBalancer:
             simple: ROUND_ROBIN
     
    - -

    {{}} -{{}}

    - -

    Note: Policies specified for subsets will not take effect until +

    {{}}
    +{{}}

    +

    Note: Policies specified for subsets will not take effect until
    a route rule explicitly sends traffic to this subset.

    - -

    Traffic policies can be customized to specific ports as well. The -following rule uses the least connection load balancing policy for all -traffic to port 80, while uses a round robin load balancing setting for +

    Traffic policies can be customized to specific ports as well. The
    +following rule uses the least connection load balancing policy for all
    +traffic to port 80, while uses a round robin load balancing setting for
    traffic to the port 9080.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -129,11 +112,8 @@
           loadBalancer:
             simple: ROUND_ROBIN
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -151,17 +131,13 @@
           loadBalancer:
             simple: ROUND_ROBIN
     
    - -

    {{}} -{{}}

    - -

    Destination Rules can be customized to specific workloads as well. -The following example shows how a destination rule can be applied to a +

    {{}}
    +{{}}

    +

    Destination Rules can be customized to specific workloads as well.
    +The following example shows how a destination rule can be applied to a
    specific workload using the workloadSelector configuration.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -181,10 +157,8 @@
             credentialName: client-credential
             mode: MUTUAL
     
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -204,13 +178,12 @@
             credentialName: client-credential
             mode: MUTUAL
     
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    DestinationRule

    -

    DestinationRule defines policies that apply to traffic intended for a service +

    DestinationRule defines policies that apply to traffic intended for a service
    after routing has occurred.

    matchLabels map<string, string> -

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is “key”, the -operator is “In”, and the values array contains only “value”. The requirements are ANDed. +

    matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
    +map is equivalent to an element of matchExpressions, whose key field is "key", the
    +operator is "In", and the values array contains only "value". The requirements are ANDed.
    +optional

    matchExpressions LabelSelectorRequirement[] -

    matchExpressions is a list of label selector requirements. The requirements are ANDed. +

    matchExpressions is a list of label selector requirements. The requirements are ANDed.
    +optional

    ACTION_REQUIRED -

    Overall status only and would not be set as a component status. -Action is needed from the user for reconciliation to proceed +

    Overall status only and would not be set as a component status.
    +Action is needed from the user for reconciliation to proceed
    e.g. There are proxies still pointing to the control plane revision when try to remove an IstioOperator CR.

    conditions IstioCondition[] -

    Current service state of pod. -More info: https://istio.io/docs/reference/config/config-status/ -+optional -+patchMergeKey=type +

    Current service state of pod.
    +More info: https://istio.io/docs/reference/config/config-status/
    ++optional
    ++patchMergeKey=type
    +patchStrategy=merge

    validationMessages AnalysisMessageBase[] -

    Includes any errors or warnings detected by Istio’s analyzers. -+optional -+patchMergeKey=type +

    Includes any errors or warnings detected by Istio's analyzers.
    ++optional
    ++patchMergeKey=type
    +patchStrategy=merge

    observedGeneration int64 -

    Resource Generation to which the Reconciled Condition refers. -When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current -generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info. +

    Resource Generation to which the Reconciled Condition refers.
    +When this value is not equal to the object's metadata generation, reconciled condition calculation for the current
    +generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.
    +optional

    status string -

    Status is the status of the condition. +

    Status is the status of the condition.
    Can be True, False, Unknown.

    lastProbeTime Timestamp -

    Last time we probed the condition. +

    Last time we probed the condition.
    +optional

    lastTransitionTime Timestamp -

    Last time the condition transitioned from one status to another. +

    Last time the condition transitioned from one status to another.
    +optional

    reason string -

    Unique, one-word, CamelCase reason for the condition’s last transition. +

    Unique, one-word, CamelCase reason for the condition's last transition.
    +optional

    message string -

    Human-readable message indicating details about last transition. +

    Human-readable message indicating details about last transition.
    +optional
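Review bot: The `conditions` and `validationMessages` descriptions carry `+optional`, `+patchMergeKey=type` and `+patchStrategy=merge` as prose, and the diff shows both old and new generator output keeping them (the `-+optional` and `++optional` lines are the marker text behind a diff sign, not a changed marker). These are strategic-merge-patch annotations for the Go type and say nothing to a reader of the status reference; filtering `+`-prefixed marker lines in the generator would clean these and the many `+optional` lines on the other regenerated pages in one go.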

    @@ -227,21 +200,19 @@

    DestinationRule

    @@ -253,7 +224,7 @@

    DestinationRule

    @@ -265,7 +236,7 @@

    DestinationRule

    @@ -277,19 +248,17 @@

    DestinationRule

    @@ -301,14 +270,14 @@

    DestinationRule

    host string -

    The name of a service from the service registry. Service -names are looked up from the platform’s service registry (e.g., -Kubernetes services, Consul services, etc.) and from the hosts -declared by ServiceEntries. Rules defined for +

    The name of a service from the service registry. Service
    +names are looked up from the platform's service registry (e.g.,
    +Kubernetes services, Consul services, etc.) and from the hosts
    +declared by ServiceEntries. Rules defined for
    services that do not exist in the service registry will be ignored.

    - -

    Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully +

    Note for Kubernetes users: When short names are used (e.g. "reviews"
    +instead of "reviews.default.svc.cluster.local"), Istio will interpret
    +the short name based on the namespace of the rule, not the service. A
    +rule in the "default" namespace containing a host "reviews" will be
    +interpreted as "reviews.default.svc.cluster.local", irrespective of
    +the actual namespace associated with the reviews service. To avoid
    +potential misconfigurations, it is recommended to always use fully
    qualified domain names over short names.

    -

    Note that the host field applies to both HTTP and TCP services.

    trafficPolicy TrafficPolicy -

    Traffic policies to apply (load balancing policy, connection pool +

    Traffic policies to apply (load balancing policy, connection pool
    sizes, outlier detection).

    subsets Subset[] -

    One or more named sets that represent individual versions of a +

    One or more named sets that represent individual versions of a
    service. Traffic policies can be overridden at subset level.

    exportTo string[] -

    A list of namespaces to which this destination rule is exported. -The resolution of a destination rule to apply to a service occurs in the -context of a hierarchy of namespaces. Exporting a destination rule allows -it to be included in the resolution hierarchy for services in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of destination rules +

    A list of namespaces to which this destination rule is exported.
    +The resolution of a destination rule to apply to a service occurs in the
    +context of a hierarchy of namespaces. Exporting a destination rule allows
    +it to be included in the resolution hierarchy for services in
    +other namespaces. This feature provides a mechanism for service owners
    +and mesh administrators to control the visibility of destination rules
    across namespace boundaries.

    - -

    If no namespaces are specified then the destination rule is exported to all +

    If no namespaces are specified then the destination rule is exported to all
    namespaces by default.

    - -

    The value “.” is reserved and defines an export to the same namespace that -the destination rule is declared in. Similarly, the value “*” is reserved and +

    The value "." is reserved and defines an export to the same namespace that
    +the destination rule is declared in. Similarly, the value "*" is reserved and
    defines an export to all namespaces.

    workloadSelector WorkloadSelector -

    Criteria used to select the specific set of pods/VMs on which this - DestinationRule configuration should be applied. If specified, the DestinationRule - configuration will be applied only to the workload instances matching the workload selector - label in the same namespace. Workload selectors do not apply across namespace boundaries. - If omitted, the DestinationRule falls back to its default behavior. - For example, if specific sidecars need to have egress TLS settings for services outside - of the mesh, instead of every sidecar in the mesh needing to have the - configuration (which is the default behaviour), a workload selector can be specified.

    +

    Criteria used to select the specific set of pods/VMs on which this
    +DestinationRule configuration should be applied. If specified, the DestinationRule
    +configuration will be applied only to the workload instances matching the workload selector
    +label in the same namespace. Workload selectors do not apply across namespace boundaries.
    +If omitted, the DestinationRule falls back to its default behavior.
    +For example, if specific sidecars need to have egress TLS settings for services outside
    +of the mesh, instead of every sidecar in the mesh needing to have the
    +configuration (which is the default behaviour), a workload selector can be specified.

    @@ -320,7 +289,7 @@

    DestinationRule

    TrafficPolicy

    -

    Traffic policies to apply for a specific destination, across all +

    Traffic policies to apply for a specific destination, across all
    destination ports. See DestinationRule for examples.

    @@ -381,10 +350,10 @@

    TrafficPolicy

    @@ -396,9 +365,9 @@

    TrafficPolicy

    portLevelSettings PortTrafficPolicy[] -

    Traffic policies specific to individual ports. Note that port level -settings will override the destination-level settings. Traffic -settings specified at the destination-level will not be inherited when -overridden by port-level settings, i.e. default values will be applied +

    Traffic policies specific to individual ports. Note that port level
    +settings will override the destination-level settings. Traffic
    +settings specified at the destination-level will not be inherited when
    +overridden by port-level settings, i.e. default values will be applied
    to fields omitted in port-level traffic policies.

    tunnel TunnelSettings -

    Configuration of tunneling TCP over other transport or application layers -for the host configured in the DestinationRule. -Tunnel settings can be applied to TCP or TLS routes and can’t be applied to HTTP routes.

    +

    Configuration of tunneling TCP over other transport or application layers
    +for the host configured in the DestinationRule.
    +Tunnel settings can be applied to TCP or TLS routes and can't be applied to HTTP routes.

    @@ -410,18 +379,16 @@

    TrafficPolicy

    Subset

    -

    A subset of endpoints of a service. Subsets can be used for scenarios -like A/B testing, or routing to a specific version of a service. Refer -to VirtualService documentation for examples of using -subsets in these scenarios. In addition, traffic policies defined at the -service-level can be overridden at a subset-level. The following rule -uses a round robin load balancing policy for all traffic going to a -subset named testversion that is composed of endpoints (e.g., pods) with +

    A subset of endpoints of a service. Subsets can be used for scenarios
    +like A/B testing, or routing to a specific version of a service. Refer
    +to VirtualService documentation for examples of using
    +subsets in these scenarios. In addition, traffic policies defined at the
    +service-level can be overridden at a subset-level. The following rule
    +uses a round robin load balancing policy for all traffic going to a
    +subset named testversion that is composed of endpoints (e.g., pods) with
    labels (version:v3).

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -439,11 +406,8 @@ 

    Subset

    loadBalancer: simple: ROUND_ROBIN
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -461,17 +425,14 @@ 

    Subset

    loadBalancer: simple: ROUND_ROBIN
    - -

    {{}} -{{}}

    - -

    Note: Policies specified for subsets will not take effect until +

    {{}}
    +{{}}

    +

    Note: Policies specified for subsets will not take effect until
    a route rule explicitly sends traffic to this subset.

    - -

    One or more labels are typically required to identify the subset destination, -however, when the corresponding DestinationRule represents a host that -supports multiple SNI hosts (e.g., an egress gateway), a subset without labels -may be meaningful. In this case a traffic policy with ClientTLSSettings +

    One or more labels are typically required to identify the subset destination,
    +however, when the corresponding DestinationRule represents a host that
    +supports multiple SNI hosts (e.g., an egress gateway), a subset without labels
    +may be meaningful. In this case a traffic policy with ClientTLSSettings
    can be used to identify a specific SNI host corresponding to the named subset.

    @@ -488,7 +449,7 @@

    Subset

    @@ -500,7 +461,7 @@

    Subset

    @@ -512,9 +473,9 @@

    Subset

    @@ -527,17 +488,14 @@

    Subset

    LoadBalancerSettings

    -

    Load balancing policies to apply for a specific destination. See Envoy’s -load balancing -documentation +

    Load balancing policies to apply for a specific destination. See Envoy's
    +load balancing
    +documentation
    for more details.

    - -

    For example, the following rule uses a round robin load balancing policy +

    For example, the following rule uses a round robin load balancing policy
    for all traffic going to the ratings service.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -548,11 +506,8 @@ 

    LoadBalancerSettings

    loadBalancer: simple: ROUND_ROBIN
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -563,17 +518,13 @@ 

    LoadBalancerSettings

    loadBalancer: simple: ROUND_ROBIN
    - -

    {{}} -{{}}

    - -

    The following example sets up sticky sessions for the ratings service -hashing-based load balancer for the same ratings service using the +

    {{}}
    +{{}}

    +

    The following example sets up sticky sessions for the ratings service
    +hashing-based load balancer for the same ratings service using the
    the User cookie as the hash key.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
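Review bot: The unchanged context line `the User cookie as the hash key.` follows the new line `+hashing-based load balancer for the same ratings service using the`, so the rendered sentence reads "using the the User cookie", and the sentence as a whole ("sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service") is missing words. The text is copied from the proto comment, so the fix belongs in the LoadBalancerSettings comment in istio/api, with this page regenerated afterwards rather than hand-edited.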
    @@ -587,11 +538,8 @@ 

    LoadBalancerSettings

    name: user ttl: 0s
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -605,9 +553,8 @@ 

    LoadBalancerSettings

    name: user ttl: 0s
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    name string -

    Name of the subset. The service name and the subset name can +

    Name of the subset. The service name and the subset name can
    be used for traffic splitting in a route rule.

    labels map<string, string> -

    Labels apply a filter over the endpoints of a service in the +

    Labels apply a filter over the endpoints of a service in the
    service registry. See route rules for examples of usage.

    trafficPolicy TrafficPolicy -

    Traffic policies that apply to this subset. Subsets inherit the -traffic policies specified at the DestinationRule level. Settings -specified at the subset level will override the corresponding settings +

    Traffic policies that apply to this subset. Subsets inherit the
    +traffic policies specified at the DestinationRule level. Settings
    +specified at the subset level will override the corresponding settings
    specified at the DestinationRule level.

    @@ -641,7 +588,7 @@

    LoadBalancerSettings

    @@ -653,10 +600,10 @@

    LoadBalancerSettings

    @@ -669,18 +616,15 @@

    LoadBalancerSettings

    ConnectionPoolSettings

    -

    Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy’s circuit -breaker -for more details. Connection pool settings can be applied at the TCP +

    Connection pool settings for an upstream host. The settings apply to
    +each individual host in the upstream service. See Envoy's circuit
    +breaker

    +for more details. Connection pool settings can be applied at the TCP
    level as well as at HTTP level.

    - -

    For example, the following rule sets a limit of 100 connections to redis +

    For example, the following rule sets a limit of 100 connections to redis
    service called myredissrv with a connect timeout of 30ms

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
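Review bot: In the ConnectionPoolSettings description the new output has an empty line between `+breaker` and `+for more details.`, which suggests the Goldmark renderer closes the paragraph at the `circuit breaker` link; the same gap appears after `+detection` in OutlierDetection and after `+context` in ClientTLSSettings further down, while the old protoc-gen-docs output kept the link and "for more details" in one paragraph. Please check the generated HTML for a stray `</p>` or block element inside those links before merging, as it would split every "See Envoy's ... for more details" sentence in the reference.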
    @@ -696,11 +640,8 @@ 

    ConnectionPoolSettings

    time: 7200s interval: 75s
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -716,9 +657,8 @@ 

    ConnectionPoolSettings

    time: 7200s interval: 75s
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    localityLbSetting LocalityLoadBalancerSetting -

    Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed +

    Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed
    between this object and the object one in MeshConfig

    warmupDurationSecs Duration -

    Represents the warmup duration of Service. If set, the newly created endpoint of service -remains in warmup mode starting from its creation time for the duration of this window and -Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic. -This should be enabled for services that require warm up time to serve full production load with reasonable latency. +

    Represents the warmup duration of Service. If set, the newly created endpoint of service
    +remains in warmup mode starting from its creation time for the duration of this window and
    +Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic.
    +This should be enabled for services that require warm up time to serve full production load with reasonable latency.
    Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers.

    @@ -757,25 +697,22 @@

    ConnectionPoolSettings

    OutlierDetection

    -

    A Circuit breaker implementation that tracks the status of each -individual host in the upstream service. Applicable to both HTTP and -TCP services. For HTTP services, hosts that continually return 5xx -errors for API calls are ejected from the pool for a pre-defined period -of time. For TCP services, connection timeouts or connection -failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy’s outlier -detection +

    A Circuit breaker implementation that tracks the status of each
    +individual host in the upstream service. Applicable to both HTTP and
    +TCP services. For HTTP services, hosts that continually return 5xx
    +errors for API calls are ejected from the pool for a pre-defined period
    +of time. For TCP services, connection timeouts or connection
    +failures to a given host counts as an error when measuring the
    +consecutive errors metric. See Envoy's outlier
    +detection

    for more details.

    - -

    The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the “reviews” service. In addition, -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream -hosts to be scanned every 5 mins so that any host that fails 7 consecutive +

    The following rule sets a connection pool size of 100 HTTP1 connections
    +with no more than 10 req/connection to the "reviews" service. In addition,
    +it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
    +hosts to be scanned every 5 mins so that any host that fails 7 consecutive
    times with a 502, 503, or 504 error code will be ejected for 15 minutes.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
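Review bot: the regenerated `+` lines in this hunk replace the typographic punctuation of the `-` lines (Envoy’s, “reviews”) with straight ASCII quotes (Envoy's, "reviews"). If the previous renderer applied smart punctuation, either enable Goldmark's Typographer extension in the istio/api doc generator or confirm that straight quotes are the intended style, so the reference pages do not end up inconsistent with the rest of the site.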
    @@ -794,11 +731,8 @@ 

    OutlierDetection

    interval: 5m baseEjectionTime: 15m
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -817,9 +751,8 @@ 

    OutlierDetection

    interval: 5m baseEjectionTime: 15m
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    @@ -835,13 +768,13 @@

    OutlierDetection

    @@ -853,8 +786,8 @@

    OutlierDetection

    @@ -866,18 +799,17 @@

    OutlierDetection

    @@ -889,17 +821,16 @@

    OutlierDetection

    @@ -911,7 +842,7 @@

    OutlierDetection

    @@ -923,10 +854,10 @@

    OutlierDetection

    @@ -938,7 +869,7 @@

    OutlierDetection

    @@ -950,12 +881,12 @@

    OutlierDetection

    @@ -968,16 +899,13 @@

    OutlierDetection

    ClientTLSSettings

    -

    SSL/TLS related settings for upstream connections. See Envoy’s TLS -context +

    SSL/TLS related settings for upstream connections. See Envoy's TLS
    +context

    for more details. These settings are common to both HTTP and TCP upstreams.

    - -

    For example, the following rule configures a client to use mutual TLS +

    For example, the following rule configures a client to use mutual TLS
    for connections to upstream database cluster.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -991,11 +919,8 @@ 

    ClientTLSSettings

    privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -1009,16 +934,12 @@ 

    ClientTLSSettings

    privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
    - -

    {{}} -{{}}

    - -

    The following rule configures a client to use TLS when talking to a +

    {{}}
    +{{}}

    +

    The following rule configures a client to use TLS when talking to a
    foreign service whose domain matches *.foo.com.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -1029,11 +950,8 @@ 

    ClientTLSSettings

    tls: mode: SIMPLE
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -1044,16 +962,12 @@ 

    ClientTLSSettings

    tls: mode: SIMPLE
    - -

    {{}} -{{}}

    - -

    The following rule configures a client to use Istio mutual TLS when talking +

    {{}}
    +{{}}

    +

    The following rule configures a client to use Istio mutual TLS when talking
    to rating services.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -1064,11 +978,8 @@ 

    ClientTLSSettings

    tls: mode: ISTIO_MUTUAL
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -1079,9 +990,8 @@ 

    ClientTLSSettings

    tls: mode: ISTIO_MUTUAL
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    splitExternalLocalOriginErrors bool -

    Determines whether to distinguish local origin failures from external errors. If set to true -consecutive_local_origin_failure is taken into account for outlier detection calculations. -This should be used when you want to derive the outlier detection status based on the errors -seen locally such as failure to connect, timeout while connecting etc. rather than the status code -retuned by upstream service. This is especially useful when the upstream service explicitly returns -a 5xx for some requests and you want to ignore those responses from upstream service while determining -the outlier detection status of a host. +

    Determines whether to distinguish local origin failures from external errors. If set to true
    +consecutive_local_origin_failure is taken into account for outlier detection calculations.
    +This should be used when you want to derive the outlier detection status based on the errors
    +seen locally such as failure to connect, timeout while connecting etc. rather than the status code
    +retuned by upstream service. This is especially useful when the upstream service explicitly returns
    +a 5xx for some requests and you want to ignore those responses from upstream service while determining
    +the outlier detection status of a host.
    Defaults to false.

    consecutiveLocalOriginFailures UInt32Value -

    The number of consecutive locally originated failures before ejection -occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors +

    The number of consecutive locally originated failures before ejection
    +occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors
    is set to true.

    consecutiveGatewayErrors UInt32Value -

    Number of gateway errors before a host is ejected from the connection pool. -When the upstream host is accessed over HTTP, a 502, 503, or 504 return -code qualifies as a gateway error. When the upstream host is accessed over -an opaque TCP connection, connect timeouts and connection error/failure -events qualify as a gateway error. +

    Number of gateway errors before a host is ejected from the connection pool.
    +When the upstream host is accessed over HTTP, a 502, 503, or 504 return
    +code qualifies as a gateway error. When the upstream host is accessed over
    +an opaque TCP connection, connect timeouts and connection error/failure
    +events qualify as a gateway error.
    This feature is disabled by default or when set to the value 0.

    - -

    Note that consecutive_gateway_errors and consecutive_5xx_errors can be -used separately or together. Because the errors counted by -consecutive_gateway_errors are also included in consecutive_5xx_errors, -if the value of consecutive_gateway_errors is greater than or equal to -the value of consecutive_5xx_errors, consecutive_gateway_errors will have +

    Note that consecutive_gateway_errors and consecutive_5xx_errors can be
    +used separately or together. Because the errors counted by
    +consecutive_gateway_errors are also included in consecutive_5xx_errors,
    +if the value of consecutive_gateway_errors is greater than or equal to
    +the value of consecutive_5xx_errors, consecutive_gateway_errors will have
    no effect.

    consecutive5xxErrors UInt32Value -

    Number of 5xx errors before a host is ejected from the connection pool. -When the upstream host is accessed over an opaque TCP connection, connect -timeouts, connection error/failure and request failure events qualify as a -5xx error. +

    Number of 5xx errors before a host is ejected from the connection pool.
    +When the upstream host is accessed over an opaque TCP connection, connect
    +timeouts, connection error/failure and request failure events qualify as a
    +5xx error.
    This feature defaults to 5 but can be disabled by setting the value to 0.

    - -

    Note that consecutive_gateway_errors and consecutive_5xx_errors can be -used separately or together. Because the errors counted by -consecutive_gateway_errors are also included in consecutive_5xx_errors, -if the value of consecutive_gateway_errors is greater than or equal to -the value of consecutive_5xx_errors, consecutive_gateway_errors will have +

    Note that consecutive_gateway_errors and consecutive_5xx_errors can be
    +used separately or together. Because the errors counted by
    +consecutive_gateway_errors are also included in consecutive_5xx_errors,
    +if the value of consecutive_gateway_errors is greater than or equal to
    +the value of consecutive_5xx_errors, consecutive_gateway_errors will have
    no effect.

    interval Duration -

    Time interval between ejection sweep analysis. format: +

    Time interval between ejection sweep analysis. format:
    1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

    baseEjectionTime Duration -

    Minimum ejection duration. A host will remain ejected for a period -equal to the product of minimum ejection duration and the number of -times the host has been ejected. This technique allows the system to -automatically increase the ejection period for unhealthy upstream +

    Minimum ejection duration. A host will remain ejected for a period
    +equal to the product of minimum ejection duration and the number of
    +times the host has been ejected. This technique allows the system to
    +automatically increase the ejection period for unhealthy upstream
    servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

    maxEjectionPercent int32 -

    Maximum % of hosts in the load balancing pool for the upstream +

    Maximum % of hosts in the load balancing pool for the upstream
    service that can be ejected. Defaults to 10%.

    minHealthPercent int32 -

    Outlier detection will be enabled as long as the associated load balancing -pool has at least min_health_percent hosts in healthy mode. When the -percentage of healthy hosts in the load balancing pool drops below this -threshold, outlier detection will be disabled and the proxy will load balance -across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it’s not typically +

    Outlier detection will be enabled as long as the associated load balancing
    +pool has at least min_health_percent hosts in healthy mode. When the
    +percentage of healthy hosts in the load balancing pool drops below this
    +threshold, outlier detection will be disabled and the proxy will load balance
    +across all hosts in the pool (healthy and unhealthy). The threshold can be
    +disabled by setting it to 0%. The default is 0% as it's not typically
    applicable in k8s environments with few pods per service.
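Review bot: the typo "retuned by upstream service" in the splitExternalLocalOriginErrors description is carried unchanged from the `-` line into the `+` line. Since these pages are generated from the istio/api proto comments, the fix ("returned by upstream service") belongs upstream rather than in the rendered HTML; the same holds for the repeated "This feature is disabled by default or when set to the value 0" wording in consecutiveGatewayErrors.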

    @@ -1097,7 +1007,7 @@

    ClientTLSSettings

    @@ -1109,8 +1019,8 @@

    ClientTLSSettings

    @@ -1122,8 +1032,8 @@

    ClientTLSSettings

    @@ -1135,9 +1045,9 @@

    ClientTLSSettings

    @@ -1149,21 +1059,20 @@

    ClientTLSSettings

    @@ -1175,13 +1084,13 @@

    ClientTLSSettings

    @@ -1193,9 +1102,9 @@

    ClientTLSSettings

    @@ -1207,17 +1116,16 @@

    ClientTLSSettings

    @@ -1230,22 +1138,20 @@

    ClientTLSSettings

    LocalityLoadBalancerSetting

    -

    Locality-weighted load balancing allows administrators to control the -distribution of traffic to endpoints based on the localities of where the -traffic originates and where it will terminate. These localities are -specified using arbitrary labels that designate a hierarchy of localities in -{region}/{zone}/{sub-zone} form. For additional detail refer to -Locality Weight +

    Locality-weighted load balancing allows administrators to control the
    +distribution of traffic to endpoints based on the localities of where the
    +traffic originates and where it will terminate. These localities are
    +specified using arbitrary labels that designate a hierarchy of localities in
    +{region}/{zone}/{sub-zone} form. For additional detail refer to
    +Locality Weight
    The following example shows how to setup locality weights mesh-wide.

    - -

    Given a mesh with workloads and their service deployed to “us-west/zone1/” -and “us-west/zone2/”. This example specifies that when traffic accessing a -service originates from workloads in “us-west/zone1/”, 80% of the traffic -will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the -remaining 20% will go to endpoints in “us-west/zone2/”. This setup is -intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in “us-west/zone2/”.

    - +

    Given a mesh with workloads and their service deployed to "us-west/zone1/"
    +and "us-west/zone2/
    ". This example specifies that when traffic accessing a
    +service originates from workloads in "us-west/zone1/", 80% of the traffic
    +will be sent to endpoints in "us-west/zone1/
    ", i.e the same zone, and the
    +remaining 20% will go to endpoints in "us-west/zone2/". This setup is
    +intended to favor routing traffic to endpoints in the same locality.
    +A similar setting is specified for traffic originating in "us-west/zone2/
    ".

      distribute:
         - from: us-west/zone1/*
           to:
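Review bot: in the `+` lines of this hunk the quoted locality names are broken across lines inside the quotes (`"us-west/zone2/` followed by `". This example`, three times), whereas the `-` line kept each name on one line. The YAML directly below uses `us-west/zone1/*`, so the `*` wildcard inside the quoted name was most likely consumed by Goldmark as an emphasis marker; escape the asterisks in the source comment (`\*`) and verify that the rendered HTML shows the literal wildcard before merging.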
    @@ -1256,25 +1162,21 @@ 

    LocalityLoadBalancerSetting

    "us-west/zone1/*": 20 "us-west/zone2/*": 80
    - -

    If the goal of the operator is not to distribute load across zones and -regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a ‘failover’ policy instead of -a ‘distribute’ policy.

    - -

    The following example sets up a locality failover policy for regions. -Assume a service resides in zones within us-east, us-west & eu-west -this example specifies that when endpoints within us-east become unhealthy -traffic should failover to endpoints in any zone or sub-zone within eu-west +

    If the goal of the operator is not to distribute load across zones and
    +regions but rather to restrict the regionality of failover to meet other
    +operational requirements an operator can set a 'failover' policy instead of
    +a 'distribute' policy.

    +

    The following example sets up a locality failover policy for regions.
    +Assume a service resides in zones within us-east, us-west & eu-west
    +this example specifies that when endpoints within us-east become unhealthy
    +traffic should failover to endpoints in any zone or sub-zone within eu-west
    and similarly us-west should failover to us-east.

    -
     failover:
        - from: us-east
          to: eu-west
        - from: us-west
          to: us-east
     
    -

    Locality load balancing settings.

    mode TLSmode -

    Indicates whether connections to this port should be secured +

    Indicates whether connections to this port should be secured
    using TLS. The value of this field determines how TLS is enforced.

    clientCertificate string -

    REQUIRED if mode is MUTUAL. The path to the file holding the -client-side TLS certificate to use. +

    REQUIRED if mode is MUTUAL. The path to the file holding the
    +client-side TLS certificate to use.
    Should be empty if mode is ISTIO_MUTUAL.

    privateKey string -

    REQUIRED if mode is MUTUAL. The path to the file holding the -client’s private key. +

    REQUIRED if mode is MUTUAL. The path to the file holding the
    +client's private key.
    Should be empty if mode is ISTIO_MUTUAL.

    caCertificates string -

    OPTIONAL: The path to the file containing certificate authority -certificates to use in verifying a presented server certificate. If -omitted, the proxy will not verify the server’s certificate. +

    OPTIONAL: The path to the file containing certificate authority
    +certificates to use in verifying a presented server certificate. If
    +omitted, the proxy will not verify the server's certificate.
    Should be empty if mode is ISTIO_MUTUAL.

    credentialName string -

    The name of the secret that holds the TLS certs for the -client including the CA certificates. Secret must exist in the -same namespace with the proxy using the certificates. -The secret (of type generic)should contain the -following keys and values: key: <privateKey>, -cert: <clientCert>, cacert: <CACertificate>. -Here CACertificate is used to verify the server certificate. -Secret of type tls for client certificates along with -ca.crt key for CA certificates is also supported. -Only one of client certificates and CA certificate +

    The name of the secret that holds the TLS certs for the
    +client including the CA certificates. Secret must exist in the
    +same namespace with the proxy using the certificates.
    +The secret (of type generic)should contain the
    +following keys and values: key: <privateKey>,
    +cert: <clientCert>, cacert: <CACertificate>.
    +Here CACertificate is used to verify the server certificate.
    +Secret of type tls for client certificates along with
    +ca.crt key for CA certificates is also supported.
    +Only one of client certificates and CA certificate
    or credentialName can be specified.

    - -

    NOTE: This field is applicable at sidecars only if -DestinationRule has a workloadSelector specified. -Otherwise the field will be applicable only at gateways, and +

    NOTE: This field is applicable at sidecars only if
    +DestinationRule has a workloadSelector specified.
    +Otherwise the field will be applicable only at gateways, and
    sidecars will continue to use the certificate paths.

    subjectAltNames string[] -

    A list of alternate names to verify the subject identity in the -certificate. If specified, the proxy will verify that the server -certificate’s subject alt name matches one of the specified values. -If specified, this list overrides the value of subject_alt_names -from the ServiceEntry. If unspecified, automatic validation of upstream -presented certificate for new upstream connections will be done based on the -downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT +

    A list of alternate names to verify the subject identity in the
    +certificate. If specified, the proxy will verify that the server
    +certificate's subject alt name matches one of the specified values.
    +If specified, this list overrides the value of subject_alt_names
    +from the ServiceEntry. If unspecified, automatic validation of upstream
    +presented certificate for new upstream connections will be done based on the
    +downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT
    and ENABLE_AUTO_SNI environmental variables are set to true.

    sni string -

    SNI string to present to the server during TLS handshake. -If unspecified, SNI will be automatically set based on downstream HTTP -host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI +

    SNI string to present to the server during TLS handshake.
    +If unspecified, SNI will be automatically set based on downstream HTTP
    +host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI
    environmental variable is set to true.

    insecureSkipVerify BoolValue -

    InsecureSkipVerify specifies whether the proxy should skip verifying the -CA signature and SAN for the server certificate corresponding to the host. -This flag should only be set if global CA signature verifcation is -enabled, VerifyCertAtClient environmental variable is set to true, -but no verification is desired for a specific host. If enabled with or -without VerifyCertAtClient enabled, verification of the CA signature and +

    InsecureSkipVerify specifies whether the proxy should skip verifying the
    +CA signature and SAN for the server certificate corresponding to the host.
    +This flag should only be set if global CA signature verifcation is
    +enabled, VerifyCertAtClient environmental variable is set to true,
    +but no verification is desired for a specific host. If enabled with or
    +without VerifyCertAtClient enabled, verification of the CA signature and
    SAN will be skipped.

    - -

    InsecureSkipVerify is false by default. -VerifyCertAtClient is false by default in Istio version 1.9 but will -be true by default in a later version where, going forward, it will be +

    InsecureSkipVerify is false by default.
    +VerifyCertAtClient is false by default in Istio version 1.9 but will
    +be true by default in a later version where, going forward, it will be
    enabled by default.
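Review bot: two upstream text defects survive into the `+` lines of this region and should be fixed in the istio/api proto comments rather than here: "The secret (of type generic)should contain" is missing a space before "should" in the credentialName description, and "global CA signature verifcation" in the insecureSkipVerify description should read "verification". Given that insecureSkipVerify disables CA signature and SAN checks, it is worth double-checking that its rendered description is complete and readable, as it is the field an operator is least likely to want to misread.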

    @@ -1291,9 +1193,9 @@

    LocalityLoadBalancerSetting

    @@ -1305,9 +1207,9 @@

    LocalityLoadBalancerSetting

    @@ -1319,22 +1221,18 @@

    LocalityLoadBalancerSetting

    @@ -1372,7 +1266,7 @@

    LocalityLoadBalancerSetting

    @@ -1401,7 +1295,7 @@

    TrafficPolicy.PortTrafficPolicy

    @@ -1472,11 +1366,11 @@

    TrafficPolicy.TunnelSettings

    @@ -1488,7 +1382,7 @@

    TrafficPolicy.TunnelSettings

    @@ -1512,10 +1406,10 @@

    TrafficPolicy.TunnelSettings

    LoadBalancerSettings.ConsistentHashLB

    -

    Consistent Hash-based load balancing can be used to provide soft -session affinity based on HTTP headers, cookies or other -properties. The affinity to a particular destination host may be -lost when one or more hosts are added/removed from the destination +

    Consistent Hash-based load balancing can be used to provide soft
    +session affinity based on HTTP headers, cookies or other
    +properties. The affinity to a particular destination host may be
    +lost when one or more hosts are added/removed from the destination
    service.

    distribute Distribute[] -

    Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing +

    Optional: only one of distribute, failover or failoverPriority can be set.
    +Explicitly specify loadbalancing weight across different zones and geographical locations.
    +Refer to Locality weighted load balancing
    If empty, the locality weight is set according to the endpoints number within it.

    failover Failover[] -

    Optional: only one of distribute, failover or failoverPriority can be set. -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. -Should be used together with OutlierDetection to detect unhealthy endpoints. +

    Optional: only one of distribute, failover or failoverPriority can be set.
    +Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
    +Should be used together with OutlierDetection to detect unhealthy endpoints.
    Note: if no OutlierDetection specified, this will not take effect.

    failoverPriority string[] -

    failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. -This is to support traffic failover across different groups of endpoints. +

    failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
    +This is to support traffic failover across different groups of endpoints.
    Suppose there are total N labels specified:

    -
    1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
    2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
    3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
    4. All the other endpoints have priority P(N) i.e. lowest priority.
    -

    Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

    - -

    It can be any label specified on both client and server workloads. +

    It can be any label specified on both client and server workloads.
    The following labels which have special semantic meaning are also supported:

    -
    • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
    • topology.istio.io/cluster is used to match the clusterID of an endpoint, which can be specified by pod label topology.istio.io/cluster or pod env ISTIO_META_CLUSTER_ID.
    • @@ -1342,16 +1240,13 @@

      LocalityLoadBalancerSetting

    • topology.kubernetes.io/zone is used to match the zone metadata of an endpoint, which maps to Kubernetes node label topology.kubernetes.io/zone or the deprecated label failure-domain.beta.kubernetes.io/zone.
    • topology.istio.io/subzone is used to match the subzone metadata of an endpoint, which maps to Istio node label topology.istio.io/subzone.
    -

    The below topology config indicates the following priority levels:

    -
    failoverPriority:
     - "topology.istio.io/network"
     - "topology.kubernetes.io/region"
     - "topology.kubernetes.io/zone"
     - "topology.istio.io/subzone"
     
    -
    1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
    2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
    3. @@ -1359,8 +1254,7 @@

      LocalityLoadBalancerSetting

    4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
    5. all the other endpoints have the same lowest priority.
    - -

    Optional: only one of distribute, failover or failoverPriority can be set. +

    Optional: only one of distribute, failover or failoverPriority can be set.
    And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

    enabled BoolValue -

    enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. +

    enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
    e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.

    port PortSelector -

    Specifies the number of a port on the destination service +

    Specifies the number of a port on the destination service
    on which this policy is being applied.

    protocol string -

    Specifies which protocol to use for tunneling the downstream connection. -Supported protocols are: - CONNECT - uses HTTP CONNECT; - POST - uses HTTP POST. -CONNECT is used by default if not specified. +

    Specifies which protocol to use for tunneling the downstream connection.
    +Supported protocols are:
    +CONNECT - uses HTTP CONNECT;
    +POST - uses HTTP POST.
    +CONNECT is used by default if not specified.
    HTTP version for upstream requests is determined by the service protocol defined for the proxy.

    targetHost string -

    Specifies a host to which the downstream connection is tunneled. +

    Specifies a host to which the downstream connection is tunneled.
    Target host must be an FQDN or IP address.
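Review bot: in the TunnelSettings `protocol` description the `-` line carries explicit list items ("- CONNECT - uses HTTP CONNECT; - POST - uses HTTP POST."), but the `+` lines show "CONNECT - uses HTTP CONNECT;" and "POST - uses HTTP POST." with no item markers. Confirm that Goldmark still renders these as a list in the generated HTML rather than as run-on text; if the markers were dropped, the source comment needs a blank line before the list for CommonMark to recognise it.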

    @@ -1554,7 +1448,7 @@

    LoadBalancerSettings.ConsistentHa

    @@ -1625,10 +1519,10 @@

    LoadBalancerSettings.Con

    @@ -1655,8 +1549,8 @@

    LoadBalancerSettings.Consi

    @@ -1669,8 +1563,8 @@

    LoadBalancerSettings.Consi

    LoadBalancerSettings.ConsistentHashLB.HTTPCookie

    -

    Describes a HTTP cookie that will be used as the hash key for the -Consistent Hash load balancer. If the cookie is not present, it will +

    Describes a HTTP cookie that will be used as the hash key for the
    +Consistent Hash load balancer. If the cookie is not present, it will
    be generated.

    useSourceIp bool (oneof) -

    Hash based on the source IP address. +

    Hash based on the source IP address.
    This is applicable for both TCP and HTTP connections.

    minimumRingSize uint64 -

    The minimum number of virtual nodes to use for the hash -ring. Defaults to 1024. Larger ring sizes result in more granular -load distributions. If the number of hosts in the load balancing -pool is larger than the ring size, each host will be assigned a +

    The minimum number of virtual nodes to use for the hash
    +ring. Defaults to 1024. Larger ring sizes result in more granular
    +load distributions. If the number of hosts in the load balancing
    +pool is larger than the ring size, each host will be assigned a
    single virtual node.

    tableSize uint64 -

    The table size for Maglev hashing. This helps in controlling the -disruption when the backend hosts change. +

    The table size for Maglev hashing. This helps in controlling the
    +disruption when the backend hosts change.
    Increasing the table size reduces the amount of disruption.

    @@ -1748,7 +1642,7 @@

    ConnectionPoolSettings.TCPSettingsconnectTimeout

    @@ -1771,8 +1665,8 @@

    ConnectionPoolSettings.TCPSettingsmaxConnectionDuration

    @@ -1801,10 +1695,10 @@

    ConnectionPoolSettings.HTTPSettings

    @@ -1816,7 +1710,7 @@

    ConnectionPoolSettings.HTTPSettings

    @@ -1828,8 +1722,8 @@

    ConnectionPoolSettings.HTTPSettings

    @@ -1841,7 +1735,7 @@

    ConnectionPoolSettings.HTTPSettings

    @@ -1853,12 +1747,12 @@

    ConnectionPoolSettings.HTTPSettings

    @@ -1881,8 +1775,8 @@

    ConnectionPoolSettings.HTTPSettings

    @@ -1911,8 +1805,8 @@

    ConnectionPoolSettings.

    @@ -1924,8 +1818,8 @@

    ConnectionPoolSettings.

    @@ -1937,8 +1831,8 @@

    ConnectionPoolSettings.

    @@ -1951,15 +1845,12 @@

    ConnectionPoolSettings.

    LocalityLoadBalancerSetting.Distribute

    -

    Describes how traffic originating in the ‘from’ zone or sub-zone is -distributed over a set of ‘to’ zones. Syntax for specifying a zone is -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any +

    Describes how traffic originating in the 'from' zone or sub-zone is
    +distributed over a set of 'to' zones. Syntax for specifying a zone is
    +{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
    segment of the specification. Examples:

    -

    * - matches all localities

    -

    us-west/* - all zones and sub-zones within the us-west region

    -

    us-west/zone-1/* - all sub-zones within us-west/zone-1

    Duration -

    TCP connection timeout. format: +

    TCP connection timeout. format:
    1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

    Duration -

    The maximum duration of a connection. The duration is defined as the period since a connection -was established. If not set, there is no max duration. When max_connection_duration +

    The maximum duration of a connection. The duration is defined as the period since a connection
    +was established. If not set, there is no max duration. When max_connection_duration
    is reached the connection will be closed. Duration must be at least 1ms.

    http1MaxPendingRequests int32 -

    Maximum number of requests that will be queued while waiting for -a ready connection pool connection. Default 1024. -Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking -under which conditions a new connection is created for HTTP2. +

    Maximum number of requests that will be queued while waiting for
    +a ready connection pool connection. Default 1024.
    +Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking
    +under which conditions a new connection is created for HTTP2.
    Please note that this is applicable to both HTTP/1.1 and HTTP2.

    http2MaxRequests int32 -

    Maximum number of active requests to a destination. Default 1024. +

    Maximum number of active requests to a destination. Default 1024.
    Please note that this is applicable to both HTTP/1.1 and HTTP2.

    maxRequestsPerConnection int32 -

    Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning “unlimited”, +

    Maximum number of requests per connection to a backend. Setting this
    +parameter to 1 disables keep alive. Default 0, meaning "unlimited",
    up to 2^29.

    maxRetries int32 -

    Maximum number of retries that can be outstanding to all hosts in a +

    Maximum number of retries that can be outstanding to all hosts in a
    cluster at a given time. Defaults to 2^32-1.

    idleTimeout Duration -

    The idle timeout for upstream connection pool connections. The idle timeout -is defined as the period in which there are no active requests. -If not set, the default is 1 hour. When the idle timeout is reached, -the connection will be closed. If the connection is an HTTP/2 -connection a drain sequence will occur prior to closing the connection. -Note that request based timeouts mean that HTTP/2 PINGs will not +

    The idle timeout for upstream connection pool connections. The idle timeout
    +is defined as the period in which there are no active requests.
    +If not set, the default is 1 hour. When the idle timeout is reached,
    +the connection will be closed. If the connection is an HTTP/2
    +connection a drain sequence will occur prior to closing the connection.
    +Note that request based timeouts mean that HTTP/2 PINGs will not
    keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

    useClientProtocol bool -

    If set to true, client protocol will be preserved while initiating connection to backend. -Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client +

    If set to true, client protocol will be preserved while initiating connection to backend.
    +Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client
    connections will not be upgraded to http2.

    probes uint32 -

    Maximum number of keepalive probes to send without response before -deciding the connection is dead. Default is to use the OS level configuration +

    Maximum number of keepalive probes to send without response before
    +deciding the connection is dead. Default is to use the OS level configuration
    (unless overridden, Linux defaults to 9.)

    time Duration -

    The time duration a connection needs to be idle before keep-alive -probes start being sent. Default is to use the OS level configuration +

    The time duration a connection needs to be idle before keep-alive
    +probes start being sent. Default is to use the OS level configuration
    (unless overridden, Linux defaults to 7200s (ie 2 hours.)

    interval Duration -

    The time duration between keep-alive probes. -Default is to use the OS level configuration +

    The time duration between keep-alive probes.
    +Default is to use the OS level configuration
    (unless overridden, Linux defaults to 75s.)
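Review bot: the keepalive `time` description closes only one of its two parentheses, on the removed and the added lines alike: `(unless overridden, Linux defaults to 7200s (ie 2 hours.)`. The sibling `probes` and `interval` entries close correctly (`... defaults to 9.)`, `... defaults to 75s.)`); since this file is generated, the fix belongs in the upstream proto comment so it survives the next regeneration.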

    @@ -1976,7 +1867,7 @@

    LocalityLoadBalancerSetting.Dist

    @@ -2001,12 +1892,12 @@

    LocalityLoadBalancerSetting.Dist

    LocalityLoadBalancerSetting.Failover

    -

    Specify the traffic failover policy across regions. Since zone and sub-zone -failover is supported by default this only needs to be specified for -regions when the operator needs to constrain traffic failover so that -the default behavior of failing over to any endpoint globally does not -apply. This is useful when failing over traffic across regions would not -improve service health or may need to be restricted for other reasons +

    Specify the traffic failover policy across regions. Since zone and sub-zone
    +failover is supported by default this only needs to be specified for
    +regions when the operator needs to constrain traffic failover so that
    +the default behavior of failing over to any endpoint globally does not
    +apply. This is useful when failing over traffic across regions would not
    +improve service health or may need to be restricted for other reasons
    like regulatory controls.

    from string -

    Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

    +

    Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.

    @@ -1987,8 +1878,8 @@

    LocalityLoadBalancerSetting.Dist

    to map<string, uint32> -

    Map of upstream localities to traffic distribution weights. The sum of -all weights should be 100. Any locality not present will +

    Map of upstream localities to traffic distribution weights. The sum of
    +all weights should be 100. Any locality not present will
    receive no traffic.

    @@ -2034,8 +1925,8 @@

    LocalityLoadBalancerSetting.Failov

    to string -

    Destination region the traffic will fail over to when endpoints in -the ‘from’ region becomes unhealthy.

    +

    Destination region the traffic will fail over to when endpoints in
    +the 'from' region becomes unhealthy.

    @@ -2048,7 +1939,6 @@

    LocalityLoadBalancerSetting.Failov

    google.protobuf.UInt32Value

    Wrapper message for uint32.

    -

    The JSON representation for UInt32Value is JSON number.

    @@ -2090,7 +1980,7 @@

    LoadBalancerSettings.SimpleLB

    @@ -2098,8 +1988,8 @@

    LoadBalancerSettings.SimpleLB

    @@ -2107,10 +1997,10 @@

    LoadBalancerSettings.SimpleLB

    @@ -2118,9 +2008,9 @@

    LoadBalancerSettings.SimpleLB

    @@ -2128,9 +2018,9 @@

    LoadBalancerSettings.SimpleLB

    @@ -2167,7 +2057,7 @@

    ConnectionPoolSetti

    @@ -2175,7 +2065,7 @@

    ConnectionPoolSetti

    @@ -2212,7 +2102,7 @@

    ClientTLSSettings.TLSmode

    @@ -2220,10 +2110,10 @@

    ClientTLSSettings.TLSmode

    diff --git a/content/zh/docs/reference/config/networking/envoy-filter/index.html b/content/zh/docs/reference/config/networking/envoy-filter/index.html index 4f5e0e4f5f747..95f4d57847b44 100644 --- a/content/zh/docs/reference/config/networking/envoy-filter/index.html +++ b/content/zh/docs/reference/config/networking/envoy-filter/index.html @@ -1,54 +1,49 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Envoy Filter description: Customizing Envoy configuration generated by Istio. location: https://istio.io/docs/reference/config/networking/envoy-filter.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.EnvoyFilter aliases: [/zh/docs/reference/config/networking/v1alpha3/envoy-filter] number_of_entries: 18 --- -

    EnvoyFilter provides a mechanism to customize the Envoy -configuration generated by Istio Pilot. Use EnvoyFilter to modify -values for certain fields, add specific filters, or even add -entirely new listeners, clusters, etc. This feature must be used -with care, as incorrect configurations could potentially -destabilize the entire mesh. Unlike other Istio networking objects, -EnvoyFilters are additively applied. Any number of EnvoyFilters can -exist for a given workload in a specific namespace. The order of -application of these EnvoyFilters is as follows: all EnvoyFilters -in the config root -namespace, -followed by all matching EnvoyFilters in the workload’s namespace.

    - -

    NOTE 1: Some aspects of this API are deeply tied to the internal -implementation in Istio networking subsystem as well as Envoy’s XDS -API. While the EnvoyFilter API by itself will maintain backward -compatibility, any envoy configuration provided through this -mechanism should be carefully monitored across Istio proxy version -upgrades, to ensure that deprecated fields are removed and replaced +

    EnvoyFilter provides a mechanism to customize the Envoy
    +configuration generated by Istio Pilot. Use EnvoyFilter to modify
    +values for certain fields, add specific filters, or even add
    +entirely new listeners, clusters, etc. This feature must be used
    +with care, as incorrect configurations could potentially
    +destabilize the entire mesh. Unlike other Istio networking objects,
    +EnvoyFilters are additively applied. Any number of EnvoyFilters can
    +exist for a given workload in a specific namespace. The order of
    +application of these EnvoyFilters is as follows: all EnvoyFilters
    +in the config root
    +namespace
    ,
    +followed by all matching EnvoyFilters in the workload's namespace.

    +

    NOTE 1: Some aspects of this API are deeply tied to the internal
    +implementation in Istio networking subsystem as well as Envoy's XDS
    +API. While the EnvoyFilter API by itself will maintain backward
    +compatibility, any envoy configuration provided through this
    +mechanism should be carefully monitored across Istio proxy version
    +upgrades, to ensure that deprecated fields are removed and replaced
    appropriately.

    - -

    NOTE 2: When multiple EnvoyFilters are bound to the same -workload in a given namespace, all patches will be processed -sequentially in order of creation time. The behavior is undefined +

    NOTE 2: When multiple EnvoyFilters are bound to the same
    +workload in a given namespace, all patches will be processed
    +sequentially in order of creation time. The behavior is undefined
    if multiple EnvoyFilter configurations conflict with each other.

    - -

    NOTE 3: To apply an EnvoyFilter resource to all workloads -(sidecars and gateways) in the system, define the resource in the -config root -namespace, +

    NOTE 3: To apply an EnvoyFilter resource to all workloads
    +(sidecars and gateways) in the system, define the resource in the
    +config root
    +namespace
    ,
    without a workloadSelector.

    - -

    The example below declares a global default EnvoyFilter resource in -the root namespace called istio-config, that adds a custom -protocol filter on all sidecars in the system, for outbound port -9307. The filter should be added before the terminating tcp_proxy -filter to take effect. In addition, it sets a 30s idle timeout for +

    The example below declares a global default EnvoyFilter resource in
    +the root namespace called istio-config, that adds a custom
    +protocol filter on all sidecars in the system, for outbound port
    +9307. The filter should be added before the terminating tcp_proxy
    +filter to take effect. In addition, it sets a 30s idle timeout for
    all HTTP connections in both gateways and sidecars.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
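Review bot: the regenerated front matter now points the WARNING banner and `source_repo` at `https://github.com/ericvn/api` instead of `https://github.com/istio/api`, and switches `layout: protoc-gen-docs` to `layout: partner-component`. These look like artifacts of generating the docs against a personal fork; the files should be regenerated from `istio/api` (restoring `source_repo: https://github.com/istio/api` and the `protoc-gen-docs` layout) before the change is merged, otherwise every reference page will direct readers to the wrong source repository.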
    @@ -88,14 +83,12 @@
               common_http_protocol_options:
                 idle_timeout: 30s
     
    - -

    The following example enables Envoy’s Lua filter for all inbound -HTTP calls arriving at service port 8080 of the reviews service pod -with labels “app: reviews”, in the bookinfo namespace. The lua -filter calls out to an external service internal.org.net:8888 that -requires a special cluster definition in envoy. The cluster is also +

    The following example enables Envoy's Lua filter for all inbound
    +HTTP calls arriving at service port 8080 of the reviews service pod
    +with labels "app: reviews", in the bookinfo namespace. The lua
    +filter calls out to an external service internal.org.net:8888 that
    +requires a special cluster definition in envoy. The cluster is also
    added to the sidecar as part of this configuration.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
    @@ -159,12 +152,10 @@
                         address: "internal.org.net"
                         port_value: 8888
     
    - -

    The following example overwrites certain fields (HTTP idle timeout -and X-Forward-For trusted hops) in the HTTP connection manager in a -listener on the ingress gateway in istio-system namespace for the +

    The following example overwrites certain fields (HTTP idle timeout
    +and X-Forward-For trusted hops) in the HTTP connection manager in a
    +listener on the ingress gateway in istio-system namespace for the
    SNI host app.example.com:

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
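Review bot: `X-Forward-For` in the description of the ingress gateway example (`HTTP idle timeout and X-Forward-For trusted hops`) should read `X-Forwarded-For`, the actual header name; the misspelling appears on both the removed and the added lines, so correct it in the upstream proto comment rather than in this generated file.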
    @@ -192,11 +183,9 @@
               common_http_protocol_options:
                 idle_timeout: 30s
     
    - -

    The following example inserts an attributegen filter -that produces istio_operationId attribute which is consumed +

    The following example inserts an attributegen filter
    +that produces istio_operationId attribute which is consumed
    by the istio.stats filter. filterClass: STATS encodes this dependency.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
    @@ -237,9 +226,7 @@
                    code:
                      local: { inline_string: "envoy.wasm.attributegen" }
     
    -

    The following example inserts an http ext_authz filter in the myns namespace.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
    @@ -264,12 +251,10 @@
                 - key: foo
                   value: myauth.acme # required by local ext auth server.
     
    - -

    A workload in the myns namespace needs to access a different ext_auth server -that does not accept initial metadata. Since proto merge cannot remove fields, the -following configuration uses the REPLACE operation. If you do not need to inherit +

    A workload in the myns namespace needs to access a different ext_auth server
    +that does not accept initial metadata. Since proto merge cannot remove fields, the
    +following configuration uses the REPLACE operation. If you do not need to inherit
    fields, REPLACE is preferred over MERGE.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
    @@ -293,9 +278,7 @@
                 envoy_grpc:
                   cluster_name: acme-ext-authz-alt
     
    -

    The following example deploys a Wasm extension for all inbound sidecar HTTP requests.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
    @@ -348,12 +331,10 @@
                 ads: {}
               type_urls: ["type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm"]
     
    - -

    The following example adds a Wasm service extension for all proxies using a locally available Wasm file. -The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters. -For example, a local rate limit extension would rely on a singleton to limit requests across all workers. +

    The following example adds a Wasm service extension for all proxies using a locally available Wasm file.
    +The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters.
    +For example, a local rate limit extension would rely on a singleton to limit requests across all workers.
    As another example, an authorization Wasm extension can use a singleton to maintain a database of accounts.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: EnvoyFilter
     metadata:
    @@ -385,7 +366,7 @@
     
     

    EnvoyFilter

    -

    EnvoyFilter provides a mechanism to customize the Envoy configuration +

    EnvoyFilter provides a mechanism to customize the Envoy configuration
    generated by Istio Pilot.

    UNSPECIFIED -

    No load balancing algorithm has been specified by the user. Istio +

    No load balancing algorithm has been specified by the user. Istio
    will select an appropriate default.

    RANDOM -

    The random load balancer selects a random healthy host. The random -load balancer generally performs better than round robin if no health +

    The random load balancer selects a random healthy host. The random
    +load balancer generally performs better than round robin if no health
    checking policy is configured.

    PASSTHROUGH -

    This option will forward the connection to the original IP address -requested by the caller without doing any form of load -balancing. This option must be used with care. It is meant for -advanced use cases. Refer to Original Destination load balancer in +

    This option will forward the connection to the original IP address
    +requested by the caller without doing any form of load
    +balancing. This option must be used with care. It is meant for
    +advanced use cases. Refer to Original Destination load balancer in
    Envoy for further details.

    ROUND_ROBIN -

    A basic round robin load balancing policy. This is generally unsafe -for many scenarios (e.g. when enpoint weighting is used) as it can -overburden endpoints. In general, prefer to use LEAST_REQUEST as a +

    A basic round robin load balancing policy. This is generally unsafe
    +for many scenarios (e.g. when enpoint weighting is used) as it can
    +overburden endpoints. In general, prefer to use LEAST_REQUEST as a
    drop-in replacement for ROUND_ROBIN.

    LEAST_REQUEST -

    The least request load balancer spreads load across endpoints, favoring -endpoints with the least outstanding requests. This is generally safer -and outperforms ROUND_ROBIN in nearly all cases. Prefer to use +

    The least request load balancer spreads load across endpoints, favoring
    +endpoints with the least outstanding requests. This is generally safer
    +and outperforms ROUND_ROBIN in nearly all cases. Prefer to use
    LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

    DO_NOT_UPGRADE -

    Do not upgrade the connection to http2. +

    Do not upgrade the connection to http2.
    This opt-out option overrides the default.

    UPGRADE -

    Upgrade the connection to http2. +

    Upgrade the connection to http2.
    This opt-in option overrides the default.

    MUTUAL -

    Secure connections to the upstream using mutual TLS by presenting +

    Secure connections to the upstream using mutual TLS by presenting
    client certificates for authentication.

    ISTIO_MUTUAL -

    Secure connections to the upstream using mutual TLS by presenting -client certificates for authentication. -Compared to Mutual mode, this mode uses certificates generated -automatically by Istio for mTLS authentication. When this mode is +

    Secure connections to the upstream using mutual TLS by presenting
    +client certificates for authentication.
    +Compared to Mutual mode, this mode uses certificates generated
    +automatically by Istio for mTLS authentication. When this mode is
    used, all other fields in ClientTLSSettings should be empty.
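Review bot: `enpoint` in the ROUND_ROBIN description (`e.g. when enpoint weighting is used`) is misspelled on both the removed and the added lines, so the regeneration carried the typo over; fix it to `endpoint` in the upstream source comment rather than here.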

    @@ -402,13 +383,13 @@

    EnvoyFilter

    @@ -431,21 +412,18 @@

    EnvoyFilter

    @@ -474,13 +452,13 @@

    EnvoyFilter.ProxyMatch

    @@ -492,11 +470,11 @@

    EnvoyFilter.ProxyMatch

    @@ -509,7 +487,7 @@

    EnvoyFilter.ProxyMatch

    EnvoyFilter.ClusterMatch

    -

    Conditions specified in ClusterMatch must be met for the patch +

    Conditions specified in ClusterMatch must be met for the patch
    to be applied to a cluster.

    workloadSelector WorkloadSelector -

    Criteria used to select the specific set of pods/VMs on which -this patch configuration should be applied. If omitted, the set -of patches in this configuration will be applied to all workload -instances in the same namespace. If omitted, the EnvoyFilter -patches will be applied to all workloads in the same -namespace. If the EnvoyFilter is present in the config root -namespace, it will be applied to all applicable workloads in any +

    Criteria used to select the specific set of pods/VMs on which
    +this patch configuration should be applied. If omitted, the set
    +of patches in this configuration will be applied to all workload
    +instances in the same namespace. If omitted, the EnvoyFilter
    +patches will be applied to all workloads in the same
    +namespace. If the EnvoyFilter is present in the config root
    +namespace, it will be applied to all applicable workloads in any
    namespace.

    priority int32 -

    Priority defines the order in which patch sets are applied within a context. -When one patch depends on another patch, the order of patch application -is significant. The API provides two primary ways to order patches. -Patch sets in the root namespace are applied before the patch sets in the -workload namespace. Patches within a patch set are processed in the order +

    Priority defines the order in which patch sets are applied within a context.
    +When one patch depends on another patch, the order of patch application
    +is significant. The API provides two primary ways to order patches.
    +Patch sets in the root namespace are applied before the patch sets in the
    +workload namespace. Patches within a patch set are processed in the order
    that they appear in the configPatches list.

    - -

    The default value for priority is 0 and the range is [ min-int32, max-int32 ]. -A patch set with a negative priority is processed before the default. A patch +

    The default value for priority is 0 and the range is [ min-int32, max-int32 ].
    +A patch set with a negative priority is processed before the default. A patch
    set with a positive priority is processed after the default.

    - -

    It is recommended to start with priority values that are multiples of 10 +

    It is recommended to start with priority values that are multiples of 10
    to leave room for further insertion.

    - -

    Patch sets are sorted in the following ascending key order: +

    Patch sets are sorted in the following ascending key order:
    priority, creation time, fully qualified resource name.

    proxyVersion string -

    A regular expression in golang regex format (RE2) that can be -used to select proxies using a specific version of istio -proxy. The Istio version for a given proxy is obtained from the -node metadata field ISTIO_VERSION supplied by the proxy when -connecting to Pilot. This value is embedded as an environment -variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker -image. Custom proxy implementations should provide this metadata +

    A regular expression in golang regex format (RE2) that can be
    +used to select proxies using a specific version of istio
    +proxy. The Istio version for a given proxy is obtained from the
    +node metadata field ISTIO_VERSION supplied by the proxy when
    +connecting to Pilot. This value is embedded as an environment
    +variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker
    +image. Custom proxy implementations should provide this metadata
    variable to take advantage of the Istio version check option.

    metadata map<string, string> -

    Match on the node metadata supplied by a proxy when connecting -to Istio Pilot. Note that while Envoy’s node metadata is of -type Struct, only string key-value pairs are processed by -Pilot. All keys specified in the metadata must match with exact -values. The match will fail if any of the specified keys are +

    Match on the node metadata supplied by a proxy when connecting
    +to Istio Pilot. Note that while Envoy's node metadata is of
    +type Struct, only string key-value pairs are processed by
    +Pilot. All keys specified in the metadata must match with exact
    +values. The match will fail if any of the specified keys are
    absent or the values fail to match.
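Review bot: the `workloadSelector` description states the omitted-case behaviour twice in a row (`If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace. If omitted, the EnvoyFilter patches will be applied to all workloads in the same namespace.`), on the removed and added lines alike; one of the two sentences should be dropped in the upstream proto comment so the generated page stops repeating itself.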

    @@ -526,8 +504,8 @@

    EnvoyFilter.ClusterMatch

    @@ -539,10 +517,10 @@

    EnvoyFilter.ClusterMatch

    @@ -554,7 +532,7 @@

    EnvoyFilter.ClusterMatch

    @@ -566,9 +544,9 @@

    EnvoyFilter.ClusterMatch

    @@ -581,8 +559,8 @@

    EnvoyFilter.ClusterMatch

    EnvoyFilter.RouteConfigurationMatch

    -

    Conditions specified in RouteConfigurationMatch must be met for -the patch to be applied to a route configuration object or a +

    Conditions specified in RouteConfigurationMatch must be met for
    +the patch to be applied to a route configuration object or a
    specific virtual host within the route configuration.

    portNumber uint32 -

    The service port for which this cluster was generated. If -omitted, applies to clusters for any port. +

    The service port for which this cluster was generated. If
    +omitted, applies to clusters for any port.
    Note: for inbound cluster, it is the service target port.

    service string -

    The fully qualified service name for this cluster. If omitted, -applies to clusters for any service. For services defined -through service entries, the service name is same as the hosts -defined in the service entry. +

    The fully qualified service name for this cluster. If omitted,
    +applies to clusters for any service. For services defined
    +through service entries, the service name is same as the hosts
    +defined in the service entry.
    Note: for inbound cluster, this is ignored.

    subset string -

    The subset associated with the service. If omitted, applies to +

    The subset associated with the service. If omitted, applies to
    clusters for any subset of a service.

    name string -

    The exact name of the cluster to match. To match a specific -cluster by name, such as the internally generated Passthrough -cluster, leave all fields in clusterMatch empty, except the +

    The exact name of the cluster to match. To match a specific
    +cluster by name, such as the internally generated Passthrough
    +cluster, leave all fields in clusterMatch empty, except the
    name.

    @@ -599,8 +577,8 @@

    EnvoyFilter.RouteConfigurationMatch

    @@ -612,7 +590,7 @@

    EnvoyFilter.RouteConfigurationMatch

    @@ -624,11 +602,11 @@

    EnvoyFilter.RouteConfigurationMatch

    @@ -640,7 +618,7 @@

    EnvoyFilter.RouteConfigurationMatch

    @@ -652,8 +630,8 @@

    EnvoyFilter.RouteConfigurationMatch

    @@ -666,8 +644,8 @@

    EnvoyFilter.RouteConfigurationMatch

    EnvoyFilter.ListenerMatch

    -

    Conditions specified in a listener match must be met for the -patch to be applied to a specific listener across all filter +

    Conditions specified in a listener match must be met for the
    +patch to be applied to a specific listener across all filter
    chains, or a specific filter chain inside the listener.

    portNumber uint32 -

    The service port number or gateway server port number for which -this route configuration was generated. If omitted, applies to +

    The service port number or gateway server port number for which
    +this route configuration was generated. If omitted, applies to
    route configurations for all ports.

    portName string -

    Applicable only for GATEWAY context. The gateway server port +

    Applicable only for GATEWAY context. The gateway server port
    name for which this route configuration was generated.

    gateway string -

    The Istio gateway config’s namespace/name for which this route -configuration was generated. Applies only if the context is -GATEWAY. Should be in the namespace/name format. Use this field -in conjunction with the portNumber and portName to accurately -select the Envoy route configuration for a specific HTTPS +

    The Istio gateway config's namespace/name for which this route
    +configuration was generated. Applies only if the context is
    +GATEWAY. Should be in the namespace/name format. Use this field
    +in conjunction with the portNumber and portName to accurately
    +select the Envoy route configuration for a specific HTTPS
    server within a gateway config object.

    vhost VirtualHostMatch -

    Match a specific virtual host in a route configuration and +

    Match a specific virtual host in a route configuration and
    apply the patch to the virtual host.

    name string -

    Route configuration name to match on. Can be used to match a -specific route configuration by name, such as the internally +

    Route configuration name to match on. Can be used to match a
    +specific route configuration by name, such as the internally
    generated http_proxy route configuration for all sidecars.

    @@ -684,9 +662,9 @@

    EnvoyFilter.ListenerMatch

    @@ -698,9 +676,9 @@

    EnvoyFilter.ListenerMatch

    @@ -712,7 +690,7 @@

    EnvoyFilter.ListenerMatch

    @@ -752,7 +730,7 @@

    EnvoyFilter.Patch

    @@ -776,7 +754,7 @@

    EnvoyFilter.Patch

    EnvoyFilter.EnvoyConfigObjectMatch

    -

    One or more match conditions to be met before a patch is applied +

    One or more match conditions to be met before a patch is applied
    to the generated configuration for a given proxy.

    portNumber uint32 -

    The service port/gateway port to which traffic is being -sent/received. If not specified, matches all listeners. Even though -inbound listeners are generated for the instance/pod ports, only +

    The service port/gateway port to which traffic is being
    +sent/received. If not specified, matches all listeners. Even though
    +inbound listeners are generated for the instance/pod ports, only
    service ports should be used to match listeners.

    filterChain FilterChainMatch -

    Match a specific filter chain in a listener. If specified, the -patch will be applied to the filter chain (and a specific -filter if specified) and not to other filter chains in the +

    Match a specific filter chain in a listener. If specified, the
    +patch will be applied to the filter chain (and a specific
    +filter if specified) and not to other filter chains in the
    listener.

    name string -

    Match a specific listener by its name. The listeners generated +

    Match a specific listener by its name. The listeners generated
    by Pilot are typically named as IP:Port.

    value Struct -

    The JSON config of the object being patched. This will be merged using +

    The JSON config of the object being patched. This will be merged using
    proto merge semantics with the existing proto in the path.

    @@ -793,8 +771,8 @@

    EnvoyFilter.EnvoyConfigObjectMatchcontext

    @@ -867,14 +845,14 @@

    EnvoyFilter.EnvoyConfigObjectPatchapplyTo

    @@ -925,9 +903,9 @@

    EnvoyFilter.RouteConfigu

    @@ -967,9 +945,9 @@

    EnvoyFilter.RouteC

    @@ -993,9 +971,9 @@

    EnvoyFilter.RouteC

    EnvoyFilter.ListenerMatch.FilterChainMatch

    -

    For listeners with multiple filter chains (e.g., inbound -listeners on sidecars with permissive mTLS, gateway listeners -with multiple SNI matches), the filter chain match can be used +

    For listeners with multiple filter chains (e.g., inbound
    +listeners on sidecars with permissive mTLS, gateway listeners
    +with multiple SNI matches), the filter chain match can be used
    to select a specific filter chain to patch.

    PatchContext -

    The specific config generation context to match on. Istio Pilot -generates envoy configuration in the context of a gateway, +

    The specific config generation context to match on. Istio Pilot
    +generates envoy configuration in the context of a gateway,
    inbound traffic to sidecar and outbound traffic from sidecar.

    ApplyTo -

    Specifies where in the Envoy configuration, the patch should be -applied. The match is expected to select the appropriate -object based on applyTo. For example, an applyTo with -HTTP_FILTER is expected to have a match condition on the -listeners, with a network filter selection on -envoy.filters.network.http_connection_manager and a sub filter selection on the -HTTP filter relative to which the insertion should be -performed. Similarly, an applyTo on CLUSTER should have a match +

    Specifies where in the Envoy configuration, the patch should be
    +applied. The match is expected to select the appropriate
    +object based on applyTo. For example, an applyTo with
    +HTTP_FILTER is expected to have a match condition on the
    +listeners, with a network filter selection on
    +envoy.filters.network.http_connection_manager and a sub filter selection on the
    +HTTP filter relative to which the insertion should be
    +performed. Similarly, an applyTo on CLUSTER should have a match
    (if provided) on the cluster and not on a listener.

    name string -

    The Route objects generated by default are named as -default. Route objects generated using a virtual service -will carry the name used in the virtual service’s HTTP +

    The Route objects generated by default are named as
    +default. Route objects generated using a virtual service
    +will carry the name used in the virtual service's HTTP
    routes.

    name string -

    The VirtualHosts objects generated by Istio are named as -host:port, where the host typically corresponds to the -VirtualService’s host field or the hostname of a service in the +

    The VirtualHosts objects generated by Istio are named as
    +host:port, where the host typically corresponds to the
    +VirtualService's host field or the hostname of a service in the
    registry.

    @@ -1023,8 +1001,8 @@

    EnvoyFilter.ListenerMatch.Fi

    @@ -1036,14 +1014,12 @@

    EnvoyFilter.ListenerMatch.Fi

    @@ -1075,8 +1050,8 @@

    EnvoyFilter.ListenerMatch.Fi

    @@ -1088,7 +1063,7 @@

    EnvoyFilter.ListenerMatch.Fi

    @@ -1117,8 +1092,8 @@

    EnvoyFilter.ListenerMatch.FilterM

    @@ -1130,8 +1105,8 @@

    EnvoyFilter.ListenerMatch.FilterM

    @@ -1144,9 +1119,9 @@

    EnvoyFilter.ListenerMatch.FilterM

    EnvoyFilter.ListenerMatch.SubFilterMatch

    -

    Conditions to match a specific filter within another -filter. This field is typically useful to match a HTTP filter -inside the envoy.filters.network.http_connection_manager network filter. +

    Conditions to match a specific filter within another
    +filter. This field is typically useful to match a HTTP filter
    +inside the envoy.filters.network.http_connection_manager network filter.
    This could also be applicable for thrift filters.

    sni string -

    The SNI value used by a filter chain’s match condition. This -condition will evaluate to false if the filter chain has no +

    The SNI value used by a filter chain's match condition. This
    +condition will evaluate to false if the filter chain has no
    sni match.

    transportProtocol string -

    Applies only to SIDECAR_INBOUND context. If non-empty, a -transport protocol to consider when determining a filter -chain match. This value will be compared against the -transport protocol of a new connection, when it’s detected by +

    Applies only to SIDECAR_INBOUND context. If non-empty, a
    +transport protocol to consider when determining a filter
    +chain match. This value will be compared against the
    +transport protocol of a new connection, when it's detected by
    the tls_inspector listener filter.

    -

    Accepted values include:

    -
    • raw_buffer - default, used when no transport protocol is detected.
    • tls - set when TLS protocol is detected by the TLS inspector.
    • @@ -1058,12 +1034,11 @@

      EnvoyFilter.ListenerMatch.Fi

    applicationProtocols string -

    Applies only to sidecars. If non-empty, a comma separated set -of application protocols to consider when determining a -filter chain match. This value will be compared against the -application protocols of a new connection, when it’s detected +

    Applies only to sidecars. If non-empty, a comma separated set
    +of application protocols to consider when determining a
    +filter chain match. This value will be compared against the
    +application protocols of a new connection, when it's detected
    by one of the listener filters such as the http_inspector.

    -

    Accepted values include: h2, http/1.1, http/1.0

    filter FilterMatch -

    The name of a specific filter to apply the patch to. Set this -to envoy.filters.network.http_connection_manager to add a filter or apply a +

    The name of a specific filter to apply the patch to. Set this
    +to envoy.filters.network.http_connection_manager to add a filter or apply a
    patch to the HTTP connection manager.

    destinationPort uint32 -

    The destination_port value used by a filter chain’s match condition. +

    The destination_port value used by a filter chain's match condition.
    This condition will evaluate to false if the filter chain has no destination_port match.

    name string -

    The filter name to match on. -For standard Envoy filters, canonical filter +

    The filter name to match on.
    +For standard Envoy filters, canonical filter
    names should be used.

    subFilter SubFilterMatch -

    The next level filter within this filter to match -upon. Typically used for HTTP Connection Manager filters and +

    The next level filter within this filter to match
    +upon. Typically used for HTTP Connection Manager filters and
    Thrift filters.

    @@ -1218,7 +1193,7 @@

    EnvoyFilter.Route

    EnvoyFilter.Patch.Operation

    -

    Operation denotes how the patch should be applied to the selected +

    Operation denotes how the patch should be applied to the selected
    configuration.

    @@ -1237,8 +1212,8 @@

    EnvoyFilter.Patch.Operation

    @@ -1246,9 +1221,9 @@

    EnvoyFilter.Patch.Operation

    @@ -1256,10 +1231,10 @@

    EnvoyFilter.Patch.Operation

    @@ -1267,14 +1242,14 @@

    EnvoyFilter.Patch.Operation

    @@ -1282,14 +1257,14 @@

    EnvoyFilter.Patch.Operation

    @@ -1297,14 +1272,14 @@

    EnvoyFilter.Patch.Operation

    @@ -1312,9 +1287,9 @@

    EnvoyFilter.Patch.Operation

    @@ -1324,14 +1299,14 @@

    EnvoyFilter.Patch.Operation

    EnvoyFilter.Patch.FilterClass

    -

    FilterClass determines the filter insertion point in the filter chain -relative to the filters implicitly inserted by the control plane. -It is used in conjuction with the ADD operation. -This is the preferred insertion mechanism for adding filters over -the INSERT_* operations since those operations rely on potentially unstable -filter names. -Filter ordering is important if your filter depends on or affects the -functioning of a another filter in the filter chain. +

    FilterClass determines the filter insertion point in the filter chain
    +relative to the filters implicitly inserted by the control plane.
    +It is used in conjuction with the ADD operation.
    +This is the preferred insertion mechanism for adding filters over
    +the INSERT_* operations since those operations rely on potentially unstable
    +filter names.
    +Filter ordering is important if your filter depends on or affects the
    +functioning of a another filter in the filter chain.
    Within a filter class, filters are inserted in the order of processing.

    MERGE -

    Merge the provided config with the generated config using -proto merge semantics. If you are specifying config in its +

    Merge the provided config with the generated config using
    +proto merge semantics. If you are specifying config in its
    entirety, use REPLACE instead.

    ADD -

    Add the provided config to an existing list (of listeners, -clusters, virtual hosts, network filters, or http -filters). This operation will be ignored when applyTo is set +

    Add the provided config to an existing list (of listeners,
    +clusters, virtual hosts, network filters, or http
    +filters). This operation will be ignored when applyTo is set
    to ROUTE_CONFIGURATION, or HTTP_ROUTE.

    REMOVE -

    Remove the selected object from the list (of listeners, -clusters, virtual hosts, network filters, routes, or http -filters). Does not require a value to be specified. This -operation will be ignored when applyTo is set to +

    Remove the selected object from the list (of listeners,
    +clusters, virtual hosts, network filters, routes, or http
    +filters). Does not require a value to be specified. This
    +operation will be ignored when applyTo is set to
    ROUTE_CONFIGURATION, or HTTP_ROUTE.

    INSERT_BEFORE -

    Insert operation on an array of named objects. This operation -is typically useful only in the context of filters or routes, -where the order of elements matter. Routes should be ordered -based on most to least specific matching criteria since the -first matching element is selected. For clusters and virtual hosts, -order of the element in the array does not matter. Insert -before the selected filter or sub filter. If no filter is -selected, the specified filter will be inserted at the front +

    Insert operation on an array of named objects. This operation
    +is typically useful only in the context of filters or routes,
    +where the order of elements matter. Routes should be ordered
    +based on most to least specific matching criteria since the
    +first matching element is selected. For clusters and virtual hosts,
    +order of the element in the array does not matter. Insert
    +before the selected filter or sub filter. If no filter is
    +selected, the specified filter will be inserted at the front
    of the list.

    INSERT_AFTER -

    Insert operation on an array of named objects. This operation -is typically useful only in the context of filters or routes, -where the order of elements matter. Routes should be ordered -based on most to least specific matching criteria since the -first matching element is selected. For clusters and virtual hosts, -order of the element in the array does not matter. Insert -after the selected filter or sub filter. If no filter is -selected, the specified filter will be inserted at the end +

    Insert operation on an array of named objects. This operation
    +is typically useful only in the context of filters or routes,
    +where the order of elements matter. Routes should be ordered
    +based on most to least specific matching criteria since the
    +first matching element is selected. For clusters and virtual hosts,
    +order of the element in the array does not matter. Insert
    +after the selected filter or sub filter. If no filter is
    +selected, the specified filter will be inserted at the end
    of the list.

    INSERT_FIRST -

    Insert operation on an array of named objects. This operation -is typically useful only in the context of filters or routes, -where the order of elements matter. Routes should be ordered -based on most to least specific matching criteria since the -first matching element is selected. For clusters and virtual hosts, -order of the element in the array does not matter. Insert -first in the list based on the presence of selected filter or not. -This is specifically useful when you want your filter first in the +

    Insert operation on an array of named objects. This operation
    +is typically useful only in the context of filters or routes,
    +where the order of elements matter. Routes should be ordered
    +based on most to least specific matching criteria since the
    +first matching element is selected. For clusters and virtual hosts,
    +order of the element in the array does not matter. Insert
    +first in the list based on the presence of selected filter or not.
    +This is specifically useful when you want your filter first in the
    list based on a match condition specified in Match clause.

    REPLACE -

    Replace contents of a named filter with new contents. -REPLACE operation is only valid for HTTP_FILTER and -NETWORK_FILTER. If the named filter is not found, this operation +

    Replace contents of a named filter with new contents.
    +REPLACE operation is only valid for HTTP_FILTER and
    +NETWORK_FILTER. If the named filter is not found, this operation
    has no effect.
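Review bot: the regenerated FilterClass description in this hunk carries two typos straight from the source comment, `conjuction` and `a another`, and the three INSERT_* descriptions each read `where the order of elements matter` (should be `matters`). Since these pages are generated from the proto comments in istio/api, the fix belongs in the proto source rather than in this output; as it stands the patch only rewraps the typos and republishes them.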

    @@ -1345,7 +1320,7 @@

    EnvoyFilter.Patch.FilterClass

    @@ -1408,7 +1383,7 @@

    EnvoyFilter.ApplyTo

    @@ -1416,8 +1391,8 @@

    EnvoyFilter.ApplyTo

    @@ -1425,9 +1400,9 @@

    EnvoyFilter.ApplyTo

    @@ -1442,7 +1417,7 @@

    EnvoyFilter.ApplyTo

    @@ -1457,7 +1432,7 @@

    EnvoyFilter.ApplyTo

    @@ -1474,7 +1449,7 @@

    EnvoyFilter.ApplyTo

    EnvoyFilter.PatchContext

    -

    PatchContext selects a class of configurations based on the +

    PatchContext selects a class of configurations based on the
    traffic flow direction and workload type.

    UNSPECIFIED -

    Control plane decides where to insert the filter. +

    Control plane decides where to insert the filter.
    Do not specify FilterClass if the filter is independent of others.

    NETWORK_FILTER -

    Applies the patch to the network filter chain, to modify an +

    Applies the patch to the network filter chain, to modify an
    existing filter or add a new filter.

    HTTP_FILTER -

    Applies the patch to the HTTP filter chain in the http -connection manager, to modify an existing filter or add a new +

    Applies the patch to the HTTP filter chain in the http
    +connection manager, to modify an existing filter or add a new
    filter.

    ROUTE_CONFIGURATION -

    Applies the patch to the Route configuration (rds output) -inside a HTTP connection manager. This does not apply to the -virtual host. Currently, only MERGE operation is allowed on the +

    Applies the patch to the Route configuration (rds output)
    +inside a HTTP connection manager. This does not apply to the
    +virtual host. Currently, only MERGE operation is allowed on the
    route configuration objects.

    HTTP_ROUTE -

    Applies the patch to a route object inside the matched virtual +

    Applies the patch to a route object inside the matched virtual
    host in a route configuration.

    EXTENSION_CONFIG -

    Applies the patch to or adds an extension config in ECDS output. Note that ECDS +

    Applies the patch to or adds an extension config in ECDS output. Note that ECDS
    is only supported by HTTP filters.

    diff --git a/content/zh/docs/reference/config/networking/gateway/index.html b/content/zh/docs/reference/config/networking/gateway/index.html index 62570d2ac9bdd..5695edea2fee5 100644 --- a/content/zh/docs/reference/config/networking/gateway/index.html +++ b/content/zh/docs/reference/config/networking/gateway/index.html @@ -1,31 +1,27 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Gateway description: Configuration affecting edge load balancer. location: https://istio.io/docs/reference/config/networking/gateway.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.Gateway aliases: [/zh/docs/reference/config/networking/v1alpha3/gateway] number_of_entries: 6 --- -

    Gateway describes a load balancer operating at the edge of the mesh -receiving incoming or outgoing HTTP/TCP connections. The specification -describes a set of ports that should be exposed, the type of protocol to +

    Gateway describes a load balancer operating at the edge of the mesh
    +receiving incoming or outgoing HTTP/TCP connections. The specification
    +describes a set of ports that should be exposed, the type of protocol to
    use, SNI configuration for the load balancer, etc.

    - -

    For example, the following Gateway configuration sets up a proxy to act -as a load balancer exposing port 80 and 9080 (http), 443 (https), -9443(https) and port 2379 (TCP) for ingress. The gateway will be -applied to the proxy running on a pod with labels app: -my-gateway-controller. While Istio will configure the proxy to listen -on these ports, it is the responsibility of the user to ensure that +

    For example, the following Gateway configuration sets up a proxy to act
    +as a load balancer exposing port 80 and 9080 (http), 443 (https),
    +9443(https) and port 2379 (TCP) for ingress. The gateway will be
    +applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen
    +on these ports, it is the responsibility of the user to ensure that
    external traffic to these ports are allowed into the mesh.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
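Review bot: the frontmatter in this hunk now points the WARNING line and `source_repo` at `https://github.com/ericvn/api`, a personal fork, instead of `https://github.com/istio/api`, and swaps `layout: protoc-gen-docs` for `layout: partner-component`; the same substitution appears in every file header of this patch. If the fork was only used to test the Goldmark rendering, regenerate against istio/api before merge so the published pages do not tell readers to edit a fork, and confirm the site actually has a `partner-component` layout that renders these reference tables. Minor: `external traffic to these ports are allowed` in the description should be `is allowed` (upstream comment).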
    @@ -77,11 +73,8 @@
         hosts:
         - "*"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Gateway
     metadata:
    @@ -133,28 +126,23 @@
         hosts:
         - "*"
     
    - -

    {{}} -{{}}

    - -

    The Gateway specification above describes the L4-L6 properties of a load -balancer. A VirtualService can then be bound to a gateway to control +

    {{}}
    +{{}}

    +

    The Gateway specification above describes the L4-L6 properties of a load
    +balancer. A VirtualService can then be bound to a gateway to control
    the forwarding of traffic arriving at a particular host or gateway port.

    - -

    For example, the following VirtualService splits traffic for -https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews, -http://uk.bookinfo.com:9080/reviews, -http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of -an internal reviews service on port 9080. In addition, requests -containing the cookie “user: dev-123” will be sent to special port 7777 -in the qa version. The same rule is also applicable inside the mesh for -requests to the “reviews.prod.svc.cluster.local” service. This rule is -applicable across ports 443, 9080. Note that http://uk.bookinfo.com +

    For example, the following VirtualService splits traffic for
    +https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews,
    +http://uk.bookinfo.com:9080/reviews,
    +http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of
    +an internal reviews service on port 9080. In addition, requests
    +containing the cookie "user: dev-123" will be sent to special port 7777
    +in the qa version. The same rule is also applicable inside the mesh for
    +requests to the "reviews.prod.svc.cluster.local" service. This rule is
    +applicable across ports 443, 9080. Note that http://uk.bookinfo.com
    gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -191,11 +179,8 @@
             host: reviews.qa.svc.cluster.local
           weight: 20
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -232,18 +217,14 @@
             host: reviews.qa.svc.cluster.local
           weight: 20
     
    - -

    {{}} -{{}}

    - -

    The following VirtualService forwards traffic arriving at (external) -port 27017 to internal Mongo server on port 5555. This rule is not -applicable internally in the mesh as the gateway list omits the +

    {{}}
    +{{}}

    +

    The following VirtualService forwards traffic arriving at (external)
    +port 27017 to internal Mongo server on port 5555. This rule is not
    +applicable internally in the mesh as the gateway list omits the
    reserved name mesh.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -263,11 +244,8 @@
             port:
               number: 5555
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -287,19 +265,15 @@
             port:
               number: 5555
     
    - -

    {{}} -{{}}

    - -

    It is possible to restrict the set of virtual services that can bind to -a gateway server using the namespace/hostname syntax in the hosts field. -For example, the following Gateway allows any virtual service in the ns1 -namespace to bind to it, while restricting only the virtual service with +

    {{}}
    +{{}}

    +

    It is possible to restrict the set of virtual services that can bind to
    +a gateway server using the namespace/hostname syntax in the hosts field.
    +For example, the following Gateway allows any virtual service in the ns1
    +namespace to bind to it, while restricting only the virtual service with
    foo.bar.com host in the ns2 namespace to bind to it.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
    @@ -317,11 +291,8 @@
         - "ns1/*"
         - "ns2/foo.bar.com"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Gateway
     metadata:
    @@ -339,13 +310,12 @@
         - "ns1/*"
         - "ns2/foo.bar.com"
     
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    Gateway

    -

    Gateway describes a load balancer operating at the edge of the mesh +

    Gateway describes a load balancer operating at the edge of the mesh
    receiving incoming or outgoing HTTP/TCP connections.

    @@ -373,17 +343,17 @@

    Gateway

    @@ -396,12 +366,10 @@

    Gateway

    Server

    -

    Server describes the properties of the proxy on a given load balancer +

    Server describes the properties of the proxy on a given load balancer
    port. For example,

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
    @@ -417,11 +385,8 @@ 

    Server

    hosts: - "*"
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Gateway
     metadata:
    @@ -437,15 +402,11 @@ 

    Server

    hosts: - "*"
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    Another example

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
    @@ -461,11 +422,8 @@ 

    Server

    hosts: - "*"
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Gateway
     metadata:
    @@ -481,15 +439,11 @@ 

    Server

    hosts: - "*"
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    The following is an example of TLS configuration for port 443

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
    @@ -508,11 +462,8 @@ 

    Server

    mode: SIMPLE credentialName: tls-cert
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Gateway
     metadata:
    @@ -531,9 +482,8 @@ 

    Server

    mode: SIMPLE credentialName: tls-cert
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    selector map<string, string> -

    One or more labels that indicate a specific set of pods/VMs -on which this gateway configuration should be applied. -By default workloads are searched across all namespaces based on label selectors. -This implies that a gateway resource in the namespace “foo” can select pods in -the namespace “bar” based on labels. -This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE -environment variable in istiod. If this variable is set -to true, the scope of label search is restricted to the configuration -namespace in which the the resource is present. In other words, the Gateway -resource must reside in the same namespace as the gateway workload -instance. +

    One or more labels that indicate a specific set of pods/VMs
    +on which this gateway configuration should be applied.
    +By default workloads are searched across all namespaces based on label selectors.
    +This implies that a gateway resource in the namespace "foo" can select pods in
    +the namespace "bar" based on labels.
    +This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE
    +environment variable in istiod. If this variable is set
    +to true, the scope of label search is restricted to the configuration
    +namespace in which the the resource is present. In other words, the Gateway
    +resource must reside in the same namespace as the gateway workload
    +instance.
    If selector is nil, the Gateway will be applied to all workloads.
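Review bot: the `selector` description in this hunk repeats a word, `the configuration namespace in which the the resource is present`; it comes from the proto comment and should be fixed there so the regenerated page stops reproducing it. The rest of the rewrap is a faithful copy of the upstream text, including the note that cross-namespace selection is the default unless `PILOT_SCOPE_GATEWAY_TO_NAMESPACE` is set.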

    @@ -549,7 +499,7 @@

    Server

    @@ -561,13 +511,13 @@

    Server

    @@ -579,34 +529,31 @@

    Server

    @@ -618,8 +565,8 @@

    Server

    @@ -631,8 +578,8 @@

    Server

    @@ -672,9 +619,9 @@

    Port

    @@ -697,7 +644,7 @@

    Port

    @@ -724,7 +671,7 @@

    ServerTLSSettings

    @@ -736,8 +683,8 @@

    ServerTLSSettings

    @@ -749,7 +696,7 @@

    ServerTLSSettings

    @@ -761,8 +708,8 @@

    ServerTLSSettings

    @@ -786,16 +733,15 @@

    ServerTLSSettings

    @@ -807,7 +753,7 @@

    ServerTLSSettings

    @@ -819,10 +765,10 @@

    ServerTLSSettings

    @@ -834,11 +780,11 @@

    ServerTLSSettings

    @@ -872,7 +818,7 @@

    ServerTLSSettings

    @@ -898,8 +844,8 @@

    ServerTLSSettings.TLSmode

    @@ -914,7 +860,7 @@

    ServerTLSSettings.TLSmode

    @@ -922,16 +868,16 @@

    ServerTLSSettings.TLSmode

    @@ -939,11 +885,11 @@

    ServerTLSSettings.TLSmode

    diff --git a/content/zh/docs/reference/config/networking/proxy-config/index.html b/content/zh/docs/reference/config/networking/proxy-config/index.html index 866d9897db11f..188fcd931a3f8 100644 --- a/content/zh/docs/reference/config/networking/proxy-config/index.html +++ b/content/zh/docs/reference/config/networking/proxy-config/index.html @@ -1,30 +1,25 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: ProxyConfig description: Provides configuration for individual workloads. location: https://istio.io/docs/reference/config/networking/proxy-config.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1beta1.ProxyConfig aliases: [/zh/docs/reference/config/networking/v1beta1/proxy-config] number_of_entries: 2 --- -

    ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis, -a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented +

    ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis,
    +a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented
    inline with each field.

    -

    NOTE: fields in ProxyConfig are not dynamically configured - changes will require restart of workloads to take effect.

    - -

    For any namespace, including the root configuration namespace, it is only valid +

    For any namespace, including the root configuration namespace, it is only valid
    to have a single workload selector-less ProxyConfig resource.

    - -

    For resources with a workload selector, it is only valid to have one resource selecting +

    For resources with a workload selector, it is only valid to have one resource selecting
    any given workload.

    - -

    For mesh level configuration, put the resource in the root configuration namespace for +

    For mesh level configuration, put the resource in the root configuration namespace for
    your Istio installation without a workload selector:

    -
    apiVersion: networking.istio.io/v1beta1
     kind: ProxyConfig
     metadata:
    @@ -35,9 +30,7 @@
       image:
         imageType: distroless
     
    -

    For namespace level configuration, put the resource in the desired namespace without a workload selector:

    -
    apiVersion: networking.istio.io/v1beta1
     kind: ProxyConfig
     metadata:
    @@ -46,9 +39,7 @@
     spec:
       concurrency: 0
     
    -

    For workload level configuration, set the selector field on the ProxyConfig resource:

    -
    apiVersion: networking.istio.io/v1beta1
     kind: ProxyConfig
     metadata:
    @@ -62,9 +53,8 @@
       image:
         imageType: debug
     
    - -

    If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present, -with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and +

    If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present,
    +with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and
    meshConfig.DefaultConfig is set, the two resources will be merged with the CR taking precedence for overlapping fields.

    ProxyConfig

    @@ -85,7 +75,7 @@

    ProxyConfig

    @@ -97,8 +87,8 @@

    ProxyConfig

    @@ -110,7 +100,7 @@

    ProxyConfig

    @@ -134,9 +124,9 @@

    ProxyConfig

    ProxyImage

    -

    The following values are used to construct proxy image url. -format: ${hub}/${image_name}/${tag}-${image_type}, -example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless. +

    The following values are used to construct proxy image url.
    +format: ${hub}/${image_name}/${tag}-${image_type},
    +example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless.
    This information was previously part of the Values API.

    port Port -

    The Port on which the proxy should listen for incoming +

    The Port on which the proxy should listen for incoming
    connections.

    bind string -

    The ip or the Unix domain socket to which the listener should be bound -to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar -(Linux abstract namespace). When using Unix domain sockets, the port -number should be 0. -This can be used to restrict the reachability of this server to be gateway internal only. -This is typically used when a gateway needs to communicate to another mesh service -e.g. publishing metrics. In such case, the server created with the +

    The ip or the Unix domain socket to which the listener should be bound
    +to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar
    +(Linux abstract namespace). When using Unix domain sockets, the port
    +number should be 0.
    +This can be used to restrict the reachability of this server to be gateway internal only.
    +This is typically used when a gateway needs to communicate to another mesh service
    +e.g. publishing metrics. In such case, the server created with the
    specified bind will not be available to external gateway clients.

    hosts string[] -

    One or more hosts exposed by this gateway. -While typically applicable to -HTTP services, it can also be used for TCP services using TLS with SNI. -A host is specified as a dnsName with an optional namespace/ prefix. -The dnsName should be specified using FQDN format, optionally including -a wildcard character in the left-most component (e.g., prod/*.example.com). -Set the dnsName to * to select all VirtualService hosts from the +

    One or more hosts exposed by this gateway.
    +While typically applicable to
    +HTTP services, it can also be used for TCP services using TLS with SNI.
    +A host is specified as a dnsName with an optional namespace/ prefix.
    +The dnsName should be specified using FQDN format, optionally including
    +a wildcard character in the left-most component (e.g., prod/*.example.com).
    +Set the dnsName to * to select all VirtualService hosts from the
    specified namespace (e.g.,prod/*).

    - -

    The namespace can be set to * or ., representing any or the current -namespace, respectively. For example, */foo.example.com selects the -service from any available namespace while ./foo.example.com only selects -the service from the namespace of the sidecar. The default, if no namespace/ -is specified, is */, that is, select services from any namespace. +

    The namespace can be set to * or ., representing any or the current
    +namespace, respectively. For example, */foo.example.com selects the
    +service from any available namespace while ./foo.example.com only selects
    +the service from the namespace of the sidecar. The default, if no namespace/
    +is specified, is */, that is, select services from any namespace.
    Any associated DestinationRule in the selected namespace will also be used.

    - -

    A VirtualService must be bound to the gateway and must have one or -more hosts that match the hosts specified in a server. The match -could be an exact match or a suffix match with the server’s hosts. For -example, if the server’s hosts specifies *.example.com, a -VirtualService with hosts dev.example.com or prod.example.com will -match. However, a VirtualService with host example.com or +

    A VirtualService must be bound to the gateway and must have one or
    +more hosts that match the hosts specified in a server. The match
    +could be an exact match or a suffix match with the server's hosts. For
    +example, if the server's hosts specifies *.example.com, a
    +VirtualService with hosts dev.example.com or prod.example.com will
    +match. However, a VirtualService with host example.com or
    newexample.com will not match.

    - -

    NOTE: Only virtual services exported to the gateway’s namespace -(e.g., exportTo value of *) can be referenced. -Private configurations (e.g., exportTo set to .) will not be -available. Refer to the exportTo setting in VirtualService, +

    NOTE: Only virtual services exported to the gateway's namespace
    +(e.g., exportTo value of *) can be referenced.
    +Private configurations (e.g., exportTo set to .) will not be
    +available. Refer to the exportTo setting in VirtualService,
    DestinationRule, and ServiceEntry configurations for details.

    tls ServerTLSSettings -

    Set of TLS related options that govern the server’s behavior. Use -these options to control if all http requests should be redirected to +

    Set of TLS related options that govern the server's behavior. Use
    +these options to control if all http requests should be redirected to
    https, and the TLS modes to use.

    name string -

    An optional name of the server, when set must be unique across all servers. -This will be used for variety of purposes like prefixing stats generated with +

    An optional name of the server, when set must be unique across all servers.
    +This will be used for variety of purposes like prefixing stats generated with
    this name etc.

    protocol string -

    The protocol exposed on the port. -MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. -TLS implies the connection will be routed based on the SNI header to +

    The protocol exposed on the port.
    +MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
    +TLS implies the connection will be routed based on the SNI header to
    the destination without terminating the TLS connection.

    targetPort uint32 -

    The port number on the endpoint where the traffic will be +

    The port number on the endpoint where the traffic will be
    received. Applicable only when used with ServiceEntries.

    httpsRedirect bool -

    If set to true, the load balancer will send a 301 redirect for +

    If set to true, the load balancer will send a 301 redirect for
    all http connections, asking the clients to use HTTPS.

    mode TLSmode -

    Optional: Indicates whether connections to this port should be -secured using TLS. The value of this field determines how TLS is +

    Optional: Indicates whether connections to this port should be
    +secured using TLS. The value of this field determines how TLS is
    enforced.

    serverCertificate string -

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
    holding the server-side TLS certificate to use.

    privateKey string -

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server’s private key.

    +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
    +holding the server's private key.
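Review bot: every changed line in this hunk is either a re-wrap of the same sentence or a swap of the typographic apostrophe for ASCII (`server’s hosts` becomes `server's hosts`, `gateway’s namespace` becomes `gateway's namespace`), so the rendered text changes even though the documentation content does not; confirm that dropping smart punctuation is intended site-wide with the Goldmark move and not a missing typographer setting, because the same substitution lands in every generated reference page in this PR.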

    @@ -773,8 +720,8 @@

    ServerTLSSettings

    caCertificates string -

    REQUIRED if mode is MUTUAL. The path to a file containing -certificate authority certificates to use in verifying a presented +

    REQUIRED if mode is MUTUAL. The path to a file containing
    +certificate authority certificates to use in verifying a presented
    client side certificate.

    credentialName string -

    For gateways running on Kubernetes, the name of the secret that -holds the TLS certs including the CA certificates. Applicable -only on Kubernetes. The secret (of type generic) should -contain the following keys and values: key: -<privateKey> and cert: <serverCert>. For mutual TLS, -cacert: <CACertificate> can be provided in the same secret or -a separate secret named <secret>-cacert. -Secret of type tls for server certificates along with -ca.crt key for CA certificates is also supported. -Only one of server certificates and CA certificate +

    For gateways running on Kubernetes, the name of the secret that
    +holds the TLS certs including the CA certificates. Applicable
    +only on Kubernetes. The secret (of type generic) should
    +contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS,
    +cacert: <CACertificate> can be provided in the same secret or
    +a separate secret named <secret>-cacert.
    +Secret of type tls for server certificates along with
    +ca.crt key for CA certificates is also supported.
    +Only one of server certificates and CA certificate
    or credentialName can be specified.

    subjectAltNames string[] -

    A list of alternate names to verify the subject identity in the +

    A list of alternate names to verify the subject identity in the
    certificate presented by the client.

    verifyCertificateSpki string[] -

    An optional list of base64-encoded SHA-256 hashes of the SPKIs of -authorized client certificates. -Note: When both verify_certificate_hash and verify_certificate_spki -are specified, a hash matching either value will result in the +

    An optional list of base64-encoded SHA-256 hashes of the SPKIs of
    +authorized client certificates.
    +Note: When both verify_certificate_hash and verify_certificate_spki
    +are specified, a hash matching either value will result in the
    certificate being accepted.

    verifyCertificateHash string[] -

    An optional list of hex-encoded SHA-256 hashes of the -authorized client certificates. Both simple and colon separated -formats are acceptable. -Note: When both verify_certificate_hash and verify_certificate_spki -are specified, a hash matching either value will result in the +

    An optional list of hex-encoded SHA-256 hashes of the
    +authorized client certificates. Both simple and colon separated
    +formats are acceptable.
    +Note: When both verify_certificate_hash and verify_certificate_spki
    +are specified, a hash matching either value will result in the
    certificate being accepted.

    cipherSuites string[] -

    Optional: If specified, only support the specified cipher list. +

    Optional: If specified, only support the specified cipher list.
    Otherwise default to the default cipher list supported by Envoy.

    PASSTHROUGH -

    The SNI string presented by the client will be used as the -match criterion in a VirtualService TLS route to determine +

    The SNI string presented by the client will be used as the
    +match criterion in a VirtualService TLS route to determine
    the destination service from the service registry.

    MUTUAL -

    Secure connections to the downstream using mutual TLS by +

    Secure connections to the downstream using mutual TLS by
    presenting server certificates for authentication.

    AUTO_PASSTHROUGH -

    Similar to the passthrough mode, except servers with this TLS -mode do not require an associated VirtualService to map from -the SNI value to service in the registry. The destination -details such as the service/subset/port are encoded in the -SNI value. The proxy will forward to the upstream (Envoy) -cluster (a group of endpoints) specified by the SNI -value. This server is typically used to provide connectivity -between services in disparate L3 networks that otherwise do -not have direct connectivity between their respective -endpoints. Use of this mode assumes that both the source and +

    Similar to the passthrough mode, except servers with this TLS
    +mode do not require an associated VirtualService to map from
    +the SNI value to service in the registry. The destination
    +details such as the service/subset/port are encoded in the
    +SNI value. The proxy will forward to the upstream (Envoy)
    +cluster (a group of endpoints) specified by the SNI
    +value. This server is typically used to provide connectivity
    +between services in disparate L3 networks that otherwise do
    +not have direct connectivity between their respective
    +endpoints. Use of this mode assumes that both the source and
    the destination are using Istio mTLS to secure traffic.

    ISTIO_MUTUAL -

    Secure connections from the downstream using mutual TLS by -presenting server certificates for authentication. Compared -to Mutual mode, this mode uses certificates, representing -gateway workload identity, generated automatically by Istio -for mTLS authentication. When this mode is used, all other +

    Secure connections from the downstream using mutual TLS by
    +presenting server certificates for authentication. Compared
    +to Mutual mode, this mode uses certificates, representing
    +gateway workload identity, generated automatically by Istio
    +for mTLS authentication. When this mode is used, all other
    fields in TLSOptions should be empty.

    selector WorkloadSelector -

    Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. +

    Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied.
    If not set, the ProxyConfig resource will be applied to all workloads in the namespace where this resource is defined.

    concurrency Int32Value -

    The number of worker threads to run. -If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using +

    The number of worker threads to run.
    +If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using
    CPU requests and limits to choose a value, with limits taking precedence over requests.

    environmentVariables map<string, string> -

    Additional environment variables for the proxy. +

    Additional environment variables for the proxy.
    Names starting with ISTIO_META_ will be included in the generated bootstrap configuration and sent to the XDS server.
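Review bot: in the credentialName description the placeholders `key: <privateKey> and cert: <serverCert>` are now joined onto one line; in the generated HTML these angle-bracket tokens must be entity-escaped or wrapped in inline code, otherwise the browser parses `<privateKey>` as an unknown tag and the text vanishes from the rendered page, so please spot-check the rendered gateway page for that sentence and the `cacert: <CACertificate>` one after it.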

    @@ -153,9 +143,9 @@

    ProxyImage

    diff --git a/content/zh/docs/reference/config/networking/service-entry/index.html b/content/zh/docs/reference/config/networking/service-entry/index.html index 2088e61c6f524..7429905302050 100644 --- a/content/zh/docs/reference/config/networking/service-entry/index.html +++ b/content/zh/docs/reference/config/networking/service-entry/index.html @@ -1,38 +1,35 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Service Entry description: Configuration affecting service registry. location: https://istio.io/docs/reference/config/networking/service-entry.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.ServiceEntry aliases: [/zh/docs/reference/config/networking/v1alpha3/service-entry] number_of_entries: 3 --- -

    ServiceEntry enables adding additional entries into Istio’s -internal service registry, so that auto-discovered services in the -mesh can access/route to these manually specified services. A -service entry describes the properties of a service (DNS name, -VIPs, ports, protocols, endpoints). These services could be -external to the mesh (e.g., web APIs) or mesh-internal services -that are not part of the platform’s service registry (e.g., a set -of VMs talking to services in Kubernetes). In addition, the -endpoints of a service entry can also be dynamically selected by -using the workloadSelector field. These endpoints can be VM -workloads declared using the WorkloadEntry object or Kubernetes -pods. The ability to select both pods and VMs under a single -service allows for migration of services from VMs to Kubernetes -without having to change the existing DNS names associated with the +

    ServiceEntry enables adding additional entries into Istio's
    +internal service registry, so that auto-discovered services in the
    +mesh can access/route to these manually specified services. A
    +service entry describes the properties of a service (DNS name,
    +VIPs, ports, protocols, endpoints). These services could be
    +external to the mesh (e.g., web APIs) or mesh-internal services
    +that are not part of the platform's service registry (e.g., a set
    +of VMs talking to services in Kubernetes). In addition, the
    +endpoints of a service entry can also be dynamically selected by
    +using the workloadSelector field. These endpoints can be VM
    +workloads declared using the WorkloadEntry object or Kubernetes
    +pods. The ability to select both pods and VMs under a single
    +service allows for migration of services from VMs to Kubernetes
    +without having to change the existing DNS names associated with the
    services.

    - -

    The following example declares a few external APIs accessed by internal -applications over HTTPS. The sidecar inspects the SNI value in the +

    The following example declares a few external APIs accessed by internal
    +applications over HTTPS. The sidecar inspects the SNI value in the
    ClientHello message to route to the appropriate external service.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
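Review bot: the front matter in this hunk now points `source_repo` at `https://github.com/ericvn/api` (and the WARNING line at the same personal fork) and changes `layout: protoc-gen-docs` to `layout: partner-component`; both look like artifacts of generating against a test fork, and neither should be merged as-is, since the warning tells readers where the canonical source lives and the layout switch changes which template renders every reference page. Regenerate from `istio/api` before this lands, or confirm explicitly that `partner-component` is the intended new layout for protoc-gen-docs output.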
    @@ -49,11 +46,8 @@
         protocol: TLS
       resolution: DNS
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -70,18 +64,14 @@
         protocol: TLS
       resolution: DNS
     
    - -

    {{}} -{{}}

    - -

    The following configuration adds a set of MongoDB instances running on -unmanaged VMs to Istio’s registry, so that these services can be treated -as any other service in the mesh. The associated DestinationRule is used +

    {{}}
    +{{}}

    +

    The following configuration adds a set of MongoDB instances running on
    +unmanaged VMs to Istio's registry, so that these services can be treated
    +as any other service in the mesh. The associated DestinationRule is used
    to initiate mTLS connections to the database instances.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -101,11 +91,8 @@
       - address: 2.2.2.2
       - address: 3.3.3.3
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -125,15 +112,11 @@
       - address: 2.2.2.2
       - address: 3.3.3.3
     
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    and the associated DestinationRule

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -147,11 +130,8 @@
           privateKey: /etc/certs/client_private_key.pem
           caCertificates: /etc/certs/rootcacerts.pem
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -165,17 +145,13 @@
           privateKey: /etc/certs/client_private_key.pem
           caCertificates: /etc/certs/rootcacerts.pem
     
    - -

    {{}} -{{}}

    - -

    The following example uses a combination of service entry and TLS -routing in a virtual service to steer traffic based on the SNI value to +

    {{}}
    +{{}}

    +

    The following example uses a combination of service entry and TLS
    +routing in a virtual service to steer traffic based on the SNI value to
    an internal egress firewall.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -191,11 +167,8 @@
         protocol: TLS
       resolution: NONE
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -211,15 +184,11 @@
         protocol: TLS
       resolution: NONE
     
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    And the associated VirtualService to route based on the SNI value.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -237,11 +206,8 @@
         - destination:
             host: internal-egress-firewall.ns1.svc.cluster.local
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -259,25 +225,20 @@
         - destination:
             host: internal-egress-firewall.ns1.svc.cluster.local
     
    - -

    {{}} -{{}}

    - -

    The virtual service with TLS match serves to override the default SNI -match. In the absence of a virtual service, traffic will be forwarded to +

    {{}}
    +{{}}

    +

    The virtual service with TLS match serves to override the default SNI
    +match. In the absence of a virtual service, traffic will be forwarded to
    the wikipedia domains.

    - -

    The following example demonstrates the use of a dedicated egress gateway -through which all external service traffic is forwarded. -The ‘exportTo’ field allows for control over the visibility of a service -declaration to other namespaces in the mesh. By default, a service is exported -to all namespaces. The following example restricts the visibility to the -current namespace, represented by “.”, so that it cannot be used by other +

    The following example demonstrates the use of a dedicated egress gateway
    +through which all external service traffic is forwarded.
    +The 'exportTo' field allows for control over the visibility of a service
    +declaration to other namespaces in the mesh. By default, a service is exported
    +to all namespaces. The following example restricts the visibility to the
    +current namespace, represented by ".", so that it cannot be used by other
    namespaces.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -295,11 +256,8 @@
         protocol: HTTP
       resolution: DNS
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -317,15 +275,11 @@
         protocol: HTTP
       resolution: DNS
     
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    Define a gateway to handle all egress traffic.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Gateway
     metadata:
    @@ -342,11 +296,8 @@
        hosts:
        - "*"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Gateway
     metadata:
    @@ -363,20 +314,16 @@
        hosts:
        - "*"
     
    - -

    {{}} -{{}}

    - -

    And the associated VirtualService to route from the sidecar to the -gateway service (istio-egressgateway.istio-system.svc.cluster.local), as -well as route from the gateway to the external service. Note that the -virtual service is exported to all namespaces enabling them to route traffic -through the gateway to the external service. Forcing traffic to go through +

    {{}}
    +{{}}

    +

    And the associated VirtualService to route from the sidecar to the
    +gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
    +well as route from the gateway to the external service. Note that the
    +virtual service is exported to all namespaces enabling them to route traffic
    +through the gateway to the external service. Forcing traffic to go through
    a managed middle proxy like this is a common practice.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -406,11 +353,8 @@
         - destination:
             host: example.com
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -440,18 +384,14 @@
         - destination:
             host: example.com
     
    - -

    {{}} -{{}}

    - -

    The following example demonstrates the use of wildcards in the hosts for -external services. If the connection has to be routed to the IP address -requested by the application (i.e. application resolves DNS and attempts +

    {{}}
    +{{}}

    +

    The following example demonstrates the use of wildcards in the hosts for
    +external services. If the connection has to be routed to the IP address
    +requested by the application (i.e. application resolves DNS and attempts
    to connect to a specific IP), the discovery mode must be set to NONE.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -466,11 +406,8 @@
         protocol: HTTP
       resolution: NONE
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -485,17 +422,13 @@
         protocol: HTTP
       resolution: NONE
     
    - -

    {{}} -{{}}

    - -

    The following example demonstrates a service that is available via a -Unix Domain Socket on the host of the client. The resolution must be +

    {{}}
    +{{}}

    +

    The following example demonstrates a service that is available via a
    +Unix Domain Socket on the host of the client. The resolution must be
    set to STATIC to use Unix address endpoints.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -512,11 +445,8 @@
       endpoints:
       - address: unix:///var/run/example/socket
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -533,21 +463,17 @@
       endpoints:
       - address: unix:///var/run/example/socket
     
    - -

    {{}} -{{}}

    - -

    For HTTP-based services, it is possible to create a VirtualService -backed by multiple DNS addressable endpoints. In such a scenario, the -application can use the HTTP_PROXY environment variable to transparently -reroute API calls for the VirtualService to a chosen backend. For -example, the following configuration creates a non-existent external -service called foo.bar.com backed by three domains: us.foo.bar.com:8080, +

    {{}}
    +{{}}

    +

    For HTTP-based services, it is possible to create a VirtualService
    +backed by multiple DNS addressable endpoints. In such a scenario, the
    +application can use the HTTP_PROXY environment variable to transparently
    +reroute API calls for the VirtualService to a chosen backend. For
    +example, the following configuration creates a non-existent external
    +service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
    uk.foo.bar.com:9080, and in.foo.bar.com:7080

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -572,11 +498,8 @@
         ports:
           http: 7080
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -601,22 +524,17 @@
         ports:
           http: 7080
     
    - -

    {{}} -{{}}

    - -

    With HTTP_PROXY=http://localhost/, calls from the application to -http://foo.bar.com will be load balanced across the three domains -specified above. In other words, a call to http://foo.bar.com/baz would +

    {{}}
    +{{}}

    +

    With HTTP_PROXY=http://localhost/, calls from the application to
    +http://foo.bar.com will be load balanced across the three domains
    +specified above. In other words, a call to http://foo.bar.com/baz would
    be translated to http://uk.foo.bar.com/baz.

    - -

    The following example illustrates the usage of a ServiceEntry -containing a subject alternate name +

    The following example illustrates the usage of a ServiceEntry
    +containing a subject alternate name
    whose format conforms to the SPIFFE standard:

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -637,11 +555,8 @@
       subjectAltNames:
       - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -662,25 +577,21 @@
       subjectAltNames:
       - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
     
    - -

    {{}} -{{}}

    - -

    The following example demonstrates the use of ServiceEntry with a -workloadSelector to handle the migration of a service -details.bookinfo.com from VMs to Kubernetes. The service has two -VM-based instances with sidecars as well as a set of Kubernetes -pods managed by a standard deployment object. Consumers of this -service in the mesh will be automatically load balanced across the -VMs and Kubernetes. VM for the details.bookinfo.com -service. This VM has sidecar installed and bootstrapped using the -details-legacy service account. The sidecar receives HTTP traffic -on port 80 (wrapped in istio mutual TLS) and forwards it to the +

    {{}}
    +{{}}

    +

    The following example demonstrates the use of ServiceEntry with a
    +workloadSelector to handle the migration of a service
    +details.bookinfo.com from VMs to Kubernetes. The service has two
    +VM-based instances with sidecars as well as a set of Kubernetes
    +pods managed by a standard deployment object. Consumers of this
    +service in the mesh will be automatically load balanced across the
    +VMs and Kubernetes. VM for the details.bookinfo.com
    +service. This VM has sidecar installed and bootstrapped using the
    +details-legacy service account. The sidecar receives HTTP traffic
    +on port 80 (wrapped in istio mutual TLS) and forwards it to the
    application on the localhost on the same port.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: WorkloadEntry
     metadata:
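Review bot: both the removed and the added text of the workloadSelector paragraph run `...load balanced across the VMs and Kubernetes. VM for the details.bookinfo.com service. This VM has sidecar installed...`, which reads as a sentence fragment; since the wording is identical before and after, the Goldmark output does not repair it, and the fix belongs in the proto comment in the api repo rather than in this auto-generated file.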
    @@ -703,11 +614,8 @@
         app: details
         instance-id: vm2
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: WorkloadEntry
     metadata:
    @@ -730,18 +638,14 @@
         app: details
         instance-id: vm2
     
    - -

    {{}} -{{}}

    - -

    Assuming there is also a Kubernetes deployment with pod labels -app: details using the same service account details, the -following service entry declares a service spanning both VMs and +

    {{}}
    +{{}}

    +

    Assuming there is also a Kubernetes deployment with pod labels
    +app: details using the same service account details, the
    +following service entry declares a service spanning both VMs and
    Kubernetes:

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -759,11 +663,8 @@
         labels:
           app: details
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -781,13 +682,12 @@
         labels:
           app: details
     
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    ServiceEntry

    -

    ServiceEntry enables adding additional entries into Istio’s internal +

    ServiceEntry enables adding additional entries into Istio's internal
    service registry.

    imageType string -

    The image type of the image. -Istio publishes default, debug, and distroless images. -Other values are allowed if those image types (example: centos) are published to the specified hub. +

    The image type of the image.
    +Istio publishes default, debug, and distroless images.
    +Other values are allowed if those image types (example: centos) are published to the specified hub.
    supported values: default, debug, distroless.

    @@ -804,31 +704,27 @@

    ServiceEntry

    @@ -865,8 +761,8 @@

    ServiceEntry

    @@ -878,7 +774,7 @@

    ServiceEntry

    @@ -890,9 +786,9 @@

    ServiceEntry

    @@ -904,7 +800,7 @@

    ServiceEntry

    @@ -916,11 +812,11 @@

    ServiceEntry

    @@ -932,21 +828,18 @@

    ServiceEntry

    @@ -958,12 +851,11 @@

    ServiceEntry

    @@ -976,11 +868,11 @@

    ServiceEntry

    ServiceEntry.Location

    -

    Location specifies whether the service is part of Istio mesh or -outside the mesh. Location determines the behavior of several -features, such as service-to-service mTLS authentication, policy -enforcement, etc. When communicating with services outside the mesh, -Istio’s mTLS authentication is disabled, and policy enforcement is +

    Location specifies whether the service is part of Istio mesh or
    +outside the mesh. Location determines the behavior of several
    +features, such as service-to-service mTLS authentication, policy
    +enforcement, etc. When communicating with services outside the mesh,
    +Istio's mTLS authentication is disabled, and policy enforcement is
    performed on the client-side as opposed to server-side.

    hosts string[] -

    The hosts associated with the ServiceEntry. Could be a DNS +

    The hosts associated with the ServiceEntry. Could be a DNS
    name with wildcard prefix.

    -
    1. The hosts field is used to select matching hosts in VirtualServices and DestinationRules.
    2. For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field.
    3. -
    4. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value +
    5. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
      will be matched against the hosts field.
    - -

    NOTE 1: When resolution is set to type DNS and no endpoints -are specified, the host field will be used as the DNS name of the +

    NOTE 1: When resolution is set to type DNS and no endpoints
    +are specified, the host field will be used as the DNS name of the
    endpoint to route traffic to.

    - -

    NOTE 2: If the hostname matches with the name of a service -from another service registry such as Kubernetes that also -supplies its own set of endpoints, the ServiceEntry will be -treated as a decorator of the existing Kubernetes -service. Properties in the service entry will be added to the -Kubernetes service if applicable. Currently, the only the +

    NOTE 2: If the hostname matches with the name of a service
    +from another service registry such as Kubernetes that also
    +supplies its own set of endpoints, the ServiceEntry will be
    +treated as a decorator of the existing Kubernetes
    +service. Properties in the service entry will be added to the
    +Kubernetes service if applicable. Currently, the only the
    following additional properties will be considered by istiod:

    -
      -
    1. subjectAltNames: In addition to verifying the SANs of the -service accounts associated with the pods of the service, the +
    2. subjectAltNames: In addition to verifying the SANs of the
      +service accounts associated with the pods of the service, the
      SANs specified here will also be verified.
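Review bot: the duplicated article in "Currently, the only the following additional properties will be considered by istiod" (NOTE 2 of the hosts description) is carried unchanged into the + lines; because this page is auto-generated, the fix belongs in the proto comment in istio/api, not in this HTML. In the same region the bullet "For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value" appears once removed and once added with identical wording, so only wrapping or whitespace changed there; a whitespace-insensitive diff would confirm nothing else in the list moved.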
    @@ -841,19 +737,19 @@

    ServiceEntry

    addresses string[] -

    The virtual IP addresses associated with the service. Could be CIDR -prefix. For HTTP traffic, generated route configurations will include http route -domains for both the addresses and hosts field values and the destination will -be identified based on the HTTP Host/Authority header. -If one or more IP addresses are specified, -the incoming traffic will be identified as belonging to this service -if the destination IP matches the IP/CIDRs specified in the addresses -field. If the Addresses field is empty, traffic will be identified -solely based on the destination port. In such scenarios, the port on -which the service is being accessed must not be shared by any other -service in the mesh. In other words, the sidecar will behave as a -simple TCP proxy, forwarding incoming traffic on a specified port to -the specified destination endpoint IP/host. Unix domain socket +

    The virtual IP addresses associated with the service. Could be CIDR
    +prefix. For HTTP traffic, generated route configurations will include http route
    +domains for both the addresses and hosts field values and the destination will
    +be identified based on the HTTP Host/Authority header.
    +If one or more IP addresses are specified,
    +the incoming traffic will be identified as belonging to this service
    +if the destination IP matches the IP/CIDRs specified in the addresses
    +field. If the Addresses field is empty, traffic will be identified
    +solely based on the destination port. In such scenarios, the port on
    +which the service is being accessed must not be shared by any other
    +service in the mesh. In other words, the sidecar will behave as a
    +simple TCP proxy, forwarding incoming traffic on a specified port to
    +the specified destination endpoint IP/host. Unix domain socket
    addresses are not supported in this field.

    ports Port[] -

    The ports associated with the external service. If the -Endpoints are Unix domain socket addresses, there must be exactly one +

    The ports associated with the external service. If the
    +Endpoints are Unix domain socket addresses, there must be exactly one
    port.

    location Location -

    Specify whether the service should be considered external to the mesh +

    Specify whether the service should be considered external to the mesh
    or part of the mesh.

    resolution Resolution -

    Service discovery mode for the hosts. Care must be taken -when setting the resolution mode to NONE for a TCP port without -accompanying IP addresses. In such cases, traffic to any IP on +

    Service discovery mode for the hosts. Care must be taken
    +when setting the resolution mode to NONE for a TCP port without
    +accompanying IP addresses. In such cases, traffic to any IP on
    said port will be allowed (i.e. 0.0.0.0:<port>).

    endpoints WorkloadEntry[] -

    One or more endpoints associated with the service. Only one of +

    One or more endpoints associated with the service. Only one of
    endpoints or workloadSelector can be specified.

    workloadSelector WorkloadSelector -

    Applicable only for MESH_INTERNAL services. Only one of -endpoints or workloadSelector can be specified. Selects one -or more Kubernetes pods or VM workloads (specified using -WorkloadEntry) based on their labels. The WorkloadEntry object -representing the VMs should be defined in the same namespace as +

    Applicable only for MESH_INTERNAL services. Only one of
    +endpoints or workloadSelector can be specified. Selects one
    +or more Kubernetes pods or VM workloads (specified using
    +WorkloadEntry) based on their labels. The WorkloadEntry object
    +representing the VMs should be defined in the same namespace as
    the ServiceEntry.

    exportTo string[] -

    A list of namespaces to which this service is exported. Exporting a service -allows it to be used by sidecars, gateways and virtual services defined in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of services across +

    A list of namespaces to which this service is exported. Exporting a service
    +allows it to be used by sidecars, gateways and virtual services defined in
    +other namespaces. This feature provides a mechanism for service owners
    +and mesh administrators to control the visibility of services across
    namespace boundaries.

    - -

    If no namespaces are specified then the service is exported to all +

    If no namespaces are specified then the service is exported to all
    namespaces by default.

    - -

    The value “.” is reserved and defines an export to the same namespace that -the service is declared in. Similarly the value “*” is reserved and +

    The value "." is reserved and defines an export to the same namespace that
    +the service is declared in. Similarly the value "*" is reserved and
    defines an export to all namespaces.

    - -

    For a Kubernetes Service, the equivalent effect can be achieved by setting -the annotation “networking.istio.io/exportTo” to a comma-separated list +

    For a Kubernetes Service, the equivalent effect can be achieved by setting
    +the annotation "networking.istio.io/exportTo" to a comma-separated list
    of namespace names.

    subjectAltNames string[] -

    If specified, the proxy will verify that the server certificate’s +

    If specified, the proxy will verify that the server certificate's
    subject alternate name matches one of the specified values.

    - -

    NOTE: When using the workloadEntry with workloadSelectors, the -service account specified in the workloadEntry will also be used -to derive the additional subject alternate names that should be +

    NOTE: When using the workloadEntry with workloadSelectors, the
    +service account specified in the workloadEntry will also be used
    +to derive the additional subject alternate names that should be
    verified.
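Review bot: the regenerated text in this hunk replaces typographic quotes with ASCII ones ("." and "*" in the exportTo description, the "networking.istio.io/exportTo" annotation, "certificate's" in subjectAltNames), so this is a rendering-wide change rather than a local edit. If curly quotes are wanted, enable Goldmark's Typographer extension in the generator; if straight quotes are intentional, say so in the PR description so reviewers of the other regenerated reference pages know to expect the same diff noise.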

    @@ -994,7 +886,7 @@

    ServiceEntry.Location

    @@ -1002,9 +894,9 @@

    ServiceEntry.Location

    @@ -1014,14 +906,14 @@

    ServiceEntry.Location

    ServiceEntry.Resolution

    -

    Resolution determines how the proxy will resolve the IP addresses of -the network endpoints associated with the service, so that it can -route to one of them. The resolution mode specified here has no impact -on how the application resolves the IP address associated with the -service. The application may still have to use DNS to resolve the -service to an IP so that the outbound traffic can be captured by the -Proxy. Alternatively, for HTTP services, the application could -directly communicate with the proxy (e.g., by setting HTTP_PROXY) to +

    Resolution determines how the proxy will resolve the IP addresses of
    +the network endpoints associated with the service, so that it can
    +route to one of them. The resolution mode specified here has no impact
    +on how the application resolves the IP address associated with the
    +service. The application may still have to use DNS to resolve the
    +service to an IP so that the outbound traffic can be captured by the
    +Proxy. Alternatively, for HTTP services, the application could
    +directly communicate with the proxy (e.g., by setting HTTP_PROXY) to
    talk to these services.

    MESH_EXTERNAL -

    Signifies that the service is external to the mesh. Typically used +

    Signifies that the service is external to the mesh. Typically used
    to indicate external services consumed through APIs.

    MESH_INTERNAL -

    Signifies that the service is part of the mesh. Typically used to -indicate services added explicitly as part of expanding the service -mesh to include unmanaged infrastructure (e.g., VMs added to a +

    Signifies that the service is part of the mesh. Typically used to
    +indicate services added explicitly as part of expanding the service
    +mesh to include unmanaged infrastructure (e.g., VMs added to a
    Kubernetes based service mesh).

    @@ -1035,11 +927,11 @@

    ServiceEntry.Resolution

    @@ -1047,7 +939,7 @@

    ServiceEntry.Resolution

    @@ -1055,12 +947,12 @@

    ServiceEntry.Resolution

    @@ -1068,15 +960,15 @@

    ServiceEntry.Resolution

    diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html index 81d5dc21dcb92..6db0dc95de84d 100644 --- a/content/zh/docs/reference/config/networking/sidecar/index.html +++ b/content/zh/docs/reference/config/networking/sidecar/index.html @@ -1,60 +1,54 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Sidecar description: Configuration affecting network reachability of a sidecar. location: https://istio.io/docs/reference/config/networking/sidecar.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.Sidecar aliases: [/zh/docs/reference/config/networking/v1alpha3/sidecar] number_of_entries: 7 --- -

    Sidecar describes the configuration of the sidecar proxy that mediates -inbound and outbound communication to the workload instance it is attached to. By -default, Istio will program all sidecar proxies in the mesh with the -necessary configuration required to reach every workload instance in the mesh, as -well as accept traffic on all the ports associated with the -workload. The Sidecar configuration provides a way to fine tune the set of -ports, protocols that the proxy will accept when forwarding traffic to -and from the workload. In addition, it is possible to restrict the set -of services that the proxy can reach when forwarding outbound traffic +

    Sidecar describes the configuration of the sidecar proxy that mediates
    +inbound and outbound communication to the workload instance it is attached to. By
    +default, Istio will program all sidecar proxies in the mesh with the
    +necessary configuration required to reach every workload instance in the mesh, as
    +well as accept traffic on all the ports associated with the
    +workload. The Sidecar configuration provides a way to fine tune the set of
    +ports, protocols that the proxy will accept when forwarding traffic to
    +and from the workload. In addition, it is possible to restrict the set
    +of services that the proxy can reach when forwarding outbound traffic
    from workload instances.

    - -

    Services and configuration in a mesh are organized into one or more -namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar -configuration in a namespace will apply to one or more workload instances in the same -namespace, selected using the workloadSelector field. In the absence of a -workloadSelector, it will apply to all workload instances in the same -namespace. When determining the Sidecar configuration to be applied to a -workload instance, preference will be given to the resource with a -workloadSelector that selects this workload instance, over a Sidecar configuration +

    Services and configuration in a mesh are organized into one or more
    +namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar
    +configuration in a namespace will apply to one or more workload instances in the same
    +namespace, selected using the workloadSelector field. In the absence of a
    +workloadSelector, it will apply to all workload instances in the same
    +namespace. When determining the Sidecar configuration to be applied to a
    +workload instance, preference will be given to the resource with a
    +workloadSelector that selects this workload instance, over a Sidecar configuration
    without any workloadSelector.

    - -

    NOTE 1: Each namespace can have only one Sidecar -configuration without any workloadSelector that specifies the -default for all pods in that namespace. It is recommended to use -the name default for the namespace-wide sidecar. The behavior of -the system is undefined if more than one selector-less Sidecar -configurations exist in a given namespace. The behavior of the -system is undefined if two or more Sidecar configurations with a +

    NOTE 1: Each namespace can have only one Sidecar
    +configuration without any workloadSelector
    that specifies the
    +default for all pods in that namespace
    . It is recommended to use
    +the name default for the namespace-wide sidecar. The behavior of
    +the system is undefined if more than one selector-less Sidecar
    +configurations exist in a given namespace. The behavior of the
    +system is undefined if two or more Sidecar configurations with a
    workloadSelector select the same workload instance.

    - -

    NOTE 2: A Sidecar configuration in the MeshConfig -root namespace -will be applied by default to all namespaces without a Sidecar -configuration. This global default Sidecar configuration should not have +

    NOTE 2: A Sidecar configuration in the MeshConfig
    +root namespace
    +will be applied by default to all namespaces without a Sidecar
    +configuration
    . This global default Sidecar configuration should not have
    any workloadSelector.

    - -

    The example below declares a global default Sidecar configuration -in the root namespace called istio-config, that configures -sidecars in all namespaces to allow egress traffic only to other -workloads in the same namespace as well as to services in the +

    The example below declares a global default Sidecar configuration
    +in the root namespace called istio-config, that configures
    +sidecars in all namespaces to allow egress traffic only to other
    +workloads in the same namespace as well as to services in the
    istio-system namespace.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Sidecar
     metadata:
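Review bot: the front matter in this hunk now points the generated file at a personal fork: source_repo and the WARNING line name https://github.com/ericvn/api instead of https://github.com/istio/api, and layout changes from protoc-gen-docs to partner-component. Both read as leftovers from testing the generator against the fork; before merge, regenerate from istio/api so the source pointer is correct, and confirm that partner-component is the intended layout for reference pages rather than a fork-side default. Separately, in NOTE 1 and NOTE 2 the added lines now break before "that specifies the", before ". It is recommended to use" and before ". This global default", which suggests an inline element (likely a link) is being emitted on its own line; check the rendered page for stray whitespace ahead of the period.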
    @@ -66,11 +60,8 @@
         - "./*"
         - "istio-system/*"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Sidecar
     metadata:
    @@ -82,19 +73,15 @@
         - "./*"
         - "istio-system/*"
     
    - -

    {{}} -{{}}

    - -

    The example below declares a Sidecar configuration in the -prod-us1 namespace that overrides the global default defined -above, and configures the sidecars in the namespace to allow egress -traffic to public services in the prod-us1, prod-apis, and the +

    {{}}
    +{{}}

    +

    The example below declares a Sidecar configuration in the
    +prod-us1 namespace that overrides the global default defined
    +above, and configures the sidecars in the namespace to allow egress
    +traffic to public services in the prod-us1, prod-apis, and the
    istio-system namespaces.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Sidecar
     metadata:
    @@ -107,11 +94,8 @@
         - "prod-apis/*"
         - "istio-system/*"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Sidecar
     metadata:
    @@ -124,22 +108,18 @@
         - "prod-apis/*"
         - "istio-system/*"
     
    - -

    {{}} -{{}}

    - -

    The following example declares a Sidecar configuration in the -prod-us1 namespace for all pods with labels app: ratings -belonging to the ratings.prod-us1 service. The workload accepts -inbound HTTP traffic on port 9080. The traffic is then forwarded to -the attached workload instance listening on a Unix domain -socket. In the egress direction, in addition to the istio-system -namespace, the sidecar proxies only HTTP traffic bound for port +

    {{}}
    +{{}}

    +

    The following example declares a Sidecar configuration in the
    +prod-us1 namespace for all pods with labels app: ratings
    +belonging to the ratings.prod-us1 service. The workload accepts
    +inbound HTTP traffic on port 9080. The traffic is then forwarded to
    +the attached workload instance listening on a Unix domain
    +socket. In the egress direction, in addition to the istio-system
    +namespace, the sidecar proxies only HTTP traffic bound for port
    9080 for services in the prod-us1 namespace.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Sidecar
     metadata:
    @@ -165,11 +145,8 @@
       - hosts:
         - "istio-system/*"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Sidecar
     metadata:
    @@ -195,28 +172,24 @@
       - hosts:
         - "istio-system/*"
     
    - -

    {{}} -{{}}

    - -

    If the workload is deployed without IPTables-based traffic capture, -the Sidecar configuration is the only way to configure the ports -on the proxy attached to the workload instance. The following -example declares a Sidecar configuration in the prod-us1 -namespace for all pods with labels app: productpage belonging to -the productpage.prod-us1 service. Assuming that these pods are -deployed without IPtable rules (i.e. the istio-init container) -and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to -NONE, the specification, below, allows such pods to receive HTTP -traffic on port 9080 (wrapped inside Istio mutual TLS) and forward -it to the application listening on 127.0.0.1:8080. It also allows -the application to communicate with a backing MySQL database on -127.0.0.1:3306, that then gets proxied to the externally hosted +

    {{}}
    +{{}}

    +

    If the workload is deployed without IPTables-based traffic capture,
    +the Sidecar configuration is the only way to configure the ports
    +on the proxy attached to the workload instance. The following
    +example declares a Sidecar configuration in the prod-us1
    +namespace for all pods with labels app: productpage belonging to
    +the productpage.prod-us1 service. Assuming that these pods are
    +deployed without IPtable rules (i.e. the istio-init container)
    +and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to
    +NONE, the specification, below, allows such pods to receive HTTP
    +traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
    +it to the application listening on 127.0.0.1:8080. It also allows
    +the application to communicate with a backing MySQL database on
    +127.0.0.1:3306, that then gets proxied to the externally hosted
    MySQL service at mysql.foo.com:3306.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Sidecar
     metadata:
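Review bot: style only, and present in both the - and + text: the productpage paragraph spells the same mechanism "IPTables-based" and "IPtable rules" within a few lines, and "the specification, below, allows" carries two stray commas. Since the page is generated, correct these in the istio/api source comment rather than here.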
    @@ -243,11 +216,8 @@
         hosts:
         - "*/mysql.foo.com"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Sidecar
     metadata:
    @@ -274,15 +244,11 @@
         hosts:
         - "*/mysql.foo.com"
     
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    And the associated service entry for routing to mysql.foo.com:3306

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -298,11 +264,8 @@
       location: MESH_EXTERNAL
       resolution: DNS
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -318,26 +281,21 @@
       location: MESH_EXTERNAL
       resolution: DNS
     
    - -

    {{}} -{{}}

    - -

    It is also possible to mix and match traffic capture modes in a single -proxy. For example, consider a setup where internal services are on the -192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all -outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an -additional network interface on 172.16.0.0/16 subnet for inbound -traffic. The following Sidecar configuration allows the VM to expose a -listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the +

    {{}}
    +{{}}

    +

    It is also possible to mix and match traffic capture modes in a single
    +proxy. For example, consider a setup where internal services are on the
    +192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
    +outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an
    +additional network interface on 172.16.0.0/16 subnet for inbound
    +traffic. The following Sidecar configuration allows the VM to expose a
    +listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the
    172.16.0.0/16 subnet.

    - -

    NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the -proxy in the VM should contain REDIRECT or TPROXY as its value, +

    NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the
    +proxy in the VM should contain REDIRECT or TPROXY as its value,
    implying that IP tables based traffic capture is active.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Sidecar
     metadata:
    @@ -364,11 +322,8 @@
         hosts:
         - "*/*"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: Sidecar
     metadata:
    @@ -395,26 +350,22 @@
         hosts:
         - "*/*"
     
    - -

    {{}} -{{}}

    - -

    The following example declares a Sidecar configuration in the -prod-us1 namespace for all pods with labels app: ratings -belonging to the ratings.prod-us1 service. The service accepts -inbound HTTPS traffic on port 8443 and the sidecar proxy terminates -one way TLS using the given server certificates. -The traffic is then forwarded to the attached workload instance -listening on a Unix domain socket. -It is expected that PeerAuthentication policy would be configured -in order to set mTLS mode to “DISABLE” on specific -ports. -In this example, the mTLS mode is disabled on PORT 80. +

    {{}}
    +{{}}

    +

    The following example declares a Sidecar configuration in the
    +prod-us1 namespace for all pods with labels app: ratings
    +belonging to the ratings.prod-us1 service. The service accepts
    +inbound HTTPS traffic on port 8443 and the sidecar proxy terminates
    +one way TLS using the given server certificates.
    +The traffic is then forwarded to the attached workload instance
    +listening on a Unix domain socket.
    +It is expected that PeerAuthentication policy would be configured
    +in order to set mTLS mode to "DISABLE" on specific
    +ports.
    +In this example, the mTLS mode is disabled on PORT 80.
    This feature is currently experimental.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: Sidecar
     metadata:
    @@ -435,11 +386,8 @@
           privateKey: "/etc/certs/privatekey.pem"
           serverCertificate: "/etc/certs/servercert.pem"
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: v1
     kind: Service
     metadata:
    @@ -455,11 +403,8 @@
       selector:
         app: ratings
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: security.istio.io/v1beta1
     kind: PeerAuthentication
     metadata:
    @@ -475,14 +420,13 @@
         80:
           mode: DISABLE
     
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    Sidecar

    -

    Sidecar describes the configuration of the sidecar proxy that mediates -inbound and outbound communication of the workload instance to which it is +

    Sidecar describes the configuration of the sidecar proxy that mediates
    +inbound and outbound communication of the workload instance to which it is
    attached.

    NONE -

    Assume that incoming connections have already been resolved (to a -specific destination IP address). Such connections are typically -routed via the proxy using mechanisms such as IP table REDIRECT/ -eBPF. After performing any routing related transformations, the -proxy will forward the connection to the IP address to which the +

    Assume that incoming connections have already been resolved (to a
    +specific destination IP address). Such connections are typically
    +routed via the proxy using mechanisms such as IP table REDIRECT/
    +eBPF. After performing any routing related transformations, the
    +proxy will forward the connection to the IP address to which the
    connection was bound.

    STATIC -

    Use the static IP addresses specified in endpoints (see below) as the +

    Use the static IP addresses specified in endpoints (see below) as the
    backing instances associated with the service.

    DNS -

    Attempt to resolve the IP address by querying the ambient DNS, -asynchronously. If no endpoints are specified, the proxy -will resolve the DNS address specified in the hosts field, if -wildcards are not used. If endpoints are specified, the DNS -addresses specified in the endpoints will be resolved to determine -the destination IP address. DNS resolution cannot be used with Unix +

    Attempt to resolve the IP address by querying the ambient DNS,
    +asynchronously. If no endpoints are specified, the proxy
    +will resolve the DNS address specified in the hosts field, if
    +wildcards are not used. If endpoints are specified, the DNS
    +addresses specified in the endpoints will be resolved to determine
    +the destination IP address. DNS resolution cannot be used with Unix
    domain socket endpoints.

    DNS_ROUND_ROBIN -

    Attempt to resolve the IP address by querying the ambient DNS, -asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the -first IP address returned when a new connection needs to be initiated -without relying on complete results of DNS resolution, and connections -made to hosts will be retained even if DNS records change frequently -eliminating draining connection pools and connection cycling. -This is best suited for large web scale services that -must be accessed via DNS. The proxy will resolve the DNS address -specified in the hosts field, if wildcards are not used. DNS resolution +

    Attempt to resolve the IP address by querying the ambient DNS,
    +asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the
    +first IP address returned when a new connection needs to be initiated
    +without relying on complete results of DNS resolution, and connections
    +made to hosts will be retained even if DNS records change frequently
    +eliminating draining connection pools and connection cycling.
    +This is best suited for large web scale services that
    +must be accessed via DNS. The proxy will resolve the DNS address
    +specified in the hosts field, if wildcards are not used. DNS resolution
    cannot be used with Unix domain socket endpoints.

    @@ -499,8 +443,8 @@

    Sidecar

    @@ -512,11 +456,11 @@

    Sidecar

    @@ -528,9 +472,9 @@

    Sidecar

    @@ -542,12 +486,12 @@

    Sidecar

    @@ -560,7 +504,7 @@

    Sidecar

    IstioIngressListener

    -

    IstioIngressListener specifies the properties of an inbound +

    IstioIngressListener specifies the properties of an inbound
    traffic listener on the sidecar proxy attached to a workload instance.

    workloadSelector WorkloadSelector -

    Criteria used to select the specific set of pods/VMs on which this -Sidecar configuration should be applied. If omitted, the Sidecar +

    Criteria used to select the specific set of pods/VMs on which this
    +Sidecar configuration should be applied. If omitted, the Sidecar
    configuration will be applied to all workload instances in the same namespace.

    ingress IstioIngressListener[] -

    Ingress specifies the configuration of the sidecar for processing -inbound traffic to the attached workload instance. If omitted, Istio will -automatically configure the sidecar based on the information about the workload -obtained from the orchestration platform (e.g., exposed ports, services, -etc.). If specified, inbound ports are configured if and only if the +

    Ingress specifies the configuration of the sidecar for processing
    +inbound traffic to the attached workload instance. If omitted, Istio will
    +automatically configure the sidecar based on the information about the workload
    +obtained from the orchestration platform (e.g., exposed ports, services,
    +etc.). If specified, inbound ports are configured if and only if the
    workload instance is associated with a service.

    egress IstioEgressListener[] -

    Egress specifies the configuration of the sidecar for processing -outbound traffic from the attached workload instance to other -services in the mesh. If not specified, inherits the system +

    Egress specifies the configuration of the sidecar for processing
    +outbound traffic from the attached workload instance to other
    +services in the mesh. If not specified, inherits the system
    detected defaults from the namespace-wide or the global default Sidecar.

    outboundTrafficPolicy OutboundTrafficPolicy -

    Configuration for the outbound traffic policy. If your -application uses one or more external services that are not known -apriori, setting the policy to ALLOW_ANY will cause the -sidecars to route any unknown traffic originating from the -application to its requested destination. If not specified, -inherits the system detected defaults from the namespace-wide or +

    Configuration for the outbound traffic policy. If your
    +application uses one or more external services that are not known
    +apriori, setting the policy to ALLOW_ANY will cause the
    +sidecars to route any unknown traffic originating from the
    +application to its requested destination. If not specified,
    +inherits the system detected defaults from the namespace-wide or
    the global default Sidecar.
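Review bot: the outboundTrafficPolicy row in this hunk still describes ALLOW_ANY only as routing "any unknown traffic originating from the application to its requested destination", with no pointer to the recommendation the OutboundTrafficPolicy type description gives later on the same page (declare external dependencies with ServiceEntry instead of ALLOW_ANY so the traffic can be monitored). The re-wrapping in this hunk leaves the wording unchanged, so the fix is a one-sentence addition to the proto comment in istio/api, from which this file is regenerated, not an edit to the generated HTML.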

    @@ -588,11 +532,11 @@

    IstioIngressListener

    @@ -604,7 +548,7 @@

    IstioIngressListener

    @@ -616,13 +560,13 @@

    IstioIngressListener

    @@ -634,8 +578,8 @@

    IstioIngressListener

    @@ -648,7 +592,7 @@

    IstioIngressListener

    IstioEgressListener

    -

    IstioEgressListener specifies the properties of an outbound traffic +

    IstioEgressListener specifies the properties of an outbound traffic
    listener on the sidecar proxy attached to a workload instance.

    bind string -

    The IP(IPv4 or IPv6) to which the listener should be bound. -Unix domain socket addresses are not allowed in -the bind field for ingress listeners. If omitted, Istio will -automatically configure the defaults based on imported services -and the workload instances to which this configuration is applied +

    The IP(IPv4 or IPv6) to which the listener should be bound.
    +Unix domain socket addresses are not allowed in
    +the bind field for ingress listeners. If omitted, Istio will
    +automatically configure the defaults based on imported services
    +and the workload instances to which this configuration is applied
    to.

    captureMode CaptureMode -

    The captureMode option dictates how traffic to the listener is +

    The captureMode option dictates how traffic to the listener is
    expected to be captured (or not).

    defaultEndpoint string -

    The IP endpoint or Unix domain socket to which -traffic should be forwarded to. This configuration can be used to -redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port -or Unix domain socket where the application workload instance is listening for -connections. Arbitrary IPs are not supported. Format should be one of -127.0.0.1:PORT, [::1]:PORT (forward to localhost), -0.0.0.0:PORT, [::]:PORT (forward to the instance IP), +

    The IP endpoint or Unix domain socket to which
    +traffic should be forwarded to. This configuration can be used to
    +redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port
    +or Unix domain socket where the application workload instance is listening for
    +connections. Arbitrary IPs are not supported. Format should be one of
    +127.0.0.1:PORT, [::1]:PORT (forward to localhost),
    +0.0.0.0:PORT, [::]:PORT (forward to the instance IP),
    or unix:///path/to/socket (forward to Unix domain socket).

    tls ServerTLSSettings -

    Set of TLS related options that will enable TLS termination on the -sidecar for requests originating from outside the mesh. +

    Set of TLS related options that will enable TLS termination on the
    +sidecar for requests originating from outside the mesh.
    Currently supports only SIMPLE and MUTUAL TLS modes.
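Review bot: the bind, captureMode, defaultEndpoint and tls rows in this hunk appear under the IstioEgressListener heading, but their text is the ingress side of the API: bind says Unix domain socket addresses are "not allowed in the bind field for ingress listeners", and tls describes "TLS termination on the sidecar for requests originating from outside the mesh". Please confirm in the regenerated HTML that these rows still sit in the IstioIngressListener table with their original anchors. The same displacement recurs later in this patch (port, bind, captureMode and hosts after the WorkloadSelector heading; labels after OutboundTrafficPolicy; REGISTRY_ONLY and ALLOW_ANY after CaptureMode; and a CaptureMode NONE row inside the virtual-service page), which points either at the new generator emitting rows out of order or at the diff having been produced from a shuffled extraction; either way it needs a rendered-page check before merge.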

    @@ -665,14 +609,14 @@

    IstioEgressListener

    @@ -684,12 +628,12 @@

    IstioEgressListener

    @@ -701,8 +645,8 @@

    IstioEgressListener

    @@ -714,32 +658,29 @@

    IstioEgressListener

    @@ -752,14 +693,14 @@

    IstioEgressListener

    WorkloadSelector

    -

    WorkloadSelector specifies the criteria used to determine if the -Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule -configuration can be applied to a proxy. The matching criteria -includes the metadata associated with a proxy, workload instance -info such as labels attached to the pod/VM, or any other info that -the proxy provides to Istio during the initial handshake. If -multiple conditions are specified, all conditions need to match in -order for the workload instance to be selected. Currently, only +

    WorkloadSelector specifies the criteria used to determine if the
    +Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule
    +configuration can be applied to a proxy. The matching criteria
    +includes the metadata associated with a proxy, workload instance
    +info such as labels attached to the pod/VM, or any other info that
    +the proxy provides to Istio during the initial handshake. If
    +multiple conditions are specified, all conditions need to match in
    +order for the workload instance to be selected. Currently, only
    label based selection mechanism is supported.

    port Port -

    The port associated with the listener. If using Unix domain socket, -use 0 as the port number, with a valid protocol. The port if -specified, will be used as the default destination port associated -with the imported hosts. If the port is omitted, Istio will infer the -listener ports based on the imported hosts. Note that when multiple -egress listeners are specified, where one or more listeners have -specific ports while others have no port, the hosts exposed on a -listener port will be based on the listener with the most specific +

    The port associated with the listener. If using Unix domain socket,
    +use 0 as the port number, with a valid protocol. The port if
    +specified, will be used as the default destination port associated
    +with the imported hosts. If the port is omitted, Istio will infer the
    +listener ports based on the imported hosts. Note that when multiple
    +egress listeners are specified, where one or more listeners have
    +specific ports while others have no port, the hosts exposed on a
    +listener port will be based on the listener with the most specific
    port.

    bind string -

    The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound -to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or -unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If -omitted, Istio will automatically configure the defaults based on imported -services, the workload instances to which this configuration is applied to and -the captureMode. If captureMode is NONE, bind will default to +

    The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound
    +to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or
    +unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If
    +omitted, Istio will automatically configure the defaults based on imported
    +services, the workload instances to which this configuration is applied to and
    +the captureMode. If captureMode is NONE, bind will default to
    127.0.0.1.

    captureMode CaptureMode -

    When the bind address is an IP, the captureMode option dictates -how traffic to the listener is expected to be captured (or not). +

    When the bind address is an IP, the captureMode option dictates
    +how traffic to the listener is expected to be captured (or not).
    captureMode must be DEFAULT or NONE for Unix domain socket binds.

    hosts string[] -

    One or more service hosts exposed by the listener -in namespace/dnsName format. Services in the specified namespace -matching dnsName will be exposed. -The corresponding service can be a service in the service registry -(e.g., a Kubernetes or cloud foundry service) or a service specified -using a ServiceEntry or VirtualService configuration. Any +

    One or more service hosts exposed by the listener
    +in namespace/dnsName format. Services in the specified namespace
    +matching dnsName will be exposed.
    +The corresponding service can be a service in the service registry
    +(e.g., a Kubernetes or cloud foundry service) or a service specified
    +using a ServiceEntry or VirtualService configuration. Any
    associated DestinationRule in the same namespace will also be used.

    - -

    The dnsName should be specified using FQDN format, optionally including -a wildcard character in the left-most component (e.g., prod/*.example.com). -Set the dnsName to * to select all services from the specified namespace +

    The dnsName should be specified using FQDN format, optionally including
    +a wildcard character in the left-most component (e.g., prod/*.example.com).
    +Set the dnsName to * to select all services from the specified namespace
    (e.g., prod/*).

    - -

    The namespace can be set to *, ., or ~, representing any, the current, -or no namespace, respectively. For example, */foo.example.com selects the -service from any available namespace while ./foo.example.com only selects -the service from the namespace of the sidecar. If a host is set to */*, -Istio will configure the sidecar to be able to reach every service in the -mesh that is exported to the sidecar’s namespace. The value ~/* can be used -to completely trim the configuration for sidecars that simply receive traffic +

    The namespace can be set to *, ., or ~, representing any, the current,
    +or no namespace, respectively. For example, */foo.example.com selects the
    +service from any available namespace while ./foo.example.com only selects
    +the service from the namespace of the sidecar. If a host is set to */*,
    +Istio will configure the sidecar to be able to reach every service in the
    +mesh that is exported to the sidecar's namespace. The value ~/* can be used
    +to completely trim the configuration for sidecars that simply receive traffic
    and respond, but make no outbound connections of their own.

    - -

    NOTE: Only services and configuration artifacts exported to the sidecar’s -namespace (e.g., exportTo value of *) can be referenced. -Private configurations (e.g., exportTo set to .) will -not be available. Refer to the exportTo setting in VirtualService, +

    NOTE: Only services and configuration artifacts exported to the sidecar's
    +namespace (e.g., exportTo value of *) can be referenced.
    +Private configurations (e.g., exportTo set to .) will
    +not be available. Refer to the exportTo setting in VirtualService,
    DestinationRule, and ServiceEntry configurations for details.

    @@ -776,9 +717,9 @@

    WorkloadSelector

    @@ -791,14 +732,14 @@

    WorkloadSelector

    OutboundTrafficPolicy

    -

    OutboundTrafficPolicy sets the default behavior of the sidecar for -handling outbound traffic from the application. -If your application uses one or more external -services that are not known apriori, setting the policy to ALLOW_ANY -will cause the sidecars to route any unknown traffic originating from -the application to its requested destination. Users are strongly -encouraged to use ServiceEntry configurations to explicitly declare any external -dependencies, instead of using ALLOW_ANY, so that traffic to these +

    OutboundTrafficPolicy sets the default behavior of the sidecar for
    +handling outbound traffic from the application.
    +If your application uses one or more external
    +services that are not known apriori, setting the policy to ALLOW_ANY
    +will cause the sidecars to route any unknown traffic originating from
    +the application to its requested destination. Users are strongly
    +encouraged to use ServiceEntry configurations to explicitly declare any external
    +dependencies, instead of using ALLOW_ANY, so that traffic to these
    services can be monitored.

    labels map<string, string> -

    One or more labels that indicate a specific set of pods/VMs -on which the configuration should be applied. The scope of -label search is restricted to the configuration namespace in which the +

    One or more labels that indicate a specific set of pods/VMs
    +on which the configuration should be applied. The scope of
    +label search is restricted to the configuration namespace in which the
    the resource is present.

    @@ -836,7 +777,7 @@

    OutboundTrafficPolicy.Mode

    @@ -844,7 +785,7 @@

    OutboundTrafficPolicy.Mode

    @@ -854,7 +795,7 @@

    OutboundTrafficPolicy.Mode

    CaptureMode

    -

    CaptureMode describes how traffic to a listener is expected to be +

    CaptureMode describes how traffic to a listener is expected to be
    captured. Applicable only when the listener is bound to an IP.

    REGISTRY_ONLY -

    Outbound traffic will be restricted to services defined in the +

    Outbound traffic will be restricted to services defined in the
    service registry as well as those defined through ServiceEntry configurations.

    ALLOW_ANY -

    Outbound traffic to unknown destinations will be allowed, in case +

    Outbound traffic to unknown destinations will be allowed, in case
    there are no services or ServiceEntry configurations for the destination port.

    @@ -882,10 +823,10 @@

    CaptureMode

    diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html index ad012d60efd69..3db09b79210fc 100644 --- a/content/zh/docs/reference/config/networking/virtual-service/index.html +++ b/content/zh/docs/reference/config/networking/virtual-service/index.html @@ -1,60 +1,50 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Virtual Service description: Configuration affecting label/content routing, sni routing, etc. location: https://istio.io/docs/reference/config/networking/virtual-service.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.VirtualService aliases: [/zh/docs/reference/config/networking/v1alpha3/virtual-service] number_of_entries: 27 --- -

    Configuration affecting traffic routing. Here are a few terms useful to define +

    Configuration affecting traffic routing. Here are a few terms useful to define
    in the context of traffic routing.

    - -

    Service a unit of application behavior bound to a unique name in a -service registry. Services consist of multiple network endpoints +

    Service a unit of application behavior bound to a unique name in a
    +service registry. Services consist of multiple network endpoints
    implemented by workload instances running on pods, containers, VMs etc.

    - -

    Service versions (a.k.a. subsets) - In a continuous deployment -scenario, for a given service, there can be distinct subsets of -instances running different variants of the application binary. These -variants are not necessarily different API versions. They could be -iterative changes to the same service, deployed in different -environments (prod, staging, dev, etc.). Common scenarios where this -occurs include A/B testing, canary rollouts, etc. The choice of a -particular version can be decided based on various criterion (headers, -url, etc.) and/or by weights assigned to each version. Each service has +

    Service versions (a.k.a. subsets) - In a continuous deployment
    +scenario, for a given service, there can be distinct subsets of
    +instances running different variants of the application binary. These
    +variants are not necessarily different API versions. They could be
    +iterative changes to the same service, deployed in different
    +environments (prod, staging, dev, etc.). Common scenarios where this
    +occurs include A/B testing, canary rollouts, etc. The choice of a
    +particular version can be decided based on various criterion (headers,
    +url, etc.) and/or by weights assigned to each version. Each service has
    a default version consisting of all its instances.

    -

    Source - A downstream client calling a service.

    - -

    Host - The address used by a client when attempting to connect to a +

    Host - The address used by a client when attempting to connect to a
    service.

    - -

    Access model - Applications address only the destination service -(Host) without knowledge of individual service versions (subsets). The -actual choice of the version is determined by the proxy/sidecar, enabling the -application code to decouple itself from the evolution of dependent +

    Access model - Applications address only the destination service
    +(Host) without knowledge of individual service versions (subsets). The
    +actual choice of the version is determined by the proxy/sidecar, enabling the
    +application code to decouple itself from the evolution of dependent
    services.

    - -

    A VirtualService defines a set of traffic routing rules to apply when a host is -addressed. Each routing rule defines matching criteria for traffic of a specific -protocol. If the traffic is matched, then it is sent to a named destination service +

    A VirtualService defines a set of traffic routing rules to apply when a host is
    +addressed. Each routing rule defines matching criteria for traffic of a specific
    +protocol. If the traffic is matched, then it is sent to a named destination service
    (or subset/version of it) defined in the registry.

    - -

    The source of traffic can also be matched in a routing rule. This allows routing +

    The source of traffic can also be matched in a routing rule. This allows routing
    to be customized for specific client contexts.

    - -

    The following example on Kubernetes, routes all HTTP traffic by default to -pods of the reviews service with label “version: v1”. In addition, -HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will -be rewritten to /newcatalog and sent to pods with label “version: v2”.

    - -

    {{}} -{{}}

    - +

    The following example on Kubernetes, routes all HTTP traffic by default to
    +pods of the reviews service with label "version: v1". In addition,
    +HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
    +be rewritten to /newcatalog and sent to pods with label "version: v2".

    +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
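Review bot: the front-matter hunk replaces source_repo https://github.com/istio/api with https://github.com/ericvn/api and layout: protoc-gen-docs with layout: partner-component, so the WARNING line now tells contributors to modify the original source in a personal fork. That is consistent with the commit subject ("Test with reference docs using Goldmark") but must not merge as is: regenerate from istio/api once the Goldmark change lands there, and confirm whether partner-component was the intended layout or a stand-in for protoc-gen-docs during the test.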
    @@ -81,11 +71,8 @@
             host: reviews.prod.svc.cluster.local
             subset: v1
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -112,17 +99,13 @@
             host: reviews.prod.svc.cluster.local
             subset: v1
     
    - -

    {{}} -{{}}

    - -

    A subset/version of a route destination is identified with a reference -to a named service subset which must be declared in a corresponding +

    {{}}
    +{{}}

    +

    A subset/version of a route destination is identified with a reference
    +to a named service subset which must be declared in a corresponding
    DestinationRule.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -137,11 +120,8 @@
         labels:
           version: v2
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -156,9 +136,8 @@
         labels:
           version: v2
     
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    VirtualService

    @@ -178,34 +157,30 @@

    VirtualService

    @@ -217,18 +192,18 @@

    VirtualService

    @@ -240,10 +215,10 @@

    VirtualService

    @@ -255,14 +230,14 @@

    VirtualService

    @@ -274,8 +249,8 @@

    VirtualService

    @@ -287,17 +262,15 @@

    VirtualService

    @@ -310,30 +283,26 @@

    VirtualService

    Destination

    -

    Destination indicates the network addressable service to which the -request/connection will be sent after processing a routing rule. The -destination.host should unambiguously refer to a service in the service -registry. Istio’s service registry is composed of all the services found -in the platform’s service registry (e.g., Kubernetes services, Consul -services), as well as services declared through the +

    Destination indicates the network addressable service to which the
    +request/connection will be sent after processing a routing rule. The
    +destination.host should unambiguously refer to a service in the service
    +registry. Istio's service registry is composed of all the services found
    +in the platform's service registry (e.g., Kubernetes services, Consul
    +services), as well as services declared through the
    ServiceEntry resource.

    - -

    Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of the -actual namespace associated with the reviews service. To avoid potential -misconfigurations, it is recommended to always use fully qualified +

    Note for Kubernetes users: When short names are used (e.g. "reviews"
    +instead of "reviews.default.svc.cluster.local"), Istio will interpret
    +the short name based on the namespace of the rule, not the service. A
    +rule in the "default" namespace containing a host "reviews will be
    +interpreted as "reviews.default.svc.cluster.local", irrespective of the
    +actual namespace associated with the reviews service. To avoid potential
    +misconfigurations, it is recommended to always use fully qualified
    domain names over short names.

    - -

    The following Kubernetes example routes all traffic by default to pods -of the reviews service with label “version: v1” (i.e., subset v1), and +

    The following Kubernetes example routes all traffic by default to pods
    +of the reviews service with label "version: v1" (i.e., subset v1), and
    some to subset v2, in a Kubernetes environment.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
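Review bot: every paragraph in this hunk swaps the typographic quotes of the old output (curly quotes around "reviews", the apostrophe in Istio's) for straight ASCII quotes. Check whether the site's Goldmark configuration has the typographer extension enabled: if it does, Hugo curls them again at render time and this is a no-op in the rendered page; if it does not, this changes punctuation on every reference page at once and should be called out in the PR description. Separately, the note for Kubernetes users reads "a host "reviews will be interpreted" with no closing quote in both the removed and the added text, while the hosts field further down has the same sentence with "reviews" closed correctly; the typo lives in the istio/api proto comment and should be fixed there rather than in this generated file.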
    @@ -359,11 +328,8 @@ 

    Destination

    host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -389,15 +355,11 @@ 

    Destination

    host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    And the associated DestinationRule

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -413,11 +375,8 @@ 

    Destination

    labels: version: v2
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -433,23 +392,19 @@ 

    Destination

    labels: version: v2
    - -

    {{}} -{{}}

    - -

    The following VirtualService sets a timeout of 5s for all calls to -productpage.prod.svc.cluster.local service in Kubernetes. Notice that -there are no subsets defined in this rule. Istio will fetch all -instances of productpage.prod.svc.cluster.local service from the service -registry and populate the sidecar’s load balancing pool. Also, notice -that this rule is set in the istio-system namespace but uses the fully -qualified domain name of the productpage service, -productpage.prod.svc.cluster.local. Therefore the rule’s namespace does +

    {{}}
    +{{}}

    +

    The following VirtualService sets a timeout of 5s for all calls to
    +productpage.prod.svc.cluster.local service in Kubernetes. Notice that
    +there are no subsets defined in this rule. Istio will fetch all
    +instances of productpage.prod.svc.cluster.local service from the service
    +registry and populate the sidecar's load balancing pool. Also, notice
    +that this rule is set in the istio-system namespace but uses the fully
    +qualified domain name of the productpage service,
    +productpage.prod.svc.cluster.local. Therefore the rule's namespace does
    not have an impact in resolving the name of the productpage service.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -464,11 +419,8 @@ 

    Destination

    - destination: host: productpage.prod.svc.cluster.local
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -483,19 +435,15 @@ 

    Destination

    - destination: host: productpage.prod.svc.cluster.local
    - -

    {{}} -{{}}

    - -

    To control routing for traffic bound to services outside the mesh, external -services must first be added to Istio’s internal service registry using the -ServiceEntry resource. VirtualServices can then be defined to control traffic -bound to these external services. For example, the following rules define a +

    {{}}
    +{{}}

    +

    To control routing for traffic bound to services outside the mesh, external
    +services must first be added to Istio's internal service registry using the
    +ServiceEntry resource. VirtualServices can then be defined to control traffic
    +bound to these external services. For example, the following rules define a
    Service for wikipedia.org and set a timeout of 5s for HTTP requests.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -523,11 +471,8 @@ 

    Destination

    - destination: host: wikipedia.org
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -555,9 +500,8 @@ 

    Destination

    - destination: host: wikipedia.org
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    NONE -

    No traffic capture. When used in an egress listener, the application is -expected to explicitly communicate with the listener port or Unix -domain socket. When used in an ingress listener, care needs to be taken -to ensure that the listener port is not in use by other processes on +

    No traffic capture. When used in an egress listener, the application is
    +expected to explicitly communicate with the listener port or Unix
    +domain socket. When used in an ingress listener, care needs to be taken
    +to ensure that the listener port is not in use by other processes on
    the host.

    hosts string[] -

    The destination hosts to which traffic is being sent. Could -be a DNS name with wildcard prefix or an IP address. Depending on the -platform, short-names can also be used instead of a FQDN (i.e. has no -dots in the name). In such a scenario, the FQDN of the host would be +

    The destination hosts to which traffic is being sent. Could
    +be a DNS name with wildcard prefix or an IP address. Depending on the
    +platform, short-names can also be used instead of a FQDN (i.e. has no
    +dots in the name). In such a scenario, the FQDN of the host would be
    derived based on the underlying platform.

    - -

    A single VirtualService can be used to describe all the traffic -properties of the corresponding hosts, including those for multiple -HTTP and TCP ports. Alternatively, the traffic properties of a host -can be defined using more than one VirtualService, with certain -caveats. Refer to the -Operations Guide +

    A single VirtualService can be used to describe all the traffic
    +properties of the corresponding hosts, including those for multiple
    +HTTP and TCP ports. Alternatively, the traffic properties of a host
    +can be defined using more than one VirtualService, with certain
    +caveats. Refer to the
    +Operations Guide
    for details.

    - -

    Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully +

    Note for Kubernetes users: When short names are used (e.g. "reviews"
    +instead of "reviews.default.svc.cluster.local"), Istio will interpret
    +the short name based on the namespace of the rule, not the service. A
    +rule in the "default" namespace containing a host "reviews" will be
    +interpreted as "reviews.default.svc.cluster.local", irrespective of
    +the actual namespace associated with the reviews service. To avoid
    +potential misconfigurations, it is recommended to always use fully
    qualified domain names over short names.

    - -

    The hosts field applies to both HTTP and TCP services. Service inside -the mesh, i.e., those found in the service registry, must always be -referred to using their alphanumeric names. IP addresses are allowed +

    The hosts field applies to both HTTP and TCP services. Service inside
    +the mesh, i.e., those found in the service registry, must always be
    +referred to using their alphanumeric names. IP addresses are allowed
    only for services defined via the Gateway.

    -

    Note: It must be empty for a delegate VirtualService.

    gateways string[] -

    The names of gateways and sidecars that should apply these routes. -Gateways in other namespaces may be referred to by -<gateway namespace>/<gateway name>; specifying a gateway with no -namespace qualifier is the same as specifying the VirtualService’s -namespace. A single VirtualService is used for sidecars inside the mesh as -well as for one or more gateways. The selection condition imposed by this -field can be overridden using the source field in the match conditions -of protocol-specific routes. The reserved word mesh is used to imply -all the sidecars in the mesh. When this field is omitted, the default -gateway (mesh) will be used, which would apply the rule to all -sidecars in the mesh. If a list of gateway names is provided, the -rules will apply only to the gateways. To apply the rules to both +

    The names of gateways and sidecars that should apply these routes.
    +Gateways in other namespaces may be referred to by
    +<gateway namespace>/<gateway name>; specifying a gateway with no
    +namespace qualifier is the same as specifying the VirtualService's
    +namespace. A single VirtualService is used for sidecars inside the mesh as
    +well as for one or more gateways. The selection condition imposed by this
    +field can be overridden using the source field in the match conditions
    +of protocol-specific routes. The reserved word mesh is used to imply
    +all the sidecars in the mesh. When this field is omitted, the default
    +gateway (mesh) will be used, which would apply the rule to all
    +sidecars in the mesh. If a list of gateway names is provided, the
    +rules will apply only to the gateways. To apply the rules to both
    gateways and sidecars, specify mesh as one of the gateway names.

    http HTTPRoute[] -

    An ordered list of route rules for HTTP traffic. HTTP routes will be -applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway -ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service -entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching +

    An ordered list of route rules for HTTP traffic. HTTP routes will be
    +applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway
    +ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
    +entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching
    an incoming request is used.

    tls TLSRoute[] -

    An ordered list of route rule for non-terminated TLS & HTTPS -traffic. Routing is typically performed using the SNI value presented -by the ClientHello message. TLS routes will be applied to platform -service ports named ‘https-’, ‘tls-’, unterminated gateway ports using -HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service -entry ports using HTTPS/TLS protocols. The first rule matching an -incoming request is used. NOTE: Traffic ‘https-’ or ‘tls-’ ports -without associated virtual service will be treated as opaque TCP +

    An ordered list of route rule for non-terminated TLS & HTTPS
    +traffic. Routing is typically performed using the SNI value presented
    +by the ClientHello message. TLS routes will be applied to platform
    +service ports named 'https-', 'tls-', unterminated gateway ports using
    +HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service
    +entry ports using HTTPS/TLS protocols. The first rule matching an
    +incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports
    +without associated virtual service will be treated as opaque TCP
    traffic.

    tcp TCPRoute[] -

    An ordered list of route rules for opaque TCP traffic. TCP routes will -be applied to any port that is not a HTTP or TLS port. The first rule +

    An ordered list of route rules for opaque TCP traffic. TCP routes will
    +be applied to any port that is not a HTTP or TLS port. The first rule
    matching an incoming request is used.

    exportTo string[] -

    A list of namespaces to which this virtual service is exported. Exporting a -virtual service allows it to be used by sidecars and gateways defined in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of virtual services +

    A list of namespaces to which this virtual service is exported. Exporting a
    +virtual service allows it to be used by sidecars and gateways defined in
    +other namespaces. This feature provides a mechanism for service owners
    +and mesh administrators to control the visibility of virtual services
    across namespace boundaries.

    - -

    If no namespaces are specified then the virtual service is exported to all +

    If no namespaces are specified then the virtual service is exported to all
    namespaces by default.

    - -

    The value “.” is reserved and defines an export to the same namespace that -the virtual service is declared in. Similarly the value “*” is reserved and +

    The value "." is reserved and defines an export to the same namespace that
    +the virtual service is declared in. Similarly the value "*" is reserved and
    defines an export to all namespaces.
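Review bot: the port-name globs in the http and tls descriptions lose their asterisks under the new renderer as well as the old one: `'http-'/'http2-'/'grpc-*'` keeps only the last `*`, and `'https-', 'tls-'` keeps none, which is exactly what Markdown does when a `*…*` pair is read as emphasis. Escape them in the proto comment (backticks or `\*`) so `http-*`, `http2-*`, `https-*` and `tls-*` all render; as shown, a reader cannot tell that `https-` is a port-name prefix rather than a literal name. Two wording points in the same text are source-comment issues, not renderer ones: `An ordered list of route rule for non-terminated TLS` should be "route rules", and `NOTE: Traffic 'https-' or 'tls-' ports` is missing "on" (traffic on `https-` or `tls-` ports). Everything else in this hunk is the typographic-to-ASCII quote change from Goldmark and needs no action.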

    @@ -573,19 +517,18 @@

    Destination

    @@ -597,8 +540,8 @@

    Destination

    @@ -610,8 +553,8 @@

    Destination

    @@ -624,7 +567,7 @@

    Destination

    HTTPRoute

    -

    Describes match conditions and actions for routing HTTP/1.1, HTTP2, and +

    Describes match conditions and actions for routing HTTP/1.1, HTTP2, and
    gRPC traffic. See VirtualService for usage examples.

    host string -

    The name of a service from the service registry. Service -names are looked up from the platform’s service registry (e.g., -Kubernetes services, Consul services, etc.) and from the hosts -declared by ServiceEntry. Traffic forwarded to +

    The name of a service from the service registry. Service
    +names are looked up from the platform's service registry (e.g.,
    +Kubernetes services, Consul services, etc.) and from the hosts
    +declared by ServiceEntry. Traffic forwarded to
    destinations that are not found in either of the two, will be dropped.

    - -

    Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfiguration, it is recommended to always use fully +

    Note for Kubernetes users: When short names are used (e.g. "reviews"
    +instead of "reviews.default.svc.cluster.local"), Istio will interpret
    +the short name based on the namespace of the rule, not the service. A
    +rule in the "default" namespace containing a host "reviews will be
    +interpreted as "reviews.default.svc.cluster.local", irrespective of
    +the actual namespace associated with the reviews service. To avoid
    +potential misconfiguration, it is recommended to always use fully
    qualified domain names over short names.

    subset string -

    The name of a subset within the service. Applicable only to services -within the mesh. The subset must be defined in a corresponding +

    The name of a subset within the service. Applicable only to services
    +within the mesh. The subset must be defined in a corresponding
    DestinationRule.

    port PortSelector -

    Specifies the port on the host that is being addressed. If a service -exposes only a single port it is not required to explicitly select the +

    Specifies the port on the host that is being addressed. If a service
    +exposes only a single port it is not required to explicitly select the
    port.
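Review bot: the host description carries an unbalanced quote in both the old and the new output, `containing a host "reviews will be`, so it is a typo in the proto comment and should be fixed there (`a host "reviews" will be`) rather than patched in this generated HTML, which the next docs sync would overwrite. The rest of the hunk only swaps typographic quotes for ASCII ones.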

    @@ -641,9 +584,9 @@

    HTTPRoute

    @@ -655,9 +598,9 @@

    HTTPRoute

    @@ -669,9 +612,9 @@

    HTTPRoute

    @@ -683,9 +626,9 @@

    HTTPRoute

    @@ -697,10 +640,9 @@

    HTTPRoute

    @@ -712,18 +654,15 @@

    HTTPRoute

    @@ -770,8 +709,8 @@

    HTTPRoute

    @@ -783,11 +722,11 @@

    HTTPRoute

    @@ -799,8 +738,8 @@

    HTTPRoute

    @@ -812,8 +751,8 @@

    HTTPRoute

    @@ -837,10 +776,9 @@

    HTTPRoute

    Delegate

    -

    Describes the delegate VirtualService. -The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, +

    Describes the delegate VirtualService.
    +The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage,
    forward the traffic to /reviews by a delegate VirtualService named reviews.

    -
    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -864,7 +802,6 @@ 

    Delegate

    name: reviews namespace: nsB
    -
    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -882,7 +819,6 @@ 

    Delegate

    - destination: host: productpage.nsA.svc.cluster.local
    -
    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -920,8 +856,8 @@ 

    Delegate

    name string -

    The name assigned to the route for debugging purposes. The -route’s name will be concatenated with the match’s name and will -be logged in the access logs for requests matching this +

    The name assigned to the route for debugging purposes. The
    +route's name will be concatenated with the match's name and will
    +be logged in the access logs for requests matching this
    route/match.

    match HTTPMatchRequest[] -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule +

    Match conditions to be satisfied for the rule to be
    +activated. All conditions inside a single match block have AND
    +semantics, while the list of match blocks have OR semantics. The rule
    is matched if any one of the match blocks succeed.

    route HTTPRouteDestination[] -

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. -The forwarding target can be one of several versions of a service (see -glossary in beginning of document). Weights associated with the +

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
    +The forwarding target can be one of several versions of a service (see
    +glossary in beginning of document). Weights associated with the
    service version determine the proportion of traffic it receives.

    redirect HTTPRedirect -

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. -If traffic passthrough option is specified in the rule, -route/redirect will be ignored. The redirect primitive can be used to +

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
    +If traffic passthrough option is specified in the rule,
    +route/redirect will be ignored. The redirect primitive can be used to
    send a HTTP 301 redirect to a different URI or Authority.

    directResponse HTTPDirectResponse -

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic. -Direct Response is used to specify a fixed response that should +

    A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
    +Direct Response is used to specify a fixed response that should
    be sent to clients.

    -

    It can be set only when Route and Redirect are empty.

    delegate Delegate -

    Delegate is used to specify the particular VirtualService which +

    Delegate is used to specify the particular VirtualService which
    can be used to define delegate HTTPRoute.

    - -

    It can be set only when Route and Redirect are empty, and the route -rules of the delegate VirtualService will be merged with that in the +

    It can be set only when Route and Redirect are empty, and the route
    +rules of the delegate VirtualService will be merged with that in the
    current one.

    -

    NOTE:

    -
    1. Only one level delegation is supported.
    2. -
    3. The delegate’s HTTPMatchRequest must be a strict subset of the root’s, +
    4. The delegate's HTTPMatchRequest must be a strict subset of the root's,
      otherwise there is a conflict and the HTTPRoute will not take effect.
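Review bot: the NOTE list at the end of the delegate description now renders with an empty numbered entry between `1. Only one level delegation is supported.` and `The delegate's HTTPMatchRequest must be a strict subset of the root's`, which is the shape Goldmark produces for a loose list (each item wrapped in its own paragraph). Check the proto comment for a blank line between the two items and remove it, or verify in a browser that the rendered list has exactly two entries; as extracted here the second item appears detached from its number. Also worth confirming for the API owners: the directResponse and delegate fields both say `It can be set only when Route and Redirect are empty`, but neither says it is exclusive of the other, so the documented constraint does not rule out a route that sets both.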
    @@ -736,7 +675,7 @@

    HTTPRoute

    rewrite HTTPRewrite -

    Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with +

    Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with
    Redirect primitive. Rewrite will be performed before forwarding.

    fault HTTPFaultInjection -

    Fault injection policy to apply on HTTP traffic at the client side. -Note that timeouts or retries will not be enabled when faults are +

    Fault injection policy to apply on HTTP traffic at the client side.
    +Note that timeouts or retries will not be enabled when faults are
    enabled on the client side.

    mirror Destination -

    Mirror HTTP traffic to a another destination in addition to forwarding -the requests to the intended destination. Mirrored traffic is on a -best effort basis where the sidecar/gateway will not wait for the -mirrored cluster to respond before returning the response from the -original destination. Statistics will be generated for the mirrored +

    Mirror HTTP traffic to a another destination in addition to forwarding
    +the requests to the intended destination. Mirrored traffic is on a
    +best effort basis where the sidecar/gateway will not wait for the
    +mirrored cluster to respond before returning the response from the
    +original destination. Statistics will be generated for the mirrored
    destination.

    mirrorPercentage Percent -

    Percentage of the traffic to be mirrored by the mirror field. -If this field is absent, all the traffic (100%) will be mirrored. +

    Percentage of the traffic to be mirrored by the mirror field.
    +If this field is absent, all the traffic (100%) will be mirrored.
    Max value is 100.

    corsPolicy CorsPolicy -

    Cross-Origin Resource Sharing policy (CORS). Refer to -CORS +

    Cross-Origin Resource Sharing policy (CORS). Refer to
    +CORS
    for further details about cross origin resource sharing.

    namespace string -

    Namespace specifies the namespace where the delegate VirtualService resides. -By default, it is same to the root’s.

    +

    Namespace specifies the namespace where the delegate VirtualService resides.
    +By default, it is same to the root's.
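Review bot: two source-comment typos pass through the renderer change unchanged in this hunk and should be fixed in the proto comments: `Mirror HTTP traffic to a another destination` (drop `a`) and `By default, it is same to the root's` (should read "the same as the root's"). The fault-injection text is correct as written but is the kind of line readers miss; `timeouts or retries will not be enabled when faults are enabled on the client side` means a route with `fault` set silently loses its retry policy, which is worth keeping prominent when the docs are regenerated.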

    @@ -933,17 +869,15 @@

    Delegate

    Headers

    -

    Message headers can be manipulated when Envoy forwards requests to, -or responses from, a destination service. Header manipulation rules can -be specified for a specific route destination or for all destinations. -The following VirtualService adds a test header with the value true -to requests that are routed to any reviews service destination. -It also removes the foo response header, but only from responses +

    Message headers can be manipulated when Envoy forwards requests to,
    +or responses from, a destination service. Header manipulation rules can
    +be specified for a specific route destination or for all destinations.
    +The following VirtualService adds a test header with the value true
    +to requests that are routed to any reviews service destination.
    +It also removes the foo response header, but only from responses
    coming from the v1 subset (version) of the reviews service.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -970,11 +904,8 @@ 

    Headers

    - foo weight: 75
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1001,9 +932,8 @@ 

    Headers

    - foo weight: 75
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    @@ -1019,7 +949,7 @@

    Headers

    @@ -1031,7 +961,7 @@

    Headers

    @@ -1044,14 +974,12 @@

    Headers

    TLSRoute

    -

    Describes match conditions and actions for routing unterminated TLS -traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS -traffic arriving at port 443 of gateway called “mygateway” to internal +

    Describes match conditions and actions for routing unterminated TLS
    +traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
    +traffic arriving at port 443 of gateway called "mygateway" to internal
    services in the mesh based on the SNI value.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -1077,11 +1005,8 @@ 

    TLSRoute

    - destination: host: reviews.prod.svc.cluster.local
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1107,9 +1032,8 @@ 

    TLSRoute

    - destination: host: reviews.prod.svc.cluster.local
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    request HeaderOperations -

    Header manipulation rules to apply before forwarding a request +

    Header manipulation rules to apply before forwarding a request
    to the destination service

    response HeaderOperations -

    Header manipulation rules to apply before returning a response +

    Header manipulation rules to apply before returning a response
    to the caller

    @@ -1125,9 +1049,9 @@

    TLSRoute

    @@ -1151,13 +1075,11 @@

    TLSRoute

    TCPRoute

    -

    Describes match conditions and actions for routing TCP traffic. The -following routing rule forwards traffic arriving at port 27017 for +

    Describes match conditions and actions for routing TCP traffic. The
    +following routing rule forwards traffic arriving at port 27017 for
    mongo.prod.svc.cluster.local to another Mongo server on port 5555.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -1174,11 +1096,8 @@ 

    TCPRoute

    port: number: 5555
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1195,9 +1114,8 @@ 

    TCPRoute

    port: number: 5555
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    match TLSMatchAttributes[] -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule +

    Match conditions to be satisfied for the rule to be
    +activated. All conditions inside a single match block have AND
    +semantics, while the list of match blocks have OR semantics. The rule
    is matched if any one of the match blocks succeed.

    @@ -1213,9 +1131,9 @@

    TCPRoute

    @@ -1239,15 +1157,13 @@

    TCPRoute

    HTTPMatchRequest

    -

    HttpMatchRequest specifies a set of criterion to be met in order for the -rule to be applied to the HTTP request. For example, the following -restricts the rule to match only requests where the URL path -starts with /ratings/v2/ and the request contains a custom end-user header +

    HttpMatchRequest specifies a set of criterion to be met in order for the
    +rule to be applied to the HTTP request. For example, the following
    +restricts the rule to match only requests where the URL path
    +starts with /ratings/v2/ and the request contains a custom end-user header
    with value jason.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -1267,11 +1183,8 @@ 

    HTTPMatchRequest

    - destination: host: ratings.prod.svc.cluster.local
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1291,11 +1204,9 @@ 

    HTTPMatchRequest

    - destination: host: ratings.prod.svc.cluster.local
    - -

    {{}} -{{}}

    - -

    HTTPMatchRequest CANNOT be empty. +

    {{}}
    +{{}}

    +

    HTTPMatchRequest CANNOT be empty.
    Note: No regex string match can be set when delegate VirtualService is specified.

    match L4MatchAttributes[] -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule +

    Match conditions to be satisfied for the rule to be
    +activated. All conditions inside a single match block have AND
    +semantics, while the list of match blocks have OR semantics. The rule
    is matched if any one of the match blocks succeed.
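Review bot: the position of `HTTPMatchRequest CANNOT be empty.` and the following regex note changes relative to the closing tab shortcodes in this hunk; in the new output they come after the `{{}}`/`{{}}` pair rather than next to the removed `-` lines. That is the placement you want (the constraint applies to the field, not to the last example tab), but confirm in a browser that both sentences render outside the tab panel and that the tabset/tab shortcode pairs are still balanced, since an unbalanced pair would swallow the rest of the section.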

    @@ -1312,8 +1223,8 @@

    HTTPMatchRequest

    @@ -1325,18 +1236,20 @@

    HTTPMatchRequest

    @@ -1348,15 +1261,18 @@

    HTTPMatchRequest

    @@ -1368,15 +1284,18 @@

    HTTPMatchRequest

    @@ -1388,15 +1307,18 @@

    HTTPMatchRequest

    @@ -1408,20 +1330,21 @@

    HTTPMatchRequest

    @@ -1433,8 +1356,8 @@

    HTTPMatchRequest

    @@ -1446,9 +1369,9 @@

    HTTPMatchRequest

    @@ -1460,8 +1383,8 @@

    HTTPMatchRequest

    @@ -1474,21 +1397,22 @@

    HTTPMatchRequest

    @@ -1501,8 +1425,7 @@

    HTTPMatchRequest

    @@ -1514,7 +1437,7 @@

    HTTPMatchRequest

    @@ -1526,8 +1449,8 @@

    HTTPMatchRequest

    @@ -1539,11 +1462,11 @@

    HTTPMatchRequest

    @@ -1556,16 +1479,14 @@

    HTTPMatchRequest

    HTTPRouteDestination

    -

    Each routing rule is associated with one or more service versions (see -glossary in beginning of document). Weights associated with the version -determine the proportion of traffic it receives. For example, the -following rule will route 25% of traffic for the “reviews” service to -instances with the “v2” tag and the remaining traffic (i.e., 75%) to -“v1”.

    - -

    {{}} -{{}}

    - +

    Each routing rule is associated with one or more service versions (see
    +glossary in beginning of document). Weights associated with the version
    +determine the proportion of traffic it receives. For example, the
    +following rule will route 25% of traffic for the "reviews" service to
    +instances with the "v2" tag and the remaining traffic (i.e., 75%) to
    +"v1".

    +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -1584,11 +1505,8 @@ 

    HTTPRouteDestination

    subset: v1 weight: 75
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1607,15 +1525,11 @@ 

    HTTPRouteDestination

    subset: v1 weight: 75
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    And the associated DestinationRule

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: DestinationRule
     metadata:
    @@ -1630,11 +1544,8 @@ 

    HTTPRouteDestination

    labels: version: v2
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -1649,17 +1560,13 @@ 

    HTTPRouteDestination

    labels: version: v2
    - -

    {{}} -{{}}

    - -

    Traffic can also be split across two entirely different services without -having to define new subsets. For example, the following rule forwards 25% of +

    {{}}
    +{{}}

    +

    Traffic can also be split across two entirely different services without
    +having to define new subsets. For example, the following rule forwards 25% of
    traffic to reviews.com to dev.reviews.com

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -1676,11 +1583,8 @@ 

    HTTPRouteDestination

    host: reviews.com weight: 75
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1697,9 +1601,8 @@ 

    HTTPRouteDestination

    host: reviews.com weight: 75
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    name string -

    The name assigned to a match. The match’s name will be -concatenated with the parent route’s name and will be logged in +

    The name assigned to a match. The match's name will be
    +concatenated with the parent route's name and will be logged in
    the access logs for requests matching this route.

    uri StringMatch -

    URI to match +

    URI to match
    values are case-sensitive and formatted as follows:

    -
      -
    • exact: "value" for exact string match

    • - -
    • prefix: "value" for prefix-based match

    • - -
    • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    • +
    • +

      exact: "value" for exact string match

      +
    • +
    • +

      prefix: "value" for prefix-based match

      +
    • +
    • +

      regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

      +
    - -

    Note: Case-insensitive matching could be enabled via the +

    Note: Case-insensitive matching could be enabled via the
    ignore_uri_case flag.

    scheme StringMatch -

    URI Scheme +

    URI Scheme
    values are case-sensitive and formatted as follows:

    -
      -
    • exact: "value" for exact string match

    • - -
    • prefix: "value" for prefix-based match

    • - -
    • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    • +
    • +

      exact: "value" for exact string match

      +
    • +
    • +

      prefix: "value" for prefix-based match

      +
    • +
    • +

      regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

      +
    method StringMatch -

    HTTP Method +

    HTTP Method
    values are case-sensitive and formatted as follows:

    -
      -
    • exact: "value" for exact string match

    • - -
    • prefix: "value" for prefix-based match

    • - -
    • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    • +
    • +

      exact: "value" for exact string match

      +
    • +
    • +

      prefix: "value" for prefix-based match

      +
    • +
    • +

      regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

      +
    authority StringMatch -

    HTTP Authority +

    HTTP Authority
    values are case-sensitive and formatted as follows:

    -
      -
    • exact: "value" for exact string match

    • - -
    • prefix: "value" for prefix-based match

    • - -
    • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    • +
    • +

      exact: "value" for exact string match

      +
    • +
    • +

      prefix: "value" for prefix-based match

      +
    • +
    • +

      regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

      +
    headers map<string, StringMatch> -

    The header keys must be lowercase and use hyphen as the separator, +

    The header keys must be lowercase and use hyphen as the separator,
    e.g. x-request-id.

    -

    Header values are case-sensitive and formatted as follows:

    -
      -
    • exact: "value" for exact string match

    • - -
    • prefix: "value" for prefix-based match

    • - -
    • regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    • +
    • +

      exact: "value" for exact string match

      +
    • +
    • +

      prefix: "value" for prefix-based match

      +
    • +
    • +

      regex: "value" for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

      +
    - -

    If the value is empty and only the name of header is specfied, presence of the header is checked. +

    If the value is empty and only the name of header is specfied, presence of the header is checked.
    Note: The keys uri, scheme, method, and authority will be ignored.

    port uint32 -

    Specifies the ports on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they support, +

    Specifies the ports on the host that is being addressed. Many services
    +only expose a single port or label ports with the protocols they support,
    in these cases it is not required to explicitly select the port.

    sourceLabels map<string, string> -

    One or more labels that constrain the applicability of a rule to source (client) workloads -with the given labels. If the VirtualService has a list of gateways specified -in the top-level gateways field, it must include the reserved gateway +

    One or more labels that constrain the applicability of a rule to source (client) workloads
    +with the given labels. If the VirtualService has a list of gateways specified
    +in the top-level gateways field, it must include the reserved gateway
    mesh for this field to be applicable.

    gateways string[] -

    Names of gateways where the rule should be applied. Gateway names -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +

    Names of gateways where the rule should be applied. Gateway names
    +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
    match is independent of sourceLabels.

    map<string, StringMatch>

    Query parameters for matching.

    -

    Ex:

    -
      -
    • For a query parameter like “?key=true”, the map key would be “key” and -the string match could be defined as exact: "true".

    • - -
    • For a query parameter like “?key”, the map key would be “key” and the -string match could be defined as exact: "".

    • - -
    • For a query parameter like “?key=123”, the map key would be “key” and the -string match could be defined as regex: "\d+$". Note that this -configuration will only match values like “123” but not “a123” or “123a”.

    • +
    • +

      For a query parameter like "?key=true", the map key would be "key" and
      +the string match could be defined as exact: "true".

      +
    • +
    • +

      For a query parameter like "?key", the map key would be "key" and the
      +string match could be defined as exact: "".

      +
    • +
    • +

      For a query parameter like "?key=123", the map key would be "key" and the
      +string match could be defined as regex: "\d+$". Note that this
      +configuration will only match values like "123" but not "a123" or "123a".

      +
    -

    Note: prefix matching is currently not supported.

    bool

    Flag to specify whether the URI matching should be case-insensitive.

    - -

    Note: The case will be ignored only in the case of exact and prefix +

    Note: The case will be ignored only in the case of exact and prefix
    URI matches.

    withoutHeaders map<string, StringMatch> -

    withoutHeader has the same syntax with the header, but has opposite meaning. +

    withoutHeader has the same syntax with the header, but has opposite meaning.
    If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

    sourceNamespace string -

    Source namespace constraining the applicability of a rule to workloads in that namespace. -If the VirtualService has a list of gateways specified in the top-level gateways field, +

    Source namespace constraining the applicability of a rule to workloads in that namespace.
    +If the VirtualService has a list of gateways specified in the top-level gateways field,
    it must include the reserved gateway mesh for this field to be applicable.

    statPrefix string -

    The human readable prefix to use when emitting statistics for this route. -The statistics are generated with prefix route.. -This should be set for highly critical routes that one wishes to get “per-route” statistics on. -This prefix is only for proxy-level statistics (envoy*) and not service-level (istio*) statistics. -Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix +

    The human readable prefix to use when emitting statistics for this route.
    +The statistics are generated with prefix route.<stat_prefix>.
    +This should be set for highly critical routes that one wishes to get "per-route" statistics on.
    +This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics.
    +Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix
    for statistics that are generated when this is configured.
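Review bot: the statPrefix description is still wrong after the renderer change, just differently: the old output rendered the metric prefixes as `(envoy*)` and `(istio*)` and the new one renders `(envoy_)` and `(istio_)`, so each renderer eats one character of what is presumably `envoy_*` and `istio_*` (the `_` and `*` are being read as emphasis markers). Wrap both in backticks in the proto comment so the wildcard survives. The `route.<stat_prefix>` line is an improvement, since the old output rendered `route..` after dropping `<stat_prefix>` as an HTML tag; keep that. In the same hunk: the bullet lists under uri, scheme, method, authority, headers and the query-parameter examples now come out with a blank paragraph around every item (loose-list rendering), so check the source for stray blank lines between items; `specfied` should be `specified`; `withoutHeader has the same syntax with the header, but has opposite meaning` should be "the same syntax as headers"; and the query-parameter example `regex: "\d+$"` is not valid YAML as written, because `\d` is not a recognised escape inside a double-quoted scalar and parsers such as go-yaml reject it, so it should be shown single-quoted (`'\d+$'`) or with the backslash doubled.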

    @@ -1715,7 +1618,7 @@

    HTTPRouteDestination

    @@ -1727,8 +1630,8 @@

    HTTPRouteDestination

    @@ -1768,7 +1671,7 @@

    RouteDestination

    @@ -1780,8 +1683,8 @@

    RouteDestination

    @@ -1794,7 +1697,7 @@

    RouteDestination

    L4MatchAttributes

    -

    L4 connection match attributes. Note that L4 connection matching support +

    L4 connection match attributes. Note that L4 connection matching support
    is incomplete.

    destination Destination -

    Destination uniquely identifies the instances of a service +

    Destination uniquely identifies the instances of a service
    to which the request/connection should be forwarded to.

    weight int32 -

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. -If there is only one destination in a rule, it will receive all traffic. +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
    +If there is only one destination in a rule, it will receive all traffic.
    Otherwise, if weight is 0, the destination will not receive any traffic.

    destination Destination -

    Destination uniquely identifies the instances of a service +

    Destination uniquely identifies the instances of a service
    to which the request/connection should be forwarded to.

    weight int32 -

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. -If there is only one destination in a rule, it will receive all traffic. +

    Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
    +If there is only one destination in a rule, it will receive all traffic.
    Otherwise, if weight is 0, the destination will not receive any traffic.

    @@ -1811,7 +1714,7 @@

    L4MatchAttributes

    @@ -1823,8 +1726,8 @@

    L4MatchAttributes

    @@ -1836,9 +1739,9 @@

    L4MatchAttributes

    @@ -1850,8 +1753,8 @@

    L4MatchAttributes

    @@ -1863,8 +1766,8 @@

    L4MatchAttributes

    @@ -1893,10 +1796,10 @@

    TLSMatchAttributes

    @@ -1919,9 +1822,9 @@

    TLSMatchAttributes

    @@ -1933,9 +1836,9 @@

    TLSMatchAttributes

    @@ -1947,8 +1850,8 @@

    TLSMatchAttributes

    @@ -1960,8 +1863,8 @@

    TLSMatchAttributes

    @@ -1974,15 +1877,13 @@

    TLSMatchAttributes

    HTTPRedirect

    -

    HTTPRedirect can be used to send a 301 redirect response to the caller, -where the Authority/Host and the URI in the response can be swapped with -the specified values. For example, the following rule redirects -requests for /v1/getProductRatings API on the ratings service to +

    HTTPRedirect can be used to send a 301 redirect response to the caller,
    +where the Authority/Host and the URI in the response can be swapped with
    +the specified values. For example, the following rule redirects
    +requests for /v1/getProductRatings API on the ratings service to
    /v1/bookRatings provided by the bookratings service.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -1999,11 +1900,8 @@ 

    HTTPRedirect

    authority: newratings.default.svc.cluster.local ...
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
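Review bot: the HTTPRedirect description above says the rule redirects "requests for /v1/getProductRatings API on the ratings service to /v1/bookRatings provided by the bookratings service", but the example's context line is `authority: newratings.default.svc.cluster.local`; align the prose with the example (or the example with the prose) in the istio/api source, since this page is generated and a fix here would be overwritten.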
    @@ -2020,9 +1918,8 @@ 

    HTTPRedirect

    authority: newratings.default.svc.cluster.local ...
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    destinationSubnets string[] -

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
    a.b.c.d/xx form or just a.b.c.d.

    port uint32 -

    Specifies the port on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they support, +

    Specifies the port on the host that is being addressed. Many services
    +only expose a single port or label ports with the protocols they support,
    in these cases it is not required to explicitly select the port.

    sourceLabels map<string, string> -

    One or more labels that constrain the applicability of a rule to -workloads with the given labels. If the VirtualService has a list of -gateways specified in the top-level gateways field, it should include the reserved gateway +

    One or more labels that constrain the applicability of a rule to
    +workloads with the given labels. If the VirtualService has a list of
    +gateways specified in the top-level gateways field, it should include the reserved gateway
    mesh in order for this field to be applicable.

    gateways string[] -

    Names of gateways where the rule should be applied. Gateway names -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +

    Names of gateways where the rule should be applied. Gateway names
    +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
    match is independent of sourceLabels.

    sourceNamespace string -

    Source namespace constraining the applicability of a rule to workloads in that namespace. -If the VirtualService has a list of gateways specified in the top-level gateways field, +

    Source namespace constraining the applicability of a rule to workloads in that namespace.
    +If the VirtualService has a list of gateways specified in the top-level gateways field,
    it must include the reserved gateway mesh for this field to be applicable.

    sniHosts string[] -

    SNI (server name indicator) to match on. Wildcard prefixes -can be used in the SNI value, e.g., *.com will match foo.example.com -as well as example.com. An SNI value must be a subset (i.e., fall -within the domain) of the corresponding virtual serivce’s hosts.

    +

    SNI (server name indicator) to match on. Wildcard prefixes
    +can be used in the SNI value, e.g., *.com will match foo.example.com
    +as well as example.com. An SNI value must be a subset (i.e., fall
    +within the domain) of the corresponding virtual serivce's hosts.
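Review bot: the typo "serivce" survives in `+within the domain) of the corresponding virtual serivce's hosts.`; this file is generated, so fix the proto comment in istio/api (`virtual service's hosts`) rather than patching the HTML. The same line also shows the old output's curly apostrophe (’) becoming a straight one (') under Goldmark, and the quoted strings further down ("v1", "reviews", "ratings", "Unavailable") change the same way; if disabling smart punctuation is intended, say so in the PR description so it is not read as a rendering regression.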

    @@ -1907,7 +1810,7 @@

    TLSMatchAttributes

    destinationSubnets string[] -

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., +

    IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
    a.b.c.d/xx form or just a.b.c.d.

    port uint32 -

    Specifies the port on the host that is being addressed. Many services -only expose a single port or label ports with the protocols they -support, in these cases it is not required to explicitly select the +

    Specifies the port on the host that is being addressed. Many services
    +only expose a single port or label ports with the protocols they
    +support, in these cases it is not required to explicitly select the
    port.

    sourceLabels map<string, string> -

    One or more labels that constrain the applicability of a rule to -workloads with the given labels. If the VirtualService has a list of -gateways specified in the top-level gateways field, it should include the reserved gateway +

    One or more labels that constrain the applicability of a rule to
    +workloads with the given labels. If the VirtualService has a list of
    +gateways specified in the top-level gateways field, it should include the reserved gateway
    mesh in order for this field to be applicable.

    gateways string[] -

    Names of gateways where the rule should be applied. Gateway names -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway +

    Names of gateways where the rule should be applied. Gateway names
    +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
    match is independent of sourceLabels.

    sourceNamespace string -

    Source namespace constraining the applicability of a rule to workloads in that namespace. -If the VirtualService has a list of gateways specified in the top-level gateways field, +

    Source namespace constraining the applicability of a rule to workloads in that namespace.
    +If the VirtualService has a list of gateways specified in the top-level gateways field,
    it must include the reserved gateway mesh for this field to be applicable.

    @@ -2038,8 +1935,8 @@

    HTTPRedirect

    @@ -2051,7 +1948,7 @@

    HTTPRedirect

    @@ -2074,9 +1971,11 @@

    HTTPRedirect

    @@ -2101,7 +2000,7 @@

    HTTPRedirect

    @@ -2114,13 +2013,11 @@

    HTTPRedirect

    HTTPDirectResponse

    -

    HTTPDirectResponse can be used to send a fixed response to clients. -For example, the following rule returns a fixed 503 status with a body +

    HTTPDirectResponse can be used to send a fixed response to clients.
    +For example, the following rule returns a fixed 503 status with a body
    to requests for /v1/getProductRatings API.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -2138,11 +2035,8 @@ 

    HTTPDirectResponse

    string: "unknown error" ...
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -2160,16 +2054,12 @@ 

    HTTPDirectResponse

    string: "unknown error" ...
    - -

    {{}} -{{}}

    - -

    It is also possible to specify a binary response body. +

    {{}}
    +{{}}

    +

    It is also possible to specify a binary response body.
    This is mostly useful for non text-based protocols such as gRPC.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -2187,11 +2077,8 @@ 

    HTTPDirectResponse

    bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -2209,17 +2096,13 @@ 

    HTTPDirectResponse

    bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
    - -

    {{}} -{{}}

    - -

    It is good practice to add headers in the HTTPRoute -as well as the direct_response, for example to specify +

    {{}}
    +{{}}

    +

    It is good practice to add headers in the HTTPRoute
    +as well as the direct_response, for example to specify
    the returned Content-Type.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -2241,11 +2124,8 @@ 

    HTTPDirectResponse

    content-type: "appliation/json" ...
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
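Review bot: the v1alpha3 tab still carries the typo `content-type: "appliation/json"`, which the direct response would emit verbatim as the Content-Type of the generated response, while the v1beta1 tab in the next hunk uses `content-type: "text/plain"`; the two tabs are meant to be the same example, so correct the value to `application/json` (or make both tabs agree) in the istio/api source.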
    @@ -2267,9 +2147,8 @@ 

    HTTPDirectResponse

    content-type: "text/plain" ...
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    uri string -

    On a redirect, overwrite the Path portion of the URL with this -value. Note that the entire path will be replaced, irrespective of the +

    On a redirect, overwrite the Path portion of the URL with this
    +value. Note that the entire path will be replaced, irrespective of the
    request URI being matched as an exact path or prefix.

    authority string -

    On a redirect, overwrite the Authority/Host portion of the URL with +

    On a redirect, overwrite the Authority/Host portion of the URL with
    this value.

    derivePort RedirectPortSelection (oneof) -

    On a redirect, dynamically set the port: -* FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS. -* FROM_REQUEST_PORT: automatically use the port of the request.

    +

    On a redirect, dynamically set the port:

    +
      +
    • FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and 443 for HTTPS.
    • +
    • FROM_REQUEST_PORT: automatically use the port of the request.
    • +
    @@ -2087,9 +1986,9 @@

    HTTPRedirect

    scheme string -

    On a redirect, overwrite the scheme portion of the URL with this value. -For example, http or https. -If unset, the original scheme will be used. +

    On a redirect, overwrite the scheme portion of the URL with this value.
    +For example, http or https.
    +If unset, the original scheme will be used.
    If derivePort is set to FROM_PROTOCOL_DEFAULT, this will impact the port used as well

    redirectCode uint32 -

    On a redirect, Specifies the HTTP status code to use in the redirect +

    On a redirect, Specifies the HTTP status code to use in the redirect
    response. The default response code is MOVED_PERMANENTLY (301).

    @@ -2296,7 +2175,7 @@

    HTTPDirectResponse

    @@ -2346,15 +2225,13 @@

    HTTPBody

    HTTPRewrite

    -

    HTTPRewrite can be used to rewrite specific parts of a HTTP request -before forwarding the request to the destination. Rewrite primitive can -be used only with HTTPRouteDestination. The following example -demonstrates how to rewrite the URL prefix for api call (/ratings) to +

    HTTPRewrite can be used to rewrite specific parts of a HTTP request
    +before forwarding the request to the destination. Rewrite primitive can
    +be used only with HTTPRouteDestination. The following example
    +demonstrates how to rewrite the URL prefix for api call (/ratings) to
    ratings service before making the actual API call.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -2373,11 +2250,8 @@ 

    HTTPRewrite

    host: ratings.prod.svc.cluster.local subset: v1
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -2396,9 +2270,8 @@ 

    HTTPRewrite

    host: ratings.prod.svc.cluster.local subset: v1
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    body HTTPBody -

    Specifies the content of the response body. If this setting is omitted, +

    Specifies the content of the response body. If this setting is omitted,
    no body is included in the generated response.

    @@ -2414,8 +2287,8 @@

    HTTPRewrite

    @@ -2439,7 +2312,7 @@

    HTTPRewrite

    StringMatch

    -

    Describes how to match a given string in HTTP headers. Match is +

    Describes how to match a given string in HTTP headers. Match is
    case-sensitive.

    uri string -

    rewrite the path (or the prefix) portion of the URI with this -value. If the original URI was matched based on prefix, the value +

    rewrite the path (or the prefix) portion of the URI with this
    +value. If the original URI was matched based on prefix, the value
    provided in this field will replace the corresponding matched prefix.

    @@ -2478,7 +2351,7 @@

    StringMatch

    regex string (oneof) -

    RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    +

    RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    @@ -2490,15 +2363,13 @@

    StringMatch

    HTTPRetry

    -

    Describes the retry policy to use when a HTTP request fails. For -example, the following rule sets the maximum number of retries to 3 when -calling ratings:v1 service, with a 2s timeout per retry attempt. -A retry will be attempted if there is a connect-failure, refused_stream +

    Describes the retry policy to use when a HTTP request fails. For
    +example, the following rule sets the maximum number of retries to 3 when
    +calling ratings:v1 service, with a 2s timeout per retry attempt.
    +A retry will be attempted if there is a connect-failure, refused_stream
    or when the upstream server responds with Service Unavailable(503).

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -2516,11 +2387,8 @@ 

    HTTPRetry

    perTryTimeout: 2s retryOn: connect-failure,refused-stream,503
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -2538,9 +2406,8 @@ 

    HTTPRetry

    perTryTimeout: 2s retryOn: gateway-error,connect-failure,refused-stream
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}
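Review bot: the two tabs of the HTTPRetry example disagree: v1alpha3 has `retryOn: connect-failure,refused-stream,503` while v1beta1 has `retryOn: gateway-error,connect-failure,refused-stream`, and the description above says a retry happens on a 503. `gateway-error` is broader (it covers 502, 503 and 504 responses), so pick one value for both tabs and make the prose match it; otherwise readers will assume one tab is a typo.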

    @@ -2556,10 +2423,10 @@

    HTTPRetry

    @@ -2571,9 +2438,9 @@

    HTTPRetry

    @@ -2585,10 +2452,10 @@

    HTTPRetry

    @@ -2600,7 +2467,7 @@

    HTTPRetry

    @@ -2613,17 +2480,15 @@

    HTTPRetry

    CorsPolicy

    -

    Describes the Cross-Origin Resource Sharing (CORS) policy, for a given -service. Refer to CORS -for further details about cross origin resource sharing. For example, -the following rule restricts cross origin requests to those originating -from example.com domain using HTTP POST/GET, and sets the -Access-Control-Allow-Credentials header to false. In addition, it only +

    Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
    +service. Refer to CORS
    +for further details about cross origin resource sharing. For example,
    +the following rule restricts cross origin requests to those originating
    +from example.com domain using HTTP POST/GET, and sets the
    +Access-Control-Allow-Credentials header to false. In addition, it only
    exposes X-Foo-bar header and sets an expiry period of 1 day.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -2647,11 +2512,8 @@ 

    CorsPolicy

    - X-Foo-Bar maxAge: "24h"
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -2675,9 +2537,8 @@ 

    CorsPolicy

    - X-Foo-Bar maxAge: "24h"
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    attempts int32 -

    Number of retries to be allowed for a given request. The interval -between retries will be determined automatically (25ms+). When request -timeout of the HTTP route -or per_try_timeout is configured, the actual number of retries attempted also depends on +

    Number of retries to be allowed for a given request. The interval
    +between retries will be determined automatically (25ms+). When request
    +timeout of the HTTP route
    +or per_try_timeout is configured, the actual number of retries attempted also depends on
    the specified request timeout and per_try_timeout values.

    perTryTimeout Duration -

    Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. -Default is same value as request -timeout of the HTTP route, +

    Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms.
    +Default is same value as request
    +timeout of the HTTP route,
    which means no timeout.

    retryOn string -

    Specifies the conditions under which retry takes place. -One or more policies can be specified using a ‘,’ delimited list. -If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. -See the retry policies +

    Specifies the conditions under which retry takes place.
    +One or more policies can be specified using a ‘,’ delimited list.
    +If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy.
    +See the retry policies
    and gRPC retry policies for more details.

    retryRemoteLocalities BoolValue -

    Flag to specify whether the retries should retry to other localities. +

    Flag to specify whether the retries should retry to other localities.
    See the retry plugin configuration for more details.

    @@ -2693,8 +2554,8 @@

    CorsPolicy

    @@ -2706,7 +2567,7 @@

    CorsPolicy

    @@ -2718,7 +2579,7 @@

    CorsPolicy

    @@ -2730,7 +2591,7 @@

    CorsPolicy

    @@ -2742,7 +2603,7 @@

    CorsPolicy

    @@ -2754,8 +2615,8 @@

    CorsPolicy

    @@ -2768,13 +2629,12 @@

    CorsPolicy

    HTTPFaultInjection

    -

    HTTPFaultInjection can be used to specify one or more faults to inject -while forwarding HTTP requests to the destination specified in a route. -Fault specification is part of a VirtualService rule. Faults include -aborting the Http request from downstream service, and/or delaying +

    HTTPFaultInjection can be used to specify one or more faults to inject
    +while forwarding HTTP requests to the destination specified in a route.
    +Fault specification is part of a VirtualService rule. Faults include
    +aborting the Http request from downstream service, and/or delaying
    proxying of requests. A fault rule MUST HAVE delay or abort or both.

    - -

    Note: Delay and abort faults are independent of one another, even if +

    Note: Delay and abort faults are independent of one another, even if
    both are specified simultaneously.

    allowOrigins StringMatch[] -

    String patterns that match allowed origins. -An origin is allowed if any of the string matchers match. +

    String patterns that match allowed origins.
    +An origin is allowed if any of the string matchers match.
    If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

    allowMethods string[] -

    List of HTTP methods allowed to access the resource. The content will +

    List of HTTP methods allowed to access the resource. The content will
    be serialized into the Access-Control-Allow-Methods header.

    allowHeaders string[] -

    List of HTTP headers that can be used when requesting the +

    List of HTTP headers that can be used when requesting the
    resource. Serialized to Access-Control-Allow-Headers header.

    exposeHeaders string[] -

    A list of HTTP headers that the browsers are allowed to +

    A list of HTTP headers that the browsers are allowed to
    access. Serialized into Access-Control-Expose-Headers header.

    maxAge Duration -

    Specifies how long the results of a preflight request can be +

    Specifies how long the results of a preflight request can be
    cached. Translates to the Access-Control-Max-Age header.

    allowCredentials BoolValue -

    Indicates whether the caller is allowed to send the actual request -(not the preflight) using credentials. Translates to +

    Indicates whether the caller is allowed to send the actual request
    +(not the preflight) using credentials. Translates to
    Access-Control-Allow-Credentials header.
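Review bot: the allowOrigins description (`If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.`) should warn that, combined with `allowCredentials` set to true, a loose matcher turns this into a credentialed cross-origin read for every origin the pattern accepts, because the header reflects whatever Origin the client sent. Suggest adding one sentence to the field doc recommending exact matchers (or a tightly scoped regex) for allowOrigins whenever allowCredentials is enabled.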

    @@ -2791,7 +2651,7 @@

    HTTPFaultInjection

    @@ -2803,7 +2663,7 @@

    HTTPFaultInjection

    @@ -2816,7 +2676,7 @@

    HTTPFaultInjection

    PortSelector

    -

    PortSelector specifies the number of a port to be used for +

    PortSelector specifies the number of a port to be used for
    matching or selection for final routing.

    delay Delay -

    Delay requests before forwarding, emulating various failures such as +

    Delay requests before forwarding, emulating various failures such as
    network issues, overloaded upstream service, etc.

    abort Abort -

    Abort Http request attempts and return error codes back to downstream +

    Abort Http request attempts and return error codes back to downstream
    service, giving the impression that the upstream service is faulty.

    @@ -2898,7 +2758,7 @@

    Headers.HeaderOperations

    @@ -2922,14 +2782,12 @@

    Headers.HeaderOperations

    HTTPFaultInjection.Delay

    -

    Delay specification is used to inject latency into the request -forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the “v1” version of the “reviews” +

    Delay specification is used to inject latency into the request
    +forwarding path. The following example will introduce a 5 second delay
    +in 1 out of every 1000 requests to the "v1" version of the "reviews"
    service from all pods with label env: prod

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -2951,11 +2809,8 @@ 

    HTTPFaultInjection.Delay

    value: 0.1 fixedDelay: 5s
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -2977,12 +2832,10 @@ 

    HTTPFaultInjection.Delay

    value: 0.1 fixedDelay: 5s
    - -

    {{}} -{{}}

    - -

    The fixedDelay field is used to indicate the amount of delay in seconds. -The optional percentage field can be used to only delay a certain +

    {{}}
    +{{}}

    +

    The fixedDelay field is used to indicate the amount of delay in seconds.
    +The optional percentage field can be used to only delay a certain
    percentage of requests. If left unspecified, all request will be delayed.

    add map<string, string> -

    Append the given values to the headers specified by keys +

    Append the given values to the headers specified by keys
    (will create a comma-separated list of values)
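Review bot: `The fixedDelay field is used to indicate the amount of delay in seconds.` contradicts the fixedDelay field description (`Format: 1h/1m/1s/1ms. MUST be >=1ms.`), which is a Duration rather than a count of seconds; suggest "the amount of delay (for example 5s)" in the istio/api source so the two descriptions agree.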

    @@ -2999,7 +2852,7 @@

    HTTPFaultInjection.Delay

    @@ -3022,8 +2875,8 @@

    HTTPFaultInjection.Delay

    @@ -3036,13 +2889,11 @@

    HTTPFaultInjection.Delay

    HTTPFaultInjection.Abort

    -

    Abort specification is used to prematurely abort a request with a -pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    - -

    {{}} -{{}}

    - +

    Abort specification is used to prematurely abort a request with a
    +pre-specified error code. The following example will return an HTTP 400
    +error code for 1 out of every 1000 requests to the "ratings" service "v1".

    +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: VirtualService
     metadata:
    @@ -3061,11 +2912,8 @@ 

    HTTPFaultInjection.Abort

    value: 0.1 httpStatus: 400
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -3084,13 +2932,11 @@ 

    HTTPFaultInjection.Abort

    value: 0.1 httpStatus: 400
    - -

    {{}} -{{}}

    - -

    The httpStatus field is used to indicate the HTTP status code to -return to the caller. The optional percentage field can be used to only -abort a certain percentage of requests. If not specified, all requests are +

    {{}}
    +{{}}

    +

    The httpStatus field is used to indicate the HTTP status code to
    +return to the caller. The optional percentage field can be used to only
    +abort a certain percentage of requests. If not specified, all requests are
    aborted.

    fixedDelay Duration (oneof) -

    Add a fixed delay before forwarding the request. Format: +

    Add a fixed delay before forwarding the request. Format:
    1h/1m/1s/1ms. MUST be >=1ms.

    percent int32 -

    Percentage of requests on which the delay will be injected (0-100). -Use of integer percent value is deprecated. Use the double percentage +

    Percentage of requests on which the delay will be injected (0-100).
    +Use of integer percent value is deprecated. Use the double percentage
    field instead.

    @@ -3118,9 +2964,9 @@

    HTTPFaultInjection.Abort

    @@ -3145,7 +2991,6 @@

    HTTPFaultInjection.Abort

    google.protobuf.UInt32Value

    Wrapper message for uint32.

    -

    The JSON representation for UInt32Value is JSON number.

    grpcStatus string (oneof) -

    GRPC status code to use to abort the request. The supported -codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md -Note: If you want to return the status “Unavailable”, then you should +

    GRPC status code to use to abort the request. The supported
    +codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md
    +Note: If you want to return the status "Unavailable", then you should
    specify the code as UNAVAILABLE(all caps), but not 14.

    diff --git a/content/zh/docs/reference/config/networking/workload-entry/index.html b/content/zh/docs/reference/config/networking/workload-entry/index.html index 2b8051aa58411..05d9e5dc4316d 100644 --- a/content/zh/docs/reference/config/networking/workload-entry/index.html +++ b/content/zh/docs/reference/config/networking/workload-entry/index.html @@ -1,41 +1,37 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Workload Entry description: Configuration affecting VMs onboarded into the mesh. location: https://istio.io/docs/reference/config/networking/workload-entry.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.WorkloadEntry aliases: [/zh/docs/reference/config/networking/v1alpha3/workload-entry] number_of_entries: 1 --- -

    WorkloadEntry enables operators to describe the properties of a -single non-Kubernetes workload such as a VM or a bare metal server -as it is onboarded into the mesh. A WorkloadEntry must be -accompanied by an Istio ServiceEntry that selects the workload -through the appropriate labels and provides the service definition -for a MESH_INTERNAL service (hostnames, port properties, etc.). A -ServiceEntry object can select multiple workload entries as well -as Kubernetes pods based on the label selector specified in the +

    WorkloadEntry enables operators to describe the properties of a
    +single non-Kubernetes workload such as a VM or a bare metal server
    +as it is onboarded into the mesh. A WorkloadEntry must be
    +accompanied by an Istio ServiceEntry that selects the workload
    +through the appropriate labels and provides the service definition
    +for a MESH_INTERNAL service (hostnames, port properties, etc.). A
    +ServiceEntry object can select multiple workload entries as well
    +as Kubernetes pods based on the label selector specified in the
    service entry.

    - -

    When a workload connects to istiod, the status field in the -custom resource will be updated to indicate the health of the -workload along with other details, similar to how Kubernetes +

    When a workload connects to istiod, the status field in the
    +custom resource will be updated to indicate the health of the
    +workload along with other details, similar to how Kubernetes
    updates the status of a pod.

    - -

    The following example declares a workload entry representing a VM -for the details.bookinfo.com service. This VM has sidecar -installed and bootstrapped using the details-legacy service -account. The service is exposed on port 80 to applications in the -mesh. The HTTP traffic to this service is wrapped in Istio mutual -TLS and sent to sidecars on VMs on target port 8080, that in turn +

    The following example declares a workload entry representing a VM
    +for the details.bookinfo.com service. This VM has sidecar
    +installed and bootstrapped using the details-legacy service
    +account. The service is exposed on port 80 to applications in the
    +mesh. The HTTP traffic to this service is wrapped in Istio mutual
    +TLS and sent to sidecars on VMs on target port 8080, that in turn
    forward it to the application on localhost on the same port.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: WorkloadEntry
     metadata:
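Review bot: the front matter now tells contributors to edit `https://github.com/ericvn/api` (`+source_repo: https://github.com/ericvn/api` and the WARNING line) and switches `-layout: protoc-gen-docs` to `+layout: partner-component`; the same substitution appears in the workload-group front matter below. That is fine for testing the Goldmark output from a fork, but both the source_repo pointer and the layout must go back to `istio/api` and `protoc-gen-docs` before this merges, or the regeneration path and the WARNING header will point at a personal repository.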
    @@ -51,11 +47,8 @@
         app: details-legacy
         instance-id: vm1
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: WorkloadEntry
     metadata:
    @@ -71,15 +64,11 @@
         app: details-legacy
         instance-id: vm1
     
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    and the associated service entry

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -98,11 +87,8 @@
         labels:
           app: details-legacy
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -121,19 +107,15 @@
         labels:
           app: details-legacy
     
    - -

    {{}} -{{}}

    - -

    The following example declares the same VM workload using -its fully qualified DNS name. The service entry’s resolution -mode should be changed to DNS to indicate that the client-side -sidecars should dynamically resolve the DNS name at runtime before +

    {{}}
    +{{}}

    +

    The following example declares the same VM workload using
    +its fully qualified DNS name. The service entry's resolution
    +mode should be changed to DNS to indicate that the client-side
    +sidecars should dynamically resolve the DNS name at runtime before
    forwarding the request.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: WorkloadEntry
     metadata:
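Review bot: the only textual change in this hunk is the apostrophe in "service entry’s" becoming a straight quote and the paragraph being re-wrapped one sentence per line (the removed text at "-mode should be changed to DNS to indicate that the client-side -sidecars" is otherwise identical to the added lines). Every regenerated reference page will show the same wrap-induced churn, so it would help reviewers if the generator's line wrapping were settled before the real regeneration, leaving only substantive wording changes visible in the diff.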
    @@ -149,11 +131,8 @@
         app: details-legacy
         instance-id: vm1
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: WorkloadEntry
     metadata:
    @@ -169,15 +148,11 @@
         app: details-legacy
         instance-id: vm1
     
    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    and the associated service entry

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: ServiceEntry
     metadata:
    @@ -196,11 +171,8 @@
         labels:
           app: details-legacy
     
    - -

    {{}}

    - -

    {{}}

    - +

    {{}}

    +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: ServiceEntry
     metadata:
    @@ -219,9 +191,8 @@
         labels:
           app: details-legacy
     
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    WorkloadEntry

    @@ -241,9 +212,9 @@

    WorkloadEntry

    @@ -255,19 +226,17 @@

    WorkloadEntry

    @@ -290,13 +259,13 @@

    WorkloadEntry

    @@ -308,22 +277,22 @@

    WorkloadEntry

    @@ -335,7 +304,7 @@

    WorkloadEntry

    @@ -347,9 +316,9 @@

    WorkloadEntry

    diff --git a/content/zh/docs/reference/config/networking/workload-group/index.html b/content/zh/docs/reference/config/networking/workload-group/index.html index 5b0352e6ccf1a..de8b6aed9ca4a 100644 --- a/content/zh/docs/reference/config/networking/workload-group/index.html +++ b/content/zh/docs/reference/config/networking/workload-group/index.html @@ -1,32 +1,29 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Workload Group description: Describes a collection of workload instances. location: https://istio.io/docs/reference/config/networking/workload-group.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.networking.v1alpha3.WorkloadGroup aliases: [/zh/docs/reference/config/networking/v1alpha3/workload-group] number_of_entries: 7 --- -

    WorkloadGroup describes a collection of workload instances. -It provides a specification that the workload instances can use to bootstrap -their proxies, including the metadata and identity. It is only intended to -be used with non-k8s workloads like Virtual Machines, and is meant to mimic -the existing sidecar injection and deployment specification model used for +

    WorkloadGroup describes a collection of workload instances.
    +It provides a specification that the workload instances can use to bootstrap
    +their proxies, including the metadata and identity. It is only intended to
    +be used with non-k8s workloads like Virtual Machines, and is meant to mimic
    +the existing sidecar injection and deployment specification model used for
    Kubernetes workloads to bootstrap Istio proxies.

    - -

    The following example declares a workload group representing a collection -of workloads that will be registered under reviews in namespace -bookinfo. The set of labels will be associated with each workload -instance during the bootstrap process, and the ports 3550 and 8080 -will be associated with the workload group and use service account default. +

    The following example declares a workload group representing a collection
    +of workloads that will be registered under reviews in namespace
    +bookinfo. The set of labels will be associated with each workload
    +instance during the bootstrap process, and the ports 3550 and 8080
    +will be associated with the workload group and use service account default.
    app.kubernetes.io/version is just an arbitrary example of a label.

    - -

    {{}} -{{}}

    - +

    {{}}
    +{{}}

    apiVersion: networking.istio.io/v1alpha3
     kind: WorkloadGroup
     metadata:
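Review bot: the front-matter change in this hunk replaces "source_repo: https://github.com/istio/api" with "https://github.com/ericvn/api" and "layout: protoc-gen-docs" with "layout: partner-component"; both read as values left over from a local test run rather than the intended change, and the WARNING line now tells editors to modify a personal fork. Before this lands, regenerate against istio/api so source_repo and the warning text are unchanged, and confirm that partner-component is really the layout meant for reference pages, given that the generator line still says protoc-gen-docs.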
    @@ -57,17 +54,16 @@
          - name: Lit-Header
            value: Im-The-Best
     
    - -

    {{}} -{{}}

    +

    {{}}
    +{{}}

    WorkloadGroup

    -

    WorkloadGroup enables specifying the properties of a single workload for bootstrap and -provides a template for WorkloadEntry, similar to how Deployment specifies properties -of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry. -WorkloadGroup has no relationship to resources which control service registry like ServiceEntry -and as such doesn’t configure host name for these workloads.

    +

    WorkloadGroup enables specifying the properties of a single workload for bootstrap and
    +provides a template for WorkloadEntry, similar to how Deployment specifies properties
    +of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry.
    +WorkloadGroup has no relationship to resources which control service registry like ServiceEntry
    +and as such doesn't configure host name for these workloads.

    address string -

    Address associated with the network endpoint without the -port. Domain names can be used if and only if the resolution is set -to DNS, and must be fully-qualified without wildcards. Use the form +

    Address associated with the network endpoint without the
    +port. Domain names can be used if and only if the resolution is set
    +to DNS, and must be fully-qualified without wildcards. Use the form
    unix:///absolute/path/to/socket for Unix domain socket endpoints.

    ports map<string, uint32> -

    Set of ports associated with the endpoint. If the port map is -specified, it must be a map of servicePortName to this endpoint’s -port, such that traffic to the service port will be forwarded to -the endpoint port that maps to the service’s portName. If -omitted, and the targetPort is specified as part of the service’s -port specification, traffic to the service port will be forwarded -to one of the endpoints on the specified targetPort. If both -the targetPort and endpoint’s port map are not specified, traffic -to a service port will be forwarded to one of the endpoints on +

    Set of ports associated with the endpoint. If the port map is
    +specified, it must be a map of servicePortName to this endpoint's
    +port, such that traffic to the service port will be forwarded to
    +the endpoint port that maps to the service's portName. If
    +omitted, and the targetPort is specified as part of the service's
    +port specification, traffic to the service port will be forwarded
    +to one of the endpoints on the specified targetPort. If both
    +the targetPort and endpoint's port map are not specified, traffic
    +to a service port will be forwarded to one of the endpoints on
    the same port.

    -

    NOTE 1: Do not use for unix:// addresses.

    -

    NOTE 2: endpoint port map takes precedence over targetPort.

    network string -

    Network enables Istio to group endpoints resident in the same L3 -domain/network. All endpoints in the same network are assumed to be -directly reachable from one another. When endpoints in different -networks cannot reach each other directly, an Istio Gateway can be -used to establish connectivity (usually using the -AUTO_PASSTHROUGH mode in a Gateway Server). This is -an advanced configuration used typically for spanning an Istio mesh +

    Network enables Istio to group endpoints resident in the same L3
    +domain/network. All endpoints in the same network are assumed to be
    +directly reachable from one another. When endpoints in different
    +networks cannot reach each other directly, an Istio Gateway can be
    +used to establish connectivity (usually using the
    +AUTO_PASSTHROUGH mode in a Gateway Server). This is
    +an advanced configuration used typically for spanning an Istio mesh
    over multiple clusters.

    locality string -

    The locality associated with the endpoint. A locality corresponds -to a failure domain (e.g., country/region/zone). Arbitrary failure -domain hierarchies can be represented by separating each -encapsulating failure domain by /. For example, the locality of an -an endpoint in US, in US-East-1 region, within availability zone -az-1, in data center rack r11 can be represented as -us/us-east-1/az-1/r11. Istio will configure the sidecar to route to -endpoints within the same locality as the sidecar. If none of the -endpoints in the locality are available, endpoints parent locality -(but within the same network ID) will be chosen. For example, if -there are two endpoints in same network (networkID “n1”), say e1 -with locality us/us-east-1/az-1/r11 and e2 with locality -us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality -will prefer e1 from the same locality over e2 from a different -locality. Endpoint e2 could be the IP associated with a gateway -(that bridges networks n1 and n2), or the IP associated with a +

    The locality associated with the endpoint. A locality corresponds
    +to a failure domain (e.g., country/region/zone). Arbitrary failure
    +domain hierarchies can be represented by separating each
    +encapsulating failure domain by /. For example, the locality of an
    +an endpoint in US, in US-East-1 region, within availability zone
    +az-1, in data center rack r11 can be represented as
    +us/us-east-1/az-1/r11. Istio will configure the sidecar to route to
    +endpoints within the same locality as the sidecar. If none of the
    +endpoints in the locality are available, endpoints parent locality
    +(but within the same network ID) will be chosen. For example, if
    +there are two endpoints in same network (networkID "n1"), say e1
    +with locality us/us-east-1/az-1/r11 and e2 with locality
    +us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality
    +will prefer e1 from the same locality over e2 from a different
    +locality. Endpoint e2 could be the IP associated with a gateway
    +(that bridges networks n1 and n2), or the IP associated with a
    standard service endpoint.

    weight uint32 -

    The load balancing weight associated with the endpoint. Endpoints +

    The load balancing weight associated with the endpoint. Endpoints
    with higher weights will receive proportionally higher traffic.

    serviceAccount string -

    The service account associated with the workload if a sidecar -is present in the workload. The service account must be present -in the same namespace as the configuration ( WorkloadEntry or a +

    The service account associated with the workload if a sidecar
    +is present in the workload. The service account must be present
    +in the same namespace as the configuration ( WorkloadEntry or a
    ServiceEntry)

    @@ -83,7 +79,7 @@

    WorkloadGroup

    @@ -95,10 +91,10 @@

    WorkloadGroup

    @@ -110,7 +106,7 @@

    WorkloadGroup

    @@ -148,7 +144,7 @@

    ReadinessProbe

    @@ -160,7 +156,7 @@

    ReadinessProbe

    @@ -172,7 +168,7 @@

    ReadinessProbe

    @@ -184,7 +180,7 @@

    ReadinessProbe

    @@ -196,7 +192,7 @@

    ReadinessProbe

    @@ -267,8 +263,8 @@

    HTTPHealthCheckConfig

    @@ -403,7 +399,7 @@

    ExecHealthCheckConfig

    WorkloadGroup.ObjectMeta

    -

    ObjectMeta describes metadata that will be attached to a WorkloadEntry. +

    ObjectMeta describes metadata that will be attached to a WorkloadEntry.
    It is a subset of the supported Kubernetes metadata.

    metadata ObjectMeta -

    Metadata that will be used for all corresponding WorkloadEntries. +

    Metadata that will be used for all corresponding WorkloadEntries.
    User labels for a workload group should be set here in metadata rather than in template.

    template WorkloadEntry -

    Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. -Please note that address and labels fields should not be set in the template, and an empty serviceAccount -should default to default. The workload identities (mTLS certificates) will be bootstrapped using the -specified service account’s token. Workload entries in this group will be in the same namespace as the +

    Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup.
    +Please note that address and labels fields should not be set in the template, and an empty serviceAccount
    +should default to default. The workload identities (mTLS certificates) will be bootstrapped using the
    +specified service account's token. Workload entries in this group will be in the same namespace as the
    workload group, and inherit the labels and annotations from the above metadata field.

    probe ReadinessProbe -

    ReadinessProbe describes the configuration the user must provide for healthchecking on their workload. +

    ReadinessProbe describes the configuration the user must provide for healthchecking on their workload.
    This configuration mirrors K8S in both syntax and logic for the most part.

    timeoutSeconds int32 -

    Number of seconds after which the probe times out. +

    Number of seconds after which the probe times out.
    Defaults to 1 second. Minimum value is 1 second.

    periodSeconds int32 -

    How often (in seconds) to perform the probe. +

    How often (in seconds) to perform the probe.
    Default to 10 seconds. Minimum value is 1 second.

    successThreshold int32 -

    Minimum consecutive successes for the probe to be considered successful after having failed. +

    Minimum consecutive successes for the probe to be considered successful after having failed.
    Defaults to 1 second.

    failureThreshold int32 -

    Minimum consecutive failures for the probe to be considered failed after having succeeded. +

    Minimum consecutive failures for the probe to be considered failed after having succeeded.
    Defaults to 3 seconds.

    httpGet HTTPHealthCheckConfig (oneof) -

    httpGet is performed to a given endpoint +

    httpGet is performed to a given endpoint
    and the status/able to connect determines health.

    host string -

    Host name to connect to, defaults to the pod IP. You probably want to set -“Host” in httpHeaders instead.

    +

    Host name to connect to, defaults to the pod IP. You probably want to set
    +"Host" in httpHeaders instead.

    @@ -290,7 +286,7 @@

    HTTPHealthCheckConfig

    httpHeaders HTTPHeader[] -

    Headers the proxy will pass on to make the request. +

    Headers the proxy will pass on to make the request.
    Allows repeated headers.

    diff --git a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html index 2b85b6e193816..86c457f44ba80 100644 --- a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -1,29 +1,25 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Wasm Plugin description: Extend the functionality provided by the Istio proxy through WebAssembly filters. location: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.extensions.v1alpha1.WasmPlugin aliases: [/zh/docs/reference/config/extensions/v1alpha1/wasm-plugin] number_of_entries: 6 --- -

    WasmPlugins provides a mechanism to extend the functionality provided by +

    WasmPlugins provides a mechanism to extend the functionality provided by
    the Istio proxy through WebAssembly filters.

    - -

    Order of execution (as part of Envoy’s filter chain) is determined by -phase and priority settings, allowing the configuration of complex -interactions between user-supplied WasmPlugins and Istio’s internal +

    Order of execution (as part of Envoy's filter chain) is determined by
    +phase and priority settings, allowing the configuration of complex
    +interactions between user-supplied WasmPlugins and Istio's internal
    filters.

    -

    Examples:

    - -

    AuthN Filter deployed to ingress-gateway that implements an OpenID flow -and populates the Authorization header with a JWT to be consumed by +

    AuthN Filter deployed to ingress-gateway that implements an OpenID flow
    +and populates the Authorization header with a JWT to be consumed by
    Istio AuthN.

    -
    apiVersion: extensions.istio.io/v1alpha1
     kind: WasmPlugin
     metadata:
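Review bot: this file's front matter has the same test-only values as the other regenerated pages (source_repo and the WARNING line pointing at the ericvn/api fork, layout switched to partner-component) and needs reverting to istio/api before merge. Separately, the description "WasmPlugins provides a mechanism" has a subject/verb mismatch in both the removed and the added text, which belongs in the upstream proto comment.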
    @@ -40,9 +36,7 @@
         openid_server: authn
         openid_realm: ingress
     
    -

    This is the same as the last example, but using an OCI image.

    -
    apiVersion: extensions.istio.io/v1alpha1
     kind: WasmPlugin
     metadata:
    @@ -60,9 +54,7 @@
         openid_server: authn
         openid_realm: ingress
     
    -

    This is the same as the last example, but using VmConfig to configure environment variables in the VM.

    -
    apiVersion: extensions.istio.io/v1alpha1
     kind: WasmPlugin
     metadata:
    @@ -86,9 +78,7 @@
         - name: TRUST_DOMAIN
           value: "cluster.local"
     
    -

    This is also the same as the last example, but the Wasm module is pulled via https and updated for each time when this plugin resource is changed.

    -
    apiVersion: extensions.istio.io/v1alpha1
     kind: WasmPlugin
     metadata:
    @@ -111,22 +101,19 @@
         - name: TRUST_DOMAIN
           value: "cluster.local"
     
    - -

    And a more complex example that deploys three WasmPlugins and orders them -using phase and priority. The (hypothetical) setup is that the -openid-connect filter performs an OpenID Connect flow to authenticate the -user, writing a signed JWT into the Authorization header of the request, -which can be verified by the Istio authn plugin. Then, the acl-check plugin -kicks in, passing the JWT to a policy server, which in turn responds with a -signed token that contains information about which files and functions of the -system are available to the user that was previously authenticated. The -acl-check filter writes this token to a header. Finally, the check-header -filter verifies the token in that header and makes sure that the token’s -contents (the permitted ‘function’) matches its plugin configuration.

    - -

    The resulting filter chain looks like this: +

    And a more complex example that deploys three WasmPlugins and orders them
    +using phase and priority. The (hypothetical) setup is that the
    +openid-connect filter performs an OpenID Connect flow to authenticate the
    +user, writing a signed JWT into the Authorization header of the request,
    +which can be verified by the Istio authn plugin. Then, the acl-check plugin
    +kicks in, passing the JWT to a policy server, which in turn responds with a
    +signed token that contains information about which files and functions of the
    +system are available to the user that was previously authenticated. The
    +acl-check filter writes this token to a header. Finally, the check-header
    +filter verifies the token in that header and makes sure that the token's
    +contents (the permitted 'function') matches its plugin configuration.

    +

    The resulting filter chain looks like this:
    -> openid-connect -> istio.authn -> acl-check -> check-header -> router

    -
    apiVersion: extensions.istio.io/v1alpha1
     kind: WasmPlugin
     metadata:
    @@ -144,7 +131,6 @@
         openid_server: authn
         openid_realm: ingress
     
    -
    apiVersion: extensions.istio.io/v1alpha1
     kind: WasmPlugin
     metadata:
    @@ -163,7 +149,6 @@
         acl_server: some_server
         set_header: authz_complete
     
    -
    apiVersion: extensions.istio.io/v1alpha1
     kind: WasmPlugin
     metadata:
    @@ -186,7 +171,7 @@
     
     

    WasmPlugin

    -

    WasmPlugins provides a mechanism to extend the functionality provided by +

    WasmPlugins provides a mechanism to extend the functionality provided by
    the Istio proxy through WebAssembly filters.

    @@ -203,11 +188,11 @@

    WasmPlugin

    @@ -219,10 +204,10 @@

    WasmPlugin

    @@ -234,10 +219,10 @@

    WasmPlugin

    @@ -249,11 +234,11 @@

    WasmPlugin

    @@ -265,9 +250,9 @@

    WasmPlugin

    @@ -290,8 +275,8 @@

    WasmPlugin

    @@ -314,11 +299,11 @@

    WasmPlugin

    @@ -330,7 +315,7 @@

    WasmPlugin

    @@ -343,7 +328,7 @@

    WasmPlugin

    VmConfig

    -

    Configuration for a Wasm VM. +

    Configuration for a Wasm VM.
    more details can be found here.

    selector WorkloadSelector -

    Criteria used to select the specific set of pods/VMs on which -this plugin configuration should be applied. If omitted, this -configuration will be applied to all workload instances in the same -namespace. If the WasmPlugin is present in the config root -namespace, it will be applied to all applicable workloads in any +

    Criteria used to select the specific set of pods/VMs on which
    +this plugin configuration should be applied. If omitted, this
    +configuration will be applied to all workload instances in the same
    +namespace. If the WasmPlugin is present in the config root
    +namespace, it will be applied to all applicable workloads in any
    namespace.

    url string -

    URL of a Wasm module or OCI container. If no scheme is present, -defaults to oci://, referencing an OCI image. Other valid schemes -are file:// for referencing .wasm module files present locally -within the proxy container, and http[s]:// for .wasm module files +

    URL of a Wasm module or OCI container. If no scheme is present,
    +defaults to oci://, referencing an OCI image. Other valid schemes
    +are file:// for referencing .wasm module files present locally
    +within the proxy container, and http[s]:// for .wasm module files
    hosted remotely.

    sha256 string -

    SHA256 checksum that will be used to verify Wasm module or OCI container. -If the url field already references a SHA256 (using the @sha256: -notation), it must match the value of this field. If an OCI image is -referenced by tag and this field is set, its checksum will be verified +

    SHA256 checksum that will be used to verify Wasm module or OCI container.
    +If the url field already references a SHA256 (using the @sha256:
    +notation), it must match the value of this field. If an OCI image is
    +referenced by tag and this field is set, its checksum will be verified
    against the contents of this field after pulling.

    imagePullPolicy PullPolicy -

    The pull behaviour to be applied when fetching Wasm module by either -OCI image or http/https. Only relevant when referencing Wasm module without -any digest, including the digest in OCI image URL or sha256 field in vm_config. -Defaults to IfNotPresent, except when an OCI image is referenced in the url -and the latest tag is used, in which case Always is the default, +

    The pull behaviour to be applied when fetching Wasm module by either
    +OCI image or http/https. Only relevant when referencing Wasm module without
    +any digest, including the digest in OCI image URL or sha256 field in vm_config.
    +Defaults to IfNotPresent, except when an OCI image is referenced in the url
    +and the latest tag is used, in which case Always is the default,
    mirroring K8s behaviour.

    imagePullSecret string -

    Credentials to use for OCI image pulling. -Name of a K8s Secret in the same namespace as the WasmPlugin that -contains a docker pull secret which is to be used to authenticate +

    Credentials to use for OCI image pulling.
    +Name of a K8s Secret in the same namespace as the WasmPlugin that
    +contains a docker pull secret which is to be used to authenticate
    against the registry when pulling the image.

    pluginName string -

    The plugin name to be used in the Envoy configuration (used to be called -rootID). Some .wasm modules might require this value to select the Wasm +

    The plugin name to be used in the Envoy configuration (used to be called
    +rootID). Some .wasm modules might require this value to select the Wasm
    plugin to execute.

    priority Int64Value -

    Determines ordering of WasmPlugins in the same phase. -When multiple WasmPlugins are applied to the same workload in the -same phase, they will be applied by priority, in descending order. -If priority is not set, or two WasmPlugins exist with the same -value, the ordering will be deterministically derived from name and +

    Determines ordering of WasmPlugins in the same phase.
    +When multiple WasmPlugins are applied to the same workload in the
    +same phase, they will be applied by priority, in descending order.
    +If priority is not set, or two WasmPlugins exist with the same
    +value, the ordering will be deterministically derived from name and
    namespace of the WasmPlugins. Defaults to 0.

    vmConfig VmConfig -

    Configuration for a Wasm VM. +

    Configuration for a Wasm VM.
    more details can be found here.

    @@ -360,7 +345,7 @@

    VmConfig

    @@ -387,7 +372,7 @@

    EnvVar

    @@ -399,8 +384,8 @@

    EnvVar

    @@ -470,7 +455,7 @@

    PluginPhase

    PullPolicy

    -

    The pull behaviour to be applied when fetching a Wam module, +

    The pull behaviour to be applied when fetching a Wam module,
    mirroring K8s behaviour.

    env EnvVar[] -

    Specifies environment variables to be injected to this VM. +

    Specifies environment variables to be injected to this VM.
    Note that if a key does not exist, it will be ignored.

    name string -

    Required +

    Required
    Name of the environment variable. Must be a C_IDENTIFIER.

    valueFrom EnvValueSource -

    Required -Source for the environment variable’s value.

    +

    Required
    +Source for the environment variable's value.
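Review bot: "The pull behaviour to be applied when fetching a Wam module" keeps the "Wam" typo in both the removed and the added line; it should read "Wasm" and be fixed in the upstream proto comment for PullPolicy so the next regeneration picks it up.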

    @@ -411,9 +396,9 @@

    EnvVar

    value string -

    Value for the environment variable. -Note that if value_from is HOST, it will be ignored. -Defaults to “”.

    +

    Value for the environment variable.
    +Note that if value_from is HOST, it will be ignored.
    +Defaults to "".

    @@ -438,8 +423,8 @@

    PluginPhase

    UNSPECIFIED_PHASE -

    Control plane decides where to insert the plugin. This will generally -be at the end of the filter chain, right before the Router. +

    Control plane decides where to insert the plugin. This will generally
    +be at the end of the filter chain, right before the Router.
    Do not specify PluginPhase if the plugin is independent of others.

    @@ -484,7 +469,7 @@

    PullPolicy

    @@ -492,8 +477,8 @@

    PullPolicy

    @@ -501,7 +486,7 @@

    PullPolicy

    @@ -529,7 +514,7 @@

    EnvValueSource

    diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html index 6944834715333..d1d642337387c 100644 --- a/content/zh/docs/reference/config/security/authorization-policy/index.html +++ b/content/zh/docs/reference/config/security/authorization-policy/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Authorization Policy description: Configuration for access control on workloads. location: https://istio.io/docs/reference/config/security/authorization-policy.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.security.v1beta1.AuthorizationPolicy weight: 20 @@ -12,11 +12,9 @@ number_of_entries: 9 ---

    Istio Authorization Policy enables access control on workloads in the mesh.

    - -

    Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions -are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. +

    Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions
    +are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action.
    The evaluation is determined by the following rules:

    -
    1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
    2. If there are any DENY policies that match the request, deny the request.
    3. @@ -24,39 +22,28 @@
    4. If any of the ALLOW policies match the request, allow the request.
    5. Deny the request.
    - -

    Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. -AUDIT policies do not affect whether requests are allowed or denied to the workload. +

    Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
    +AUDIT policies do not affect whether requests are allowed or denied to the workload.
    Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions.

    - -

    A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. -A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. -The request will not be audited if there are no such supporting plugins enabled. +

    A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
    +A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
    +The request will not be audited if there are no such supporting plugins enabled.
    Currently, the only supported plugin is the Stackdriver plugin.

    -

    Here is an example of Istio Authorization Policy:

    - -

    It sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW” +

    It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW"
    but it is useful to be explicit in the policy.

    -

    It allows requests from:

    -
      -
    • service account “cluster.local/ns/default/sa/sleep” or
    • -
    • namespace “test”
    • +
    • service account "cluster.local/ns/default/sa/sleep" or
    • +
    • namespace "test"
    -

    to access the workload with:

    -
      -
    • “GET” method at paths of prefix “/info” or,
    • -
    • “POST” method at path “/data”.
    • +
    • "GET" method at paths of prefix "/info" or,
    • +
    • "POST" method at path "/data".
    - -

    when the request has a valid JWT token issued by “https://accounts.google.com”.

    - +

    when the request has a valid JWT token issued by "https://accounts.google.com".

    Any other requests will be denied.

    -
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
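Review bot: item 3 of the evaluation-order list is swallowed by the hunk boundary in this view ("3. @@ -24,39 +22,28 @@"), so the rendered page should be checked to confirm that all five steps survive the conversion. The bullet lists under "It allows requests from:" and "to access the workload with:" show the same curly-to-straight quote substitution as elsewhere ("cluster.local/ns/default/sa/sleep", "/info", "/data", "https://accounts.google.com"); straight quotes are arguably better for values readers copy into policies, but the change should be a deliberate decision rather than a side effect of the renderer switch.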
    @@ -81,11 +68,9 @@
         - key: request.auth.claims[iss]
           values: ["https://accounts.google.com"]
     
    - -

    The following is another example that sets action to “DENY” to create a deny policy. -It denies requests from the “dev” namespace to the “POST” method on all workloads -in the “foo” namespace.

    - +

    The following is another example that sets action to "DENY" to create a deny policy.
    +It denies requests from the "dev" namespace to the "POST" method on all workloads
    +in the "foo" namespace.

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -101,10 +86,8 @@
         - operation:
             methods: ["POST"]
     
    - -

    The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the -prefix “/user/profile”.

    - +

    The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the
    +prefix "/user/profile".

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -121,21 +104,16 @@
             methods: ["GET"]
             paths: ["/user/profile/*"]
     
    - -

    Authorization Policy scope (target) is determined by “metadata/namespace” and -an optional “selector”.

    - +

    Authorization Policy scope (target) is determined by "metadata/namespace" and
    +an optional "selector".

      -
    • “metadata/namespace” tells which namespace the policy applies. If set to root +
    • "metadata/namespace" tells which namespace the policy applies. If set to root
      namespace, the policy applies to all namespaces in a mesh.
    • -
    • workload “selector” can be used to further restrict where a policy applies.
    • +
    • workload "selector" can be used to further restrict where a policy applies.
    -

    For example,

    - -

    The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies +

    The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
    all requests to workloads in namespace foo.

    -
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -144,9 +122,7 @@
     spec:
       {}
     
    -

    The following authorization policy allows all requests to workloads in namespace foo.

    -
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -156,10 +132,8 @@
      rules:
      - {}
     
    - -

    The following authorization policy applies to workloads containing label “app: httpbin” in namespace bar. It allows +

    The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
    nothing and effectively denies all requests to the selected workloads.

    -
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -170,10 +144,8 @@
         matchLabels:
           app: httpbin
     
    - -

    The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh. -(Assuming the root namespace is configured to “istio-system”).

    - +

    The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
    +(Assuming the root namespace is configured to "istio-system").

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -203,10 +175,9 @@ 

    AuthorizationPolicy

    @@ -219,8 +190,7 @@

    AuthorizationPolicy

    @@ -255,17 +225,15 @@

    AuthorizationPolicy

    Rule

    -

    Rule matches requests from a list of sources that perform a list of operations subject to a -list of conditions. A match occurs when at least one source, one operation and all conditions +

    Rule matches requests from a list of sources that perform a list of operations subject to a
    +list of conditions. A match occurs when at least one source, one operation and all conditions
    matches the request. An empty rule is always matched.

    -

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

    -
      -
    • Exact match: “abc” will match on value “abc”.
    • -
    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • -
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • -
    • Presence match: “*” will match when value is not empty.
    • +
    • Exact match: "abc" will match on value "abc".
    • +
    • Prefix match: "abc*" will match on value "abc" and "abcd".
    • +
    • Suffix match: "*abc" will match on value "abc" and "xabc".
    • +
    • Presence match: "*" will match when value is not empty.
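Review bot: subject-verb agreement in the Rule description: "at least one source, one operation and all conditions matches the request" should read "match the request". This file is generated (see the WARNING line in its front matter), so the fix belongs in the comment on the Rule message in the API repo, not in this HTML.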
    UNSPECIFIED_POLICY -

    Defaults to IfNotPresent, except for OCI images with tag latest, for which +

    Defaults to IfNotPresent, except for OCI images with tag latest, for which
    the default will be Always.

    IfNotPresent -

    If an existing version of the image has been pulled before, that -will be used. If no version of the image is present locally, we +

    If an existing version of the image has been pulled before, that
    +will be used. If no version of the image is present locally, we
    will pull the latest version.

    Always -

    We will always pull the latest version of an image when changing +

    We will always pull the latest version of an image when changing
    this plugin. Note that the change includes metadata field as well.

    HOST -

    Istio-proxy’s environment variables exposed to this VM.

    +

    Istio-proxy's environment variables exposed to this VM.

    selector WorkloadSelector -

    Optional. The selector decides where to apply the authorization policy. The selector will match with workloads -in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector +

    Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
    +in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
    will additionally match with workloads in all namespaces.

    -

    If not set, the selector will match all workloads.

    Rule[]

    Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

    - -

    If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if +

    If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if
    the action is ALLOW.

    @@ -283,7 +251,6 @@

    Rule

    @@ -296,7 +263,6 @@

    Rule

    @@ -309,7 +275,6 @@

    Rule

    @@ -322,12 +287,10 @@

    Rule

    Source

    -

    Source specifies the source identities of a request. Fields in the source are +

    Source specifies the source identities of a request. Fields in the source are
    ANDed together.

    - -

    For example, the following source matches if the principal is “admin” or “dev” -and the namespace is “prod” or “test” and the ip is not “1.2.3.4”.

    - +

    For example, the following source matches if the principal is "admin" or "dev"
    +and the namespace is "prod" or "test" and the ip is not "1.2.3.4".

    principals: ["admin", "dev"]
     namespaces: ["prod", "test"]
     notIpBlocks: ["1.2.3.4"]
    @@ -347,10 +310,9 @@ 

    Source

    @@ -373,10 +335,9 @@

    Source

    @@ -399,9 +360,8 @@

    Source

    @@ -424,9 +384,8 @@

    Source

    @@ -449,13 +408,12 @@

    Source

    @@ -479,12 +437,10 @@

    Source

    Operation

    -

    Operation specifies the operations of a request. Fields in the operation are +

    Operation specifies the operations of a request. Fields in the operation are
    ANDed together.

    - -

    For example, the following operation matches if the host has suffix “.example.com” -and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.

    - +

    For example, the following operation matches if the host has suffix ".example.com"
    +and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".

    hosts: ["*.example.com"]
     methods: ["GET", "HEAD"]
     notPaths: ["/admin*"]
    @@ -504,10 +460,9 @@ 

    Operation

    @@ -531,7 +486,6 @@

    Operation

    @@ -554,9 +508,8 @@

    Operation

    @@ -579,10 +532,9 @@

    Operation

    @@ -622,7 +574,7 @@

    Condition

    @@ -634,7 +586,7 @@

    Condition

    @@ -646,7 +598,7 @@

    Condition

    @@ -673,7 +625,7 @@

    AuthorizationPolicy.ExtensionProv

    @@ -776,20 +728,17 @@

    AuthorizationPolicy.Action

    @@ -114,9 +102,8 @@

    JWTRule

    @@ -128,15 +115,13 @@

    JWTRule

    @@ -148,14 +133,12 @@

    JWTRule

    @@ -167,8 +150,8 @@

    JWTRule

    @@ -219,9 +202,9 @@

    JWTHeader

    @@ -130,7 +120,7 @@

    PeerAuthentication

    diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html index 1457b6e7975cc..226b060334cf5 100644 --- a/content/zh/docs/reference/config/security/request_authentication/index.html +++ b/content/zh/docs/reference/config/security/request_authentication/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: RequestAuthentication description: Request authentication configuration for workloads. location: https://istio.io/docs/reference/config/security/request_authentication.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.security.v1beta1.RequestAuthentication aliases: [/zh/docs/reference/config/security/v1beta1/request_authentication] @@ -12,17 +12,15 @@ ---

    RequestAuthentication

    -

    RequestAuthentication defines what request authentication methods are supported by a workload. -It will reject a request if the request contains invalid authentication information, based on the -configured authentication rules. A request that does not contain any authentication credentials -will be accepted but will not have any authenticated identity. To restrict access to authenticated -requests only, this should be accompanied by an authorization rule. +

    RequestAuthentication defines what request authentication methods are supported by a workload.
    +It will reject a request if the request contains invalid authentication information, based on the
    +configured authentication rules. A request that does not contain any authentication credentials
    +will be accepted but will not have any authenticated identity. To restrict access to authenticated
    +requests only, this should be accompanied by an authorization rule.
    Examples:

    -
    • Require JWT for all request for workloads that have label app:httpbin
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    @@ -50,13 +48,11 @@ 

    RequestAuthentication

    - source: requestPrincipals: ["*"]
    -
      -
    • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces -in a mesh. The following policy makes all workloads only accept requests that contain a +
    • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
      +in a mesh. The following policy makes all workloads only accept requests that contain a
      valid JWT token.
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    @@ -78,13 +74,11 @@ 

    RequestAuthentication

    - source: requestPrincipals: ["*"]
    -
      -
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication -declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly +
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication
      +declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly
      set from the OpenID Connect spec).
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    @@ -121,13 +115,11 @@ 

    RequestAuthentication

    - operation: hosts: ["another-host.com"]
    -
      -
    • You can fine tune the authorization policy to set different requirement per path. For example, -to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the +
    • You can fine tune the authorization policy to set different requirement per path. For example,
      +to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the
      authorization policy could be:
    -
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -145,24 +137,19 @@ 

    RequestAuthentication

    - operation: paths: ["/healthz"]
    - -

    [Experimental] Routing based on derived metadata -is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. +

    [Experimental] Routing based on derived metadata
    +is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request.
    Currently this feature is only supported for the following metadata:

    -
      -
    • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name +
    • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name
      currently does not support the . character. Examples: request.auth.claims.sub and request.auth.claims.name.givenName.
    -

    The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:

    -
    • RequestAuthentication to decode and validate a JWT. This also makes the @request.auth.claims available for use in the VirtualService.
    • AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
    • -
    • VirtualService to route the request based on the “sub” claim.
    • +
    • VirtualService to route the request based on the "sub" claim.
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    @@ -230,10 +217,9 @@ 

    RequestAuthentication

    @@ -245,12 +231,12 @@

    RequestAuthentication

    diff --git a/content/zh/docs/reference/config/telemetry/index.html b/content/zh/docs/reference/config/telemetry/index.html index db4f57c8c6e6f..56fdaf78717f5 100644 --- a/content/zh/docs/reference/config/telemetry/index.html +++ b/content/zh/docs/reference/config/telemetry/index.html @@ -1,38 +1,30 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Telemetry description: Telemetry configuration for workloads. location: https://istio.io/docs/reference/config/telemetry.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.telemetry.v1alpha1.Telemetry aliases: [/zh/docs/reference/config/telemetry/v1alpha1/telemetry] number_of_entries: 18 ---

    Telemetry defines how the telemetry is generated for workloads within a mesh.

    - -

    For mesh level configuration, put the resource in root configuration +

    For mesh level configuration, put the resource in root configuration
    namespace for your Istio installation without a workload selector.

    - -

    For any namespace, including the root configuration namespace, it is only +

    For any namespace, including the root configuration namespace, it is only
    valid to have a single workload selector-less Telemetry resource.

    - -

    For resources with a workload selector, it is only valid to have one resource +

    For resources with a workload selector, it is only valid to have one resource
    selecting any given workload.

    -

    The hierarchy of Telemetry configuration is as follows:

    -
    1. Workload-specific configuration
    2. Namespace-specific configuration
    3. Root namespace configuration
    -

    Examples:

    -

    Policy to enable random sampling for 10% of traffic:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -43,10 +35,8 @@
       tracing:
       - randomSamplingPercentage: 10.00
     
    - -

    Policy to disable trace reporting for the “foo” workload (note: tracing +

    Policy to disable trace reporting for the "foo" workload (note: tracing
    context will still be propagated):

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -59,9 +49,7 @@
       tracing:
       - disableSpanReporting: true
     
    -

    Policy to select the alternate zipkin provider for trace reporting:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -76,9 +64,7 @@
         - name: "zipkin-alternate"
         randomSamplingPercentage: 10.00
     
    -

    Policy to add a custom tag from a literal value:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -93,9 +79,7 @@
             literal:
               value: "foo"
     
    -

    Policy to disable server-side metrics for Stackdriver for an entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -112,9 +96,7 @@
             mode: SERVER
           disabled: true
     
    -

    Policy to add dimensions to all Prometheus metrics for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -133,10 +115,8 @@
             request_host:
               value: "request.host"
     
    - -

    Policy to remove the response_code dimension on some Prometheus metrics for +

    Policy to remove the response_code dimension on some Prometheus metrics for
    the bar.foo workload:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -171,9 +151,7 @@
             response_code:
               operation: REMOVE
     
    -

    Policy to enable access logging for the entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -189,9 +167,7 @@
         # cases where a parent configuration has marked as `disabled: true`. In
         # those cases, `disabled: false` must be set explicitly to override.
     
    -

    Policy to disable access logging for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -220,8 +196,8 @@ 

    Telemetry

    @@ -233,7 +209,7 @@

    Telemetry

    @@ -245,7 +221,7 @@

    Telemetry

    @@ -257,7 +233,7 @@

    Telemetry

    @@ -270,14 +246,13 @@

    Telemetry

    Tracing

    -

    Tracing configures tracing behavior for workloads within a mesh. -It can be used to enable/disable tracing, as well as to set sampling +

    Tracing configures tracing behavior for workloads within a mesh.
    +It can be used to enable/disable tracing, as well as to set sampling
    rates and custom tag extraction.

    - -

    Tracing configuration support overrides of the fields providers, -random_sampling_percentage, disable_span_reporting, and custom_tags at -each level in the configuration hierarchy, with missing values filled in -from parent resources. However, when specified, custom_tags will +

    Tracing configuration support overrides of the fields providers,
    +random_sampling_percentage, disable_span_reporting, and custom_tags at
    +each level in the configuration hierarchy, with missing values filled in
    +from parent resources. However, when specified, custom_tags will
    fully replace any values provided by parent configuration.
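Review bot: "Tracing configuration support overrides of the fields providers" should read "supports overrides"; the sentence is regenerated from the telemetry proto comment, so correct it at the source rather than in this page.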

    From[]

    Optional. from specifies the source of a request.

    -

    If not set, any source is allowed.

    To[]

    Optional. to specifies the operation of a request.

    -

    If not set, any operation is allowed.

    Condition[]

    Optional. when specifies a list of additional conditions of a request.

    -

    If not set, any condition is allowed.

    principals string[] -

    Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of -"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". +

    Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
    +"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage".
    This field requires mTLS enabled and is the same as the source.principal attribute.

    -

    If not set, any principal is allowed.

    requestPrincipals string[] -

    Optional. A list of request identities derived from the JWT. The request identity is in the format of -"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the +

    Optional. A list of request identities derived from the JWT. The request identity is in the format of
    +"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the
    same as the request.auth.principal attribute.

    -

    If not set, any request principal is allowed.

    namespaces string[] -

    Optional. A list of namespaces derived from the peer certificate. +

    Optional. A list of namespaces derived from the peer certificate.
    This field requires mTLS enabled and is the same as the source.namespace attribute.

    -

    If not set, any namespace is allowed.

    ipBlocks string[] -

    Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and -CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the source.ip attribute.

    - +

    Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and
    +CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the source.ip attribute.

    If not set, any IP is allowed.

    remoteIpBlocks string[] -

    Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. -To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig -when you install Istio or using an annotation on the ingress gateway. See the documentation here: -Configuring Gateway Network Topology. -Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. +

    Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol.
    +To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig
    +when you install Istio or using an annotation on the ingress gateway. See the documentation here:
    +Configuring Gateway Network Topology.
    +Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
    This is the same as the remote.ip attribute.

    -

    If not set, any IP is allowed.

    hosts string[] -

    Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. -See the security best practices for +

    Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive.
    +See the security best practices for
    recommended usage of this field.

    -

    If not set, any host is allowed. Must be used only with HTTP.

    string[]

    Optional. A list of ports as specified in the connection.

    -

    If not set, any port is allowed.

    methods string[] -

    Optional. A list of methods as specified in the HTTP request. -For gRPC service, this will always be “POST”.

    - +

    Optional. A list of methods as specified in the HTTP request.
    +For gRPC service, this will always be "POST".

    If not set, any method is allowed. Must be used only with HTTP.

    paths string[] -

    Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization -for details of the path normalization. -For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.

    - +

    Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization
    +for details of the path normalization.
    +For gRPC service, this will be the fully-qualified name in the form of "/package.service/method".

    If not set, any path is allowed. Must be used only with HTTP.

    key string -

    The name of an Istio attribute. +

    The name of an Istio attribute.
    See the full list of supported attributes.

    values string[] -

    Optional. A list of allowed values for the attribute. +

    Optional. A list of allowed values for the attribute.
    Note: at least one of values or not_values must be set.

    notValues string[] -

    Optional. A list of negative match of values for the attribute. +

    Optional. A list of negative match of values for the attribute.
    Note: at least one of values or not_values must be set.

    name string -

    Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. +

    Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig.
    Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

    CUSTOM -

    The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. -The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request -is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the -authorization decision made by ALLOW and DENY action. -Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to -the extension by specifying the name of the provider. -One example use case of the extension is to integrate with a custom external authorization system to delegate +

    The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true.
    +The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request
    +is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the
    +authorization decision made by ALLOW and DENY action.
    +Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to
    +the extension by specifying the name of the provider.
    +One example use case of the extension is to integrate with a custom external authorization system to delegate
    the authorization decision to it.

    -

    Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

    - -

    The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension -“my-custom-authz” if the request path has prefix “/admin/”.

    - +

    The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension
    +"my-custom-authz" if the request path has prefix "/admin/".

    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
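Review bot: in the CUSTOM action text, "When used together, A request is allowed" has a stray capital on "A", and the clause "...if and only if all the actions return allow, in other words, the extension cannot bypass..." joins two sentences with a comma; a period before "in other words" reads better. As with the other generated pages, make the change in the proto comment in the API repo so it survives regeneration.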
    diff --git a/content/zh/docs/reference/config/security/jwt/index.html b/content/zh/docs/reference/config/security/jwt/index.html
    index d2804820347bd..c2503f7ba1aa0 100644
    --- a/content/zh/docs/reference/config/security/jwt/index.html
    +++ b/content/zh/docs/reference/config/security/jwt/index.html
    @@ -1,10 +1,10 @@
     ---
    -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
    -source_repo: https://github.com/istio/api
    +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO
    +source_repo: https://github.com/ericvn/api
     title: JWTRule
     description: Configuration to validate JWT.
     location: https://istio.io/docs/reference/config/security/jwt.html
    -layout: protoc-gen-docs
    +layout: partner-component
     generator: protoc-gen-docs
     schema: istio.security.v1beta1.JWTRule
     aliases: [/zh/docs/reference/config/security/v1beta1/jwt]
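Review bot: the front matter now points the WARNING line and source_repo at https://github.com/ericvn/api and switches layout from protoc-gen-docs to partner-component; the same two changes appear in the request_authentication and telemetry front matter earlier in the patch. The PR title describes a test of Goldmark rendering from istio/api, so the personal fork URL must go back to https://github.com/istio/api before merge, and the layout change needs a justification in the description (or its own commit) because it affects every generated reference page.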
    @@ -12,27 +12,22 @@
     ---
     

    JWTRule

    -

    JSON Web Token (JWT) token format for authentication as defined by -RFC 7519. See OAuth 2.0 and -OIDC 1.0 for how this is used in the whole +

    JSON Web Token (JWT) token format for authentication as defined by
    +RFC 7519. See OAuth 2.0 and
    +OIDC 1.0 for how this is used in the whole
    authentication flow.

    -

    Examples:

    - -

    Spec for a JWT that is issued by https://example.com, with the audience claims must be either -bookstore_android.apps.example.com or bookstore_web.apps.example.com. -The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) +

    Spec for a JWT that is issued by https://example.com, with the audience claims must be either
    +bookstore_android.apps.example.com or bookstore_web.apps.example.com.
    +The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS)
    will be discovered following OpenID Connect protocol.

    -
    issuer: https://example.com
     audiences:
     - bookstore_android.apps.example.com
       bookstore_web.apps.example.com
     
    - -

    This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also +

    This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also
    defines the URI to fetch JWKS explicitly.

    -
    issuer: https://example.com
     jwksUri: https://example.com/.secret/jwks.json
     fromHeaders:
    @@ -53,12 +48,11 @@ 

    JWTRule

    issuer string -

    Identifies the issuer that issued the JWT. See -issuer +

    Identifies the issuer that issued the JWT. See
    +issuer
    A JWT with different iss claim will be rejected.

    - -

    Example: https://foobar.auth0.com -Example: 1234567-compute@developer.gserviceaccount.com

    +

    Example: https://foobar.auth0.com
    +Example: 1234567-compute@developer.gserviceaccount.com

    @@ -69,15 +63,12 @@

    JWTRule

    audiences string[] -

    The list of JWT -audiences. -that are allowed to access. A JWT containing any of these +

    The list of JWT
    +audiences.
    +that are allowed to access. A JWT containing any of these
    audiences will be accepted.

    -

    The service name will be accepted if audiences is empty.

    -

    Example:

    -
    audiences:
     - bookstore_android.apps.example.com
       bookstore_web.apps.example.com
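Review bot: the audiences example keeps a second entry without a list marker ("- bookstore_android.apps.example.com" followed by an indented "bookstore_web.apps.example.com"); parsed as YAML that is a single folded scalar, "bookstore_android.apps.example.com bookstore_web.apps.example.com", not two audiences. These lines are unchanged context, so the defect predates this patch, but the identical example appears in the JWTRule overview earlier in this file, and both should get a "- " on the second line in the proto comment while the rendering is being reworked.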
    @@ -92,17 +83,14 @@ 

    JWTRule

    jwksUri string -

    URL of the provider’s public key set to validate signature of the +

    URL of the provider's public key set to validate signature of the
    JWT. See OpenID Discovery.

    - -

    Optional if the key set document can either (a) be retrieved from -OpenID -Discovery of -the issuer or (b) inferred from the email domain of the issuer (e.g. a +

    Optional if the key set document can either (a) be retrieved from
    +OpenID
    +Discovery
    of
    +the issuer or (b) inferred from the email domain of the issuer (e.g. a
    Google service account).

    -

    Example: https://www.googleapis.com/oauth2/v1/certs

    -

    Note: Only one of jwksUri and jwks should be used.

    jwks string -

    JSON Web Key Set of public keys to validate signature of the JWT. -See https://auth0.com/docs/jwks.

    - +

    JSON Web Key Set of public keys to validate signature of the JWT.
    +See https://auth0.com/docs/jwks.

    Note: Only one of jwksUri and jwks should be used.

    fromHeaders JWTHeader[] -

    List of header locations from which JWT is expected. For example, below is the location spec -if JWT is expected to be found in x-jwt-assertion header, and have “Bearer ” prefix:

    - +

    List of header locations from which JWT is expected. For example, below is the location spec
    +if JWT is expected to be found in x-jwt-assertion header, and have "Bearer " prefix:

      fromHeaders:
       - name: x-jwt-assertion
         prefix: "Bearer "
     
    - -

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
    such requests is undefined.

    fromParams string[] -

    List of query parameters from which JWT is expected. For example, if JWT is provided via query -parameter my_token (e.g /path?my_token=), the config is:

    - +

    List of query parameters from which JWT is expected. For example, if JWT is provided via query
    +parameter my_token (e.g /path?my_token=), the config is:

      fromParams:
       - "my_token"
     
    - -

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
    such requests is undefined.

    outputPayloadToHeader string -

    This field specifies the header name to output a successfully verified JWT payload to the -backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, +

    This field specifies the header name to output a successfully verified JWT payload to the
    +backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified,
    the payload will not be emitted.

    prefix string -

    The prefix that should be stripped before decoding the token. -For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. -If the header doesn’t have this exact prefix, it is considered invalid.

    +

    The prefix that should be stripped before decoding the token.
    +For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end.
    +If the header doesn't have this exact prefix, it is considered invalid.
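Review bot: the typographic quotes in the field descriptions are replaced by ASCII quotes throughout this hunk (`-For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end.` becomes `+For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end.`, and `doesn’t` / `provider’s` become `doesn't` / `provider's`); decide whether this is the intended output of the Goldmark switch before merging. For values readers copy into configuration, such as the `prefix` field, straight quotes are the safer rendering, because the description two lines later says a header without this exact prefix is rejected, and a pasted `“Bearer ”` would not be that prefix; if that is the goal, apply the same behaviour consistently across all regenerated pages rather than leaving it to per-field formatting.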

    diff --git a/content/zh/docs/reference/config/security/peer_authentication/index.html b/content/zh/docs/reference/config/security/peer_authentication/index.html index 7af74ce9cb451..ead59c3749b8f 100644 --- a/content/zh/docs/reference/config/security/peer_authentication/index.html +++ b/content/zh/docs/reference/config/security/peer_authentication/index.html @@ -1,10 +1,10 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: PeerAuthentication description: Peer authentication configuration for workloads. location: https://istio.io/docs/reference/config/security/peer_authentication.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs schema: istio.security.v1beta1.PeerAuthentication aliases: [/zh/docs/reference/config/security/v1beta1/peer_authentication] @@ -13,11 +13,8 @@
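Review bot: the front-matter hunk at the top of this file (`@@ -1,10 +1,10 @@`) points the generated page at a personal fork and changes its layout: `-source_repo: https://github.com/istio/api` becomes `+source_repo: https://github.com/ericvn/api`, the DO-NOT-EDIT warning now directs contributors to `https://github.com/ericvn/api`, and `-layout: protoc-gen-docs` becomes `+layout: partner-component`. That is consistent with the commit title ("Test with reference docs using Goldmark") but must not land as-is: regenerate from `istio/api` once the upstream change merges so that `source_repo` and the warning point back to the canonical repository, and confirm that `partner-component` is really the layout these reference pages should use rather than a leftover from the test generator configuration.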

    PeerAuthentication

    PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.

    -

    Examples:

    -

    Policy to allow mTLS traffic for all workloads under namespace foo:

    -
    apiVersion: security.istio.io/v1beta1
     kind: PeerAuthentication
     metadata:
    @@ -27,12 +24,9 @@ 

    PeerAuthentication

    mtls: mode: STRICT
    -

    For mesh level, put the policy in root-namespace according to your Istio installation.

    - -

    Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but +

    Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but
    require mTLS for workload finance.

    -
    apiVersion: security.istio.io/v1beta1
     kind: PeerAuthentication
     metadata:
    @@ -54,10 +48,8 @@ 

    PeerAuthentication

    mtls: mode: STRICT
    - -

    Policy to allow mTLS strict for all workloads, but leave port 8080 to +

    Policy to allow mTLS strict for all workloads, but leave port 8080 to
    plaintext:

    -
    apiVersion: security.istio.io/v1beta1
     kind: PeerAuthentication
     metadata:
    @@ -73,10 +65,8 @@ 

    PeerAuthentication

    8080: mode: DISABLE
    - -

    Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite +

    Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
    settings for port 8080

    -
    apiVersion: security.istio.io/v1beta1
     kind: PeerAuthentication
     metadata:
    @@ -107,7 +97,7 @@ 

    PeerAuthentication

    selector WorkloadSelector -

    The selector determines the workloads to apply the ChannelAuthentication on. +

    The selector determines the workloads to apply the ChannelAuthentication on.
    If not set, the policy will be applied to all workloads in the same namespace as the policy.

    portLevelMtls map<uint32, MutualTLS> -

    Port specific mutual TLS settings. These only apply when a workload selector +

    Port specific mutual TLS settings. These only apply when a workload selector
    is specified.

    selector WorkloadSelector -

    Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads -in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, +

    Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
    +in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
    the selector will additionally match with workloads in all namespaces.

    -

    If not set, the selector will match all workloads.

    jwtRules JWTRule[] -

    Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token -will be used to extract the authenticated identity. -Each rule will be activated only when a token is presented at the location recognized by the -rule. The token will be validated based on the JWT rule config. If validation fails, the request will -be rejected. -Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +

    Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
    +will be used to extract the authenticated identity.
    +Each rule will be activated only when a token is presented at the location recognized by the
    +rule. The token will be validated based on the JWT rule config. If validation fails, the request will
    +be rejected.
    +Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
    such requests is undefined.

    selector WorkloadSelector -

    Optional. The selector decides where to apply the Telemetry policy. -If not set, the Telemetry policy will be applied to all workloads in the +

    Optional. The selector decides where to apply the Telemetry policy.
    +If not set, the Telemetry policy will be applied to all workloads in the
    same namespace as the Telemetry policy.

    tracing Tracing[] -

    Optional. Tracing configures the tracing behavior for all +

    Optional. Tracing configures the tracing behavior for all
    selected workloads.

    metrics Metrics[] -

    Optional. Metrics configure the metrics behavior for all +

    Optional. Metrics configure the metrics behavior for all
    selected workloads.

    accessLogging AccessLogging[] -

    Optional. AccessLogging configures the access logging behavior for all +

    Optional. AccessLogging configures the access logging behavior for all
    selected workloads.
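Review bot: the `selector` description in this hunk still reads `The selector determines the workloads to apply the ChannelAuthentication on.` in both the removed and the added line, while the page documents `PeerAuthentication`; since this file is generated, the fix belongs in the proto comment in the upstream api repo, not in this HTML. The same hunk changes `workloads’ proxy` to `workloads' proxy` in the `jwtRules` description, so the quote style here follows whatever is decided for the rest of the regeneration.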

    @@ -305,10 +280,10 @@

    Tracing

    @@ -320,14 +295,13 @@

    Tracing

    @@ -339,8 +313,8 @@

    Tracing

    @@ -364,7 +338,7 @@

    Tracing

    ProviderRef

    -

    Used to bind Telemetry configuration to specific providers for +

    Used to bind Telemetry configuration to specific providers for
    targeted customization.

    providers ProviderRef[] -

    Optional. Name of provider(s) to use for span reporting. If a provider is -not specified, the default tracing -provider will be -used. NOTE: At the moment, only a single provider can be specified in a +

    Optional. Name of provider(s) to use for span reporting. If a provider is
    +not specified, the default tracing
    +provider
    will be
    +used. NOTE: At the moment, only a single provider can be specified in a
    given Tracing rule.

    randomSamplingPercentage DoubleValue -

    Controls the rate at which traffic will be selected for tracing if no -prior sampling decision has been made. If a prior sampling decision has -been made, that decision will be respected. However, if no sampling -decision has been made (example: no x-b3-sampled tracing header was -present in the requests), the traffic will be selected for telemetry +

    Controls the rate at which traffic will be selected for tracing if no
    +prior sampling decision has been made. If a prior sampling decision has
    +been made, that decision will be respected. However, if no sampling
    +decision has been made (example: no x-b3-sampled tracing header was
    +present in the requests), the traffic will be selected for telemetry
    generation at the percentage specified.

    - -

    Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% +

    Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01%
    increments.

    disableSpanReporting BoolValue -

    Controls span reporting. If set to true, no spans will be reported for -impacted workloads. This does NOT impact context propagation or trace +

    Controls span reporting. If set to true, no spans will be reported for
    +impacted workloads. This does NOT impact context propagation or trace
    sampling behavior.

    @@ -385,7 +359,7 @@

    ProviderRef

    @@ -393,8 +367,8 @@

    ProviderRef

    Metrics

    -

    Metrics defines the workload-level overrides for metrics generation behavior -within a mesh. It can be used to enable/disable metrics generation, as well +

    Metrics defines the workload-level overrides for metrics generation behavior
    +within a mesh. It can be used to enable/disable metrics generation, as well
    as to customize the dimensions of the generated metrics.

    -No +Yes
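Review bot: the single-token change `-No +Yes` at the end of this hunk flips a Yes/No cell in the `Metrics` table, which reads as a field's required-ness changing rather than as a formatting change. Confirm against the upstream proto whether this reflects a real API change; if it is an artifact of the new generator, fix it there before the docs are regenerated, because a wrong "required" marker sends users chasing validation errors that do not exist.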
    @@ -411,9 +385,9 @@

    Metrics

    @@ -426,17 +400,17 @@

    Metrics

    @@ -449,7 +423,7 @@

    Metrics

    MetricSelector

    -

    Provides a mechanism for matching metrics for the application of override +

    Provides a mechanism for matching metrics for the application of override
    behaviors.

    providers ProviderRef[] -

    Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the default metrics -provider will be +

    Optional. Name of providers to which this configuration should apply.
    +If a provider is not specified, the default metrics
    +provider
    will be
    used.

    MetricsOverrides[]

    Optional. Ordered list of overrides to metrics generation behavior.

    - -

    Specified overrides will be applied in order. They will be applied on -top of inherited overrides from other resources in the hierarchy in the -following order: -1. Mesh-scoped overrides -2. Namespace-scoped overrides -3. Workload-scoped overrides

    - -

    Because overrides are applied in order, users are advised to order their -overrides from least specific to most specific matches. That is, it is -a best practice to list any universal overrides first, with tailored +

    Specified overrides will be applied in order. They will be applied on
    +top of inherited overrides from other resources in the hierarchy in the
    +following order:

    +
      +
    1. Mesh-scoped overrides
    2. +
    3. Namespace-scoped overrides
    4. +
    5. Workload-scoped overrides
    6. +
    +

    Because overrides are applied in order, users are advised to order their
    +overrides from least specific to most specific matches. That is, it is
    +a best practice to list any universal overrides first, with tailored
    overrides following them.
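Review bot: the override-order list in this hunk renders as six numbered entries with empty items between the three scopes (`1. Mesh-scoped overrides`, `2. +`, `3. Namespace-scoped overrides`, `4. +`, `5. Workload-scoped overrides`, `6. +`), where the removed line carried a plain three-item list. Check the generated `<ol>` for spurious `<li>` or paragraph elements coming out of the Goldmark output; the rendered page should show exactly three steps, since readers rely on this order to work out which override wins.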

    @@ -477,7 +451,7 @@

    MetricSelector

    @@ -489,7 +463,7 @@

    MetricSelector

    @@ -502,7 +476,7 @@

    MetricSelector

    MetricsOverrides

    -

    MetricsOverrides defines custom metric generation behavior for an individual +

    MetricsOverrides defines custom metric generation behavior for an individual
    metric or the set of all standard metrics.

    customMetric string (oneof) -

    Allows free-form specification of a metric. No validation of custom +

    Allows free-form specification of a metric. No validation of custom
    metrics is provided.

    mode WorkloadMode -

    Controls which mode of metrics generation is selected: CLIENT and/or +

    Controls which mode of metrics generation is selected: CLIENT and/or
    SERVER.

    @@ -519,11 +493,10 @@

    MetricsOverrides

    @@ -535,9 +508,9 @@

    MetricsOverrides

    @@ -549,12 +522,12 @@

    MetricsOverrides

    match MetricSelector -

    Match allows provides the scope of the override. It can be used to select -individual metrics, as well as the workload modes (server and/or client) +

    Match allows provides the scope of the override. It can be used to select
    +individual metrics, as well as the workload modes (server and/or client)
    in which the metrics will be generated.

    - -

    If match is not specified, the overrides will apply to all metrics for +

    If match is not specified, the overrides will apply to all metrics for
    both modes of operation (client and server).

    disabled BoolValue -

    Optional. Must explicitly set this to “true” to turn off metrics reporting -for the listed metrics. If disabled has been set to “true” in a parent -configuration, it must explicitly be set to “false” to turn metrics +

    Optional. Must explicitly set this to "true" to turn off metrics reporting
    +for the listed metrics. If disabled has been set to "true" in a parent
    +configuration, it must explicitly be set to "false" to turn metrics
    reporting on in the workloads selected by the Telemetry resource.

    tagOverrides map<string, TagOverride> -

    Optional. Collection of tag names and tag expressions to override in the -selected metric(s). -The key in the map is the name of the tag. -The value in the map is the operation to perform on the the tag. -WARNING: some providers may not support adding/removing tags. -See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    +

    Optional. Collection of tag names and tag expressions to override in the
    +selected metric(s).
    +The key in the map is the name of the tag.
    +The value in the map is the operation to perform on the the tag.
    +WARNING: some providers may not support adding/removing tags.
    +See also: https://istio.io/latest/docs/reference/config/metrics/#labels
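Review bot: two wording defects survive regeneration unchanged in this hunk, `Match allows provides the scope of the override.` (one of `allows` / `provides` should go) and `the operation to perform on the the tag.` (doubled `the`); both originate in the proto comments, so open the fix against the upstream api repo rather than editing this generated file.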

    @@ -566,8 +539,8 @@

    MetricsOverrides

    AccessLogging

    -

    Access logging defines the workload-level overrides for access log -generation. It can be used to select provider or enable/disable access log +

    Access logging defines the workload-level overrides for access log
    +generation. It can be used to select provider or enable/disable access log
    generation for a workload.

    @@ -595,8 +568,8 @@

    AccessLogging

    @@ -608,10 +581,10 @@

    AccessLogging

    @@ -623,7 +596,7 @@

    AccessLogging

    @@ -636,7 +609,7 @@

    AccessLogging

    Tracing.TracingSelector

    -

    TracingSelector provides a coarse-grained ability to configure tracing +

    TracingSelector provides a coarse-grained ability to configure tracing
    behavior based on certain traffic metadata (such as traffic direction).

    providers ProviderRef[] -

    Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the default logging +

    Optional. Name of providers to which this configuration should apply.
    +If a provider is not specified, the
    default logging
    provider
    will be used.

    disabled BoolValue -

    Controls logging. If set to true, no access logs will be generated for -impacted workloads (for the specified providers). -NOTE: currently default behavior will be controlled by the provider(s) -selected above. Customization controls will be added to this API in +

    Controls logging. If set to true, no access logs will be generated for
    +impacted workloads (for the specified providers).
    +NOTE: currently default behavior will be controlled by the provider(s)
    +selected above. Customization controls will be added to this API in
    future releases.

    filter Filter -

    Optional. If specified, this filter will be used to select specific +

    Optional. If specified, this filter will be used to select specific
    requests/connections for logging.

    @@ -653,7 +626,7 @@

    Tracing.TracingSelector

    @@ -666,12 +639,11 @@

    Tracing.TracingSelector

    Tracing.CustomTag

    -

    CustomTag defines a tag to be added to a trace span that is based on -an operator-supplied value. This value can either be a hard-coded value, -a value taken from an environment variable known to the sidecar proxy, or +

    CustomTag defines a tag to be added to a trace span that is based on
    +an operator-supplied value. This value can either be a hard-coded value,
    +a value taken from an environment variable known to the sidecar proxy, or
    from a request header.

    - -

    NOTE: when specified, custom_tags will fully replace any values provided +

    NOTE: when specified, custom_tags will fully replace any values provided
    by parent configuration.

    mode WorkloadMode -

    This determines whether or not to apply the tracing configuration +

    This determines whether or not to apply the tracing configuration
    based on the direction of traffic relative to the proxied workload.

    @@ -710,7 +682,7 @@

    Tracing.CustomTag

    @@ -774,7 +746,7 @@

    Tracing.Environment

    @@ -812,7 +784,7 @@

    Tracing.RequestHeader

    @@ -825,8 +797,8 @@

    Tracing.RequestHeader

    MetricsOverrides.TagOverride

    -

    TagOverride specifies an operation to perform on a metric dimension (also -known as a label). Tags may be added, removed, or have their default +

    TagOverride specifies an operation to perform on a metric dimension (also
    +known as a label). Tags may be added, removed, or have their default
    values overridden.

    header RequestHeader (oneof) -

    RequestHeader adds the value of an header from the request to each +

    RequestHeader adds the value of an header from the request to each
    span.

    defaultValue string -

    Optional. If the environment variable is not found, this value will be +

    Optional. If the environment variable is not found, this value will be
    used instead.

    defaultValue string -

    Optional. If the header is not found, this value will be +

    Optional. If the header is not found, this value will be
    used instead.

    @@ -854,13 +826,13 @@

    MetricsOverrides.TagOverride

    @@ -873,11 +845,11 @@

    MetricsOverrides.TagOverride

    AccessLogging.LogSelector

    -

    LogSelector provides a coarse-grained ability to configure logging behavior -based on certain traffic metadata (such as traffic direction). LogSelector -applies to traffic metadata which is not represented in the attribute set -currently supported by Filters. It allows control planes to limit the -configuration sent to individual workloads. Finer-grained logging behavior +

    LogSelector provides a coarse-grained ability to configure logging behavior
    +based on certain traffic metadata (such as traffic direction). LogSelector
    +applies to traffic metadata which is not represented in the attribute set
    +currently supported by Filters. It allows control planes to limit the
    +configuration sent to individual workloads. Finer-grained logging behavior
    can be further configured via filter.

    value string -

    Value is only considered if the operation is UPSERT. -Values are CEL expressions over -attributes. Examples include: “string(destination.port)” and -“request.host”. Istio exposes all standard Envoy -attributes. -Additionally, Istio exposes node metadata as attributes. -More information is provided in the customization +

    Value is only considered if the operation is UPSERT.
    +Values are
    CEL expressions over
    +attributes. Examples include: "string(destination.port)" and
    +"request.host". Istio exposes all standard Envoy
    +attributes
    .
    +Additionally, Istio exposes node metadata as attributes.
    +More information is provided in the customization
    docs
    .
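Review bot: in the `value` description the link text and the following period now land on separate output lines (`+attributes` then `.`, and `docs` then `.`), whereas the removed line had `-attributes.` with the period attached. If the generated markup has a newline between the closing link tag and the `.`, browsers render it as `attributes .` with a space; verify the rendered page and, if needed, adjust the template or renderer so inline links do not break before punctuation.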

    @@ -894,7 +866,7 @@

    AccessLogging.LogSelector

    @@ -924,9 +896,7 @@

    AccessLogging.Filter

    mode WorkloadMode -

    This determines whether or not to apply the access logging configuration +

    This determines whether or not to apply the access logging configuration
    based on the direction of traffic relative to the proxied workload.

    string

    CEL expression for selecting when requests/connections should be logged.

    -

    Examples:

    -
    • response.code >= 400
    • connection.mtls && request.url_path.contains('v1beta3')
    • @@ -942,9 +912,9 @@

      AccessLogging.Filter

      MetricSelector.IstioMetric

      -

      Curated list of known metric types that is supported by Istio metric -providers. See also: -https://istio.io/latest/docs/reference/config/metrics/#metrics

      +

      Curated list of known metric types that is supported by Istio metric
      +providers. See also:
      +https://istio.io/latest/docs/reference/config/metrics/#metrics

      @@ -957,7 +927,7 @@

      MetricSelector.IstioMetric

      @@ -965,13 +935,10 @@

      MetricSelector.IstioMetric

      @@ -1113,8 +1058,7 @@

      MetricSelector.IstioMetric

      @@ -1135,7 +1079,7 @@

      MetricsOverrides.TagOverride.Ope

      @@ -1143,7 +1087,7 @@

      MetricsOverrides.TagOverride.Ope

      @@ -1153,11 +1097,11 @@

      MetricsOverrides.TagOverride.Ope

      WorkloadMode

      -

      WorkloadMode allows selection of the role of the underlying workload in -network traffic. A workload is considered as acting as a SERVER if it is -the destination of the traffic (that is, traffic direction, from the -perspective of the workload is inbound). If the workload is the source of -the network traffic, it is considered to be in CLIENT mode (traffic is +

      WorkloadMode allows selection of the role of the underlying workload in
      +network traffic. A workload is considered as acting as a SERVER if it is
      +the destination of the traffic (that is, traffic direction, from the
      +perspective of the workload is inbound). If the workload is the source of
      +the network traffic, it is considered to be in CLIENT mode (traffic is
      outbound from the workload).

      ALL_METRICS -

      Use of this enum indicates that the override should apply to all Istio +

      Use of this enum indicates that the override should apply to all Istio
      default metrics.

      REQUEST_COUNT -

      Counter of requests to/from an application, generated for HTTP, HTTP/2, +

      Counter of requests to/from an application, generated for HTTP, HTTP/2,
      and GRPC traffic.

      -

      The Prometheus provider exports this metric as: istio_requests_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/request_count (SERVER mode)
      • istio.io/service/client/request_count (CLIENT mode)
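Review bot: in the `REQUEST_COUNT` entry the Stackdriver list is followed by the next hunk header rendered as a third bullet (`• @@ -982,14 +949,11 @@`), and every entry after it is indented one level deeper; the same pattern repeats for each metric that has a Stackdriver list. Verify in the generated HTML that each `<ul>` is closed before the next table row, because an unclosed list would nest the remaining `MetricSelector.IstioMetric` rows inside the first metric's bullet list.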
      • @@ -982,14 +949,11 @@

        MetricSelector.IstioMetric

      REQUEST_DURATION -

      Histogram of request durations, generated for HTTP, HTTP/2, and GRPC +

      Histogram of request durations, generated for HTTP, HTTP/2, and GRPC
      traffic.

      - -

      The Prometheus provider exports this metric as: +

      The Prometheus provider exports this metric as:
      istio_request_duration_milliseconds.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/response_latencies (SERVER mode)
      • istio.io/service/client/roundtrip_latencies (CLIENT mode)
      • @@ -1000,13 +964,10 @@

        MetricSelector.IstioMetric

      REQUEST_SIZE -

      Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC +

      Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC
      traffic.

      -

      The Prometheus provider exports this metric as: istio_request_bytes.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/request_bytes (SERVER mode)
      • istio.io/service/client/request_bytes (CLIENT mode)
      • @@ -1017,13 +978,10 @@

        MetricSelector.IstioMetric

      RESPONSE_SIZE -

      Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC +

      Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC
      traffic.

      -

      The Prometheus provider exports this metric as: istio_response_bytes.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/response_bytes (SERVER mode)
      • istio.io/service/client/response_bytes (CLIENT mode)
      • @@ -1035,12 +993,9 @@

        MetricSelector.IstioMetric

      TCP_OPENED_CONNECTIONS

      Counter of TCP connections opened over lifetime of workload.

      - -

      The Prometheus provider exports this metric as: +

      The Prometheus provider exports this metric as:
      istio_tcp_connections_opened_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/connection_open_count (SERVER mode)
      • istio.io/service/client/connection_open_count (CLIENT mode)
      • @@ -1052,12 +1007,9 @@

        MetricSelector.IstioMetric

      TCP_CLOSED_CONNECTIONS

      Counter of TCP connections closed over lifetime of workload.

      - -

      The Prometheus provider exports this metric as: +

      The Prometheus provider exports this metric as:
      istio_tcp_connections_closed_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/connection_close_count (SERVER mode)
      • istio.io/service/client/connection_close_count (CLIENT mode)
      • @@ -1069,12 +1021,9 @@

        MetricSelector.IstioMetric

      TCP_SENT_BYTES

      Counter of bytes sent during a response over a TCP connection.

      - -

      The Prometheus provider exports this metric as: +

      The Prometheus provider exports this metric as:
      istio_tcp_sent_bytes_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/sent_bytes_count (SERVER mode)
      • istio.io/service/client/sent_bytes_count (CLIENT mode)
      • @@ -1086,12 +1035,9 @@

        MetricSelector.IstioMetric

      TCP_RECEIVED_BYTES

      Counter of bytes received during a request over a TCP connection.

      - -

      The Prometheus provider exports this metric as: +

      The Prometheus provider exports this metric as:
      istio_tcp_received_bytes_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/received_bytes_count (SERVER mode)
      • istio.io/service/client/received_bytes_count (CLIENT mode)
      • @@ -1103,8 +1049,7 @@

        MetricSelector.IstioMetric

      GRPC_REQUEST_MESSAGES

      Counter incremented for every gRPC messages sent from a client.

      - -

      The Prometheus provider exports this metric as: +

      The Prometheus provider exports this metric as:
      istio_request_messages_total

      GRPC_RESPONSE_MESSAGES

      Counter incremented for every gRPC messages sent from a server.

      - -

      The Prometheus provider exports this metric as: +

      The Prometheus provider exports this metric as:
      istio_response_messages_total

      UPSERT -

      Insert or Update the tag with the provided value expression. The +

      Insert or Update the tag with the provided value expression. The
      value field MUST be specified if UPSERT is used as the operation.

      REMOVE -

      Specifies that the tag should not be included in the metric when +

      Specifies that the tag should not be included in the metric when
      generated.

      @@ -1171,7 +1115,7 @@

      WorkloadMode

      @@ -1179,7 +1123,7 @@

      WorkloadMode

      @@ -1187,7 +1131,7 @@

      WorkloadMode

      diff --git a/content/zh/docs/reference/config/type/workload-selector/index.html b/content/zh/docs/reference/config/type/workload-selector/index.html index ec2818ed29712..b070f64ded174 100644 --- a/content/zh/docs/reference/config/type/workload-selector/index.html +++ b/content/zh/docs/reference/config/type/workload-selector/index.html @@ -1,20 +1,20 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api +WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/ericvn/api' REPO +source_repo: https://github.com/ericvn/api title: Workload Selector description: Definition of a workload selector. location: https://istio.io/docs/reference/config/type/workload-selector.html -layout: protoc-gen-docs +layout: partner-component generator: protoc-gen-docs number_of_entries: 3 ---
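Review bot: as with the other generated pages in this change, the front-matter hunk here (`@@ -1,20 +1,20 @@`) swaps `source_repo` and the DO-NOT-EDIT warning from `https://github.com/istio/api` to `https://github.com/ericvn/api` and sets `+layout: partner-component`; regenerate from the canonical repository with the intended layout before merge so the published page does not direct contributors to a personal fork.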

      WorkloadSelector

      -

      WorkloadSelector specifies the criteria used to determine if a policy can be applied -to a proxy. The matching criteria includes the metadata associated with a proxy, -workload instance info such as labels attached to the pod/VM, or any other info -that the proxy provides to Istio during the initial handshake. If multiple conditions are -specified, all conditions need to match in order for the workload instance to be +

      WorkloadSelector specifies the criteria used to determine if a policy can be applied
      +to a proxy. The matching criteria includes the metadata associated with a proxy,
      +workload instance info such as labels attached to the pod/VM, or any other info
      +that the proxy provides to Istio during the initial handshake. If multiple conditions are
      +specified, all conditions need to match in order for the workload instance to be
      selected. Currently, only label based selection mechanism is supported.

      CLIENT_AND_SERVER -

      Selects for scenarios when the workload is either the +

      Selects for scenarios when the workload is either the
      source or destination of the network traffic.

      CLIENT -

      Selects for scenarios when the workload is the +

      Selects for scenarios when the workload is the
      source of the network traffic.

      SERVER -

      Selects for scenarios when the workload is the +

      Selects for scenarios when the workload is the
      destination of the network traffic.
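Review bot: the frontmatter in this hunk rewrites the "AUTO-GENERATED FILE" warning and `source_repo` to point at the personal fork `https://github.com/ericvn/api` instead of `https://github.com/istio/api`, and changes `layout: protoc-gen-docs` to `layout: partner-component`. Both look like artifacts of regenerating the docs against the test fork rather than intended changes; if published, the page would direct readers to send fixes to a fork, and the layout swap changes how the reference page renders. Regenerate from `istio/api` (or revert these three lines) before this is merged.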

      @@ -31,8 +31,8 @@

      WorkloadSelector

      @@ -45,7 +45,7 @@

      WorkloadSelector

      PortSelector

      -

      PortSelector is the criteria for specifying if a policy can be applied to +

      PortSelector is the criteria for specifying if a policy can be applied to
      a listener having a specific port.

      matchLabels map<string, string> -

      One or more labels that indicate a specific set of pods/VMs -on which a policy should be applied. The scope of label search is restricted to +

      One or more labels that indicate a specific set of pods/VMs
      +on which a policy should be applied. The scope of label search is restricted to
      the configuration namespace in which the resource is present.

      @@ -74,11 +74,11 @@

      PortSelector

      WorkloadMode

      -

      WorkloadMode allows selection of the role of the underlying workload in -network traffic. A workload is considered as acting as a SERVER if it is -the destination of the traffic (that is, traffic direction, from the -perspective of the workload is inbound). If the workload is the source of -the network traffic, it is considered to be in CLIENT mode (traffic is +

      WorkloadMode allows selection of the role of the underlying workload in
      +network traffic. A workload is considered as acting as a SERVER if it is
      +the destination of the traffic (that is, traffic direction, from the
      +perspective of the workload is inbound). If the workload is the source of
      +the network traffic, it is considered to be in CLIENT mode (traffic is
      outbound from the workload).

      @@ -99,8 +99,8 @@

      WorkloadMode

      @@ -108,7 +108,7 @@

      WorkloadMode

      @@ -116,7 +116,7 @@

      WorkloadMode

      diff --git a/scripts/grab_reference_docs.sh b/scripts/grab_reference_docs.sh index 8e3660b8f42c0..804e9b19a5b5c 100755 --- a/scripts/grab_reference_docs.sh +++ b/scripts/grab_reference_docs.sh @@ -36,7 +36,7 @@ fi # The repos to mine for docs, just add new entries here to pull in more repos. REPOS=( https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}" - https://github.com/istio/api.git@"${SOURCE_BRANCH_NAME}" + https://github.com/ericvn/api.git@testNewImage https://github.com/istio/proxy.git@"${SOURCE_BRANCH_NAME}" ) From 105c841ad88ce84f3687960d1cd43a7ddc4216e4 Mon Sep 17 00:00:00 2001 
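Review bot: the `REPOS` entry in `scripts/grab_reference_docs.sh` replaces `https://github.com/istio/api.git@"${SOURCE_BRANCH_NAME}"` with the hard-coded `https://github.com/ericvn/api.git@testNewImage`, which pins the reference-doc build to a personal fork and branch and bypasses `SOURCE_BRANCH_NAME` for that repo only. Since the commit subject describes this as a test, that line must be restored to the `istio/api` entry (with the branch variable) before merge, and the PR should probably stay a draft until the generator change lands upstream.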
From: Eric Van Norman Date: Thu, 13 Oct 2022 10:34:07 -0500 Subject: [PATCH 2/3] Update to use GFM and Unsafe. --- .../config/istio.analysis.v1alpha1/index.html | 62 +- .../config/istio.mesh.v1alpha1/index.html | 952 +++++++++--------- .../config/istio.operator.v1alpha1/index.html | 158 +-- .../meta/v1beta1/istio-status/index.html | 30 +- .../networking/destination-rule/index.html | 722 ++++++------- .../config/networking/envoy-filter/index.html | 406 ++++---- .../config/networking/gateway/index.html | 328 +++--- .../config/networking/proxy-config/index.html | 34 +- .../networking/service-entry/index.html | 472 ++++----- .../config/networking/sidecar/index.html | 434 ++++---- .../networking/virtual-service/index.html | 914 ++++++++--------- .../networking/workload-entry/index.html | 168 ++-- .../networking/workload-group/index.html | 64 +- .../proxy_extensions/wasm-plugin/index.html | 120 +-- .../security/authorization-policy/index.html | 106 +- .../reference/config/security/jwt/index.html | 56 +- .../security/peer_authentication/index.html | 10 +- .../request_authentication/index.html | 44 +- .../reference/config/telemetry/index.html | 222 ++-- .../config/type/workload-selector/index.html | 34 +- .../config/istio.analysis.v1alpha1/index.html | 62 +- .../config/istio.mesh.v1alpha1/index.html | 952 +++++++++--------- .../config/istio.operator.v1alpha1/index.html | 158 +-- .../meta/v1beta1/istio-status/index.html | 30 +- .../networking/destination-rule/index.html | 722 ++++++------- .../config/networking/envoy-filter/index.html | 406 ++++---- .../config/networking/gateway/index.html | 328 +++--- .../config/networking/proxy-config/index.html | 34 +- .../networking/service-entry/index.html | 472 ++++----- .../config/networking/sidecar/index.html | 434 ++++---- .../networking/virtual-service/index.html | 914 ++++++++--------- .../networking/workload-entry/index.html | 168 ++-- .../networking/workload-group/index.html | 64 +- .../proxy_extensions/wasm-plugin/index.html | 
120 +-- .../security/authorization-policy/index.html | 106 +- .../reference/config/security/jwt/index.html | 56 +- .../security/peer_authentication/index.html | 10 +- .../request_authentication/index.html | 44 +- .../reference/config/telemetry/index.html | 222 ++-- .../config/type/workload-selector/index.html | 34 +- 40 files changed, 5336 insertions(+), 5336 deletions(-) diff --git a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html index 10c9ba25ee134..be16cc59a07b1 100644 --- a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -13,7 +13,7 @@

      AnalysisMessageBase

      -

      AnalysisMessageBase describes some common information that is needed for all
      +

      AnalysisMessageBase describes some common information that is needed for all messages. All information should be static with respect to the error code.

      CLIENT -

      Selects for scenarios when the workload is the -source of the network traffic. In addition, +

      Selects for scenarios when the workload is the
      +source of the network traffic. In addition,
      if the workload is a gateway, selects this.

      SERVER -

      Selects for scenarios when the workload is the +

      Selects for scenarios when the workload is the
      destination of the network traffic.

      CLIENT_AND_SERVER -

      Selects for scenarios when the workload is either the +

      Selects for scenarios when the workload is either the
      source or destination of the network traffic.
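Review bot: the commit subject says the renderer was switched to GFM with Unsafe enabled, but nothing in this patch shows where that option is set, and the only visible effect in these generated files is a change in line wrapping of the description paragraphs. Because these pages are auto-generated from comments in the api repo (see the "AUTO-GENERATED FILE" warning above), enabling raw HTML passthrough means any HTML in those source comments is emitted verbatim into istio.io; link the generator change in the PR description so reviewers can confirm that only trusted input reaches the renderer.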

      @@ -50,9 +50,9 @@

      AnalysisMessageBase

      @@ -65,9 +65,9 @@

      AnalysisMessageBase

      AnalysisMessageWeakSchema

      -

      AnalysisMessageWeakSchema is the set of information that's needed to define a
      -weakly-typed schema. The purpose of this proto is to provide a mechanism for
      -validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
      +

      AnalysisMessageWeakSchema is the set of information that's needed to define a +weakly-typed schema. The purpose of this proto is to provide a mechanism for +validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make sure that we don't allow committing underspecified types.

      documentationUrl string -

      A url pointing to the Istio documentation for this specific error type.
      -Should be of the form
      -^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/
      +

      A url pointing to the Istio documentation for this specific error type. +Should be of the form +^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/ Required.

      @@ -106,8 +106,8 @@

      AnalysisMessageWeakSchema

      @@ -131,11 +131,11 @@

      AnalysisMessageWeakSchema

      GenericAnalysisMessage

      -

      GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
      -schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
      -should be able to perform validation of arguments as needed by using the
      -message type information to look at the AnalysisMessageWeakSchema and examine the
      -list of args at runtime. Developers can also create stronger-typed versions
      +

      GenericAnalysisMessage is an instance of an AnalysisMessage defined by a +schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code +should be able to perform validation of arguments as needed by using the +message type information to look at the AnalysisMessageWeakSchema and examine the +list of args at runtime. Developers can also create stronger-typed versions of GenericAnalysisMessage for well-known and stable message types.

      template string -

      A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing)
      -defining how to combine the args for a particular message into a log line.
      +

      A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) +defining how to combine the args for a particular message into a log line. Required.

      @@ -174,11 +174,11 @@

      GenericAnalysisMessage

      @@ -191,7 +191,7 @@

      GenericAnalysisMessage

      InternalErrorAnalysisMessage

      -

      InternalErrorAnalysisMessage is a strongly-typed message representing some
      +

      InternalErrorAnalysisMessage is a strongly-typed message representing some error in Istio code that prevented us from performing analysis at all.

      resourcePaths string[] -

      A list of strings specifying the resource identifiers that were the cause
      -of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME
      -tuple that uniquely identifies a particular resource. There doesn't seem to
      -be a single concept for this, but this is intuitively taken from
      -https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology
      +

      A list of strings specifying the resource identifiers that were the cause +of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME +tuple that uniquely identifies a particular resource. There doesn't seem to +be a single concept for this, but this is intuitively taken from +https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology At least one is required.

      @@ -231,9 +231,9 @@

      InternalErrorAnalysisMessage

      AnalysisMessageBase.Type

      -

      A unique identifier for the type of message. Name is intended to be
      -human-readable, code is intended to be machine readable. There should be a
      -one-to-one mapping between name and code. (i.e. do not re-use names or
      +

      A unique identifier for the type of message. Name is intended to be +human-readable, code is intended to be machine readable. There should be a +one-to-one mapping between name and code. (i.e. do not re-use names or codes between message types.)

      @@ -250,8 +250,8 @@

      AnalysisMessageBase.Type

      @@ -263,8 +263,8 @@

      AnalysisMessageBase.Type

      @@ -302,9 +302,9 @@

      AnalysisMessageWeakSchema.ArgType

      goType @@ -317,7 +317,7 @@

      AnalysisMessageWeakSchema.ArgType

      AnalysisMessageBase.Level

      -

      The values here are chosen so that more severe messages get sorted higher,
      +

      The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later

      name string -

      A human-readable name for the message type. e.g. "InternalError",
      -"PodMissingProxy". This should be the same for all messages of the same type.
      +

      A human-readable name for the message type. e.g. "InternalError", +"PodMissingProxy". This should be the same for all messages of the same type. Required.

      code string -

      A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify
      -the message type. (e.g. "IST0001" is mapped to the "InternalError" message
      +

      A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify +the message type. (e.g. "IST0001" is mapped to the "InternalError" message type.) 0000-0100 are reserved. Required.

      string -

      Required. Should be a golang type, used in code generation.
      -Ideally this will change to a less language-pinned type before this gets
      -out of alpha, but for compatibility with current istio/istio code it's
      +

      Required. Should be a golang type, used in code generation. +Ideally this will change to a less language-pinned type before this gets +out of alpha, but for compatibility with current istio/istio code it's go_type for now.

      diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html index d7bf4bfba413b..4158228a0a596 100644 --- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -29,7 +29,7 @@

      MeshConfig

      @@ -52,7 +52,7 @@

      MeshConfig

      @@ -64,15 +64,15 @@

      MeshConfig

      @@ -95,8 +95,8 @@

      MeshConfig

      @@ -108,7 +108,7 @@

      MeshConfig

      @@ -120,7 +120,7 @@

      MeshConfig

      @@ -132,10 +132,10 @@

      MeshConfig

      @@ -147,7 +147,7 @@

      MeshConfig

      @@ -159,7 +159,7 @@

      MeshConfig

      @@ -171,7 +171,7 @@

      MeshConfig

      @@ -183,7 +183,7 @@

      MeshConfig

      @@ -195,9 +195,9 @@

      MeshConfig

      @@ -209,9 +209,9 @@

      MeshConfig

      @@ -223,10 +223,10 @@

      MeshConfig

      @@ -238,17 +238,17 @@

      MeshConfig

      @@ -260,8 +260,8 @@

      MeshConfig

      @@ -273,16 +273,16 @@

      MeshConfig

      @@ -294,7 +294,7 @@

      MeshConfig

      @@ -306,12 +306,12 @@

      MeshConfig

      @@ -323,9 +323,9 @@

      MeshConfig

      @@ -337,26 +337,26 @@

      MeshConfig

      @@ -368,9 +368,9 @@

      MeshConfig

      @@ -382,9 +382,9 @@

      MeshConfig

      @@ -396,12 +396,12 @@

      MeshConfig

      @@ -424,7 +424,7 @@

      MeshConfig

      @@ -436,9 +436,9 @@

      MeshConfig

      @@ -450,9 +450,9 @@

      MeshConfig

      @@ -533,7 +533,7 @@

      MeshConfig

      @@ -556,11 +556,11 @@

      MeshConfig

      @@ -589,12 +589,12 @@

      MeshConfig

      @@ -606,13 +606,13 @@

      MeshConfig

      @@ -636,8 +636,8 @@

      MeshConfig

      ConfigSource

      -

      ConfigSource describes information about a configuration store inside a
      -mesh. A single control plane instance can interact with one or more data
      +

      ConfigSource describes information about a configuration store inside a +mesh. A single control plane instance can interact with one or more data sources.

      proxyListenPort int32 -

      Port on which Envoy should listen for incoming connections from
      +

      Port on which Envoy should listen for incoming connections from other services. Default port is 15001.

      connectTimeout Duration -

      Connection timeout used by Envoy. (MUST BE >=1ms)
      +

      Connection timeout used by Envoy. (MUST BE >=1ms) Default timeout is 10s.

      protocolDetectionTimeout Duration -

      Automatic protocol detection uses a set of heuristics to
      -determine whether the connection is using TLS or not (on the
      -server side), as well as the application protocol being used
      -(e.g., http vs tcp). These heuristics rely on the client sending
      -the first bits of data. For server first protocols like MySQL,
      -MongoDB, etc. Envoy will timeout on the protocol detection after
      -the specified period, defaulting to non mTLS plain TCP
      -traffic. Set this field to tweak the period that Envoy will wait
      -for the client to send the first bits of data. (MUST BE >=1ms or
      +

      Automatic protocol detection uses a set of heuristics to +determine whether the connection is using TLS or not (on the +server side), as well as the application protocol being used +(e.g., http vs tcp). These heuristics rely on the client sending +the first bits of data. For server first protocols like MySQL, +MongoDB, etc. Envoy will timeout on the protocol detection after +the specified period, defaulting to non mTLS plain TCP +traffic. Set this field to tweak the period that Envoy will wait +for the client to send the first bits of data. (MUST BE >=1ms or 0s to disable). Default detection timeout is 0s (no timeout).

      ingressClass string -

      Class of ingress resources to be processed by Istio ingress
      -controller. This corresponds to the value of
      +

      Class of ingress resources to be processed by Istio ingress +controller. This corresponds to the value of kubernetes.io/ingress.class annotation.

      ingressService string -

      Name of the Kubernetes service used for the istio ingress controller.
      +

      Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value istio-ingressgateway is used.

      ingressControllerMode IngressControllerMode -

      Defines whether to use Istio ingress controller for annotated or all ingress resources.
      +

      Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is STRICT.

      ingressSelector string -

      Defines which gateway deployment to use as the Ingress controller. This field corresponds to
      -the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR.
      -By default, ingressgateway is used, which will select the default IngressGateway as it has the
      -istio: ingressgateway labels.
      +

      Defines which gateway deployment to use as the Ingress controller. This field corresponds to +the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. +By default, ingressgateway is used, which will select the default IngressGateway as it has the +istio: ingressgateway labels. It is recommended that this is the same value as ingress_service.

      enableTracing bool -

      Flag to control generation of trace spans and request IDs.
      +

      Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

      accessLogFile string -

      File address for the proxy access log (e.g. /dev/stdout).
      +

      File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

      accessLogFormat string -

      Format for the proxy access log
      +

      Format for the proxy access log Empty value results in proxy's default access log format

      accessLogEncoding AccessLogEncoding -

      Encoding for the proxy access log (TEXT or JSON).
      +

      Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.

      enableEnvoyAccessLogService bool -

      This flag enables Envoy's gRPC Access Log Service.
      -See Access Log Service
      -for details about Envoy's gRPC Access Log Service API.
      +

      This flag enables Envoy's gRPC Access Log Service. +See Access Log Service +for details about Envoy's gRPC Access Log Service API. Default value is false.

      disableEnvoyListenerLog bool -

      This flag disables Envoy Listener logs.
      -See Listener Access Log
      -Istio Enables Envoy's listener access logs on "NoRoute" response flag.
      +

      This flag disables Envoy Listener logs. +See Listener Access Log +Istio Enables Envoy's listener access logs on "NoRoute" response flag. Default value is false.

      defaultConfig ProxyConfig -

      Default proxy config used by gateway and sidecars.
      -In case of Kubernetes, the proxy config is applied once during the injection process,
      -and remain constant for the duration of the pod. The rest of the mesh config can be changed
      -at runtime and config gets distributed dynamically.
      +

      Default proxy config used by gateway and sidecars. +In case of Kubernetes, the proxy config is applied once during the injection process, +and remain constant for the duration of the pod. The rest of the mesh config can be changed +at runtime and config gets distributed dynamically. On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

      outboundTrafficPolicy OutboundTrafficPolicy -

      Set the default behavior of the sidecar for handling outbound
      -traffic from the application. If your application uses one or
      -more external services that are not known apriori, setting the
      -policy to ALLOW_ANY will cause the sidecars to route any unknown
      -traffic originating from the application to its requested
      -destination. Users are strongly encouraged to use ServiceEntries
      -to explicitly declare any external dependencies, instead of using
      -ALLOW_ANY, so that traffic to these services can be
      -monitored. Can be overridden at a Sidecar level by setting the
      -OutboundTrafficPolicy in the Sidecar
      -API
      .
      +

      Set the default behavior of the sidecar for handling outbound +traffic from the application. If your application uses one or +more external services that are not known apriori, setting the +policy to ALLOW_ANY will cause the sidecars to route any unknown +traffic originating from the application to its requested +destination. Users are strongly encouraged to use ServiceEntries +to explicitly declare any external dependencies, instead of using +ALLOW_ANY, so that traffic to these services can be +monitored. Can be overridden at a Sidecar level by setting the +OutboundTrafficPolicy in the Sidecar +API. Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

      configSources ConfigSource[] -

      ConfigSource describes a source of configuration data for networking
      -rules, and other Istio configuration artifacts. Multiple data sources
      +

      ConfigSource describes a source of configuration data for networking +rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.

      enableAutoMtls BoolValue -

      This flag is used to enable mutual TLS automatically for service to service communication
      -within the mesh, default true.
      -If set to true, and a given service does not have a corresponding DestinationRule configured,
      -or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side
      -TLS configuration appropriately. More specifically,
      -If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
      -for mutual TLS to connect to upstream.
      -If upstream service is in plain text mode, use plain text.
      -If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
      -mutual TLS when server sides are capable of accepting mutual TLS traffic.
      +

      This flag is used to enable mutual TLS automatically for service to service communication +within the mesh, default true. +If set to true, and a given service does not have a corresponding DestinationRule configured, +or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side +TLS configuration appropriately. More specifically, +If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate +for mutual TLS to connect to upstream. +If upstream service is in plain text mode, use plain text. +If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use +mutual TLS when server sides are capable of accepting mutual TLS traffic. If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.

      trustDomain string -

      The trust domain corresponds to the trust root of a system.
      +

      The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID

      trustDomainAliases string[] -

      The trust domain aliases represent the aliases of trust_domain.
      +

      The trust domain aliases represent the aliases of trust_domain. For example, if we have

      trustDomain: td1
       trustDomainAliases: ["td2", "td3"]
       
      -

      Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account,
      +

      Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

      caCertificates CertificateData[] -

      The extra root certificates for workload-to-workload communication.
      -The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
      -are automatically added by Istiod.
      +

      The extra root certificates for workload-to-workload communication. +The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) +are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

      defaultServiceExportTo string[] -

      The default value for the ServiceEntry.export_to field and services
      -imported through container registry integrations, e.g. this applies to
      -Kubernetes Service resources. The value is a list of namespace names and
      +

      The default value for the ServiceEntry.export_to field and services +imported through container registry integrations, e.g. this applies to +Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are:

      * - All Namespaces
       . - Current Namespace
       ~ - No Namespace
       
      -

      If not set the system will use "*" as the default value which implies that
      +

      If not set the system will use "*" as the default value which implies that services are exported to all namespaces.

      -

      All namespaces is a reasonable default for implementations that don't
      -need to restrict access or visibility of services across namespace
      -boundaries. If that requirement is present it is generally good practice to
      -make the default Current namespace so that services are only visible
      -within their own namespaces by default. Operators can then expand the
      -visibility of services to other namespaces as needed. Use of No Namespace
      -is expected to be rare but can have utility for deployments where
      -dependency management needs to be precise even within the scope of a single
      +

      All namespaces is a reasonable default for implementations that don't +need to restrict access or visibility of services across namespace +boundaries. If that requirement is present it is generally good practice to +make the default Current namespace so that services are only visible +within their own namespaces by default. Operators can then expand the +visibility of services to other namespaces as needed. Use of No Namespace +is expected to be rare but can have utility for deployments where +dependency management needs to be precise even within the scope of a single namespace.

      -

      For further discussion see the reference documentation for ServiceEntry,
      +

      For further discussion see the reference documentation for ServiceEntry, Sidecar, and Gateway.

      defaultVirtualServiceExportTo string[] -

      The default value for the VirtualService.export_to field. Has the same
      +

      The default value for the VirtualService.export_to field. Has the same syntax as default_service_export_to.

      -

      If not set the system will use "*" as the default value which implies that
      +

      If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces

      defaultDestinationRuleExportTo string[] -

      The default value for the DestinationRule.export_to field. Has the same
      +

      The default value for the DestinationRule.export_to field. Has the same syntax as default_service_export_to.

      -

      If not set the system will use "*" as the default value which implies that
      +

      If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces

      rootNamespace string -

      The namespace to treat as the administrative root namespace for
      -Istio configuration. When processing a leaf namespace Istio will search for
      -declarations in that namespace first and if none are found it will
      -search in the root namespace. Any matching declaration found in the root
      +

      The namespace to treat as the administrative root namespace for +Istio configuration. When processing a leaf namespace Istio will search for +declarations in that namespace first and if none are found it will +search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace.

      -

      The precise semantics of this processing are documented on each resource
      +

      The precise semantics of this processing are documented on each resource type.

      dnsRefreshRate Duration -

      Configures DNS refresh rate for Envoy clusters of type STRICT_DNS
      +

      Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 5s.

      h2UpgradePolicy H2UpgradePolicy -

      Specify if http1.1 connections should be upgraded to http2 by default.
      -if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
      -If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE.
      +

      Specify if http1.1 connections should be upgraded to http2 by default. +if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. +If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.

      inboundClusterStatName string -

      Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
      -network filters like TCP and Redis.
      -By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>.
      +

      Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for +network filters like TCP and Redis. +By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>. For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

      A Pattern can be composed of various pre-defined variables. The following variables are supported.

        @@ -476,9 +476,9 @@

        MeshConfig

      outboundClusterStatName string -

      Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
      -network filters like TCP and Redis.
      -By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>.
      +

      Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for +network filters like TCP and Redis. +By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>. For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

      A Pattern can be composed of various pre-defined variables. The following variables are supported.

        @@ -514,14 +514,14 @@

        MeshConfig

      enablePrometheusMerge BoolValue -

      If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
      -and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod
      -and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
      -This relies on the annotations prometheus.io/scrape, prometheus.io/port, and
      -prometheus.io/path annotations.
      -If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
      -In this case, it is recommended to disable aggregation on that deployment with the
      -prometheus.istio.io/merge-metrics: "false" annotation.
      +

      If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy +and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod +and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. +This relies on the annotations prometheus.io/scrape, prometheus.io/port, and +prometheus.io/path annotations. +If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. +In this case, it is recommended to disable aggregation on that deployment with the +prometheus.istio.io/merge-metrics: "false" annotation. If not specified, this will be enabled by default.

      extensionProviders ExtensionProvider[] -

      Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
      +

      Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.

      discoverySelectors LabelSelector[] -

      A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
      -computing configuration updates for sidecars. This can be used to reduce Istio's computational load
      -by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
      -If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
      -Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
      +

      A list of Kubernetes selectors that specify the set of namespaces that Istio considers when +computing configuration updates for sidecars. This can be used to reduce Istio's computational load +by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. +If omitted, Istio will use the default behavior of processing all namespaces in the cluster. +Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. The following example selects any namespace that matches either below:

      1. The namespace has both of these labels: env: prod and region: us-east1
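Review bot: the enablePrometheusMerge text carries a pre-existing typo that the joined rendering now puts in the middle of a sentence: `merge metrics of from the application with Istio metrics` should be `merge metrics from the application`, and `This relies on the annotations prometheus.io/scrape, prometheus.io/port, and prometheus.io/path annotations` repeats "annotations". Both are istio/api comment text, so fix them upstream. The discoverySelectors paragraph ends with `The following example selects any namespace that matches either below:` and runs straight into the numbered list that this hunk boundary splits; check that the example selector YAML after item 2 survives the Goldmark rendering, since only `- cassandra - spark` is visible in the next hunk.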
      2. @@ -577,7 +577,7 @@

        MeshConfig

        - cassandra - spark -

        Refer to the kubernetes selector docs
        +

        Refer to the kubernetes selector docs for additional detail on selector semantics.

      pathNormalization ProxyPathNormalization -

      ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
      -normalized by the sidecars and gateways.
      -The normalized paths will be used in all aspects through the requests' lifetime on the
      -sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
      -authorization policy match and enforcement in inbound direction (server proxy), and the URL
      -path proxied to the upstream service.
      +

      ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are +normalized by the sidecars and gateways. +The normalized paths will be used in all aspects through the requests' lifetime on the +sidecars and gateways, which includes routing decisions in outbound direction (client proxy), +authorization policy match and enforcement in inbound direction (server proxy), and the URL +path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used.

      defaultHttpRetryPolicy HTTPRetry -

      Configure the default HTTP retry policy.
      -The default number of retry attempts is set at 2 for these errors:
      -"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".
      -Setting the number of attempts to 0 disables retry policy globally.
      -This setting can be overriden on a per-host basis using the Virtual Service
      -API.
      -All settings in the retry policy except perTryTimeout can currently be
      +

      Configure the default HTTP retry policy. +The default number of retry attempts is set at 2 for these errors: +"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes". +Setting the number of attempts to 0 disables retry policy globally. +This setting can be overriden on a per-host basis using the Virtual Service +API. +All settings in the retry policy except perTryTimeout can currently be configured globally via this field.
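Review bot: `This setting can be overriden on a per-host basis using the Virtual Service API` should read `overridden`; pre-existing in the istio/api comment but now rendered as one continuous sentence. Otherwise this hunk is wrapping only: the default of 2 attempts for `connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes`, attempts 0 disabling retries globally, and the note that all settings except perTryTimeout are configurable here are unchanged.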

      @@ -654,9 +654,9 @@

      ConfigSource

      @@ -668,8 +668,8 @@

      ConfigSource

      @@ -742,10 +742,10 @@

      MeshConfig.CertificateData

      @@ -757,8 +757,8 @@

      MeshConfig.CertificateData

      @@ -770,14 +770,14 @@

      MeshConfig.CertificateData

      @@ -804,8 +804,8 @@

      MeshConfig.ThriftConfig

      @@ -843,8 +843,8 @@

      MeshConfig.CA

      @@ -856,13 +856,13 @@

      MeshConfig.CA

      @@ -887,7 +887,7 @@

      MeshConfig.CA

      @@ -958,9 +958,9 @@

      MeshConfig.ExtensionProvider

      @@ -1083,9 +1083,9 @@

      MeshConfig.ExtensionProvider

      MeshConfig.DefaultProviders

      -

      Holds the name references to the providers that will be used by default
      +

      Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified.

      -

      These names must match a provider defined in extension_providers that is
      +

      These names must match a provider defined in extension_providers that is one of the supported tracing providers.

      address string -

      Address of the server implementing the Istio Mesh Configuration
      -protocol (MCP). Can be IP address or a fully qualified DNS name.
      -Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
      +

      Address of the server implementing the Istio Mesh Configuration +protocol (MCP). Can be IP address or a fully qualified DNS name. +Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory.

      tlsSettings ClientTLSSettings -

      Use the tls_settings to specify the tls mode to use. If the MCP server
      -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
      +

      Use the tls_settings to specify the tls mode to use. If the MCP server +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.

      spiffeBundleUrl string (oneof) -

      The SPIFFE bundle endpoint URL that complies to:
      -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
      -The endpoint should support authentication based on Web PKI:
      -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
      +

      The SPIFFE bundle endpoint URL that complies to: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle +The endpoint should support authentication based on Web PKI: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.

      certSigners string[] -

      Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
      -when Istiod is acting as RA(registration authority)
      +

      Optional. Specify the kubernetes signers (External CA) that use this trustAnchor +when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.

      trustDomains string[] -

      Optional. Specify the list of trust domains to which this trustAnchor data belongs.
      -If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
      -and its aliases.
      -Note that we can have multiple trustAnchor data for a same trust_domain.
      -In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
      -If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
      -If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
      -If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
      +

      Optional. Specify the list of trust domains to which this trustAnchor data belongs. +If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain +and its aliases. +Note that we can have multiple trustAnchor data for a same trust_domain. +In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. +If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. +If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. +If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.

      rateLimitUrl string -

      Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
      -this will enable the rate limit service for destinations that have matching rate
      +

      Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, +this will enable the rate limit service for destinations that have matching rate limit configurations.

      address string -

      REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
      -Can be IP address or a fully qualified DNS name with port
      +

      REQUIRED. Address of the CA server implementing the Istio CA gRPC API. +Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

      tlsSettings ClientTLSSettings -

      Use the tls_settings to specify the tls mode to use.
      +

      Use the tls_settings to specify the tls mode to use. Regarding tls_settings:

        -
      • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
        +
      • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing
      • -
      • TLS MUTUAL MODE be on by default. If the CA certificates
        -(cert bundle to verify the CA server's certificate) is omitted, Istiod will
        +
      • TLS MUTUAL MODE be on by default. If the CA certificates +(cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate.
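Review bot: several of these comments relied on hard line breaks for sentence separation, and Goldmark treats a single newline as a soft break, so they now render as run-ons: `when Istiod is acting as RA(registration authority) If set, they are used for these signers`, `a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932`, and `Use the tls_settings to specify the tls mode to use. Regarding tls_settings:` immediately followed by the bullets. Add terminal punctuation (or a blank line before "Eg:" / "If set") in the istio/api source. In the MeshConfig.CA tlsSettings bullets, `TLS MUTUAL MODE be on by default` is missing its verb ("will be on by default"), and the first bullet now reads `via an Envoy sidecar. DISABLE MODE can also be used for testing` with no closing period; keep those two statements clearly separated so the testing allowance is not read as part of the sidecar case, since DISABLE is the mode with no TLS to the CA server.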
      @@ -875,7 +875,7 @@

      MeshConfig.CA

      requestTimeout Duration -

      timeout for forward CSR requests from Istiod to External CA
      +

      timeout for forward CSR requests from Istiod to External CA Default: 10s

      istiodSide bool -

      Use istiod_side to specify CA Server integrate to Istiod side or Agent side
      +

      Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true

      lightstep LightstepTracingProvider (oneof) -

      Configures a Lightstep tracing provider.
      -Note: For Istio 1.15+, configuring this provider will result in
      -using an OpenTelemetryTracingProvider configured specially for
      +

      Configures a Lightstep tracing provider. +Note: For Istio 1.15+, configuring this provider will result in +using an OpenTelemetryTracingProvider configured specially for Lightstep. This is part of the Lightstep transition to OpenTelemetry.
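Review bot: `Default: 10s` and `Default: true` sat on their own lines in the source comments and now run into the preceding sentence: `timeout for forward CSR requests from Istiod to External CA Default: 10s` and `CA Server integrate to Istiod side or Agent side Default: true`. End the sentence with a period or move the default to its own paragraph in the istio/api comment so the rendering separates them. The Lightstep note (`For Istio 1.15+, configuring this provider will result in using an OpenTelemetryTracingProvider`) joins correctly.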

      @@ -1174,11 +1174,11 @@

      MeshConfig.TLSConfig

      @@ -1207,21 +1207,21 @@

      MeshConfig.ServiceSettings.Settings

      @@ -1248,10 +1248,10 @@

      Mesh

      @@ -1263,9 +1263,9 @@

      Mesh

      @@ -1277,9 +1277,9 @@

      Mesh

      @@ -1306,9 +1306,9 @@

      Mes

      @@ -1345,8 +1345,8 @@

      Mes

      @@ -1358,8 +1358,8 @@

      Mes

      @@ -1371,7 +1371,7 @@

      Mes

      @@ -1394,15 +1394,15 @@

      Mes

      @@ -1443,11 +1443,11 @@

      Mes

      @@ -1563,8 +1563,8 @@

      Mes

      @@ -1576,7 +1576,7 @@

      Mes

      @@ -1616,9 +1616,9 @@

      MeshConfig.Extension

      @@ -1655,8 +1655,8 @@

      MeshConfig.Extension

      MeshConfig.ExtensionProvider.LightstepTracingProvider

      -

      Defines configuration for a Lightstep tracer.
      -Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
      +

      Defines configuration for a Lightstep tracer. +Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ will generate OpenTelemetry-compatible configuration when using this option.

      minProtocolVersion TLSProtocol -

      Optional: the minimum TLS protocol version. The default minimum
      -TLS version will be TLS 1.2. As servers may not be Envoy and be
      -set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
      -minimum TLS version for clients may also be TLS 1.2.
      -In the current Istio implementation, the maximum TLS protocol version
      +

      Optional: the minimum TLS protocol version. The default minimum +TLS version will be TLS 1.2. As servers may not be Envoy and be +set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the +minimum TLS version for clients may also be TLS 1.2. +In the current Istio implementation, the maximum TLS protocol version is TLS 1.3.

      clusterLocal bool -

      If true, specifies that the client and service endpoints must reside in the same cluster.
      -By default, in multi-cluster deployments, the Istio control plane assumes all service
      -endpoints to be reachable from any client in any of the clusters which are part of the
      -mesh. This configuration option limits the set of service endpoints visible to a client
      +

      If true, specifies that the client and service endpoints must reside in the same cluster. +By default, in multi-cluster deployments, the Istio control plane assumes all service +endpoints to be reachable from any client in any of the clusters which are part of the +mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped.

      There are some common scenarios when this can be useful:

        -
      • A service (or group of services) is inherently local to the cluster and has local storage
        +
      • A service (or group of services) is inherently local to the cluster and has local storage for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
      • -
      • A mesh administrator wants to slowly migrate services to Istio. They might start by first
        -having services cluster-local and then slowly transition them to mesh-wide. They could do
        -this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
        +
      • A mesh administrator wants to slowly migrate services to Istio. They might start by first +having services cluster-local and then slowly transition them to mesh-wide. They could do +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group (e.g. *.myns.svc.cluster.local).
      -

      By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
      +

      By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

      maxRequestBytes uint32 -

      Sets the maximum size of a message body that the ext-authz filter will hold in memory.
      -If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
      -Otherwise the request will be sent to the provider with a partial message.
      -Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the
      +

      Sets the maximum size of a message body that the ext-authz filter will hold in memory. +If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). +Otherwise the request will be sent to the provider with a partial message. +Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the fail_open is set to true.

      allowPartialMessage bool -

      When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
      -The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
      -A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
      +

      When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. +The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. +A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial.

      packAsBytes bool -

      If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
      -in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
      -Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
      +

      If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes +in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). +Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.

      service string -

      REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
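Review bot: the minProtocolVersion sentence `As servers may not be Envoy and be set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the minimum TLS version for clients may also be TLS 1.2` is hard to parse now that it renders as one line; suggest "Because some servers are not Envoy and may be limited to TLS 1.2 (e.g. workloads using mTLS without sidecars), the client minimum also defaults to TLS 1.2." in the istio/api source. The maxRequestBytes caveat `the 413 will be returned even when the fail_open is set to true` is the operationally important line in this region and reads correctly after joining; keep it adjacent to the allowPartialMessage description, which is what avoids the 413.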

      @@ -1332,8 +1332,8 @@

      Mes

      timeout Duration -

      The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
      -When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
      +

      The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured fail_open field.

      pathPrefix string -

      Sets a prefix to the value of authorization request header Path.
      -For example, setting this to "/check" for an original user request at path "/admin" will cause the
      +

      Sets a prefix to the value of authorization request header Path. +For example, setting this to "/check" for an original user request at path "/admin" will cause the authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".

      failOpen bool -

      If true, the user request will be allowed even if the communication with the authorization service has failed,
      -or if the authorization service has returned a HTTP 5xx error.
      +

      If true, the user request will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with "Forbidden" response.

      statusOnError string -

      Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
      +

      Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).

      includeRequestHeadersInCheck string[] -

      List of client request headers that should be included in the authorization request sent to the authorization service.
      +

      List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default:

      1. Host, Method, Path and Content-Length are automatically sent.
      2. -
      3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization
        -request can include the buffered client request body (controlled by include_request_body_in_check setting),
        +
      4. Content-Length will be set to 0 and the request will not have a message body. However, the authorization +request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size.
      -

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
      +

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

      • Exact match: "abc" will match on value "abc".
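Review bot: `consequently the value of Content-Length of the authorization request reflects the size of its payload size` says size twice; `reflects the size of its payload` is enough. The same includeRequestHeadersInCheck paragraph now reads `Note that in addition to the headers specified here following headers are included by default:` (missing "the"). Both are istio/api comment wording rather than a rendering problem; the timeout and failOpen text for the HTTP provider (default 600s, default fail closed with a "Forbidden" response, statusOnError default "403") joins as intended.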
      • @@ -1419,8 +1419,8 @@

        Mes

      includeAdditionalHeadersInCheck map<string, string> -

      Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
      -Key is the header name and value is the header value.
      +

      Set of additional fixed headers that should be included in the authorization request sent to the authorization service. +Key is the header name and value is the header value. Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.

      headersToUpstreamOnAllow string[] -

      List of headers from the authorization service that should be added or overridden in the original request and
      -forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
      -If not specified, the original request will not be modified and forwarded to backend as-is.
      +

      List of headers from the authorization service that should be added or overridden in the original request and +forwarded to the upstream when the authorization check result is allowed (HTTP code 200). +If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden.

      -

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
      +

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

      • Exact match: "abc" will match on value "abc".
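Review bot: `Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden` is missing "headers" ("client request headers of the same key"); worth fixing in istio/api because this is the sentence telling operators that the fixed headers in includeAdditionalHeadersInCheck win over anything the client sends, which is what makes them safe to use for authorization-relevant values. The headersToUpstreamOnAllow note `any existing headers will be overridden` renders correctly.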
      • @@ -1464,14 +1464,14 @@

        Mes

      headersToDownstreamOnDeny string[] -

      List of headers from the authorization service that should be forwarded to downstream when the authorization
      -check result is not allowed (HTTP code other than 200).
      -If not specified, all the authorization response headers, except Authority (Host) will be in the response to
      -the downstream.
      -When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are
      -automatically added.
      +

      List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is not allowed (HTTP code other than 200). +If not specified, all the authorization response headers, except Authority (Host) will be in the response to +the downstream. +When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are +automatically added. Note, the body from the authorization service is always included in the response to downstream.

      -

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
      +

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

      • Exact match: "abc" will match on value "abc".
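Review bot: `Path, Status, Content-Length, WWWAuthenticate and Location are automatically added` names the header as `WWWAuthenticate`; the actual header is `WWW-Authenticate`. The missing hyphen predates this change, but this reference page is what operators copy header names from, so correct it in the istio/api comment. The added sentence `the body from the authorization service is always included in the response to downstream` joins correctly.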
      • @@ -1488,11 +1488,11 @@

        Mes

      headersToDownstreamOnAllow string[] -

      List of headers from the authorization service that should be forwarded to downstream when the authorization
      -check result is allowed (HTTP code 200).
      -If not specified, the original response will not be modified and forwarded to downstream as-is.
      +

      List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is allowed (HTTP code 200). +If not specified, the original response will not be modified and forwarded to downstream as-is. Note, any existing headers will be overridden.

      -

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
      +

      Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

      • Exact match: "abc" will match on value "abc".
      • @@ -1524,9 +1524,9 @@

        Mes

      service string -

      REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

      @@ -1550,8 +1550,8 @@

      Mes

      timeout Duration -

      The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
      -When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
      +

      The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured fail_open field.

      failOpen bool -

      If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
      -or if the authorization service has returned a HTTP 5xx error.
      +

      If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

      statusOnError string -

      Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
      +

      Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).

      service string -

      REQUIRED. Specifies the service that the Zipkin API.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service that the Zipkin API. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
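Review bot: `REQUIRED. Specifies the service that the Zipkin API.` is missing its verb ("that implements the Zipkin API"); the HTTP and gRPC ext_authz entries above use `Specifies the service that implements the Envoy ext_authz ... authorization service`, so match that phrasing in istio/api. The gRPC provider's failOpen text now states the TCP behaviour inline (`For TCP connection, it will be closed immediately`) next to the HTTP 403 case, which is the right place for it.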

      @@ -1642,7 +1642,7 @@

      MeshConfig.Extension

      maxTagLength uint32 -

      Optional. Controls the overall path length allowed in a reported span.
      +

      Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

      @@ -1673,9 +1673,9 @@

      MeshConfig.Extens

      @@ -1739,9 +1739,9 @@

      MeshConfig.Extensio

      @@ -1794,9 +1794,9 @@

      MeshConfig.Exten

      service string -

      REQUIRED. Specifies the service for the Lightstep collector.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service for the Lightstep collector. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

      @@ -1710,7 +1710,7 @@

      MeshConfig.Extens

      maxTagLength uint32 -

      Optional. Controls the overall path length allowed in a reported span.
      +

      Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

      service string -

      REQUIRED. Specifies the service for the Datadog agent.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service for the Datadog agent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

      @@ -1765,7 +1765,7 @@

      MeshConfig.Extensio

      maxTagLength uint32 -

      Optional. Controls the overall path length allowed in a reported span.
      +

      Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

      service string -

      REQUIRED. Specifies the service for the SkyWalking receiver.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service for the SkyWalking receiver. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

      @@ -1833,8 +1833,8 @@

      MeshConfig.Exten

      MeshConfig.ExtensionProvider.StackdriverProvider

      Defines configuration for Stackdriver.

      -

      WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
      -alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
      +

      WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used +alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus driver in Envoy.

      @@ -1851,7 +1851,7 @@

      MeshConfig.ExtensionPr

      @@ -1876,12 +1876,12 @@

      MeshConfig.ExtensionPr

      MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider

      Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

      -

      WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
      -OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation
      -in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
      -may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
      +

      WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of +OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation +in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration +may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider configuration MUST be accompanied by a restart of all proxies that will use that configuration.

      -

      NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used
      +

      NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used alongside OpenCensus provider configuration.

      maxTagLength uint32 -

      Optional. Controls the overall path length allowed in a reported span.
      +

      Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.
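Review bot: the NOTE in this hunk carries the typo "configuraiton" on both the removed and the added line ("Stackdriver tracing uses OpenCensus configuraiton under the hood"), while the StackdriverProvider WARNING in the hunk above spells it "configuration". The re-flow preserves the typo verbatim; since the text comes from the upstream proto comment, please fix it there rather than leaving the two descriptions inconsistent.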

      @@ -1898,9 +1898,9 @@

      MeshConfig.

      @@ -1938,7 +1938,7 @@

      MeshConfig.

      @@ -1954,7 +1954,7 @@

      MeshConfig.Exten

      MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider

      -

      Defines configuration for Envoy-based access logging that writes to
      +

      Defines configuration for Envoy-based access logging that writes to local files (and/or standard streams).

      service string -

      REQUIRED. Specifies the service for the OpenCensusAgent.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service for the OpenCensusAgent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

      @@ -1924,9 +1924,9 @@

      MeshConfig.

      context TraceContext[] -

      Specifies the set of context propagation headers used for distributed
      -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
      -the proxy will attempt to read each header for each request and will
      +

      Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will write all headers.

      maxTagLength uint32 -

      Optional. Controls the overall path length allowed in a reported span.
      +

      Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

      @@ -1971,8 +1971,8 @@

      MeshConfig.Exte

      @@ -1996,7 +1996,7 @@

      MeshConfig.Exte

      MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider

      -

      Defines configuration for an Envoy Access Logging Service
      +

      Defines configuration for an Envoy Access Logging Service integration for HTTP traffic.

      path string -

      Path to a local file to write the access log entries.
      -This may be used to write to streams, via /dev/stderr and /dev/stdout
      +

      Path to a local file to write the access log entries. +This may be used to write to streams, via /dev/stderr and /dev/stdout If unspecified, defaults to /dev/stdout.
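Review bot: joining the soft line breaks exposes missing sentence punctuation in the `path` description: the added line reads "via /dev/stderr and /dev/stdout If unspecified, defaults to /dev/stdout." as one run-on, where the old hard wrap after "/dev/stdout" hid the absent period. Goldmark treats a single newline as a space, so any upstream comment that relied on line breaks as sentence separators will render like this; a period after "/dev/stdout" in the source comment fixes it.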

      @@ -2013,9 +2013,9 @@

      MeshConfig.Exte

      service string -

      REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
      -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
      -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
      +

      REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

      Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
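Review bot: the `service` description for the ALS provider reads "Specifies the service that implements the Envoy ALS gRPC authorization service", but ALS is the access logging service, and "authorization service" matches the wording of the ext_authz fields at the top of this diff rather than what this field configures. The identical text recurs for the EnvoyTcpGrpcV3LogProvider and the OpenTelemetry provider hunks further down. This is an upstream comment fix ("implements the Envoy ALS gRPC access log service"), but worth raising now because the re-flow copies it into three rendered pages.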

      @@ -2039,7 +2039,7 @@

      MeshConfig.Exte

      logName string -

      Optional. The friendly name of the access log.
      +

      Optional. The friendly name of the access log. Defaults:

      • "http_envoy_accesslog"
      • @@ -2100,7 +2100,7 @@

        MeshConfig.Exte

        MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider

        -

        Defines configuration for an Envoy Access Logging Service
        +

        Defines configuration for an Envoy Access Logging Service integration for TCP traffic.

        @@ -2117,9 +2117,9 @@

        MeshConfig.Exten

        @@ -2255,12 +2255,12 @@

        MeshConfig.Ext

        @@ -2287,8 +2287,8 @@

        MeshC

        @@ -2353,12 +2353,12 @@

        Me

        service string -

        REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

        @@ -2143,7 +2143,7 @@

        MeshConfig.Exten

        logName string -

        Optional. The friendly name of the access log.
        +

        Optional. The friendly name of the access log. Defaults:

        • "tcp_envoy_accesslog"
        • @@ -2187,9 +2187,9 @@

          MeshConfig.E

        service string -

        REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

        @@ -2213,7 +2213,7 @@

        MeshConfig.E

        logName string -

        Optional. The friendly name of the access log.
        +

        Optional. The friendly name of the access log. Defaults:

        • "otel_envoy_accesslog"
        • @@ -2228,7 +2228,7 @@

          MeshConfig.E

        logFormat LogFormat -

        Optional. Format for the proxy access log
        +

        Optional. Format for the proxy access log Empty value results in proxy's default access log format, following Envoy access logging formatting.

        labels map<string, string> -

        Collection of tag names and tag expressions to include in the log
        -entry. Conflicts are resolved by the tag name by overriding previously
        +

        Collection of tag names and tag expressions to include in the log +entry. Conflicts are resolved by the tag name by overriding previously supplied values.

        -

        Example:
        -labels:
        -path: request.url_path
        +

        Example: +labels: +path: request.url_path foo: request.headers['x-foo']

        text string (oneof) -

        Textual format for the envoy access logs. Envoy command operators may be
        -used in the format. The format string documentation
        +

        Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation provides more information.

        NOTE: Istio will insert a newline ('\n') on all formats (if missing).

        Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"
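Review bot: the `labels` example in this hunk has been collapsed into a single prose line, "Example: +labels: +path: request.url_path foo: request.headers['x-foo']", whereas the removed lines show `labels:` and `path: request.url_path` on separate lines. Goldmark turns soft breaks into spaces, so an indented YAML example that is not fenced loses its structure and is no longer copyable. Suggest wrapping such examples in a fenced code block in the source comment (or enabling hard wraps in the renderer for these pages); the same hunk also has "Format for the proxy access log Empty value results in…" missing a period after "access log" for the same reason.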

        @@ -2302,11 +2302,11 @@

        MeshC

        labels Struct (oneof) -

        JSON structured format for the envoy access logs. Envoy command operators
        -can be used as values for fields within the Struct. Values are rendered
        -as strings, numbers, or boolean values, as appropriate
        -(see: format dictionaries). Nested JSON is
        -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
        +

        JSON structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Use labels: {} for default envoy JSON log format.

        Example:

        labels:
        @@ -2338,10 +2338,10 @@ 

        Me

        text string -

        Textual format for the envoy access logs. Envoy command operators may be
        -used in the format. The format string documentation
        -provides more information.
        -Alias to body filed in Open Telemetry
        +

        Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information. +Alias to body filed in Open Telemetry Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

        labels Struct -

        Optional. Additional attributes that describe the specific event occurrence.
        -Structured format for the envoy access logs. Envoy command operators
        -can be used as values for fields within the Struct. Values are rendered
        -as strings, numbers, or boolean values, as appropriate
        -(see: format dictionaries). Nested JSON is
        -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
        +

        Optional. Additional attributes that describe the specific event occurrence. +Structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Alias to attributes filed in Open Telemetry

        Example:

        labels:
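Review bot: both Open Telemetry alias sentences in this hunk say "filed" where "field" is meant ("Alias to body filed in Open Telemetry", "Alias to attributes filed in Open Telemetry"), and neither ends with a period, so after the re-flow the first one runs straight into its example: "…Alias to body filed in Open Telemetry Example: text: …". Fix the spelling and terminal punctuation in the upstream proto comment so the joined paragraph reads as two sentences.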
        @@ -2376,9 +2376,9 @@ 

        Me

        k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

        -

        A label selector is a label query over a set of resources. The result of matchLabels and
        -matchExpressions are ANDed. An empty label selector matches all objects. A null
        -label selector matches no objects.
        +

        A label selector is a label query over a set of resources. The result of matchLabels and +matchExpressions are ANDed. An empty label selector matches all objects. A null +label selector matches no objects. +structType=atomic
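Review bot: the added line for LabelSelector ends with "+structType=atomic", which is a Kubernetes code generation marker from the upstream comment being rendered as documentation text. With the lines now joined it sits at the end of the paragraph as if it were part of the description. The generator should drop `+`-prefixed marker lines from the k8s.io types before rendering, or the marker should be removed from the vendored comment.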

        @@ -2395,9 +2395,9 @@

        k8s.io.apimachinery.

        @@ -2409,7 +2409,7 @@

        k8s.io.apimachinery.

        @@ -2449,8 +2449,8 @@

        Tracing

        @@ -2495,7 +2495,7 @@

        Tracing

        @@ -2507,8 +2507,8 @@

        Tracing

        @@ -2521,7 +2521,7 @@

        Tracing

        PrivateKeyProvider

        -

        PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
        +

        PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured mesh wide or individual per-workload basis.

        matchLabels map<string, string> -

        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
        -map is equivalent to an element of matchExpressions, whose key field is "key", the
        -operator is "In", and the values array contains only "value". The requirements are ANDed.
        +

        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed. +optional

        matchExpressions LabelSelectorRequirement[] -

        matchExpressions is a list of label selector requirements. The requirements are ANDed.
        +

        matchExpressions is a list of label selector requirements. The requirements are ANDed. +optional

        lightstep Lightstep (oneof) -

        Use a Lightstep tracer.
        -NOTE: For Istio 1.15+, this configuration option will result
        +

        Use a Lightstep tracer. +NOTE: For Istio 1.15+, this configuration option will result in using OpenTelemetry-based Lightstep integration.

        sampling double -

        The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
        +

        The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.

        tlsSettings ClientTLSSettings -

        Use the tls_settings to specify the tls mode to use. If the remote tracing service
        -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
        +

        Use the tls_settings to specify the tls mode to use. If the remote tracing service +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.
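Review bot: the `matchLabels` and `matchExpressions` descriptions in this hunk both end with a bare "+optional" after the re-flow ("The requirements are ANDed. +optional"), the same leaked Kubernetes marker as "+structType=atomic" in the LabelSelector hunk above. These should be stripped by the generator rather than shipped in the rendered reference.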

        @@ -2548,8 +2548,8 @@

        PrivateKeyProvider

        ProxyConfig

        -

        ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
        -as well as by the mesh-wide defaults.
        +

        ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis +as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the defaultConfig section of meshConfig. For example:

        meshConfig:
           defaultConfig:
        @@ -2560,9 +2560,9 @@ 

        ProxyConfig

        proxy.istio.io/config: | discoveryAddress: istiod:15012
        -

        If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
        -This is different than a deep merge provided by protobuf.
        -For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider
        +

        If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. +This is different than a deep merge provided by protobuf. +For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider such as "tracing": { "zipkin": { "address": "..." } }.

        Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.
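Review bot: the unchanged context line "proxy.istio.io/config: | discoveryAddress: istiod:15012" shows the annotation example already collapsed onto one line, so the `|` block scalar and its content run together and the example cannot be pasted as shown. This hunk only re-flows the paragraph below it, but since the PR switches the renderer, please check whether the Goldmark output turns the `meshConfig:` / `defaultConfig:` and annotation examples into code blocks or leaves them as prose.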

        @@ -2580,7 +2580,7 @@

        ProxyConfig

        @@ -2603,17 +2603,17 @@

        ProxyConfig

        @@ -2625,7 +2625,7 @@

        ProxyConfig

        @@ -2637,8 +2637,8 @@

        ProxyConfig

        @@ -2650,9 +2650,9 @@

        ProxyConfig

        @@ -2664,7 +2664,7 @@

        ProxyConfig

        @@ -2687,7 +2687,7 @@

        ProxyConfig

        @@ -2699,7 +2699,7 @@

        ProxyConfig

        @@ -2711,7 +2711,7 @@

        ProxyConfig

        @@ -2723,10 +2723,10 @@

        ProxyConfig

        @@ -2738,9 +2738,9 @@

        ProxyConfig

        @@ -2785,9 +2785,9 @@

        ProxyConfig

        @@ -2799,8 +2799,8 @@

        ProxyConfig

        @@ -2812,7 +2812,7 @@

        ProxyConfig

        @@ -2824,7 +2824,7 @@

        ProxyConfig

        @@ -2836,7 +2836,7 @@

        ProxyConfig

        @@ -2848,9 +2848,9 @@

        ProxyConfig

        @@ -2862,10 +2862,10 @@

        ProxyConfig

        @@ -2877,8 +2877,8 @@

        ProxyConfig

        @@ -2890,8 +2890,8 @@

        ProxyConfig

        @@ -2903,16 +2903,16 @@

        ProxyConfig

        @@ -2934,9 +2934,9 @@

        ProxyConfig

        @@ -2948,9 +2948,9 @@

        ProxyConfig

        @@ -2984,8 +2984,8 @@

        ProxyConfig

        @@ -3024,8 +3024,8 @@

        RemoteService

        @@ -3105,9 +3105,9 @@

        Tracing.Datadog

        Tracing.Stackdriver

        -

        Stackdriver defines configuration for a Stackdriver tracer.
        -See Envoy's OpenCensus trace configuration
        -and
        +

        Stackdriver defines configuration for a Stackdriver tracer. +See Envoy's OpenCensus trace configuration +and OpenCensus trace config for details.

        configPath string -

        Path to the generated configuration file directory.
        +

        Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.

        serviceCluster string (oneof) -

        Service cluster defines the name for the service_cluster that is
        -shared by all Envoy instances. This setting corresponds to
        ---service-cluster flag in Envoy. In a typical Envoy deployment, the
        -service-cluster flag is used to identify the caller, for
        +

        Service cluster defines the name for the service_cluster that is +shared by all Envoy instances. This setting corresponds to +--service-cluster flag in Envoy. In a typical Envoy deployment, the +service-cluster flag is used to identify the caller, for source-based routing scenarios.

        -

        Since Istio does not assign a local service/service version to each
        -Envoy instance, the name is same for all of them. However, the
        -source/caller's identity (e.g., IP address) is encoded in the
        ---service-node flag when launching Envoy. When the RDS service
        -receives API calls from Envoy, it uses the value of the service-node
        -flag to compute routes that are relative to the service instances
        +

        Since Istio does not assign a local service/service version to each +Envoy instance, the name is same for all of them. However, the +source/caller's identity (e.g., IP address) is encoded in the +--service-node flag when launching Envoy. When the RDS service +receives API calls from Envoy, it uses the value of the service-node +flag to compute routes that are relative to the service instances located at that IP address.

        tracingServiceName TracingServiceName (oneof) -

        Used by Envoy proxies to assign the values for the service names in trace
        +

        Used by Envoy proxies to assign the values for the service names in trace spans.

        drainDuration Duration -

        The time in seconds that Envoy will drain connections during a hot
        -restart. MUST be >=1s (e.g., 1s/1m/1h)
        +

        The time in seconds that Envoy will drain connections during a hot +restart. MUST be >=1s (e.g., 1s/1m/1h) Default drain duration is 45s.

        parentShutdownDuration Duration -

        The time in seconds that Envoy will wait before shutting down the
        -parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h).
        -MUST BE greater than drain_duration parameter.
        +

        The time in seconds that Envoy will wait before shutting down the +parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). +MUST BE greater than drain_duration parameter. Default shutdown duration is 60s.

        discoveryAddress string -

        Address of the discovery service exposing xDS with mTLS connection.
        +

        Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.

        proxyAdminPort int32 -

        Port on which Envoy should listen for administrative commands.
        +

        Port on which Envoy should listen for administrative commands. Default port is 15000.

        controlPlaneAuthPolicy AuthenticationPolicy -

        AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
        +

        AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. Default is set to MUTUAL_TLS.

        customConfigFile string -

        File path of custom proxy configuration, currently used by proxies
        +

        File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot.

        statNameLength int32 -

        Maximum length of name field in Envoy's metrics. The length of the name field
        -is determined by the length of a name field in a service and the set of labels that
        -comprise a particular version of the service. The default value is set to 189 characters.
        -Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
        +

        Maximum length of name field in Envoy's metrics. The length of the name field +is determined by the length of a name field in a service and the set of labels that +comprise a particular version of the service. The default value is set to 189 characters. +Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.

        concurrency Int32Value -

        The number of worker threads to run.
        -If unset, this will be automatically determined based on CPU requests/limits.
        -If set to 0, all cores on the machine will be used.
        +

        The number of worker threads to run. +If unset, this will be automatically determined based on CPU requests/limits. +If set to 0, all cores on the machine will be used. Default is 2 worker threads.

        envoyAccessLogService RemoteService -

        Address of the service to which access logs from Envoys should be
        -sent. (e.g. accesslog-service:15000). See Access Log
        -Service

        +

        Address of the service to which access logs from Envoys should be +sent. (e.g. accesslog-service:15000). See Access Log +Service for details about Envoy's gRPC Access Log Service API.

        envoyMetricsService RemoteService -

        Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
        -See Metric Service
        +

        Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). +See Metric Service for details about Envoy's Metrics Service API.

        proxyMetadata map<string, string> -

        Additional environment variables for the proxy.
        +

        Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

        runtimeValues map<string, string> -

        Envoy runtime configuration to set during bootstrapping.
        +

        Envoy runtime configuration to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

        statusPort int32 -

        Port on which the agent should listen for administrative commands such as readiness probe.
        +

        Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port 15020.

        extraStatTags string[] -

        An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
        -added by configuring the telemetry extension. Each additional tag needs to be present in this list.
        -Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
        +

        An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be +added by configuring the telemetry extension. Each additional tag needs to be present in this list. +Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics.

        terminationDrainDuration Duration -

        The amount of time allowed for connections to complete on proxy shutdown.
        -On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining,
        -preventing any new connections and allowing existing connections to complete. It then
        -sleeps for the termination_drain_duration and then kills any remaining active Envoy processes.
        +

        The amount of time allowed for connections to complete on proxy shutdown. +On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining, +preventing any new connections and allowing existing connections to complete. It then +sleeps for the termination_drain_duration and then kills any remaining active Envoy processes. If not set, a default of 5s will be applied.

        meshId string -

        The unique identifier for the service mesh
        -All control planes running in the same service mesh should specify the same mesh ID.
        +

        The unique identifier for the service mesh +All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

        readinessProbe ReadinessProbe -

        VM Health Checking readiness probe. This health check config exactly mirrors the
        -kubernetes readiness probe configuration both in schema and logic.
        +

        VM Health Checking readiness probe. This health check config exactly mirrors the +kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time.

        proxyStatsMatcher ProxyStatsMatcher -

        Proxy stats matcher defines configuration for reporting custom Envoy stats.
        -To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
        -default create and expose only a subset of Envoy stats. This option is to
        -control creation of additional Envoy stats with prefix, suffix, and regex
        -expressions match on the name of the stats. This replaces the stats
        -inclusion annotations
        -(sidecar.istio.io/statsInclusionPrefixes,
        -sidecar.istio.io/statsInclusionRegexps, and
        -sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats
        -for circuit breaker, retry, and upstream connections, you can specify stats
        +

        Proxy stats matcher defines configuration for reporting custom Envoy stats. +To reduce memory and CPU overhead from Envoy stats system, Istio proxies by +default create and expose only a subset of Envoy stats. This option is to +control creation of additional Envoy stats with prefix, suffix, and regex +expressions match on the name of the stats. This replaces the stats +inclusion annotations +(sidecar.istio.io/statsInclusionPrefixes, +sidecar.istio.io/statsInclusionRegexps, and +sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats +for circuit breaker, retry, and upstream connections, you can specify stats matcher as follow:

        proxyStatsMatcher:
           inclusionRegexps:
        @@ -2921,8 +2921,8 @@ 

        ProxyConfig

        - upstream_rq_retry - upstream_cx
        -

        Note including more Envoy stats might increase number of time series
        -collected by prometheus significantly. Care needs to be taken on Prometheus
        +

        Note including more Envoy stats might increase number of time series +collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality.

        holdApplicationUntilProxyStarts BoolValue -

        Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
        -This feature adds hooks to delay application startup until the pod proxy
        -is ready to accept traffic, mitigating some startup race conditions.
        +

        Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. +This feature adds hooks to delay application startup until the pod proxy +is ready to accept traffic, mitigating some startup race conditions. Default value is 'false'.

        caCertificatesPem string[] -

        The PEM data of the extra root certificates for workload-to-workload communication.
        -This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
        -The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
        +

        The PEM data of the extra root certificates for workload-to-workload communication. +This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. +The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) are added automatically by Istiod.

        zipkinAddress string -

        Address of the Zipkin service (e.g. zipkin:9411).
        -DEPRECATED: Use tracing instead.

        +

        Address of the Zipkin service (e.g. zipkin:9411). +DEPRECATED: Use tracing instead.
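Review bot: the caCertificatesPem description in this hunk says the listed PEM data are extra root certificates for workload-to-workload communication and that the cacerts and istio-ca-secret roots are added automatically, but it never states the trust consequence of adding a root here (which peers are accepted when they present a chain to one of these roots); one sentence on that would make clear the field is security-sensitive and should only carry roots the operator controls. Separately, the zipkinAddress entry is marked DEPRECATED in favour of tracing, yet the rendered text leads with the usage example (`zipkin:9411`) and only then the deprecation; putting the deprecation first would stop readers copying the example.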

        @@ -3011,8 +3011,8 @@

        RemoteService

        address string -

        Address of a remove service used for various purposes (access log
        -receiver, metrics receiver, etc.). Can be IP address or a fully
        +

        Address of a remove service used for various purposes (access log +receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

        tlsSettings ClientTLSSettings -

        Use the tls_settings to specify the tls mode to use. If the remote service
        -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
        +

        Use the tls_settings to specify the tls mode to use. If the remote service +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.
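Review bot: typo carried into the rewrapped text in this hunk: the `address` description under RemoteService reads "Address of a remove service" where "remote service" is meant, and the Goldmark rewrap is the right moment to fix it. The `tlsSettings` text says the remote service "shares the root CA with Pilot"; the caCertificatesPem entry above uses the current name Istiod, so the two should agree.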

        @@ -3125,11 +3125,11 @@

        Tracing.Stackdriver

        Tracing.OpenCensusAgent

        -

        OpenCensusAgent defines configuration for an OpenCensus tracer writing to
        -an OpenCensus agent backend. See
        -Envoy's OpenCensus trace configuration
        -and
        -OpenCensus trace config
        +

        OpenCensusAgent defines configuration for an OpenCensus tracer writing to +an OpenCensus agent backend. See +Envoy's OpenCensus trace configuration +and +OpenCensus trace config for details.

        @@ -3146,9 +3146,9 @@

        Tracing.OpenCensusAgent

        @@ -3160,9 +3160,9 @@

        Tracing.OpenCensusAgent

        @@ -3191,11 +3191,11 @@

        PrivateKeyProvider.CryptoMb

        @@ -3208,7 +3208,7 @@

        PrivateKeyProvider.CryptoMb

        ProxyConfig.ProxyStatsMatcher

        -

        Proxy stats name matchers for stats creation. Note this is in addition to
        +

        Proxy stats name matchers for stats creation. Note this is in addition to the minimum Envoy stats that Istio generates by default.

        address string -

        gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
        -unix:path). See gRPC naming
        -docs
        for
        +

        gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or +unix:path). See gRPC naming +docs for details.

        context TraceContext[] -

        Specifies the set of context propagation headers used for distributed
        -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
        -the proxy will attempt to read each header for each request and will
        +

        Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will write all headers.

        pollDelay Duration -

        How long to wait until the per-thread processing queue should be processed. If the processing queue
        -gets full (eight sign or decrypt requests are received) it is processed immediately.
        -However, if the queue is not filled before the delay has expired, the requests already in the queue
        -are processed, even if the queue is not full.
        -In effect, this value controls the balance between latency and throughput.
        +

        How long to wait until the per-thread processing queue should be processed. If the processing queue +gets full (eight sign or decrypt requests are received) it is processed immediately. +However, if the queue is not filled before the delay has expired, the requests already in the queue +are processed, even if the queue is not full. +In effect, this value controls the balance between latency and throughput. The duration needs to be set to a non-zero value.
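Review bot: the CryptoMb pollDelay text in this hunk ends with "The duration needs to be set to a non-zero value" but does not say what happens when it is zero or unset (rejected at validation, or treated as no batching), which is the thing a reader setting this field needs to know; add that outcome. Also, in the OpenCensus `address` entry the link text "See gRPC naming +docs for details" has been rewrapped with the plus inside the anchor text, so check that the link survives the new renderer.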

        @@ -3259,10 +3259,10 @@

        ProxyConfig.ProxyStatsMatcher

        Network

        -

        Network provides information about the endpoints in a routable L3
        -network. A single routable L3 network can have one or more service
        -registries. Note that the network has no relation to the locality of the
        -endpoint. The endpoint locality will be obtained from the service
        +

        Network provides information about the endpoints in a routable L3 +network. A single routable L3 network can have one or more service +registries. Note that the network has no relation to the locality of the +endpoint. The endpoint locality will be obtained from the service registry.

        @@ -3279,8 +3279,8 @@

        Network

        @@ -3304,7 +3304,7 @@

        Network

        MeshNetworks

        -

        MeshNetworks (config map) provides information about the set of networks
        +

        MeshNetworks (config map) provides information about the set of networks inside a mesh and how to route to endpoints in each network. For example

        MeshNetworks(file/config map):

        networks:
        @@ -3335,8 +3335,8 @@ 

        MeshNetworks

        @@ -3349,23 +3349,23 @@

        MeshNetworks

        Network.NetworkEndpoints

        -

        NetworkEndpoints describes how the network associated with an endpoint
        -should be inferred. An endpoint will be assigned to a network based on
        +

        NetworkEndpoints describes how the network associated with an endpoint +should be inferred. An endpoint will be assigned to a network based on the following rules:

        1. -

          Implicitly: If the registry explicitly provides information about
          -the network to which the endpoint belongs to. In some cases, its
          -possible to indicate the network associated with the endpoint by
          +

          Implicitly: If the registry explicitly provides information about +the network to which the endpoint belongs to. In some cases, its +possible to indicate the network associated with the endpoint by adding the ISTIO_META_NETWORK environment variable to the sidecar.

        2. Explicitly:

          -

          a. By matching the registry name with one of the "fromRegistry"
          -in the mesh config. A "from_registry" can only be assigned to a
          +

          a. By matching the registry name with one of the "fromRegistry" +in the mesh config. A "from_registry" can only be assigned to a single network.

          -

          b. By matching the IP against one of the CIDR ranges in a mesh
          -config network. The CIDR ranges must not overlap and be assigned to
          +

          b. By matching the IP against one of the CIDR ranges in a mesh +config network. The CIDR ranges must not overlap and be assigned to a single network.
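Review bot: rule 1 in the NetworkEndpoints list is headed "Implicitly" but its body says the registry "explicitly provides information" about the network, which contradicts the heading; either the label or the body should change. Same hunk: "its possible" should be "it's possible", "the network to which the endpoint belongs to" has a doubled "to", and rule 2a names the field both as "fromRegistry" and "from_registry" in consecutive sentences; pick the camelCase form used by the field table (`fromRegistry string (oneof)`).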

        @@ -3385,7 +3385,7 @@

        Network.NetworkEndpoints

        @@ -3397,9 +3397,9 @@

        Network.NetworkEndpoints

        @@ -3412,8 +3412,8 @@

        Network.NetworkEndpoints

        Network.IstioNetworkGateway

        -

        The gateway associated with this network. Traffic from remote networks
        -will arrive at the specified gateway:port. All incoming traffic must
        +

        The gateway associated with this network. Traffic from remote networks +will arrive at the specified gateway:port. All incoming traffic must use mTLS.

        endpoints NetworkEndpoints[] -

        The list of endpoints in the network (obtained through the
        -constituent service registries or from CIDR ranges). All endpoints in
        +

        The list of endpoints in the network (obtained through the +constituent service registries or from CIDR ranges). All endpoints in the network are directly accessible to one another.

        networks map<string, Network> -

        The set of networks inside this mesh. Each network should
        -have a unique name and information about how to infer the endpoints in
        +

        The set of networks inside this mesh. Each network should +have a unique name and information about how to infer the endpoints in the network as well as the gateways associated with the network.

        fromCidr string (oneof) -

        A CIDR range for the set of endpoints in this network. The CIDR
        +

        A CIDR range for the set of endpoints in this network. The CIDR ranges for endpoints from different networks must not overlap.

        fromRegistry string (oneof) -

        Add all endpoints from the specified registry into this network.
        -The names of the registries should correspond to the kubeconfig file name
        -inside the secret that was used to configure the registry (Kubernetes
        +

        Add all endpoints from the specified registry into this network. +The names of the registries should correspond to the kubeconfig file name +inside the secret that was used to configure the registry (Kubernetes multicluster) or supplied by MCP server.
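Review bot: the IstioNetworkGateway text in this hunk states "All incoming traffic must use mTLS" without saying what enforces that at gateway:port or what happens to traffic that is not mTLS; since this is the security property that makes cross-network routing safe, one sentence on how non-mTLS arrivals are handled would make it checkable. Minor: in `fromRegistry`, "or supplied by MCP server" needs an article ("by the MCP server"), and the CIDR non-overlap rule is now stated both in NetworkEndpoints rule 2b and in `fromCidr`; keep it in one place.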

        @@ -3430,12 +3430,12 @@

        Network.IstioNetworkGateway

        @@ -3492,7 +3492,7 @@

        MeshConfig.OutboundTrafficPolicy.

        @@ -3500,7 +3500,7 @@

        MeshConfig.OutboundTrafficPolicy.

        @@ -3510,7 +3510,7 @@

        MeshConfig.OutboundTrafficPolicy.

        MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext

        -

        TraceContext selects the context propagation headers used for
        +

        TraceContext selects the context propagation headers used for distributed tracing.

        registryServiceName string (oneof) -

        A fully qualified domain name of the gateway service. Pilot will
        -lookup the service from the service registries in the network and
        -obtain the endpoint IPs of the gateway from the service
        -registry. Note that while the service name is a fully qualified
        -domain name, it need not be resolvable outside the orchestration
        -platform for the registry. e.g., this could be
        +

        A fully qualified domain name of the gateway service. Pilot will +lookup the service from the service registries in the network and +obtain the endpoint IPs of the gateway from the service +registry. Note that while the service name is a fully qualified +domain name, it need not be resolvable outside the orchestration +platform for the registry. e.g., this could be istio-ingressgateway.istio-system.svc.cluster.local.

        REGISTRY_ONLY -

        outbound traffic will be restricted to services defined in the
        +

        outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntries

        ALLOW_ANY -

        outbound traffic to unknown destinations will be allowed, in case
        +

        outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port
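Review bot: the REGISTRY_ONLY and ALLOW_ANY entries in this hunk describe both modes but neither says which one a mesh gets when outboundTrafficPolicy is unset; since ALLOW_ANY lets traffic reach destinations with no Service or ServiceEntry, the default matters to anyone relying on the registry as an egress allow-list and should be stated here. Also "in case there are no services or ServiceEntries for the destination port" reads more clearly as "when no Service or ServiceEntry matches the destination port".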

        @@ -3524,8 +3524,8 @@

        @@ -3540,7 +3540,7 @@

        @@ -3548,9 +3548,9 @@

        @@ -3585,8 +3585,8 @@

        MeshConfig.ProxyPat

        @@ -3594,7 +3594,7 @@

        MeshConfig.ProxyPat

        @@ -3602,8 +3602,8 @@

        MeshConfig.ProxyPat

        @@ -3674,10 +3674,10 @@

        MeshConfig.IngressControllerMode

        @@ -3685,10 +3685,10 @@

        MeshConfig.IngressControllerMode

        @@ -3767,8 +3767,8 @@

        Resource

        @@ -3778,7 +3778,7 @@

        Resource

        Tracing.OpenCensusAgent.TraceContext

        -

        TraceContext selects the context propagation headers used for
        +

        TraceContext selects the context propagation headers used for distributed tracing.

        W3C_TRACE_CONTEXT -

        Use W3C Trace Context propagation using the traceparent HTTP header.
        -See the
        +

        Use W3C Trace Context propagation using the traceparent HTTP header. +See the Trace Context documentation for details.

        CLOUD_TRACE_CONTEXT -

        Use Cloud Trace context propagation using the
        +

        Use Cloud Trace context propagation using the X-Cloud-Trace-Context http header.

        B3 -

        Use multi-header B3 context propagation using the X-B3-TraceId,
        -X-B3-SpanId, and X-B3-Sampled HTTP headers. See
        -B3 header propagation README
        +

        Use multi-header B3 context propagation using the X-B3-TraceId, +X-B3-SpanId, and X-B3-Sampled HTTP headers. See +B3 header propagation README for details.

        BASE -

        Normalize according to RFC 3986.
        -For Envoy proxies, this is the normalize_path option.
        +

        Normalize according to RFC 3986. +For Envoy proxies, this is the normalize_path option. For example, /a/../b normalizes to /b.

        MERGE_SLASHES -

        In addition to the BASE normalization, consecutive slashes are also merged.
        +

        In addition to the BASE normalization, consecutive slashes are also merged. For example, /a//b normalizes to a/b.

        DECODE_AND_MERGE_SLASHES -

        In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging.
        -This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \.
        +

        In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging. +This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \. For example, /a%2f/b normalizes to a/b.

        DEFAULT -

        Istio ingress controller will act on ingress resources that do not
        -contain any annotation or whose annotations match the value
        -specified in the ingress_class parameter described earlier. Use this
        -mode if Istio ingress controller will be the default ingress
        +

        Istio ingress controller will act on ingress resources that do not +contain any annotation or whose annotations match the value +specified in the ingress_class parameter described earlier. Use this +mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster.

        STRICT -

        Istio ingress controller will only act on ingress resources whose
        -annotations match the value specified in the ingress_class parameter
        -described earlier. Use this mode if Istio ingress controller will be
        -a secondary ingress controller (e.g., in addition to a
        +

        Istio ingress controller will only act on ingress resources whose +annotations match the value specified in the ingress_class parameter +described earlier. Use this mode if Istio ingress controller will be +a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller).

        SERVICE_REGISTRY -

        Set to only receive service entries that are generated by the platform.
        -These auto generated service entries are combination of services and endpoints
        +

        Set to only receive service entries that are generated by the platform. +These auto generated service entries are combination of services and endpoints that are generated by a specific platform e.g. k8
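Review bot: the MERGE_SLASHES and DECODE_AND_MERGE_SLASHES examples in this hunk drop the leading slash: "/a//b normalizes to a/b" and "/a%2f/b normalizes to a/b" should both read "/a/b", consistent with the BASE example "/a/../b normalizes to /b" (a normalizer that removed the leading slash would break every path match). In DECODE_AND_MERGE_SLASHES, "slash characters are UTF-8 decoded" is the wrong term: %2F, %2f, %5C and %5c are percent-encoded octets, so "percent-decoded" is what the next sentence actually describes. Minor: SERVICE_REGISTRY ends with "e.g. k8" (k8s) and no period.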

        @@ -3792,8 +3792,8 @@

        Tracing.OpenCensusAgent.TraceConte

        @@ -3808,7 +3808,7 @@

        Tracing.OpenCensusAgent.TraceConte

        @@ -3816,9 +3816,9 @@

        Tracing.OpenCensusAgent.TraceConte

        @@ -3828,8 +3828,8 @@

        Tracing.OpenCensusAgent.TraceConte

        ProxyConfig.TracingServiceName

        -

        Allows specification of various Istio-supported naming schemes for the
        -Envoy service_cluster value. The servce_cluster value is primarily used
        +

        Allows specification of various Istio-supported naming schemes for the +Envoy service_cluster value. The servce_cluster value is primarily used by Envoys to provide service names for tracing spans.

        W3C_TRACE_CONTEXT -

        Use W3C Trace Context propagation using the traceparent HTTP header.
        -See the
        +

        Use W3C Trace Context propagation using the traceparent HTTP header. +See the Trace Context documentation for details.

        CLOUD_TRACE_CONTEXT -

        Use Cloud Trace context propagation using the
        +

        Use Cloud Trace context propagation using the X-Cloud-Trace-Context http header.

        B3 -

        Use multi-header B3 context propagation using the X-B3-TraceId,
        -X-B3-SpanId, and X-B3-Sampled HTTP headers. See
        -B3 header propagation README
        +

        Use multi-header B3 context propagation using the X-B3-TraceId, +X-B3-SpanId, and X-B3-Sampled HTTP headers. See +B3 header propagation README for details.
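Review bot: "servce_cluster" in the ProxyConfig.TracingServiceName description is a typo for "service_cluster" (the correct spelling is in the preceding sentence). The three TraceContext values (W3C_TRACE_CONTEXT, CLOUD_TRACE_CONTEXT, B3) also render a second time under this heading, identical to the block under Tracing.OpenCensusAgent.TraceContext above; check whether the generator now emits the enum twice or the section anchors got crossed.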

        @@ -3843,7 +3843,7 @@

        ProxyConfig.TracingServiceName

        @@ -3867,8 +3867,8 @@

        ProxyConfig.TracingServiceName

        ProxyConfig.InboundInterceptionMode

        -

        The mode used to redirect inbound traffic to Envoy.
        -This setting has no effect on outbound traffic: iptables REDIRECT is always used for
        +

        The mode used to redirect inbound traffic to Envoy. +This setting has no effect on outbound traffic: iptables REDIRECT is always used for outbound connections.

        APP_LABEL_AND_NAMESPACE -

        Default scheme. Uses the app label and workload namespace to construct
        +

        Default scheme. Uses the app label and workload namespace to construct a cluster name. If the app label does not exist istio-proxy is used.

        @@ -3882,7 +3882,7 @@

        ProxyConfig.InboundInterceptionMode

        @@ -3890,9 +3890,9 @@

        ProxyConfig.InboundInterceptionMode

        @@ -3900,7 +3900,7 @@

        ProxyConfig.InboundInterceptionMode

        @@ -3910,8 +3910,8 @@

        ProxyConfig.InboundInterceptionMode

        AuthenticationPolicy

        -

        AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
        -It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
        +

        AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. Mesh policy cannot be INHERIT.

        REDIRECT -

        The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
        +

        The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses source IP addresses during redirection.

        TPROXY -

        The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
        -source and destination IP addresses and ports, so that they can be used for advanced
        -filtering and manipulation. This mode also configures the sidecar to run with the
        +

        The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the +source and destination IP addresses and ports, so that they can be used for advanced +filtering and manipulation. This mode also configures the sidecar to run with the CAP_NET_ADMIN capability, which is required to use TPROXY.

        NONE -

        The NONE mode does not configure redirect to Envoy at all. This is an advanced
        +

        The NONE mode does not configure redirect to Envoy at all. This is an advanced configuration that typically requires changes to user applications.
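Review bot: the TPROXY entry in this hunk states the sidecar is configured to run with CAP_NET_ADMIN while the REDIRECT entry mentions no capability; that contrast is a security decision for readers choosing a mode under a restrictive pod security policy, so the TPROXY text should say plainly that this is an added privilege on the sidecar container which the REDIRECT description does not require. The AuthenticationPolicy paragraph says "Mesh policy cannot be INHERIT", but the INHERIT value itself is rendered far below, after IntOrString in the operator file; the enum values appear to be emitted out of order in this rendering.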

        @@ -3939,7 +3939,7 @@

        AuthenticationPolicy

        diff --git a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html index 93f058bd5aab4..7578af3f61ccc 100644 --- a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html @@ -9,17 +9,17 @@ weight: 20 number_of_entries: 74 --- -

        Configuration affecting Istio control plane installation version and shape.
        -Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests.
        -Without camelCase, the json tag on the Go struct will not match the user's JSON representation.
        -This leads to Kubernetes merge libraries, which rely on this tag, to fail.
        +

        Configuration affecting Istio control plane installation version and shape. +Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. +Without camelCase, the json tag on the Go struct will not match the user's JSON representation. +This leads to Kubernetes merge libraries, which rely on this tag, to fail. All other usages use jsonpb which does not use the json tag.

        IstioOperatorSpec

        -

        IstioOperatorSpec defines the desired installed state of Istio components.
        -The spec is a used to define a customization of the default profile values that are supplied with each Istio release.
        -Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio
        +

        IstioOperatorSpec defines the desired installed state of Istio components. +The spec is a used to define a customization of the default profile values that are supplied with each Istio release. +Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio component values.

        apiVersion: install.istio.io/v1alpha1
         kind: IstioOperator
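Review bot: "The spec is a used to define a customization" in the IstioOperatorSpec paragraph has a stray "a", and "results in a default Istio component values" mixes singular and plural ("results in the default Istio component values"). The file-level "Note: unlike other Istio protos, field names must use camelCase" paragraph is guidance for proto authors (test assertions, Go json tags, jsonpb) rather than for users of the operator API; consider keeping it out of the rendered reference or marking it as an implementation note.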
        @@ -103,9 +103,9 @@ 

        IstioOperatorSpec

        @@ -117,7 +117,7 @@

        IstioOperatorSpec

        @@ -129,7 +129,7 @@

        IstioOperatorSpec

        @@ -152,7 +152,7 @@

        IstioOperatorSpec

        @@ -164,9 +164,9 @@

        IstioOperatorSpec

        @@ -189,8 +189,8 @@

        IstioOperatorSpec

        @@ -650,7 +650,7 @@

        KubernetesResourcesSpec

        @@ -662,7 +662,7 @@

        KubernetesResourcesSpec

        @@ -674,7 +674,7 @@

        KubernetesResourcesSpec

        @@ -686,7 +686,7 @@

        KubernetesResourcesSpec

        @@ -698,7 +698,7 @@

        KubernetesResourcesSpec

        @@ -710,7 +710,7 @@

        KubernetesResourcesSpec

        @@ -722,7 +722,7 @@

        KubernetesResourcesSpec

        @@ -734,7 +734,7 @@

        KubernetesResourcesSpec

        @@ -746,8 +746,8 @@

        KubernetesResourcesSpec

        @@ -759,7 +759,7 @@

        KubernetesResourcesSpec

        @@ -771,7 +771,7 @@

        KubernetesResourcesSpec

        @@ -783,7 +783,7 @@

        KubernetesResourcesSpec

        @@ -795,7 +795,7 @@

        KubernetesResourcesSpec

        @@ -807,7 +807,7 @@

        KubernetesResourcesSpec

        @@ -819,7 +819,7 @@

        KubernetesResourcesSpec

        @@ -831,7 +831,7 @@

        KubernetesResourcesSpec

        @@ -843,8 +843,8 @@

        KubernetesResourcesSpec

        @@ -856,7 +856,7 @@

        KubernetesResourcesSpec

        @@ -918,7 +918,7 @@

        K8sObjectOverlay

        @@ -2260,7 +2260,7 @@

        ObjectMetricSource

        @@ -3626,9 +3626,9 @@

        SeccompProfile

        IntOrString

        -

        IntOrString is a type that can hold an int32 or a string. When used in
        -JSON or YAML marshalling and unmarshalling, it produces or consumes the
        -inner type. This allows you to have, for example, a JSON field that can
        +

        IntOrString is a type that can hold an int32 or a string. When used in +JSON or YAML marshalling and unmarshalling, it produces or consumes the +inner type. This allows you to have, for example, a JSON field that can accept a name or number.

        INHERIT -

        Use the policy defined by the parent scope. Should not be used for mesh
        +

        Use the policy defined by the parent scope. Should not be used for mesh policy.

        namespace string -

        Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace
        -as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in
        -a custom namespace.
        +

        Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace +as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in +a custom namespace. If you have enabled CNI, you must exclude this namespace by adding it to the list values.cni.excludeNamespaces.

        revision string -

        Identify the revision this installation is associated with.
        +

        Identify the revision this installation is associated with. This option is currently experimental.

        defaultRevision bool -

        Identify whether this revision is the default revision for the cluster
        +

        Identify whether this revision is the default revision for the cluster This option is currently experimental.

        components IstioComponentSetSpec -

        Kubernetes resource settings, enablement and component-specific settings that are not internal to the
        +

        Kubernetes resource settings, enablement and component-specific settings that are not internal to the component.

        values Struct -

        Overrides for default values.yaml. This is a validated pass-through to Helm templates.
        -See the Helm installation options for schema details.
        -Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This
        +

        Overrides for default values.yaml. This is a validated pass-through to Helm templates. +See the Helm installation options for schema details. +Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This includes Kubernetes resource settings for components in KubernetesResourcesSpec.

        addonComponents map<string, ExternalComponentSpec> -

        Deprecated.
        -Users should manage the installation of addon components on their own.
        +

        Deprecated. +Users should manage the installation of addon components on their own. Refer to samples/addons for demo installation of addon components.

        affinity Affinity -

        k8s affinity.
        +

        k8s affinity. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

        env EnvVar[] -

        Deployment environment variables.
        +

        Deployment environment variables. https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

        hpaSpec HorizontalPodAutoscalerSpec -

        k8s HorizontalPodAutoscaler settings.
        +

        k8s HorizontalPodAutoscaler settings. https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

        imagePullPolicy string -

        k8s imagePullPolicy.
        +

        k8s imagePullPolicy. https://kubernetes.io/docs/concepts/containers/images/

        nodeSelector map<string, string> -

        k8s nodeSelector.
        +

        k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

        podDisruptionBudget PodDisruptionBudgetSpec -

        k8s PodDisruptionBudget settings.
        +

        k8s PodDisruptionBudget settings. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

        podAnnotations map<string, string> -

        k8s pod annotations.
        +

        k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

        priorityClassName string -

        k8s priority_class_name. Default for all resources unless overridden.
        +

        k8s priority_class_name. Default for all resources unless overridden. https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

        readinessProbe ReadinessProbe -

        k8s readinessProbe settings.
        -https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
        +

        k8s readinessProbe settings. +https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ k8s.io.api.core.v1.Probe readiness_probe = 9;

        replicaCount uint32 -

        k8s Deployment replicas setting.
        +

        k8s Deployment replicas setting. https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

        resources Resources -

        k8s resources settings.
        +

        k8s resources settings. https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

        service ServiceSpec -

        k8s Service settings.
        +

        k8s Service settings. https://kubernetes.io/docs/concepts/services-networking/service/

        strategy DeploymentStrategy -

        k8s deployment strategy.
        +

        k8s deployment strategy. https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

        tolerations Toleration[] -

        k8s toleration
        +

        k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

        serviceAnnotations map<string, string> -

        k8s service annotations.
        +

        k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

        securityContext PodSecurityContext -

        k8s pod security context
        +

        k8s pod security context https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

        volumes Volume[] -

        k8s volume
        -https://kubernetes.io/docs/concepts/storage/volumes/
        +

        k8s volume +https://kubernetes.io/docs/concepts/storage/volumes/ Volumes defines the collection of Volume to inject into the pod.

        volumeMounts VolumeMount[] -

        k8s volumeMounts
        +

        k8s volumeMounts VolumeMounts defines the collection of VolumeMount to inject into containers.

        name string -

        Name of resource.
        +

        Name of resource. Namespace is always the component namespace.

        target Value -

        Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1
        +

        Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1 Change it to dynamic type to keep backward compatible
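Review bot: in the readinessProbe row the proto field declaration `k8s.io.api.core.v1.Probe readiness_probe = 9;` is rendered as part of the description, and the target row ends with a developer changelog remark ("Change it to dynamic type to keep backward compatible") instead of a field description. The generator should stop the description at the end of the comment block, and the target text should say which shapes are accepted (CrossVersionObjectReference for autoscaling v2beta1, ResourceMetricTarget for v2beta2/v2) and, because the field is now dynamically typed, where a malformed value is rejected; readers of the reference can no longer infer that from the type column.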

        @@ -3731,9 +3731,9 @@

        K8sObjectOverlay.PathValue

        @@ -3745,10 +3745,10 @@

        K8sObjectOverlay.PathValue

        @@ -3761,9 +3761,9 @@

        K8sObjectOverlay.PathValue

        google.protobuf.Value

        -

        Value represents a dynamically typed value which can be either
        -null, a number, a string, a boolean, a recursive struct value, or a
        -list of values. A producer of value is expected to set one of that
        +

        Value represents a dynamically typed value which can be either +null, a number, a string, a boolean, a recursive struct value, or a +list of values. A producer of value is expected to set one of that variants, absence of any variant indicates an error.

        The JSON representation for Value is JSON value.

        @@ -3864,8 +3864,8 @@

        k8s.io.api.core.v1.Volume

        @@ -3877,8 +3877,8 @@

        k8s.io.api.core.v1.Volume

        @@ -3918,8 +3918,8 @@

        k8s.io.api.core.v1.VolumeMount

        @@ -3931,7 +3931,7 @@

        k8s.io.api.core.v1.VolumeMount

        @@ -3943,8 +3943,8 @@

        k8s.io.api.core.v1.VolumeMount

        @@ -3956,10 +3956,10 @@

        k8s.io.api.core.v1.VolumeMount

        @@ -3971,10 +3971,10 @@

        k8s.io.api.core.v1.VolumeMount

        @@ -3987,9 +3987,9 @@

        k8s.io.api.core.v1.VolumeMount

        k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

        -

        A label selector is a label query over a set of resources. The result of matchLabels and
        -matchExpressions are ANDed. An empty label selector matches all objects. A null
        -label selector matches no objects.
        +

        A label selector is a label query over a set of resources. The result of matchLabels and +matchExpressions are ANDed. An empty label selector matches all objects. A null +label selector matches no objects. +structType=atomic

        path string -

        Path of the form a.[key1:value1].b.[:value2]
        -Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value
        -selector to identify a list element in a leaf list.
        +

        Path of the form a.[key1:value1].b.[:value2] +Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value +selector to identify a list element in a leaf list. All path intermediate nodes must exist.

        value Value -

        Value to add, delete or replace.
        -For add, the path should be a new leaf.
        -For delete, value should be unset.
        -For replace, path should reference an existing node.
        +

        Value to add, delete or replace. +For add, the path should be a new leaf. +For delete, value should be unset. +For replace, path should reference an existing node. All values are strings but are converted into appropriate type based on schema.

        name string -

        name of the volume.
        -Must be a DNS_LABEL and unique within the pod.
        +

        name of the volume. +Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

        volumeSource VolumeSource -

        volumeSource represents the location and type of the mounted volume.
        -If not specified, the Volume is implied to be an EmptyDir.
        +

        volumeSource represents the location and type of the mounted volume. +If not specified, the Volume is implied to be an EmptyDir. This implied behavior is deprecated and will be removed in a future version.

        readOnly bool -

        Mounted read-only if true, read-write otherwise (false or unspecified).
        -Defaults to false.
        +

        Mounted read-only if true, read-write otherwise (false or unspecified). +Defaults to false. +optional

        mountPath string -

        Path within the container at which the volume should be mounted. Must
        +

        Path within the container at which the volume should be mounted. Must not contain ':'.

        subPath string -

        Path within the volume from which the container's volume should be mounted.
        -Defaults to "" (volume's root).
        +

        Path within the volume from which the container's volume should be mounted. +Defaults to "" (volume's root). +optional

        mountPropagation string -

        mountPropagation determines how mounts are propagated from the host
        -to container and the other way around.
        -When not set, MountPropagationNone is used.
        -This field is beta in 1.10.
        +

        mountPropagation determines how mounts are propagated from the host +to container and the other way around. +When not set, MountPropagationNone is used. +This field is beta in 1.10. +optional

        subPathExpr string -

        Expanded path within the volume from which the container's volume should be mounted.
        -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
        -Defaults to "" (volume's root).
        -SubPathExpr and SubPath are mutually exclusive.
        +

        Expanded path within the volume from which the container's volume should be mounted. +Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. +Defaults to "" (volume's root). +SubPathExpr and SubPath are mutually exclusive. +optional
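Review bot: Go marker comments leak into the rendered text across this hunk: `+structType=atomic` at the end of the LabelSelector description, and `+optional` at the end of the readOnly, subPath, mountPropagation and subPathExpr rows. These are apimachinery/kubebuilder markers, not documentation, and now that the lines are joined into one paragraph they read as part of the sentence ("+Defaults to false. +optional"). Strip comment lines that start with `+` followed by a marker name before rendering. Separately, mountPropagation still carries "This field is beta in 1.10", a Kubernetes version note copied from the upstream source that is stale relative to current Kubernetes releases; consider linking the upstream field doc instead of reproducing its comment.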

        @@ -4006,9 +4006,9 @@

        k8s.io.apimachinery.

        @@ -4020,7 +4020,7 @@

        k8s.io.apimachinery.

        @@ -4081,8 +4081,8 @@

        InstallStatus.Status

        diff --git a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html index b52e70e03abea..dd12e7e66e07d 100644 --- a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -24,10 +24,10 @@

        IstioStatus

        @@ -39,9 +39,9 @@

        IstioStatus

        @@ -53,9 +53,9 @@

        IstioStatus

        @@ -93,7 +93,7 @@

        IstioCondition

        @@ -105,7 +105,7 @@

        IstioCondition

        @@ -117,7 +117,7 @@

        IstioCondition

        @@ -129,7 +129,7 @@

        IstioCondition

        @@ -141,7 +141,7 @@

        IstioCondition

        diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html index d303f851a6ab7..f9fd94989fda2 100644 --- a/content/en/docs/reference/config/networking/destination-rule/index.html +++ b/content/en/docs/reference/config/networking/destination-rule/index.html @@ -10,14 +10,14 @@ aliases: [/docs/reference/config/networking/v1alpha3/destination-rule] number_of_entries: 23 --- -

        DestinationRule defines policies that apply to traffic intended for a
        -service after routing has occurred. These rules specify configuration
        -for load balancing, connection pool size from the sidecar, and outlier
        -detection settings to detect and evict unhealthy hosts from the load
        -balancing pool. For example, a simple load balancing policy for the
        +

        DestinationRule defines policies that apply to traffic intended for a +service after routing has occurred. These rules specify configuration +for load balancing, connection pool size from the sidecar, and outlier +detection settings to detect and evict unhealthy hosts from the load +balancing pool. For example, a simple load balancing policy for the ratings service would look as follows:

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -28,8 +28,8 @@
             loadBalancer:
               simple: LEAST_REQUEST
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -40,15 +40,15 @@
             loadBalancer:
               simple: LEAST_REQUEST
         
        -

        {{}}
        -{{}}

        -

        Version specific policies can be specified by defining a named
        -subset and overriding the settings specified at the service level. The
        -following rule uses a round robin load balancing policy for all traffic
        -going to a subset named testversion that is composed of endpoints (e.g.,
        +

        {{}} +{{}}

        +

        Version specific policies can be specified by defining a named +subset and overriding the settings specified at the service level. The +following rule uses a round robin load balancing policy for all traffic +going to a subset named testversion that is composed of endpoints (e.g., pods) with labels (version:v3).

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -66,8 +66,8 @@
               loadBalancer:
                 simple: ROUND_ROBIN
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -85,16 +85,16 @@
               loadBalancer:
                 simple: ROUND_ROBIN
         
        -

        {{}}
        -{{}}

        -

        Note: Policies specified for subsets will not take effect until
        +

        {{}} +{{}}

        +

        Note: Policies specified for subsets will not take effect until a route rule explicitly sends traffic to this subset.

        -

        Traffic policies can be customized to specific ports as well. The
        -following rule uses the least connection load balancing policy for all
        -traffic to port 80, while uses a round robin load balancing setting for
        +

        Traffic policies can be customized to specific ports as well. The +following rule uses the least connection load balancing policy for all +traffic to port 80, while uses a round robin load balancing setting for traffic to the port 9080.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -112,8 +112,8 @@
               loadBalancer:
                 simple: ROUND_ROBIN
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -131,13 +131,13 @@
               loadBalancer:
                 simple: ROUND_ROBIN
         
        -

        {{}}
        -{{}}

        -

        Destination Rules can be customized to specific workloads as well.
        -The following example shows how a destination rule can be applied to a
        +

        {{}} +{{}}

        +

        Destination Rules can be customized to specific workloads as well. +The following example shows how a destination rule can be applied to a specific workload using the workloadSelector configuration.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -157,8 +157,8 @@
                 credentialName: client-credential
                 mode: MUTUAL
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -178,12 +178,12 @@
                 credentialName: client-credential
                 mode: MUTUAL
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}
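Review bot: this hunk only re-wraps the Hugo shortcodes (rendered here as {{}}) around the paired v1alpha3 and v1beta1 DestinationRule examples; the removed lines show a closing shortcode on its own line and the added lines put two shortcodes together on one line. With the shortcode names stripped in this view the pairing cannot be checked from the diff, so verify on the rendered page that each opening shortcode still has a matching close and that the mTLS example (credentialName: client-credential, mode: MUTUAL) still lands in its own tab rather than merging into the preceding YAML block.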

        DestinationRule

        -

        DestinationRule defines policies that apply to traffic intended for a service
        +

        DestinationRule defines policies that apply to traffic intended for a service after routing has occurred.

        matchLabels map<string, string> -

        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
        -map is equivalent to an element of matchExpressions, whose key field is "key", the
        -operator is "In", and the values array contains only "value". The requirements are ANDed.
        +

        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed. +optional

        matchExpressions LabelSelectorRequirement[] -

        matchExpressions is a list of label selector requirements. The requirements are ANDed.
        +

        matchExpressions is a list of label selector requirements. The requirements are ANDed. +optional

        ACTION_REQUIRED -

        Overall status only and would not be set as a component status.
        -Action is needed from the user for reconciliation to proceed
        +

        Overall status only and would not be set as a component status. +Action is needed from the user for reconciliation to proceed e.g. There are proxies still pointing to the control plane revision when try to remove an IstioOperator CR.

        conditions IstioCondition[] -

        Current service state of pod.
        -More info: https://istio.io/docs/reference/config/config-status/
        -+optional
        -+patchMergeKey=type
        +

        Current service state of pod. +More info: https://istio.io/docs/reference/config/config-status/ ++optional ++patchMergeKey=type +patchStrategy=merge

        validationMessages AnalysisMessageBase[] -

        Includes any errors or warnings detected by Istio's analyzers.
        -+optional
        -+patchMergeKey=type
        +

        Includes any errors or warnings detected by Istio's analyzers. ++optional ++patchMergeKey=type +patchStrategy=merge

        observedGeneration int64 -

        Resource Generation to which the Reconciled Condition refers.
        -When this value is not equal to the object's metadata generation, reconciled condition calculation for the current
        -generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.
        +

        Resource Generation to which the Reconciled Condition refers. +When this value is not equal to the object's metadata generation, reconciled condition calculation for the current +generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info. +optional

        status string -

        Status is the status of the condition.
        +

        Status is the status of the condition. Can be True, False, Unknown.

        lastProbeTime Timestamp -

        Last time we probed the condition.
        +

        Last time we probed the condition. +optional

        lastTransitionTime Timestamp -

        Last time the condition transitioned from one status to another.
        +

        Last time the condition transitioned from one status to another. +optional

        reason string -

        Unique, one-word, CamelCase reason for the condition's last transition.
        +

        Unique, one-word, CamelCase reason for the condition's last transition. +optional

        message string -

        Human-readable message indicating details about last transition.
        +

        Human-readable message indicating details about last transition. +optional
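Review bot: the conditions row reads "Current service state of pod.", which is the PodStatus.conditions wording and is wrong for IstioStatus, whose conditions describe an Istio configuration resource (the same row links to https://istio.io/docs/reference/config/config-status/). Replace it with something like "Current reconciliation state of the resource." Two smaller points in the same hunk: the conditions and validationMessages rows render the markers as "++optional ++patchMergeKey=type +patchStrategy=merge", which should be stripped rather than shown, and the ACTION_REQUIRED example "when try to remove an IstioOperator CR" should read "when trying to remove an IstioOperator CR".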

        @@ -200,18 +200,18 @@

        DestinationRule

        @@ -236,7 +236,7 @@

        DestinationRule

        @@ -248,17 +248,17 @@

        DestinationRule

        @@ -270,13 +270,13 @@

        DestinationRule

        @@ -289,7 +289,7 @@

        DestinationRule

        TrafficPolicy

        -

        Traffic policies to apply for a specific destination, across all
        +

        Traffic policies to apply for a specific destination, across all destination ports. See DestinationRule for examples.

        host string -

        The name of a service from the service registry. Service
        -names are looked up from the platform's service registry (e.g.,
        -Kubernetes services, Consul services, etc.) and from the hosts
        -declared by ServiceEntries. Rules defined for
        +

        The name of a service from the service registry. Service +names are looked up from the platform's service registry (e.g., +Kubernetes services, Consul services, etc.) and from the hosts +declared by ServiceEntries. Rules defined for services that do not exist in the service registry will be ignored.

        -

        Note for Kubernetes users: When short names are used (e.g. "reviews"
        -instead of "reviews.default.svc.cluster.local"), Istio will interpret
        -the short name based on the namespace of the rule, not the service. A
        -rule in the "default" namespace containing a host "reviews" will be
        -interpreted as "reviews.default.svc.cluster.local", irrespective of
        -the actual namespace associated with the reviews service. To avoid
        -potential misconfigurations, it is recommended to always use fully
        +

        Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews" will be +interpreted as "reviews.default.svc.cluster.local", irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

        Note that the host field applies to both HTTP and TCP services.
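Review bot: the host row says a rule for a host not in the service registry "will be ignored", and the Kubernetes note says a short name is resolved in the rule's namespace "irrespective of the actual namespace associated with the reviews service"; together that means a short name that resolves to a non-existent FQDN turns the whole DestinationRule, including any tls settings it carries, into a silent no-op. Worth stating that outcome right next to the FQDN recommendation, e.g. "a rule whose host does not resolve is dropped without an error, so a mistyped short name disables every policy in the rule", since the current text leaves the reader to combine the two sentences.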

        @@ -224,7 +224,7 @@

        DestinationRule

        trafficPolicy TrafficPolicy -

        Traffic policies to apply (load balancing policy, connection pool
        +

        Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection).

        subsets Subset[] -

        One or more named sets that represent individual versions of a
        +

        One or more named sets that represent individual versions of a service. Traffic policies can be overridden at subset level.

        exportTo string[] -

        A list of namespaces to which this destination rule is exported.
        -The resolution of a destination rule to apply to a service occurs in the
        -context of a hierarchy of namespaces. Exporting a destination rule allows
        -it to be included in the resolution hierarchy for services in
        -other namespaces. This feature provides a mechanism for service owners
        -and mesh administrators to control the visibility of destination rules
        +

        A list of namespaces to which this destination rule is exported. +The resolution of a destination rule to apply to a service occurs in the +context of a hierarchy of namespaces. Exporting a destination rule allows +it to be included in the resolution hierarchy for services in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of destination rules across namespace boundaries.

        -

        If no namespaces are specified then the destination rule is exported to all
        +

        If no namespaces are specified then the destination rule is exported to all namespaces by default.

        -

        The value "." is reserved and defines an export to the same namespace that
        -the destination rule is declared in. Similarly, the value "*" is reserved and
        +

        The value "." is reserved and defines an export to the same namespace that +the destination rule is declared in. Similarly, the value "*" is reserved and defines an export to all namespaces.

        workloadSelector WorkloadSelector -

        Criteria used to select the specific set of pods/VMs on which this
        -DestinationRule configuration should be applied. If specified, the DestinationRule
        -configuration will be applied only to the workload instances matching the workload selector
        -label in the same namespace. Workload selectors do not apply across namespace boundaries.
        -If omitted, the DestinationRule falls back to its default behavior.
        -For example, if specific sidecars need to have egress TLS settings for services outside
        -of the mesh, instead of every sidecar in the mesh needing to have the
        +

        Criteria used to select the specific set of pods/VMs on which this +DestinationRule configuration should be applied. If specified, the DestinationRule +configuration will be applied only to the workload instances matching the workload selector +label in the same namespace. Workload selectors do not apply across namespace boundaries. +If omitted, the DestinationRule falls back to its default behavior. +For example, if specific sidecars need to have egress TLS settings for services outside +of the mesh, instead of every sidecar in the mesh needing to have the configuration (which is the default behaviour), a workload selector can be specified.
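Review bot: the workloadSelector row says that when the selector is omitted "the DestinationRule falls back to its default behavior" without saying what that is; the following sentence only implies it ("every sidecar in the mesh needing to have the configuration (which is the default behaviour)"). State the default directly: with no workloadSelector the rule applies to every workload in the namespaces it is exported to. The exportTo row in the same hunk gives that scope as "all namespaces by default", so a reader deciding whether a rule carrying client TLS settings reaches other namespaces needs both rows to say the same thing; if a mesh-level setting can narrow the exportTo default, the exportTo row should mention it rather than presenting the default as unconditional.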

        @@ -350,10 +350,10 @@

        TrafficPolicy

        @@ -365,8 +365,8 @@

        TrafficPolicy

        @@ -379,16 +379,16 @@

        TrafficPolicy

        Subset

        -

        A subset of endpoints of a service. Subsets can be used for scenarios
        -like A/B testing, or routing to a specific version of a service. Refer
        -to VirtualService documentation for examples of using
        -subsets in these scenarios. In addition, traffic policies defined at the
        -service-level can be overridden at a subset-level. The following rule
        -uses a round robin load balancing policy for all traffic going to a
        -subset named testversion that is composed of endpoints (e.g., pods) with
        +

        A subset of endpoints of a service. Subsets can be used for scenarios +like A/B testing, or routing to a specific version of a service. Refer +to VirtualService documentation for examples of using +subsets in these scenarios. In addition, traffic policies defined at the +service-level can be overridden at a subset-level. The following rule +uses a round robin load balancing policy for all traffic going to a +subset named testversion that is composed of endpoints (e.g., pods) with labels (version:v3).

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -406,8 +406,8 @@ 

        Subset

        loadBalancer: simple: ROUND_ROBIN
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -425,14 +425,14 @@ 

        Subset

        loadBalancer: simple: ROUND_ROBIN
        -

        {{}}
        -{{}}

        -

        Note: Policies specified for subsets will not take effect until
        +

        {{}} +{{}}

        +

        Note: Policies specified for subsets will not take effect until a route rule explicitly sends traffic to this subset.

        -

        One or more labels are typically required to identify the subset destination,
        -however, when the corresponding DestinationRule represents a host that
        -supports multiple SNI hosts (e.g., an egress gateway), a subset without labels
        -may be meaningful. In this case a traffic policy with ClientTLSSettings
        +

        One or more labels are typically required to identify the subset destination, +however, when the corresponding DestinationRule represents a host that +supports multiple SNI hosts (e.g., an egress gateway), a subset without labels +may be meaningful. In this case a traffic policy with ClientTLSSettings can be used to identify a specific SNI host corresponding to the named subset.

        portLevelSettings PortTrafficPolicy[] -

        Traffic policies specific to individual ports. Note that port level
        -settings will override the destination-level settings. Traffic
        -settings specified at the destination-level will not be inherited when
        -overridden by port-level settings, i.e. default values will be applied
        +

        Traffic policies specific to individual ports. Note that port level +settings will override the destination-level settings. Traffic +settings specified at the destination-level will not be inherited when +overridden by port-level settings, i.e. default values will be applied to fields omitted in port-level traffic policies.

        tunnel TunnelSettings -

        Configuration of tunneling TCP over other transport or application layers
        -for the host configured in the DestinationRule.
        +

        Configuration of tunneling TCP over other transport or application layers +for the host configured in the DestinationRule. Tunnel settings can be applied to TCP or TLS routes and can't be applied to HTTP routes.
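Review bot: the portLevelSettings row says destination-level settings "will not be inherited when overridden by port-level settings, i.e. default values will be applied to fields omitted in port-level traffic policies", and that deserves a concrete warning because the practical effect is that a port-level policy which sets only loadBalancer for one port resets tls, connection pool and outlier detection for that port to their defaults, so a destination-level `tls: mode: MUTUAL` stops applying on that port. Suggest adding: "A port-level policy must repeat every setting it needs, including tls; fields it omits are reset to defaults for that port, not inherited from the destination level."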

        @@ -449,7 +449,7 @@

        Subset

        @@ -461,7 +461,7 @@

        Subset

        @@ -473,9 +473,9 @@

        Subset

        @@ -488,14 +488,14 @@

        Subset

        LoadBalancerSettings

        -

        Load balancing policies to apply for a specific destination. See Envoy's
        -load balancing
        -documentation
        +

        Load balancing policies to apply for a specific destination. See Envoy's +load balancing +documentation for more details.

        -

        For example, the following rule uses a round robin load balancing policy
        +

        For example, the following rule uses a round robin load balancing policy for all traffic going to the ratings service.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -506,8 +506,8 @@ 

        LoadBalancerSettings

        loadBalancer: simple: ROUND_ROBIN
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -518,13 +518,13 @@ 

        LoadBalancerSettings

        loadBalancer: simple: ROUND_ROBIN
        -

        {{}}
        -{{}}

        -

        The following example sets up sticky sessions for the ratings service
        -hashing-based load balancer for the same ratings service using the
        +

        {{}} +{{}}

        +

        The following example sets up sticky sessions for the ratings service +hashing-based load balancer for the same ratings service using the the User cookie as the hash key.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -538,8 +538,8 @@ 

        LoadBalancerSettings

        name: user ttl: 0s
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -553,8 +553,8 @@ 

        LoadBalancerSettings

        name: user ttl: 0s
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        name string -

        Name of the subset. The service name and the subset name can
        +

        Name of the subset. The service name and the subset name can be used for traffic splitting in a route rule.

        labels map<string, string> -

        Labels apply a filter over the endpoints of a service in the
        +

        Labels apply a filter over the endpoints of a service in the service registry. See route rules for examples of usage.

        trafficPolicy TrafficPolicy -

        Traffic policies that apply to this subset. Subsets inherit the
        -traffic policies specified at the DestinationRule level. Settings
        -specified at the subset level will override the corresponding settings
        +

        Traffic policies that apply to this subset. Subsets inherit the +traffic policies specified at the DestinationRule level. Settings +specified at the subset level will override the corresponding settings specified at the DestinationRule level.
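Review bot: the sticky-session sentence in this hunk has a duplicated word, "using the the User cookie as the hash key", and the sentence around it is garbled ("sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service"). Since this page is generated from the proto comments in istio/api, the fix belongs there, e.g. "The following example sets up sticky sessions for the ratings service, using a hash-based load balancer keyed on the user cookie."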

        @@ -588,7 +588,7 @@

        LoadBalancerSettings

        @@ -600,10 +600,10 @@

        LoadBalancerSettings

        @@ -616,15 +616,15 @@

        LoadBalancerSettings

        ConnectionPoolSettings

        -

        Connection pool settings for an upstream host. The settings apply to
        -each individual host in the upstream service. See Envoy's circuit
        -breaker

        -for more details. Connection pool settings can be applied at the TCP
        +

        Connection pool settings for an upstream host. The settings apply to +each individual host in the upstream service. See Envoy's circuit +breaker +for more details. Connection pool settings can be applied at the TCP level as well as at HTTP level.

        -

        For example, the following rule sets a limit of 100 connections to redis
        +

        For example, the following rule sets a limit of 100 connections to redis service called myredissrv with a connect timeout of 30ms

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -640,8 +640,8 @@ 

        ConnectionPoolSettings

        time: 7200s interval: 75s
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -657,8 +657,8 @@ 

        ConnectionPoolSettings

        time: 7200s interval: 75s
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        localityLbSetting LocalityLoadBalancerSetting -

        Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed
        +

        Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig

        warmupDurationSecs Duration -

        Represents the warmup duration of Service. If set, the newly created endpoint of service
        -remains in warmup mode starting from its creation time for the duration of this window and
        -Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic.
        -This should be enabled for services that require warm up time to serve full production load with reasonable latency.
        +

        Represents the warmup duration of Service. If set, the newly created endpoint of service +remains in warmup mode starting from its creation time for the duration of this window and +Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic. +This should be enabled for services that require warm up time to serve full production load with reasonable latency. Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers.
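Review bot: the localityLbSetting row ends with "between this object and the object one in MeshConfig"; drop the stray "object" ("between this object and the one in MeshConfig"). The substantive point in that sentence, that the DestinationRule value replaces the mesh-wide locality setting "in entirety" with no merging, is easy to miss and matters operationally: a DestinationRule that sets only part of the locality configuration silently discards whatever MeshConfig configured for the rest. Suggest a second sentence such as "Set every locality option you rely on here; nothing from MeshConfig is carried over." In the same hunk, warmupDurationSecs says "Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers" but not what happens with another balancer (ignored, or rejected at validation); say which.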

        @@ -697,22 +697,22 @@

        ConnectionPoolSettings

        OutlierDetection

        -

        A Circuit breaker implementation that tracks the status of each
        -individual host in the upstream service. Applicable to both HTTP and
        -TCP services. For HTTP services, hosts that continually return 5xx
        -errors for API calls are ejected from the pool for a pre-defined period
        -of time. For TCP services, connection timeouts or connection
        -failures to a given host counts as an error when measuring the
        -consecutive errors metric. See Envoy's outlier
        -detection

        +

        A Circuit breaker implementation that tracks the status of each +individual host in the upstream service. Applicable to both HTTP and +TCP services. For HTTP services, hosts that continually return 5xx +errors for API calls are ejected from the pool for a pre-defined period +of time. For TCP services, connection timeouts or connection +failures to a given host counts as an error when measuring the +consecutive errors metric. See Envoy's outlier +detection for more details.

        -

        The following rule sets a connection pool size of 100 HTTP1 connections
        -with no more than 10 req/connection to the "reviews" service. In addition,
        -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
        -hosts to be scanned every 5 mins so that any host that fails 7 consecutive
        +

        The following rule sets a connection pool size of 100 HTTP1 connections +with no more than 10 req/connection to the "reviews" service. In addition, +it sets a limit of 1000 concurrent HTTP2 requests and configures upstream +hosts to be scanned every 5 mins so that any host that fails 7 consecutive times with a 502, 503, or 504 error code will be ejected for 15 minutes.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -731,8 +731,8 @@ 

        OutlierDetection

        interval: 5m baseEjectionTime: 15m
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -751,8 +751,8 @@ 

        OutlierDetection

        interval: 5m baseEjectionTime: 15m
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        @@ -768,13 +768,13 @@

        OutlierDetection

        @@ -786,8 +786,8 @@

        OutlierDetection

        @@ -799,17 +799,17 @@

        OutlierDetection

        @@ -821,16 +821,16 @@

        OutlierDetection

        @@ -842,7 +842,7 @@

        OutlierDetection

        @@ -854,10 +854,10 @@

        OutlierDetection

        @@ -869,7 +869,7 @@

        OutlierDetection

        @@ -881,12 +881,12 @@

        OutlierDetection

        @@ -899,13 +899,13 @@

        OutlierDetection

        ClientTLSSettings

        -

        SSL/TLS related settings for upstream connections. See Envoy's TLS
        -context

        +

        SSL/TLS related settings for upstream connections. See Envoy's TLS +context for more details. These settings are common to both HTTP and TCP upstreams.

        -

        For example, the following rule configures a client to use mutual TLS
        +

        For example, the following rule configures a client to use mutual TLS for connections to upstream database cluster.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -919,8 +919,8 @@ 

        ClientTLSSettings

        privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -934,12 +934,12 @@ 

        ClientTLSSettings

        privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
        -

        {{}}
        -{{}}

        -

        The following rule configures a client to use TLS when talking to a
        +

        {{}} +{{}}

        +

        The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -950,8 +950,8 @@ 

        ClientTLSSettings

        tls: mode: SIMPLE
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -962,12 +962,12 @@ 

        ClientTLSSettings

        tls: mode: SIMPLE
        -

        {{}}
        -{{}}

        -

        The following rule configures a client to use Istio mutual TLS when talking
        +

        {{}} +{{}}

        +

        The following rule configures a client to use Istio mutual TLS when talking to rating services.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -978,8 +978,8 @@ 

        ClientTLSSettings

        tls: mode: ISTIO_MUTUAL
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -990,8 +990,8 @@ 

        ClientTLSSettings

        tls: mode: ISTIO_MUTUAL
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        splitExternalLocalOriginErrors bool -

        Determines whether to distinguish local origin failures from external errors. If set to true
        -consecutive_local_origin_failure is taken into account for outlier detection calculations.
        -This should be used when you want to derive the outlier detection status based on the errors
        -seen locally such as failure to connect, timeout while connecting etc. rather than the status code
        -retuned by upstream service. This is especially useful when the upstream service explicitly returns
        -a 5xx for some requests and you want to ignore those responses from upstream service while determining
        -the outlier detection status of a host.
        +

        Determines whether to distinguish local origin failures from external errors. If set to true +consecutive_local_origin_failure is taken into account for outlier detection calculations. +This should be used when you want to derive the outlier detection status based on the errors +seen locally such as failure to connect, timeout while connecting etc. rather than the status code +retuned by upstream service. This is especially useful when the upstream service explicitly returns +a 5xx for some requests and you want to ignore those responses from upstream service while determining +the outlier detection status of a host. Defaults to false.

        consecutiveLocalOriginFailures UInt32Value -

        The number of consecutive locally originated failures before ejection
        -occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors
        +

        The number of consecutive locally originated failures before ejection +occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors is set to true.

        consecutiveGatewayErrors UInt32Value -

        Number of gateway errors before a host is ejected from the connection pool.
        -When the upstream host is accessed over HTTP, a 502, 503, or 504 return
        -code qualifies as a gateway error. When the upstream host is accessed over
        -an opaque TCP connection, connect timeouts and connection error/failure
        -events qualify as a gateway error.
        +

        Number of gateway errors before a host is ejected from the connection pool. +When the upstream host is accessed over HTTP, a 502, 503, or 504 return +code qualifies as a gateway error. When the upstream host is accessed over +an opaque TCP connection, connect timeouts and connection error/failure +events qualify as a gateway error. This feature is disabled by default or when set to the value 0.

        -

        Note that consecutive_gateway_errors and consecutive_5xx_errors can be
        -used separately or together. Because the errors counted by
        -consecutive_gateway_errors are also included in consecutive_5xx_errors,
        -if the value of consecutive_gateway_errors is greater than or equal to
        -the value of consecutive_5xx_errors, consecutive_gateway_errors will have
        +

        Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.

        consecutive5xxErrors UInt32Value -

        Number of 5xx errors before a host is ejected from the connection pool.
        -When the upstream host is accessed over an opaque TCP connection, connect
        -timeouts, connection error/failure and request failure events qualify as a
        -5xx error.
        +

        Number of 5xx errors before a host is ejected from the connection pool. +When the upstream host is accessed over an opaque TCP connection, connect +timeouts, connection error/failure and request failure events qualify as a +5xx error. This feature defaults to 5 but can be disabled by setting the value to 0.

        -

        Note that consecutive_gateway_errors and consecutive_5xx_errors can be
        -used separately or together. Because the errors counted by
        -consecutive_gateway_errors are also included in consecutive_5xx_errors,
        -if the value of consecutive_gateway_errors is greater than or equal to
        -the value of consecutive_5xx_errors, consecutive_gateway_errors will have
        +

        Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.

        interval Duration -

        Time interval between ejection sweep analysis. format:
        +

        Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

        baseEjectionTime Duration -

        Minimum ejection duration. A host will remain ejected for a period
        -equal to the product of minimum ejection duration and the number of
        -times the host has been ejected. This technique allows the system to
        -automatically increase the ejection period for unhealthy upstream
        +

        Minimum ejection duration. A host will remain ejected for a period +equal to the product of minimum ejection duration and the number of +times the host has been ejected. This technique allows the system to +automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

        maxEjectionPercent int32 -

        Maximum % of hosts in the load balancing pool for the upstream
        +

        Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.

        minHealthPercent int32 -

        Outlier detection will be enabled as long as the associated load balancing
        -pool has at least min_health_percent hosts in healthy mode. When the
        -percentage of healthy hosts in the load balancing pool drops below this
        -threshold, outlier detection will be disabled and the proxy will load balance
        -across all hosts in the pool (healthy and unhealthy). The threshold can be
        -disabled by setting it to 0%. The default is 0% as it's not typically
        +

        Outlier detection will be enabled as long as the associated load balancing +pool has at least min_health_percent hosts in healthy mode. When the +percentage of healthy hosts in the load balancing pool drops below this +threshold, outlier detection will be disabled and the proxy will load balance +across all hosts in the pool (healthy and unhealthy). The threshold can be +disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.
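Review bot: the typo "retuned" (for "returned") in the splitExternalLocalOriginErrors description survives the re-render, and the paragraph beginning "Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together" is emitted verbatim under both consecutiveGatewayErrors and consecutive5xxErrors. Both come from the istio/api proto comments this page is generated from, so fix them upstream rather than hand-editing the rendered HTML; the Goldmark output otherwise matches the old wrapped text line for line here.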

        @@ -1007,7 +1007,7 @@

        ClientTLSSettings

        @@ -1019,8 +1019,8 @@

        ClientTLSSettings

        @@ -1032,8 +1032,8 @@

        ClientTLSSettings

        @@ -1045,9 +1045,9 @@

        ClientTLSSettings

        @@ -1059,20 +1059,20 @@

        ClientTLSSettings

        @@ -1084,13 +1084,13 @@

        ClientTLSSettings

        @@ -1102,9 +1102,9 @@

        ClientTLSSettings

        @@ -1116,16 +1116,16 @@

        ClientTLSSettings

        @@ -1138,19 +1138,19 @@

        ClientTLSSettings

        LocalityLoadBalancerSetting

        -

        Locality-weighted load balancing allows administrators to control the
        -distribution of traffic to endpoints based on the localities of where the
        -traffic originates and where it will terminate. These localities are
        -specified using arbitrary labels that designate a hierarchy of localities in
        -{region}/{zone}/{sub-zone} form. For additional detail refer to
        -Locality Weight
        +

        Locality-weighted load balancing allows administrators to control the +distribution of traffic to endpoints based on the localities of where the +traffic originates and where it will terminate. These localities are +specified using arbitrary labels that designate a hierarchy of localities in +{region}/{zone}/{sub-zone} form. For additional detail refer to +Locality Weight The following example shows how to setup locality weights mesh-wide.

        -

        Given a mesh with workloads and their service deployed to "us-west/zone1/"
        -and "us-west/zone2/
        ". This example specifies that when traffic accessing a
        -service originates from workloads in "us-west/zone1/", 80% of the traffic
        -will be sent to endpoints in "us-west/zone1/
        ", i.e the same zone, and the
        -remaining 20% will go to endpoints in "us-west/zone2/". This setup is
        -intended to favor routing traffic to endpoints in the same locality.
        +

        Given a mesh with workloads and their service deployed to "us-west/zone1/" +and "us-west/zone2/". This example specifies that when traffic accessing a +service originates from workloads in "us-west/zone1/", 80% of the traffic +will be sent to endpoints in "us-west/zone1/", i.e the same zone, and the +remaining 20% will go to endpoints in "us-west/zone2/". This setup is +intended to favor routing traffic to endpoints in the same locality. A similar setting is specified for traffic originating in "us-west/zone2/".

          distribute:
             - from: us-west/zone1/*
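Review bot: in the rewrapped LocalityLoadBalancerSetting description the link text "Locality Weight" runs straight into "The following example shows how to setup locality weights mesh-wide." with no sentence terminator, so the joined line now reads "...refer to Locality Weight The following example...". Because Goldmark joins the soft-wrapped comment lines, a missing period after the link that was masked by a line break in the old renderer is now visible; add the period in the proto comment in istio/api.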
        @@ -1162,14 +1162,14 @@ 

        LocalityLoadBalancerSetting

        "us-west/zone1/*": 20 "us-west/zone2/*": 80
        -

        If the goal of the operator is not to distribute load across zones and
        -regions but rather to restrict the regionality of failover to meet other
        -operational requirements an operator can set a 'failover' policy instead of
        +

        If the goal of the operator is not to distribute load across zones and +regions but rather to restrict the regionality of failover to meet other +operational requirements an operator can set a 'failover' policy instead of a 'distribute' policy.

        -

        The following example sets up a locality failover policy for regions.
        -Assume a service resides in zones within us-east, us-west & eu-west
        -this example specifies that when endpoints within us-east become unhealthy
        -traffic should failover to endpoints in any zone or sub-zone within eu-west
        +

        The following example sets up a locality failover policy for regions. +Assume a service resides in zones within us-east, us-west & eu-west +this example specifies that when endpoints within us-east become unhealthy +traffic should failover to endpoints in any zone or sub-zone within eu-west and similarly us-west should failover to us-east.

         failover:
            - from: us-east
        @@ -1193,9 +1193,9 @@ 

        LocalityLoadBalancerSetting

        @@ -1207,9 +1207,9 @@

        LocalityLoadBalancerSetting

        @@ -1221,8 +1221,8 @@

        LocalityLoadBalancerSetting

        @@ -1266,7 +1266,7 @@

        LocalityLoadBalancerSetting

        @@ -1295,7 +1295,7 @@

        TrafficPolicy.PortTrafficPolicy

        @@ -1366,11 +1366,11 @@

        TrafficPolicy.TunnelSettings

        @@ -1382,7 +1382,7 @@

        TrafficPolicy.TunnelSettings

        @@ -1406,10 +1406,10 @@

        TrafficPolicy.TunnelSettings

        LoadBalancerSettings.ConsistentHashLB

        -

        Consistent Hash-based load balancing can be used to provide soft
        -session affinity based on HTTP headers, cookies or other
        -properties. The affinity to a particular destination host may be
        -lost when one or more hosts are added/removed from the destination
        +

        Consistent Hash-based load balancing can be used to provide soft +session affinity based on HTTP headers, cookies or other +properties. The affinity to a particular destination host may be +lost when one or more hosts are added/removed from the destination service.

        mode TLSmode -

        Indicates whether connections to this port should be secured
        +

        Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

        clientCertificate string -

        REQUIRED if mode is MUTUAL. The path to the file holding the
        -client-side TLS certificate to use.
        +

        REQUIRED if mode is MUTUAL. The path to the file holding the +client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

        privateKey string -

        REQUIRED if mode is MUTUAL. The path to the file holding the
        -client's private key.
        +

        REQUIRED if mode is MUTUAL. The path to the file holding the +client's private key. Should be empty if mode is ISTIO_MUTUAL.

        caCertificates string -

        OPTIONAL: The path to the file containing certificate authority
        -certificates to use in verifying a presented server certificate. If
        -omitted, the proxy will not verify the server's certificate.
        +

        OPTIONAL: The path to the file containing certificate authority +certificates to use in verifying a presented server certificate. If +omitted, the proxy will not verify the server's certificate. Should be empty if mode is ISTIO_MUTUAL.

        credentialName string -

        The name of the secret that holds the TLS certs for the
        -client including the CA certificates. Secret must exist in the
        -same namespace with the proxy using the certificates.
        -The secret (of type generic)should contain the
        -following keys and values: key: <privateKey>,
        -cert: <clientCert>, cacert: <CACertificate>.
        -Here CACertificate is used to verify the server certificate.
        -Secret of type tls for client certificates along with
        -ca.crt key for CA certificates is also supported.
        -Only one of client certificates and CA certificate
        +

        The name of the secret that holds the TLS certs for the +client including the CA certificates. Secret must exist in the +same namespace with the proxy using the certificates. +The secret (of type generic)should contain the +following keys and values: key: <privateKey>, +cert: <clientCert>, cacert: <CACertificate>. +Here CACertificate is used to verify the server certificate. +Secret of type tls for client certificates along with +ca.crt key for CA certificates is also supported. +Only one of client certificates and CA certificate or credentialName can be specified.

        -

        NOTE: This field is applicable at sidecars only if
        -DestinationRule has a workloadSelector specified.
        -Otherwise the field will be applicable only at gateways, and
        +

        NOTE: This field is applicable at sidecars only if +DestinationRule has a workloadSelector specified. +Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.

        subjectAltNames string[] -

        A list of alternate names to verify the subject identity in the
        -certificate. If specified, the proxy will verify that the server
        -certificate's subject alt name matches one of the specified values.
        -If specified, this list overrides the value of subject_alt_names
        -from the ServiceEntry. If unspecified, automatic validation of upstream
        -presented certificate for new upstream connections will be done based on the
        -downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT
        +

        A list of alternate names to verify the subject identity in the +certificate. If specified, the proxy will verify that the server +certificate's subject alt name matches one of the specified values. +If specified, this list overrides the value of subject_alt_names +from the ServiceEntry. If unspecified, automatic validation of upstream +presented certificate for new upstream connections will be done based on the +downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT and ENABLE_AUTO_SNI environmental variables are set to true.

        sni string -

        SNI string to present to the server during TLS handshake.
        -If unspecified, SNI will be automatically set based on downstream HTTP
        -host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI
        +

        SNI string to present to the server during TLS handshake. +If unspecified, SNI will be automatically set based on downstream HTTP +host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI environmental variable is set to true.

        insecureSkipVerify BoolValue -

        InsecureSkipVerify specifies whether the proxy should skip verifying the
        -CA signature and SAN for the server certificate corresponding to the host.
        -This flag should only be set if global CA signature verifcation is
        -enabled, VerifyCertAtClient environmental variable is set to true,
        -but no verification is desired for a specific host. If enabled with or
        -without VerifyCertAtClient enabled, verification of the CA signature and
        +

        InsecureSkipVerify specifies whether the proxy should skip verifying the +CA signature and SAN for the server certificate corresponding to the host. +This flag should only be set if global CA signature verifcation is +enabled, VerifyCertAtClient environmental variable is set to true, +but no verification is desired for a specific host. If enabled with or +without VerifyCertAtClient enabled, verification of the CA signature and SAN will be skipped.

        -

        InsecureSkipVerify is false by default.
        -VerifyCertAtClient is false by default in Istio version 1.9 but will
        -be true by default in a later version where, going forward, it will be
        +

        InsecureSkipVerify is false by default. +VerifyCertAtClient is false by default in Istio version 1.9 but will +be true by default in a later version where, going forward, it will be enabled by default.

        distribute Distribute[] -

        Optional: only one of distribute, failover or failoverPriority can be set.
        -Explicitly specify loadbalancing weight across different zones and geographical locations.
        -Refer to Locality weighted load balancing
        +

        Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify loadbalancing weight across different zones and geographical locations. +Refer to Locality weighted load balancing If empty, the locality weight is set according to the endpoints number within it.

        failover Failover[] -

        Optional: only one of distribute, failover or failoverPriority can be set.
        -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
        -Should be used together with OutlierDetection to detect unhealthy endpoints.
        +

        Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. +Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.

        failoverPriority string[] -

        failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
        -This is to support traffic failover across different groups of endpoints.
        +

        failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. +This is to support traffic failover across different groups of endpoints. Suppose there are total N labels specified:

        1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
        2. @@ -1231,7 +1231,7 @@

          LocalityLoadBalancerSetting

        3. All the other endpoints have priority P(N) i.e. lowest priority.

        Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

        -

        It can be any label specified on both client and server workloads.
        +

        It can be any label specified on both client and server workloads. The following labels which have special semantic meaning are also supported:

        • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
        • @@ -1254,7 +1254,7 @@

          LocalityLoadBalancerSetting

        • endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
        • all the other endpoints have the same lowest priority.
        • -

          Optional: only one of distribute, failover or failoverPriority can be set.
          +

          Optional: only one of distribute, failover or failoverPriority can be set. And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

        enabled BoolValue -

        enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
        +

        enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.

        port PortSelector -

        Specifies the number of a port on the destination service
        +

        Specifies the number of a port on the destination service on which this policy is being applied.

        protocol string -

        Specifies which protocol to use for tunneling the downstream connection.
        -Supported protocols are:
        -CONNECT - uses HTTP CONNECT;
        -POST - uses HTTP POST.
        -CONNECT is used by default if not specified.
        +

        Specifies which protocol to use for tunneling the downstream connection. +Supported protocols are: +CONNECT - uses HTTP CONNECT; +POST - uses HTTP POST. +CONNECT is used by default if not specified. HTTP version for upstream requests is determined by the service protocol defined for the proxy.

        targetHost string -

        Specifies a host to which the downstream connection is tunneled.
        +

        Specifies a host to which the downstream connection is tunneled. Target host must be an FQDN or IP address.
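Review bot: three wording defects in the ClientTLSSettings and LocalityLoadBalancerSetting field text are carried through the re-render and are more noticeable now that the lines are joined: "(of type generic)should" in credentialName lacks a space, "verifcation" in insecureSkipVerify should be "verification", and the distribute description reads "Refer to Locality weighted load balancing If empty, ..." with no period after the link text. The insecureSkipVerify note that "VerifyCertAtClient is false by default in Istio version 1.9 but will be true by default in a later version" is also a stale version reference that should be refreshed at the source. All of these belong in the istio/api proto comments, not in this generated HTML.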

        @@ -1448,7 +1448,7 @@

        LoadBalancerSettings.ConsistentHa

        @@ -1519,10 +1519,10 @@

        LoadBalancerSettings.Con

        @@ -1549,8 +1549,8 @@

        LoadBalancerSettings.Consi

        @@ -1563,8 +1563,8 @@

        LoadBalancerSettings.Consi

        LoadBalancerSettings.ConsistentHashLB.HTTPCookie

        -

        Describes a HTTP cookie that will be used as the hash key for the
        -Consistent Hash load balancer. If the cookie is not present, it will
        +

        Describes a HTTP cookie that will be used as the hash key for the +Consistent Hash load balancer. If the cookie is not present, it will be generated.

        useSourceIp bool (oneof) -

        Hash based on the source IP address.
        +

        Hash based on the source IP address. This is applicable for both TCP and HTTP connections.

        minimumRingSize uint64 -

        The minimum number of virtual nodes to use for the hash
        -ring. Defaults to 1024. Larger ring sizes result in more granular
        -load distributions. If the number of hosts in the load balancing
        -pool is larger than the ring size, each host will be assigned a
        +

        The minimum number of virtual nodes to use for the hash +ring. Defaults to 1024. Larger ring sizes result in more granular +load distributions. If the number of hosts in the load balancing +pool is larger than the ring size, each host will be assigned a single virtual node.

        tableSize uint64 -

        The table size for Maglev hashing. This helps in controlling the
        -disruption when the backend hosts change.
        +

        The table size for Maglev hashing. This helps in controlling the +disruption when the backend hosts change. Increasing the table size reduces the amount of disruption.

        @@ -1642,7 +1642,7 @@

        ConnectionPoolSettings.TCPSettingsconnectTimeout

        @@ -1665,8 +1665,8 @@

        ConnectionPoolSettings.TCPSettingsmaxConnectionDuration

        @@ -1695,10 +1695,10 @@

        ConnectionPoolSettings.HTTPSettings

        @@ -1710,7 +1710,7 @@

        ConnectionPoolSettings.HTTPSettings

        @@ -1722,8 +1722,8 @@

        ConnectionPoolSettings.HTTPSettings

        @@ -1735,7 +1735,7 @@

        ConnectionPoolSettings.HTTPSettings

        @@ -1747,12 +1747,12 @@

        ConnectionPoolSettings.HTTPSettings

        @@ -1775,8 +1775,8 @@

        ConnectionPoolSettings.HTTPSettings

        @@ -1805,8 +1805,8 @@

        ConnectionPoolSettings.

        @@ -1818,8 +1818,8 @@

        ConnectionPoolSettings.

        @@ -1831,8 +1831,8 @@

        ConnectionPoolSettings.

        @@ -1845,9 +1845,9 @@

        ConnectionPoolSettings.

        LocalityLoadBalancerSetting.Distribute

        -

        Describes how traffic originating in the 'from' zone or sub-zone is
        -distributed over a set of 'to' zones. Syntax for specifying a zone is
        -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
        +

        Describes how traffic originating in the 'from' zone or sub-zone is +distributed over a set of 'to' zones. Syntax for specifying a zone is +{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples:

        * - matches all localities

        us-west/* - all zones and sub-zones within the us-west region

        @@ -1878,8 +1878,8 @@

        LocalityLoadBalancerSetting.Dist

        @@ -1892,12 +1892,12 @@

        LocalityLoadBalancerSetting.Dist

        LocalityLoadBalancerSetting.Failover

        -

        Specify the traffic failover policy across regions. Since zone and sub-zone
        -failover is supported by default this only needs to be specified for
        -regions when the operator needs to constrain traffic failover so that
        -the default behavior of failing over to any endpoint globally does not
        -apply. This is useful when failing over traffic across regions would not
        -improve service health or may need to be restricted for other reasons
        +

        Specify the traffic failover policy across regions. Since zone and sub-zone +failover is supported by default this only needs to be specified for +regions when the operator needs to constrain traffic failover so that +the default behavior of failing over to any endpoint globally does not +apply. This is useful when failing over traffic across regions would not +improve service health or may need to be restricted for other reasons like regulatory controls.

        Duration -

        TCP connection timeout. format:
        +

        TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

        Duration -

        The maximum duration of a connection. The duration is defined as the period since a connection
        -was established. If not set, there is no max duration. When max_connection_duration
        +

        The maximum duration of a connection. The duration is defined as the period since a connection +was established. If not set, there is no max duration. When max_connection_duration is reached the connection will be closed. Duration must be at least 1ms.

        http1MaxPendingRequests int32 -

        Maximum number of requests that will be queued while waiting for
        -a ready connection pool connection. Default 1024.
        -Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking
        -under which conditions a new connection is created for HTTP2.
        +

        Maximum number of requests that will be queued while waiting for +a ready connection pool connection. Default 1024. +Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking +under which conditions a new connection is created for HTTP2. Please note that this is applicable to both HTTP/1.1 and HTTP2.
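Review bot: the `http1MaxPendingRequests` paragraph is missing a connecting phrase after the link: "Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking under which conditions a new connection is created for HTTP2" reads as a fragment. Suggest "Refer to ... for the conditions under which a new connection is created for HTTP2." Since this page is regenerated from the istio/api comments, the wording fix belongs upstream so it survives the next regeneration.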

        http2MaxRequests int32 -

        Maximum number of active requests to a destination. Default 1024.
        +

        Maximum number of active requests to a destination. Default 1024. Please note that this is applicable to both HTTP/1.1 and HTTP2.

        maxRequestsPerConnection int32 -

        Maximum number of requests per connection to a backend. Setting this
        -parameter to 1 disables keep alive. Default 0, meaning "unlimited",
        +

        Maximum number of requests per connection to a backend. Setting this +parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.

        maxRetries int32 -

        Maximum number of retries that can be outstanding to all hosts in a
        +

        Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.

        idleTimeout Duration -

        The idle timeout for upstream connection pool connections. The idle timeout
        -is defined as the period in which there are no active requests.
        -If not set, the default is 1 hour. When the idle timeout is reached,
        -the connection will be closed. If the connection is an HTTP/2
        -connection a drain sequence will occur prior to closing the connection.
        -Note that request based timeouts mean that HTTP/2 PINGs will not
        +

        The idle timeout for upstream connection pool connections. The idle timeout +is defined as the period in which there are no active requests. +If not set, the default is 1 hour. When the idle timeout is reached, +the connection will be closed. If the connection is an HTTP/2 +connection a drain sequence will occur prior to closing the connection. +Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

        useClientProtocol bool -

        If set to true, client protocol will be preserved while initiating connection to backend.
        -Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client
        +

        If set to true, client protocol will be preserved while initiating connection to backend. +Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client connections will not be upgraded to http2.

        probes uint32 -

        Maximum number of keepalive probes to send without response before
        -deciding the connection is dead. Default is to use the OS level configuration
        +

        Maximum number of keepalive probes to send without response before +deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

        time Duration -

        The time duration a connection needs to be idle before keep-alive
        -probes start being sent. Default is to use the OS level configuration
        +

        The time duration a connection needs to be idle before keep-alive +probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)
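Review bot: the regenerated `time` description has an unbalanced parenthesis: "(unless overridden, Linux defaults to 7200s (ie 2 hours.)" opens two and closes one. Suggest "(unless overridden, Linux defaults to 7200s, i.e. 2 hours.)", fixed in the istio/api source comment rather than in this generated HTML.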

        interval Duration -

        The time duration between keep-alive probes.
        -Default is to use the OS level configuration
        +

        The time duration between keep-alive probes. +Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

        to map<string, uint32> -

        Map of upstream localities to traffic distribution weights. The sum of
        -all weights should be 100. Any locality not present will
        +

        Map of upstream localities to traffic distribution weights. The sum of +all weights should be 100. Any locality not present will receive no traffic.

        @@ -1925,7 +1925,7 @@

        LocalityLoadBalancerSetting.Failov

        @@ -1980,7 +1980,7 @@

        LoadBalancerSettings.SimpleLB

        @@ -1988,8 +1988,8 @@

        LoadBalancerSettings.SimpleLB

        @@ -1997,10 +1997,10 @@

        LoadBalancerSettings.SimpleLB

        @@ -2008,9 +2008,9 @@

        LoadBalancerSettings.SimpleLB

        @@ -2018,9 +2018,9 @@

        LoadBalancerSettings.SimpleLB

        @@ -2057,7 +2057,7 @@

        ConnectionPoolSetti

        @@ -2065,7 +2065,7 @@

        ConnectionPoolSetti

        @@ -2102,7 +2102,7 @@

        ClientTLSSettings.TLSmode

        @@ -2110,10 +2110,10 @@

        ClientTLSSettings.TLSmode

        diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html index f086692c8a8d4..f3b121e84d482 100644 --- a/content/en/docs/reference/config/networking/envoy-filter/index.html +++ b/content/en/docs/reference/config/networking/envoy-filter/index.html @@ -10,39 +10,39 @@ aliases: [/docs/reference/config/networking/v1alpha3/envoy-filter] number_of_entries: 18 --- -

        EnvoyFilter provides a mechanism to customize the Envoy
        -configuration generated by Istio Pilot. Use EnvoyFilter to modify
        -values for certain fields, add specific filters, or even add
        -entirely new listeners, clusters, etc. This feature must be used
        -with care, as incorrect configurations could potentially
        -destabilize the entire mesh. Unlike other Istio networking objects,
        -EnvoyFilters are additively applied. Any number of EnvoyFilters can
        -exist for a given workload in a specific namespace. The order of
        -application of these EnvoyFilters is as follows: all EnvoyFilters
        -in the config root
        -namespace
        ,
        +

        EnvoyFilter provides a mechanism to customize the Envoy +configuration generated by Istio Pilot. Use EnvoyFilter to modify +values for certain fields, add specific filters, or even add +entirely new listeners, clusters, etc. This feature must be used +with care, as incorrect configurations could potentially +destabilize the entire mesh. Unlike other Istio networking objects, +EnvoyFilters are additively applied. Any number of EnvoyFilters can +exist for a given workload in a specific namespace. The order of +application of these EnvoyFilters is as follows: all EnvoyFilters +in the config root +namespace, followed by all matching EnvoyFilters in the workload's namespace.

        -

        NOTE 1: Some aspects of this API are deeply tied to the internal
        -implementation in Istio networking subsystem as well as Envoy's XDS
        -API. While the EnvoyFilter API by itself will maintain backward
        -compatibility, any envoy configuration provided through this
        -mechanism should be carefully monitored across Istio proxy version
        -upgrades, to ensure that deprecated fields are removed and replaced
        +

        NOTE 1: Some aspects of this API are deeply tied to the internal +implementation in Istio networking subsystem as well as Envoy's XDS +API. While the EnvoyFilter API by itself will maintain backward +compatibility, any envoy configuration provided through this +mechanism should be carefully monitored across Istio proxy version +upgrades, to ensure that deprecated fields are removed and replaced appropriately.

        -

        NOTE 2: When multiple EnvoyFilters are bound to the same
        -workload in a given namespace, all patches will be processed
        -sequentially in order of creation time. The behavior is undefined
        +

        NOTE 2: When multiple EnvoyFilters are bound to the same +workload in a given namespace, all patches will be processed +sequentially in order of creation time. The behavior is undefined if multiple EnvoyFilter configurations conflict with each other.

        -

        NOTE 3: To apply an EnvoyFilter resource to all workloads
        -(sidecars and gateways) in the system, define the resource in the
        -config root
        -namespace
        ,
        +

        NOTE 3: To apply an EnvoyFilter resource to all workloads +(sidecars and gateways) in the system, define the resource in the +config root +namespace, without a workloadSelector.

        -

        The example below declares a global default EnvoyFilter resource in
        -the root namespace called istio-config, that adds a custom
        -protocol filter on all sidecars in the system, for outbound port
        -9307. The filter should be added before the terminating tcp_proxy
        -filter to take effect. In addition, it sets a 30s idle timeout for
        +

        The example below declares a global default EnvoyFilter resource in +the root namespace called istio-config, that adds a custom +protocol filter on all sidecars in the system, for outbound port +9307. The filter should be added before the terminating tcp_proxy +filter to take effect. In addition, it sets a 30s idle timeout for all HTTP connections in both gateways and sidecars.

        apiVersion: networking.istio.io/v1alpha3
         kind: EnvoyFilter
        @@ -83,11 +83,11 @@
                   common_http_protocol_options:
                     idle_timeout: 30s
         
        -

        The following example enables Envoy's Lua filter for all inbound
        -HTTP calls arriving at service port 8080 of the reviews service pod
        -with labels "app: reviews", in the bookinfo namespace. The lua
        -filter calls out to an external service internal.org.net:8888 that
        -requires a special cluster definition in envoy. The cluster is also
        +

        The following example enables Envoy's Lua filter for all inbound +HTTP calls arriving at service port 8080 of the reviews service pod +with labels "app: reviews", in the bookinfo namespace. The lua +filter calls out to an external service internal.org.net:8888 that +requires a special cluster definition in envoy. The cluster is also added to the sidecar as part of this configuration.

        apiVersion: networking.istio.io/v1alpha3
         kind: EnvoyFilter
        @@ -152,9 +152,9 @@
                             address: "internal.org.net"
                             port_value: 8888
         
        -

        The following example overwrites certain fields (HTTP idle timeout
        -and X-Forward-For trusted hops) in the HTTP connection manager in a
        -listener on the ingress gateway in istio-system namespace for the
        +

        The following example overwrites certain fields (HTTP idle timeout +and X-Forward-For trusted hops) in the HTTP connection manager in a +listener on the ingress gateway in istio-system namespace for the SNI host app.example.com:

        apiVersion: networking.istio.io/v1alpha3
         kind: EnvoyFilter
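Review bot: "X-Forward-For trusted hops" in the regenerated paragraph should be "X-Forwarded-For trusted hops"; that is the actual header name the trusted-hops setting refers to, and the misspelling is carried over unchanged from the `-` lines. Worth correcting at the source so the generated page stops propagating it.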
        @@ -183,8 +183,8 @@
                   common_http_protocol_options:
                     idle_timeout: 30s
         
        -

        The following example inserts an attributegen filter
        -that produces istio_operationId attribute which is consumed
        +

        The following example inserts an attributegen filter +that produces istio_operationId attribute which is consumed by the istio.stats filter. filterClass: STATS encodes this dependency.

        apiVersion: networking.istio.io/v1alpha3
         kind: EnvoyFilter
        @@ -251,9 +251,9 @@
                     - key: foo
                       value: myauth.acme # required by local ext auth server.
         
        -

        A workload in the myns namespace needs to access a different ext_auth server
        -that does not accept initial metadata. Since proto merge cannot remove fields, the
        -following configuration uses the REPLACE operation. If you do not need to inherit
        +

        A workload in the myns namespace needs to access a different ext_auth server +that does not accept initial metadata. Since proto merge cannot remove fields, the +following configuration uses the REPLACE operation. If you do not need to inherit fields, REPLACE is preferred over MERGE.

        apiVersion: networking.istio.io/v1alpha3
         kind: EnvoyFilter
        @@ -331,9 +331,9 @@
                     ads: {}
                   type_urls: ["type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm"]
         
        -

        The following example adds a Wasm service extension for all proxies using a locally available Wasm file.
        -The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters.
        -For example, a local rate limit extension would rely on a singleton to limit requests across all workers.
        +

        The following example adds a Wasm service extension for all proxies using a locally available Wasm file. +The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters. +For example, a local rate limit extension would rely on a singleton to limit requests across all workers. As another example, an authorization Wasm extension can use a singleton to maintain a database of accounts.

        apiVersion: networking.istio.io/v1alpha3
         kind: EnvoyFilter
        @@ -366,7 +366,7 @@
         
         

        EnvoyFilter

        -

        EnvoyFilter provides a mechanism to customize the Envoy configuration
        +

        EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot.

        to string -

        Destination region the traffic will fail over to when endpoints in
        +

        Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
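Review bot: subject-verb agreement in the `to` field text: "when endpoints in the 'from' region becomes unhealthy" should be "become unhealthy". Same remark as elsewhere in this patch: fix the proto comment in istio/api, not the generated HTML.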

        UNSPECIFIED -

        No load balancing algorithm has been specified by the user. Istio
        +

        No load balancing algorithm has been specified by the user. Istio will select an appropriate default.

        RANDOM -

        The random load balancer selects a random healthy host. The random
        -load balancer generally performs better than round robin if no health
        +

        The random load balancer selects a random healthy host. The random +load balancer generally performs better than round robin if no health checking policy is configured.

        PASSTHROUGH -

        This option will forward the connection to the original IP address
        -requested by the caller without doing any form of load
        -balancing. This option must be used with care. It is meant for
        -advanced use cases. Refer to Original Destination load balancer in
        +

        This option will forward the connection to the original IP address +requested by the caller without doing any form of load +balancing. This option must be used with care. It is meant for +advanced use cases. Refer to Original Destination load balancer in Envoy for further details.

        ROUND_ROBIN -

        A basic round robin load balancing policy. This is generally unsafe
        -for many scenarios (e.g. when enpoint weighting is used) as it can
        -overburden endpoints. In general, prefer to use LEAST_REQUEST as a
        +

        A basic round robin load balancing policy. This is generally unsafe +for many scenarios (e.g. when enpoint weighting is used) as it can +overburden endpoints. In general, prefer to use LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.
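Review bot: the ROUND_ROBIN description still carries the typo "enpoint weighting" (should be "endpoint weighting"); the regeneration preserved it verbatim from the `-` lines. Suggest correcting it in the istio/api comment so the next regeneration picks it up.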

        LEAST_REQUEST -

        The least request load balancer spreads load across endpoints, favoring
        -endpoints with the least outstanding requests. This is generally safer
        -and outperforms ROUND_ROBIN in nearly all cases. Prefer to use
        +

        The least request load balancer spreads load across endpoints, favoring +endpoints with the least outstanding requests. This is generally safer +and outperforms ROUND_ROBIN in nearly all cases. Prefer to use LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

        DO_NOT_UPGRADE -

        Do not upgrade the connection to http2.
        +

        Do not upgrade the connection to http2. This opt-out option overrides the default.

        UPGRADE -

        Upgrade the connection to http2.
        +

        Upgrade the connection to http2. This opt-in option overrides the default.

        MUTUAL -

        Secure connections to the upstream using mutual TLS by presenting
        +

        Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

        ISTIO_MUTUAL -

        Secure connections to the upstream using mutual TLS by presenting
        -client certificates for authentication.
        -Compared to Mutual mode, this mode uses certificates generated
        -automatically by Istio for mTLS authentication. When this mode is
        +

        Secure connections to the upstream using mutual TLS by presenting +client certificates for authentication. +Compared to Mutual mode, this mode uses certificates generated +automatically by Istio for mTLS authentication. When this mode is used, all other fields in ClientTLSSettings should be empty.

        @@ -383,13 +383,13 @@

        EnvoyFilter

        @@ -412,18 +412,18 @@

        EnvoyFilter

        @@ -452,13 +452,13 @@

        EnvoyFilter.ProxyMatch

        @@ -470,11 +470,11 @@

        EnvoyFilter.ProxyMatch

        @@ -487,7 +487,7 @@

        EnvoyFilter.ProxyMatch

        EnvoyFilter.ClusterMatch

        -

        Conditions specified in ClusterMatch must be met for the patch
        +

        Conditions specified in ClusterMatch must be met for the patch to be applied to a cluster.

        workloadSelector WorkloadSelector -

        Criteria used to select the specific set of pods/VMs on which
        -this patch configuration should be applied. If omitted, the set
        -of patches in this configuration will be applied to all workload
        -instances in the same namespace. If omitted, the EnvoyFilter
        -patches will be applied to all workloads in the same
        -namespace. If the EnvoyFilter is present in the config root
        -namespace, it will be applied to all applicable workloads in any
        +

        Criteria used to select the specific set of pods/VMs on which +this patch configuration should be applied. If omitted, the set +of patches in this configuration will be applied to all workload +instances in the same namespace. If omitted, the EnvoyFilter +patches will be applied to all workloads in the same +namespace. If the EnvoyFilter is present in the config root +namespace, it will be applied to all applicable workloads in any namespace.
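Review bot: the `workloadSelector` paragraph states the omitted-selector behaviour twice in a row: "If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace. If omitted, the EnvoyFilter patches will be applied to all workloads in the same namespace." One of the two sentences should go; keeping the second plus the root-namespace sentence that follows it reads cleanest. As with the other text fixes, this belongs in the istio/api source comment.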

        priority int32 -

        Priority defines the order in which patch sets are applied within a context.
        -When one patch depends on another patch, the order of patch application
        -is significant. The API provides two primary ways to order patches.
        -Patch sets in the root namespace are applied before the patch sets in the
        -workload namespace. Patches within a patch set are processed in the order
        +

        Priority defines the order in which patch sets are applied within a context. +When one patch depends on another patch, the order of patch application +is significant. The API provides two primary ways to order patches. +Patch sets in the root namespace are applied before the patch sets in the +workload namespace. Patches within a patch set are processed in the order that they appear in the configPatches list.

        -

        The default value for priority is 0 and the range is [ min-int32, max-int32 ].
        -A patch set with a negative priority is processed before the default. A patch
        +

        The default value for priority is 0 and the range is [ min-int32, max-int32 ]. +A patch set with a negative priority is processed before the default. A patch set with a positive priority is processed after the default.

        -

        It is recommended to start with priority values that are multiples of 10
        +

        It is recommended to start with priority values that are multiples of 10 to leave room for further insertion.

        -

        Patch sets are sorted in the following ascending key order:
        +

        Patch sets are sorted in the following ascending key order: priority, creation time, fully qualified resource name.

        proxyVersion string -

        A regular expression in golang regex format (RE2) that can be
        -used to select proxies using a specific version of istio
        -proxy. The Istio version for a given proxy is obtained from the
        -node metadata field ISTIO_VERSION supplied by the proxy when
        -connecting to Pilot. This value is embedded as an environment
        -variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker
        -image. Custom proxy implementations should provide this metadata
        +

        A regular expression in golang regex format (RE2) that can be +used to select proxies using a specific version of istio +proxy. The Istio version for a given proxy is obtained from the +node metadata field ISTIO_VERSION supplied by the proxy when +connecting to Pilot. This value is embedded as an environment +variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker +image. Custom proxy implementations should provide this metadata variable to take advantage of the Istio version check option.

        metadata map<string, string> -

        Match on the node metadata supplied by a proxy when connecting
        -to Istio Pilot. Note that while Envoy's node metadata is of
        -type Struct, only string key-value pairs are processed by
        -Pilot. All keys specified in the metadata must match with exact
        -values. The match will fail if any of the specified keys are
        +

        Match on the node metadata supplied by a proxy when connecting +to Istio Pilot. Note that while Envoy's node metadata is of +type Struct, only string key-value pairs are processed by +Pilot. All keys specified in the metadata must match with exact +values. The match will fail if any of the specified keys are absent or the values fail to match.

        @@ -504,8 +504,8 @@

        EnvoyFilter.ClusterMatch

        @@ -517,10 +517,10 @@

        EnvoyFilter.ClusterMatch

        @@ -532,7 +532,7 @@

        EnvoyFilter.ClusterMatch

        @@ -544,9 +544,9 @@

        EnvoyFilter.ClusterMatch

        @@ -559,8 +559,8 @@

        EnvoyFilter.ClusterMatch

        EnvoyFilter.RouteConfigurationMatch

        -

        Conditions specified in RouteConfigurationMatch must be met for
        -the patch to be applied to a route configuration object or a
        +

        Conditions specified in RouteConfigurationMatch must be met for +the patch to be applied to a route configuration object or a specific virtual host within the route configuration.

        portNumber uint32 -

        The service port for which this cluster was generated. If
        -omitted, applies to clusters for any port.
        +

        The service port for which this cluster was generated. If +omitted, applies to clusters for any port. Note: for inbound cluster, it is the service target port.

        service string -

        The fully qualified service name for this cluster. If omitted,
        -applies to clusters for any service. For services defined
        -through service entries, the service name is same as the hosts
        -defined in the service entry.
        +

        The fully qualified service name for this cluster. If omitted, +applies to clusters for any service. For services defined +through service entries, the service name is same as the hosts +defined in the service entry. Note: for inbound cluster, this is ignored.

        subset string -

        The subset associated with the service. If omitted, applies to
        +

        The subset associated with the service. If omitted, applies to clusters for any subset of a service.

        name string -

        The exact name of the cluster to match. To match a specific
        -cluster by name, such as the internally generated Passthrough
        -cluster, leave all fields in clusterMatch empty, except the
        +

        The exact name of the cluster to match. To match a specific +cluster by name, such as the internally generated Passthrough +cluster, leave all fields in clusterMatch empty, except the name.

        @@ -577,8 +577,8 @@

        EnvoyFilter.RouteConfigurationMatch

        @@ -590,7 +590,7 @@

        EnvoyFilter.RouteConfigurationMatch

        @@ -602,11 +602,11 @@

        EnvoyFilter.RouteConfigurationMatch

        @@ -618,7 +618,7 @@

        EnvoyFilter.RouteConfigurationMatch

        @@ -630,8 +630,8 @@

        EnvoyFilter.RouteConfigurationMatch

        @@ -644,8 +644,8 @@

        EnvoyFilter.RouteConfigurationMatch

        EnvoyFilter.ListenerMatch

        -

        Conditions specified in a listener match must be met for the
        -patch to be applied to a specific listener across all filter
        +

        Conditions specified in a listener match must be met for the +patch to be applied to a specific listener across all filter chains, or a specific filter chain inside the listener.

        portNumber uint32 -

        The service port number or gateway server port number for which
        -this route configuration was generated. If omitted, applies to
        +

        The service port number or gateway server port number for which +this route configuration was generated. If omitted, applies to route configurations for all ports.

        portName string -

        Applicable only for GATEWAY context. The gateway server port
        +

        Applicable only for GATEWAY context. The gateway server port name for which this route configuration was generated.

        gateway string -

        The Istio gateway config's namespace/name for which this route
        -configuration was generated. Applies only if the context is
        -GATEWAY. Should be in the namespace/name format. Use this field
        -in conjunction with the portNumber and portName to accurately
        -select the Envoy route configuration for a specific HTTPS
        +

        The Istio gateway config's namespace/name for which this route +configuration was generated. Applies only if the context is +GATEWAY. Should be in the namespace/name format. Use this field +in conjunction with the portNumber and portName to accurately +select the Envoy route configuration for a specific HTTPS server within a gateway config object.

        vhost VirtualHostMatch -

        Match a specific virtual host in a route configuration and
        +

        Match a specific virtual host in a route configuration and apply the patch to the virtual host.

        name string -

        Route configuration name to match on. Can be used to match a
        -specific route configuration by name, such as the internally
        +

        Route configuration name to match on. Can be used to match a +specific route configuration by name, such as the internally generated http_proxy route configuration for all sidecars.

        @@ -662,9 +662,9 @@

        EnvoyFilter.ListenerMatch

        @@ -676,9 +676,9 @@

        EnvoyFilter.ListenerMatch

        @@ -690,7 +690,7 @@

        EnvoyFilter.ListenerMatch

        @@ -730,7 +730,7 @@

        EnvoyFilter.Patch

        @@ -754,7 +754,7 @@

        EnvoyFilter.Patch

        EnvoyFilter.EnvoyConfigObjectMatch

        -

        One or more match conditions to be met before a patch is applied
        +

        One or more match conditions to be met before a patch is applied to the generated configuration for a given proxy.

        portNumber uint32 -

        The service port/gateway port to which traffic is being
        -sent/received. If not specified, matches all listeners. Even though
        -inbound listeners are generated for the instance/pod ports, only
        +

        The service port/gateway port to which traffic is being +sent/received. If not specified, matches all listeners. Even though +inbound listeners are generated for the instance/pod ports, only service ports should be used to match listeners.

        filterChain FilterChainMatch -

        Match a specific filter chain in a listener. If specified, the
        -patch will be applied to the filter chain (and a specific
        -filter if specified) and not to other filter chains in the
        +

        Match a specific filter chain in a listener. If specified, the +patch will be applied to the filter chain (and a specific +filter if specified) and not to other filter chains in the listener.

        name string -

        Match a specific listener by its name. The listeners generated
        +

        Match a specific listener by its name. The listeners generated by Pilot are typically named as IP:Port.

        value Struct -

        The JSON config of the object being patched. This will be merged using
        +

        The JSON config of the object being patched. This will be merged using proto merge semantics with the existing proto in the path.

        @@ -771,8 +771,8 @@

        EnvoyFilter.EnvoyConfigObjectMatchcontext

        @@ -845,14 +845,14 @@

        EnvoyFilter.EnvoyConfigObjectPatchapplyTo

        @@ -903,9 +903,9 @@

        EnvoyFilter.RouteConfigu

        @@ -945,9 +945,9 @@

        EnvoyFilter.RouteC

        @@ -971,9 +971,9 @@

        EnvoyFilter.RouteC

        EnvoyFilter.ListenerMatch.FilterChainMatch

        -

        For listeners with multiple filter chains (e.g., inbound
        -listeners on sidecars with permissive mTLS, gateway listeners
        -with multiple SNI matches), the filter chain match can be used
        +

        For listeners with multiple filter chains (e.g., inbound +listeners on sidecars with permissive mTLS, gateway listeners +with multiple SNI matches), the filter chain match can be used to select a specific filter chain to patch.

        PatchContext -

        The specific config generation context to match on. Istio Pilot
        -generates envoy configuration in the context of a gateway,
        +

        The specific config generation context to match on. Istio Pilot +generates envoy configuration in the context of a gateway, inbound traffic to sidecar and outbound traffic from sidecar.

        ApplyTo -

        Specifies where in the Envoy configuration, the patch should be
        -applied. The match is expected to select the appropriate
        -object based on applyTo. For example, an applyTo with
        -HTTP_FILTER is expected to have a match condition on the
        -listeners, with a network filter selection on
        -envoy.filters.network.http_connection_manager and a sub filter selection on the
        -HTTP filter relative to which the insertion should be
        -performed. Similarly, an applyTo on CLUSTER should have a match
        +

        Specifies where in the Envoy configuration, the patch should be +applied. The match is expected to select the appropriate +object based on applyTo. For example, an applyTo with +HTTP_FILTER is expected to have a match condition on the +listeners, with a network filter selection on +envoy.filters.network.http_connection_manager and a sub filter selection on the +HTTP filter relative to which the insertion should be +performed. Similarly, an applyTo on CLUSTER should have a match (if provided) on the cluster and not on a listener.

        name string -

        The Route objects generated by default are named as
        -default. Route objects generated using a virtual service
        -will carry the name used in the virtual service's HTTP
        +

        The Route objects generated by default are named as +default. Route objects generated using a virtual service +will carry the name used in the virtual service's HTTP routes.

        name string -

        The VirtualHosts objects generated by Istio are named as
        -host:port, where the host typically corresponds to the
        -VirtualService's host field or the hostname of a service in the
        +

        The VirtualHosts objects generated by Istio are named as +host:port, where the host typically corresponds to the +VirtualService's host field or the hostname of a service in the registry.
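        Review bot: style nit in the ApplyTo description's + line: the comma in "where in the Envoy configuration, the patch should be applied" splits the clause and should be dropped. This text is generated from the istio/api proto comment, so the correction belongs in that comment rather than in this HTML.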

        @@ -1001,8 +1001,8 @@

        EnvoyFilter.ListenerMatch.Fi

        @@ -1014,10 +1014,10 @@

        EnvoyFilter.ListenerMatch.Fi

        @@ -1063,7 +1063,7 @@

        EnvoyFilter.ListenerMatch.Fi

        @@ -1092,8 +1092,8 @@

        EnvoyFilter.ListenerMatch.FilterM

        @@ -1105,8 +1105,8 @@

        EnvoyFilter.ListenerMatch.FilterM

        @@ -1119,9 +1119,9 @@

        EnvoyFilter.ListenerMatch.FilterM

        EnvoyFilter.ListenerMatch.SubFilterMatch

        -

        Conditions to match a specific filter within another
        -filter. This field is typically useful to match a HTTP filter
        -inside the envoy.filters.network.http_connection_manager network filter.
        +

        Conditions to match a specific filter within another +filter. This field is typically useful to match a HTTP filter +inside the envoy.filters.network.http_connection_manager network filter. This could also be applicable for thrift filters.

        sni string -

        The SNI value used by a filter chain's match condition. This
        -condition will evaluate to false if the filter chain has no
        +

        The SNI value used by a filter chain's match condition. This +condition will evaluate to false if the filter chain has no sni match.

        transportProtocol string -

        Applies only to SIDECAR_INBOUND context. If non-empty, a
        -transport protocol to consider when determining a filter
        -chain match. This value will be compared against the
        -transport protocol of a new connection, when it's detected by
        +

        Applies only to SIDECAR_INBOUND context. If non-empty, a +transport protocol to consider when determining a filter +chain match. This value will be compared against the +transport protocol of a new connection, when it's detected by the tls_inspector listener filter.

        Accepted values include:
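        Review bot: the transportProtocol entry ends with "Accepted values include:" and no values appear before the next hunk header, whereas the applicationProtocols entry further down carries its values inline ("h2, http/1.1, http/1.0"). Please confirm that the list following this colon survives the Goldmark rendering and is not lost in the reflow.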

          @@ -1034,10 +1034,10 @@

          EnvoyFilter.ListenerMatch.Fi

        applicationProtocols string -

        Applies only to sidecars. If non-empty, a comma separated set
        -of application protocols to consider when determining a
        -filter chain match. This value will be compared against the
        -application protocols of a new connection, when it's detected
        +

        Applies only to sidecars. If non-empty, a comma separated set +of application protocols to consider when determining a +filter chain match. This value will be compared against the +application protocols of a new connection, when it's detected by one of the listener filters such as the http_inspector.

        Accepted values include: h2, http/1.1, http/1.0

        @@ -1050,8 +1050,8 @@

        EnvoyFilter.ListenerMatch.Fi

        filter FilterMatch -

        The name of a specific filter to apply the patch to. Set this
        -to envoy.filters.network.http_connection_manager to add a filter or apply a
        +

        The name of a specific filter to apply the patch to. Set this +to envoy.filters.network.http_connection_manager to add a filter or apply a patch to the HTTP connection manager.

        destinationPort uint32 -

        The destination_port value used by a filter chain's match condition.
        +

        The destination_port value used by a filter chain's match condition. This condition will evaluate to false if the filter chain has no destination_port match.

        name string -

        The filter name to match on.
        -For standard Envoy filters, canonical filter
        +

        The filter name to match on. +For standard Envoy filters, canonical filter names should be used.

        subFilter SubFilterMatch -

        The next level filter within this filter to match
        -upon. Typically used for HTTP Connection Manager filters and
        +

        The next level filter within this filter to match +upon. Typically used for HTTP Connection Manager filters and Thrift filters.

        @@ -1193,7 +1193,7 @@

        EnvoyFilter.Route

        EnvoyFilter.Patch.Operation

        -

        Operation denotes how the patch should be applied to the selected
        +

        Operation denotes how the patch should be applied to the selected configuration.

        @@ -1212,8 +1212,8 @@

        EnvoyFilter.Patch.Operation

        @@ -1221,9 +1221,9 @@

        EnvoyFilter.Patch.Operation

        @@ -1231,10 +1231,10 @@

        EnvoyFilter.Patch.Operation

        @@ -1242,14 +1242,14 @@

        EnvoyFilter.Patch.Operation

        @@ -1257,14 +1257,14 @@

        EnvoyFilter.Patch.Operation

        @@ -1272,14 +1272,14 @@

        EnvoyFilter.Patch.Operation

        @@ -1287,9 +1287,9 @@

        EnvoyFilter.Patch.Operation

        @@ -1299,14 +1299,14 @@

        EnvoyFilter.Patch.Operation

        EnvoyFilter.Patch.FilterClass

        -

        FilterClass determines the filter insertion point in the filter chain
        -relative to the filters implicitly inserted by the control plane.
        -It is used in conjuction with the ADD operation.
        -This is the preferred insertion mechanism for adding filters over
        -the INSERT_* operations since those operations rely on potentially unstable
        -filter names.
        -Filter ordering is important if your filter depends on or affects the
        -functioning of a another filter in the filter chain.
        +

        FilterClass determines the filter insertion point in the filter chain +relative to the filters implicitly inserted by the control plane. +It is used in conjuction with the ADD operation. +This is the preferred insertion mechanism for adding filters over +the INSERT_* operations since those operations rely on potentially unstable +filter names. +Filter ordering is important if your filter depends on or affects the +functioning of a another filter in the filter chain. Within a filter class, filters are inserted in the order of processing.

        MERGE -

        Merge the provided config with the generated config using
        -proto merge semantics. If you are specifying config in its
        +

        Merge the provided config with the generated config using +proto merge semantics. If you are specifying config in its entirety, use REPLACE instead.

        ADD -

        Add the provided config to an existing list (of listeners,
        -clusters, virtual hosts, network filters, or http
        -filters). This operation will be ignored when applyTo is set
        +

        Add the provided config to an existing list (of listeners, +clusters, virtual hosts, network filters, or http +filters). This operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

        REMOVE -

        Remove the selected object from the list (of listeners,
        -clusters, virtual hosts, network filters, routes, or http
        -filters). Does not require a value to be specified. This
        -operation will be ignored when applyTo is set to
        +

        Remove the selected object from the list (of listeners, +clusters, virtual hosts, network filters, routes, or http +filters). Does not require a value to be specified. This +operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

        INSERT_BEFORE -

        Insert operation on an array of named objects. This operation
        -is typically useful only in the context of filters or routes,
        -where the order of elements matter. Routes should be ordered
        -based on most to least specific matching criteria since the
        -first matching element is selected. For clusters and virtual hosts,
        -order of the element in the array does not matter. Insert
        -before the selected filter or sub filter. If no filter is
        -selected, the specified filter will be inserted at the front
        +

        Insert operation on an array of named objects. This operation +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, +order of the element in the array does not matter. Insert +before the selected filter or sub filter. If no filter is +selected, the specified filter will be inserted at the front of the list.

        INSERT_AFTER -

        Insert operation on an array of named objects. This operation
        -is typically useful only in the context of filters or routes,
        -where the order of elements matter. Routes should be ordered
        -based on most to least specific matching criteria since the
        -first matching element is selected. For clusters and virtual hosts,
        -order of the element in the array does not matter. Insert
        -after the selected filter or sub filter. If no filter is
        -selected, the specified filter will be inserted at the end
        +

        Insert operation on an array of named objects. This operation +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, +order of the element in the array does not matter. Insert +after the selected filter or sub filter. If no filter is +selected, the specified filter will be inserted at the end of the list.

        INSERT_FIRST -

        Insert operation on an array of named objects. This operation
        -is typically useful only in the context of filters or routes,
        -where the order of elements matter. Routes should be ordered
        -based on most to least specific matching criteria since the
        -first matching element is selected. For clusters and virtual hosts,
        -order of the element in the array does not matter. Insert
        -first in the list based on the presence of selected filter or not.
        -This is specifically useful when you want your filter first in the
        +

        Insert operation on an array of named objects. This operation +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, +order of the element in the array does not matter. Insert +first in the list based on the presence of selected filter or not. +This is specifically useful when you want your filter first in the list based on a match condition specified in Match clause.

        REPLACE -

        Replace contents of a named filter with new contents.
        -REPLACE operation is only valid for HTTP_FILTER and
        -NETWORK_FILTER. If the named filter is not found, this operation
        +

        Replace contents of a named filter with new contents. +REPLACE operation is only valid for HTTP_FILTER and +NETWORK_FILTER. If the named filter is not found, this operation has no effect.
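        Review bot: the reflowed FilterClass description carries two typos from the removed lines into the + line: "conjuction" for "conjunction" and "a another filter" for "another filter". Since this HTML is regenerated from the istio/api proto comments, fix them in the source comment or the next regeneration will reintroduce them.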

        @@ -1320,7 +1320,7 @@

        EnvoyFilter.Patch.FilterClass

        @@ -1383,7 +1383,7 @@

        EnvoyFilter.ApplyTo

        @@ -1391,8 +1391,8 @@

        EnvoyFilter.ApplyTo

        @@ -1400,9 +1400,9 @@

        EnvoyFilter.ApplyTo

        @@ -1417,7 +1417,7 @@

        EnvoyFilter.ApplyTo

        @@ -1432,7 +1432,7 @@

        EnvoyFilter.ApplyTo

        @@ -1449,7 +1449,7 @@

        EnvoyFilter.ApplyTo

        EnvoyFilter.PatchContext

        -

        PatchContext selects a class of configurations based on the
        +

        PatchContext selects a class of configurations based on the traffic flow direction and workload type.

        UNSPECIFIED -

        Control plane decides where to insert the filter.
        +

        Control plane decides where to insert the filter. Do not specify FilterClass if the filter is independent of others.

        NETWORK_FILTER -

        Applies the patch to the network filter chain, to modify an
        +

        Applies the patch to the network filter chain, to modify an existing filter or add a new filter.

        HTTP_FILTER -

        Applies the patch to the HTTP filter chain in the http
        -connection manager, to modify an existing filter or add a new
        +

        Applies the patch to the HTTP filter chain in the http +connection manager, to modify an existing filter or add a new filter.

        ROUTE_CONFIGURATION -

        Applies the patch to the Route configuration (rds output)
        -inside a HTTP connection manager. This does not apply to the
        -virtual host. Currently, only MERGE operation is allowed on the
        +

        Applies the patch to the Route configuration (rds output) +inside a HTTP connection manager. This does not apply to the +virtual host. Currently, only MERGE operation is allowed on the route configuration objects.

        HTTP_ROUTE -

        Applies the patch to a route object inside the matched virtual
        +

        Applies the patch to a route object inside the matched virtual host in a route configuration.

        EXTENSION_CONFIG -

        Applies the patch to or adds an extension config in ECDS output. Note that ECDS
        +

        Applies the patch to or adds an extension config in ECDS output. Note that ECDS is only supported by HTTP filters.
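        Review bot: under the EnvoyFilter.PatchContext heading, the UNSPECIFIED entry reads "Do not specify FilterClass if the filter is independent of others", which documents a FilterClass value rather than a patch context. Check that the generator emits this entry in the FilterClass table and that the PatchContext table lists only its own values.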

        diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html index 767df12ebc85e..ce493547a31ce 100644 --- a/content/en/docs/reference/config/networking/gateway/index.html +++ b/content/en/docs/reference/config/networking/gateway/index.html @@ -10,18 +10,18 @@ aliases: [/docs/reference/config/networking/v1alpha3/gateway] number_of_entries: 6 --- -

        Gateway describes a load balancer operating at the edge of the mesh
        -receiving incoming or outgoing HTTP/TCP connections. The specification
        -describes a set of ports that should be exposed, the type of protocol to
        +

        Gateway describes a load balancer operating at the edge of the mesh +receiving incoming or outgoing HTTP/TCP connections. The specification +describes a set of ports that should be exposed, the type of protocol to use, SNI configuration for the load balancer, etc.

        -

        For example, the following Gateway configuration sets up a proxy to act
        -as a load balancer exposing port 80 and 9080 (http), 443 (https),
        -9443(https) and port 2379 (TCP) for ingress. The gateway will be
        -applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen
        -on these ports, it is the responsibility of the user to ensure that
        +

        For example, the following Gateway configuration sets up a proxy to act +as a load balancer exposing port 80 and 9080 (http), 443 (https), +9443(https) and port 2379 (TCP) for ingress. The gateway will be +applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen +on these ports, it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Gateway
         metadata:
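        Review bot: the Hugo shortcode markers in this hunk appear only as "{{}}" and "+{{}}" in this view, so the open/close pairing that the reflow rearranges cannot be verified here; please confirm the regenerated file still opens and closes each shortcode in order around the YAML blocks. Also a grammar nit in the + line: "external traffic to these ports are allowed into the mesh" should read "is allowed".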
        @@ -73,8 +73,8 @@
             hosts:
             - "*"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Gateway
         metadata:
        @@ -126,23 +126,23 @@
             hosts:
             - "*"
         
        -

        {{}}
        -{{}}

        -

        The Gateway specification above describes the L4-L6 properties of a load
        -balancer. A VirtualService can then be bound to a gateway to control
        +

        {{}} +{{}}

        +

        The Gateway specification above describes the L4-L6 properties of a load +balancer. A VirtualService can then be bound to a gateway to control the forwarding of traffic arriving at a particular host or gateway port.

        -

        For example, the following VirtualService splits traffic for
        -https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews,
        -http://uk.bookinfo.com:9080/reviews,
        -http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of
        -an internal reviews service on port 9080. In addition, requests
        -containing the cookie "user: dev-123" will be sent to special port 7777
        -in the qa version. The same rule is also applicable inside the mesh for
        -requests to the "reviews.prod.svc.cluster.local" service. This rule is
        -applicable across ports 443, 9080. Note that http://uk.bookinfo.com
        +

        For example, the following VirtualService splits traffic for +https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews, +http://uk.bookinfo.com:9080/reviews, +http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of +an internal reviews service on port 9080. In addition, requests +containing the cookie "user: dev-123" will be sent to special port 7777 +in the qa version. The same rule is also applicable inside the mesh for +requests to the "reviews.prod.svc.cluster.local" service. This rule is +applicable across ports 443, 9080. Note that http://uk.bookinfo.com gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -179,8 +179,8 @@
                 host: reviews.qa.svc.cluster.local
               weight: 20
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -217,14 +217,14 @@
                 host: reviews.qa.svc.cluster.local
               weight: 20
         
        -

        {{}}
        -{{}}

        -

        The following VirtualService forwards traffic arriving at (external)
        -port 27017 to internal Mongo server on port 5555. This rule is not
        -applicable internally in the mesh as the gateway list omits the
        +

        {{}} +{{}}

        +

        The following VirtualService forwards traffic arriving at (external) +port 27017 to internal Mongo server on port 5555. This rule is not +applicable internally in the mesh as the gateway list omits the reserved name mesh.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -244,8 +244,8 @@
                 port:
                   number: 5555
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -265,15 +265,15 @@
                 port:
                   number: 5555
         
        -

        {{}}
        -{{}}

        -

        It is possible to restrict the set of virtual services that can bind to
        -a gateway server using the namespace/hostname syntax in the hosts field.
        -For example, the following Gateway allows any virtual service in the ns1
        -namespace to bind to it, while restricting only the virtual service with
        +

        {{}} +{{}}

        +

        It is possible to restrict the set of virtual services that can bind to +a gateway server using the namespace/hostname syntax in the hosts field. +For example, the following Gateway allows any virtual service in the ns1 +namespace to bind to it, while restricting only the virtual service with foo.bar.com host in the ns2 namespace to bind to it.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Gateway
         metadata:
        @@ -291,8 +291,8 @@
             - "ns1/*"
             - "ns2/foo.bar.com"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Gateway
         metadata:
        @@ -310,12 +310,12 @@
             - "ns1/*"
             - "ns2/foo.bar.com"
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        Gateway

        -

        Gateway describes a load balancer operating at the edge of the mesh
        +

        Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.

        @@ -343,17 +343,17 @@

        Gateway

        @@ -366,10 +366,10 @@

        Gateway

        Server

        -

        Server describes the properties of the proxy on a given load balancer
        +

        Server describes the properties of the proxy on a given load balancer port. For example,

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Gateway
         metadata:
        @@ -385,8 +385,8 @@ 

        Server

        hosts: - "*"
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Gateway
         metadata:
        @@ -402,11 +402,11 @@ 

        Server

        hosts: - "*"
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        Another example

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Gateway
         metadata:
        @@ -422,8 +422,8 @@ 

        Server

        hosts: - "*"
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Gateway
         metadata:
        @@ -439,11 +439,11 @@ 

        Server

        hosts: - "*"
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        The following is an example of TLS configuration for port 443

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Gateway
         metadata:
        @@ -462,8 +462,8 @@ 

        Server

        mode: SIMPLE credentialName: tls-cert
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Gateway
         metadata:
        @@ -482,8 +482,8 @@ 

        Server

        mode: SIMPLE credentialName: tls-cert
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        selector map<string, string> -

        One or more labels that indicate a specific set of pods/VMs
        -on which this gateway configuration should be applied.
        -By default workloads are searched across all namespaces based on label selectors.
        -This implies that a gateway resource in the namespace "foo" can select pods in
        -the namespace "bar" based on labels.
        -This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE
        -environment variable in istiod. If this variable is set
        -to true, the scope of label search is restricted to the configuration
        -namespace in which the the resource is present. In other words, the Gateway
        -resource must reside in the same namespace as the gateway workload
        -instance.
        +

        One or more labels that indicate a specific set of pods/VMs +on which this gateway configuration should be applied. +By default workloads are searched across all namespaces based on label selectors. +This implies that a gateway resource in the namespace "foo" can select pods in +the namespace "bar" based on labels. +This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE +environment variable in istiod. If this variable is set +to true, the scope of label search is restricted to the configuration +namespace in which the the resource is present. In other words, the Gateway +resource must reside in the same namespace as the gateway workload +instance. If selector is nil, the Gateway will be applied to all workloads.
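        Review bot: the + line for the selector field keeps the duplicated word in "the configuration namespace in which the the resource is present"; correct it to "in which the resource is present" in the istio/api proto comment this text is generated from. Worth fixing promptly because this paragraph documents the cross-namespace selection default and the PILOT_SCOPE_GATEWAY_TO_NAMESPACE variable that restricts it, which operators read closely when scoping gateways.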

        @@ -499,7 +499,7 @@

        Server

        @@ -511,13 +511,13 @@

        Server

        @@ -529,31 +529,31 @@

        Server

        @@ -565,8 +565,8 @@

        Server

        @@ -578,8 +578,8 @@

        Server

        @@ -619,9 +619,9 @@

        Port

        @@ -644,7 +644,7 @@

        Port

        @@ -671,7 +671,7 @@

        ServerTLSSettings

        @@ -683,8 +683,8 @@

        ServerTLSSettings

        @@ -696,7 +696,7 @@

        ServerTLSSettings

        @@ -708,7 +708,7 @@

        ServerTLSSettings

        @@ -720,8 +720,8 @@

        ServerTLSSettings

        @@ -733,15 +733,15 @@

        ServerTLSSettings

        @@ -753,7 +753,7 @@

        ServerTLSSettings

        @@ -765,10 +765,10 @@

        ServerTLSSettings

        @@ -780,11 +780,11 @@

        ServerTLSSettings

        @@ -818,7 +818,7 @@

        ServerTLSSettings

        @@ -844,8 +844,8 @@

        ServerTLSSettings.TLSmode

        @@ -860,7 +860,7 @@

        ServerTLSSettings.TLSmode

        @@ -868,16 +868,16 @@

        ServerTLSSettings.TLSmode

        @@ -885,11 +885,11 @@

        ServerTLSSettings.TLSmode

        diff --git a/content/en/docs/reference/config/networking/proxy-config/index.html b/content/en/docs/reference/config/networking/proxy-config/index.html index a316d013e6f68..fb934b2343c19 100644 --- a/content/en/docs/reference/config/networking/proxy-config/index.html +++ b/content/en/docs/reference/config/networking/proxy-config/index.html @@ -10,15 +10,15 @@ aliases: [/docs/reference/config/networking/v1beta1/proxy-config] number_of_entries: 2 --- -

        ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis,
        -a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented
        +

        ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis, +a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented inline with each field.

        NOTE: fields in ProxyConfig are not dynamically configured - changes will require restart of workloads to take effect.

        -

        For any namespace, including the root configuration namespace, it is only valid
        +

        For any namespace, including the root configuration namespace, it is only valid to have a single workload selector-less ProxyConfig resource.

        -

        For resources with a workload selector, it is only valid to have one resource selecting
        +

        For resources with a workload selector, it is only valid to have one resource selecting any given workload.

        -

        For mesh level configuration, put the resource in the root configuration namespace for
        +

        For mesh level configuration, put the resource in the root configuration namespace for your Istio installation without a workload selector:

        apiVersion: networking.istio.io/v1beta1
         kind: ProxyConfig
        @@ -53,8 +53,8 @@
           image:
             imageType: debug
         
        -

        If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present,
        -with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and
        +

        If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present, +with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and meshConfig.DefaultConfig is set, the two resources will be merged with the CR taking precedence for overlapping fields.

        ProxyConfig

        @@ -75,7 +75,7 @@

        ProxyConfig

        @@ -87,8 +87,8 @@

        ProxyConfig

        @@ -100,7 +100,7 @@

        ProxyConfig

        @@ -124,9 +124,9 @@

        ProxyConfig

        ProxyImage

        -

        The following values are used to construct proxy image url.
        -format: ${hub}/${image_name}/${tag}-${image_type},
        -example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless.
        +

        The following values are used to construct proxy image url. +format: ${hub}/${image_name}/${tag}-${image_type}, +example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless. This information was previously part of the Values API.

        port Port -

        The Port on which the proxy should listen for incoming
        +

        The Port on which the proxy should listen for incoming connections.

        bind string -

        The ip or the Unix domain socket to which the listener should be bound
        -to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar
        -(Linux abstract namespace). When using Unix domain sockets, the port
        -number should be 0.
        -This can be used to restrict the reachability of this server to be gateway internal only.
        -This is typically used when a gateway needs to communicate to another mesh service
        -e.g. publishing metrics. In such case, the server created with the
        +

        The ip or the Unix domain socket to which the listener should be bound +to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar +(Linux abstract namespace). When using Unix domain sockets, the port +number should be 0. +This can be used to restrict the reachability of this server to be gateway internal only. +This is typically used when a gateway needs to communicate to another mesh service +e.g. publishing metrics. In such case, the server created with the specified bind will not be available to external gateway clients.

        hosts string[] -

        One or more hosts exposed by this gateway.
        -While typically applicable to
        -HTTP services, it can also be used for TCP services using TLS with SNI.
        -A host is specified as a dnsName with an optional namespace/ prefix.
        -The dnsName should be specified using FQDN format, optionally including
        -a wildcard character in the left-most component (e.g., prod/*.example.com).
        -Set the dnsName to * to select all VirtualService hosts from the
        +

        One or more hosts exposed by this gateway. +While typically applicable to +HTTP services, it can also be used for TCP services using TLS with SNI. +A host is specified as a dnsName with an optional namespace/ prefix. +The dnsName should be specified using FQDN format, optionally including +a wildcard character in the left-most component (e.g., prod/*.example.com). +Set the dnsName to * to select all VirtualService hosts from the specified namespace (e.g.,prod/*).

        -

        The namespace can be set to * or ., representing any or the current
        -namespace, respectively. For example, */foo.example.com selects the
        -service from any available namespace while ./foo.example.com only selects
        -the service from the namespace of the sidecar. The default, if no namespace/
        -is specified, is */, that is, select services from any namespace.
        +

        The namespace can be set to * or ., representing any or the current +namespace, respectively. For example, */foo.example.com selects the +service from any available namespace while ./foo.example.com only selects +the service from the namespace of the sidecar. The default, if no namespace/ +is specified, is */, that is, select services from any namespace. Any associated DestinationRule in the selected namespace will also be used.

        -

        A VirtualService must be bound to the gateway and must have one or
        -more hosts that match the hosts specified in a server. The match
        -could be an exact match or a suffix match with the server's hosts. For
        -example, if the server's hosts specifies *.example.com, a
        -VirtualService with hosts dev.example.com or prod.example.com will
        -match. However, a VirtualService with host example.com or
        +

        A VirtualService must be bound to the gateway and must have one or +more hosts that match the hosts specified in a server. The match +could be an exact match or a suffix match with the server's hosts. For +example, if the server's hosts specifies *.example.com, a +VirtualService with hosts dev.example.com or prod.example.com will +match. However, a VirtualService with host example.com or newexample.com will not match.

        -

        NOTE: Only virtual services exported to the gateway's namespace
        -(e.g., exportTo value of *) can be referenced.
        -Private configurations (e.g., exportTo set to .) will not be
        -available. Refer to the exportTo setting in VirtualService,
        +

        NOTE: Only virtual services exported to the gateway's namespace +(e.g., exportTo value of *) can be referenced. +Private configurations (e.g., exportTo set to .) will not be +available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

        tls ServerTLSSettings -

        Set of TLS related options that govern the server's behavior. Use
        -these options to control if all http requests should be redirected to
        +

        Set of TLS related options that govern the server's behavior. Use +these options to control if all http requests should be redirected to https, and the TLS modes to use.

        name string -

        An optional name of the server, when set must be unique across all servers.
        -This will be used for variety of purposes like prefixing stats generated with
        +

        An optional name of the server, when set must be unique across all servers. +This will be used for variety of purposes like prefixing stats generated with this name etc.

        protocol string -

        The protocol exposed on the port.
        -MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
        -TLS implies the connection will be routed based on the SNI header to
        +

        The protocol exposed on the port. +MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. +TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection.

        targetPort uint32 -

        The port number on the endpoint where the traffic will be
        +

        The port number on the endpoint where the traffic will be received. Applicable only when used with ServiceEntries.

        httpsRedirect bool -

        If set to true, the load balancer will send a 301 redirect for
        +

        If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.

        mode TLSmode -

        Optional: Indicates whether connections to this port should be
        -secured using TLS. The value of this field determines how TLS is
        +

        Optional: Indicates whether connections to this port should be +secured using TLS. The value of this field determines how TLS is enforced.

        serverCertificate string -

        REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
        +

        REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server-side TLS certificate to use.

        privateKey string -

        REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
        +

        REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server's private key.

        caCertificates string -

        REQUIRED if mode is MUTUAL. The path to a file containing
        -certificate authority certificates to use in verifying a presented
        +

        REQUIRED if mode is MUTUAL. The path to a file containing +certificate authority certificates to use in verifying a presented client side certificate.

        credentialName string -

        For gateways running on Kubernetes, the name of the secret that
        -holds the TLS certs including the CA certificates. Applicable
        -only on Kubernetes. The secret (of type generic) should
        -contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS,
        -cacert: <CACertificate> can be provided in the same secret or
        -a separate secret named <secret>-cacert.
        -Secret of type tls for server certificates along with
        -ca.crt key for CA certificates is also supported.
        -Only one of server certificates and CA certificate
        +

        For gateways running on Kubernetes, the name of the secret that +holds the TLS certs including the CA certificates. Applicable +only on Kubernetes. The secret (of type generic) should +contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS, +cacert: <CACertificate> can be provided in the same secret or +a separate secret named <secret>-cacert. +Secret of type tls for server certificates along with +ca.crt key for CA certificates is also supported. +Only one of server certificates and CA certificate or credentialName can be specified.

        subjectAltNames string[] -

        A list of alternate names to verify the subject identity in the
        +

        A list of alternate names to verify the subject identity in the certificate presented by the client.

        verifyCertificateSpki string[] -

        An optional list of base64-encoded SHA-256 hashes of the SPKIs of
        -authorized client certificates.
        -Note: When both verify_certificate_hash and verify_certificate_spki
        -are specified, a hash matching either value will result in the
        +

        An optional list of base64-encoded SHA-256 hashes of the SPKIs of +authorized client certificates. +Note: When both verify_certificate_hash and verify_certificate_spki +are specified, a hash matching either value will result in the certificate being accepted.

        verifyCertificateHash string[] -

        An optional list of hex-encoded SHA-256 hashes of the
        -authorized client certificates. Both simple and colon separated
        -formats are acceptable.
        -Note: When both verify_certificate_hash and verify_certificate_spki
        -are specified, a hash matching either value will result in the
        +

        An optional list of hex-encoded SHA-256 hashes of the +authorized client certificates. Both simple and colon separated +formats are acceptable. +Note: When both verify_certificate_hash and verify_certificate_spki +are specified, a hash matching either value will result in the certificate being accepted.

        cipherSuites string[] -

        Optional: If specified, only support the specified cipher list.
        +

        Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy.
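Review bot: the closing sentence of the credentialName entry, "Only one of server certificates and CA certificate or credentialName can be specified", is ambiguous about what is mutually exclusive with what. Suggest "Set either the file-path fields (serverCertificate, privateKey, caCertificates) or credentialName, not both", which is what the rest of the entry describes. It is also worth saying explicitly that for a MUTUAL server the CA used to verify clients comes from the cacert key (or the <secret>-cacert secret) of a generic secret, or the ca.crt key of a tls secret, and that MUTUAL depends on that key being present; the current wording lists the keys but not which one client verification depends on.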

        PASSTHROUGH -

        The SNI string presented by the client will be used as the
        -match criterion in a VirtualService TLS route to determine
        +

        The SNI string presented by the client will be used as the +match criterion in a VirtualService TLS route to determine the destination service from the service registry.

        MUTUAL -

        Secure connections to the downstream using mutual TLS by
        +

        Secure connections to the downstream using mutual TLS by presenting server certificates for authentication.

        AUTO_PASSTHROUGH -

        Similar to the passthrough mode, except servers with this TLS
        -mode do not require an associated VirtualService to map from
        -the SNI value to service in the registry. The destination
        -details such as the service/subset/port are encoded in the
        -SNI value. The proxy will forward to the upstream (Envoy)
        -cluster (a group of endpoints) specified by the SNI
        -value. This server is typically used to provide connectivity
        -between services in disparate L3 networks that otherwise do
        -not have direct connectivity between their respective
        -endpoints. Use of this mode assumes that both the source and
        +

        Similar to the passthrough mode, except servers with this TLS +mode do not require an associated VirtualService to map from +the SNI value to service in the registry. The destination +details such as the service/subset/port are encoded in the +SNI value. The proxy will forward to the upstream (Envoy) +cluster (a group of endpoints) specified by the SNI +value. This server is typically used to provide connectivity +between services in disparate L3 networks that otherwise do +not have direct connectivity between their respective +endpoints. Use of this mode assumes that both the source and the destination are using Istio mTLS to secure traffic.

        ISTIO_MUTUAL -

        Secure connections from the downstream using mutual TLS by
        -presenting server certificates for authentication. Compared
        -to Mutual mode, this mode uses certificates, representing
        -gateway workload identity, generated automatically by Istio
        -for mTLS authentication. When this mode is used, all other
        +

        Secure connections from the downstream using mutual TLS by +presenting server certificates for authentication. Compared +to Mutual mode, this mode uses certificates, representing +gateway workload identity, generated automatically by Istio +for mTLS authentication. When this mode is used, all other fields in TLSOptions should be empty.
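Review bot: the TLSmode value table in this hunk lists PASSTHROUGH, MUTUAL, AUTO_PASSTHROUGH and ISTIO_MUTUAL but no SIMPLE entry, although serverCertificate and privateKey above say "REQUIRED if mode is SIMPLE or MUTUAL". Either the Goldmark rendering dropped the SIMPLE row or it is missing from the source; please check the regenerated table against the proto so the mode the certificate fields depend on is documented. While there, the MUTUAL text "Secure connections to the downstream using mutual TLS by presenting server certificates for authentication" describes only the server side; it should say that a client certificate is also required and verified against caCertificates (or the CA key of the credentialName secret), since that is what distinguishes MUTUAL from SIMPLE.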

        selector WorkloadSelector -

        Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied.
        +

        Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. If not set, the ProxyConfig resource will be applied to all workloads in the namespace where this resource is defined.

        concurrency Int32Value -

        The number of worker threads to run.
        -If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using
        +

        The number of worker threads to run. +If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using CPU requests and limits to choose a value, with limits taking precedence over requests.

        environmentVariables map<string, string> -

        Additional environment variables for the proxy.
        +

        Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap configuration and sent to the XDS server.
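Review bot: the ProxyImage description in this hunk has a format string that does not match its own example: "format: ${hub}/${image_name}/${tag}-${image_type}" puts a slash before the tag, while the example "docker.io/istio/proxyv2:1.11.1-distroless" uses a colon, and the first example "docker.io/istio/proxyv2:1.11.1" shows that the "-${image_type}" suffix is omitted for the default type. Suggest "${hub}/${image_name}:${tag}[-${image_type}]" so the template and the examples agree; as written, someone building an image reference from the template gets a path component, not a tag.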

        @@ -143,9 +143,9 @@

        ProxyImage

        diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html index 711bd469d916b..6a2bb119e01da 100644 --- a/content/en/docs/reference/config/networking/service-entry/index.html +++ b/content/en/docs/reference/config/networking/service-entry/index.html @@ -10,26 +10,26 @@ aliases: [/docs/reference/config/networking/v1alpha3/service-entry] number_of_entries: 3 --- -

        ServiceEntry enables adding additional entries into Istio's
        -internal service registry, so that auto-discovered services in the
        -mesh can access/route to these manually specified services. A
        -service entry describes the properties of a service (DNS name,
        -VIPs, ports, protocols, endpoints). These services could be
        -external to the mesh (e.g., web APIs) or mesh-internal services
        -that are not part of the platform's service registry (e.g., a set
        -of VMs talking to services in Kubernetes). In addition, the
        -endpoints of a service entry can also be dynamically selected by
        -using the workloadSelector field. These endpoints can be VM
        -workloads declared using the WorkloadEntry object or Kubernetes
        -pods. The ability to select both pods and VMs under a single
        -service allows for migration of services from VMs to Kubernetes
        -without having to change the existing DNS names associated with the
        +

        ServiceEntry enables adding additional entries into Istio's +internal service registry, so that auto-discovered services in the +mesh can access/route to these manually specified services. A +service entry describes the properties of a service (DNS name, +VIPs, ports, protocols, endpoints). These services could be +external to the mesh (e.g., web APIs) or mesh-internal services +that are not part of the platform's service registry (e.g., a set +of VMs talking to services in Kubernetes). In addition, the +endpoints of a service entry can also be dynamically selected by +using the workloadSelector field. These endpoints can be VM +workloads declared using the WorkloadEntry object or Kubernetes +pods. The ability to select both pods and VMs under a single +service allows for migration of services from VMs to Kubernetes +without having to change the existing DNS names associated with the services.

        -

        The following example declares a few external APIs accessed by internal
        -applications over HTTPS. The sidecar inspects the SNI value in the
        +

        The following example declares a few external APIs accessed by internal +applications over HTTPS. The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
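Review bot: the + paragraph "The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service" does not say what the SNI is matched against. Suggest adding that it must match one of the entry's hosts (the example below declares protocol TLS with resolution DNS), so this entry only routes connections whose SNI names one of those hosts, plus a reminder that SNI is a plaintext, client-chosen field: the hosts list, not the server certificate, is what bounds where the sidecar forwards.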
        @@ -46,8 +46,8 @@
             protocol: TLS
           resolution: DNS
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -64,14 +64,14 @@
             protocol: TLS
           resolution: DNS
         
        -

        {{}}
        -{{}}

        -

        The following configuration adds a set of MongoDB instances running on
        -unmanaged VMs to Istio's registry, so that these services can be treated
        -as any other service in the mesh. The associated DestinationRule is used
        +

        {{}} +{{}}

        +

        The following configuration adds a set of MongoDB instances running on +unmanaged VMs to Istio's registry, so that these services can be treated +as any other service in the mesh. The associated DestinationRule is used to initiate mTLS connections to the database instances.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
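Review bot: the + sentence "The associated DestinationRule is used to initiate mTLS connections to the database instances" should note that the certificate paths in that rule (privateKey: /etc/certs/client_private_key.pem, caCertificates: /etc/certs/rootcacerts.pem) are resolved inside the client sidecar, so the files have to be mounted into the istio-proxy container of every consumer, and that this is plain mutual TLS with operator-managed certificates rather than Istio-issued identity, which matters when readers compare it with the ISTIO_MUTUAL mode documented elsewhere in this patch.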
        @@ -91,8 +91,8 @@
           - address: 2.2.2.2
           - address: 3.3.3.3
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -112,11 +112,11 @@
           - address: 2.2.2.2
           - address: 3.3.3.3
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        and the associated DestinationRule

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -130,8 +130,8 @@
               privateKey: /etc/certs/client_private_key.pem
               caCertificates: /etc/certs/rootcacerts.pem
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -145,13 +145,13 @@
               privateKey: /etc/certs/client_private_key.pem
               caCertificates: /etc/certs/rootcacerts.pem
         
        -

        {{}}
        -{{}}

        -

        The following example uses a combination of service entry and TLS
        -routing in a virtual service to steer traffic based on the SNI value to
        +

        {{}} +{{}}

        +

        The following example uses a combination of service entry and TLS +routing in a virtual service to steer traffic based on the SNI value to an internal egress firewall.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -167,8 +167,8 @@
             protocol: TLS
           resolution: NONE
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -184,11 +184,11 @@
             protocol: TLS
           resolution: NONE
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        And the associated VirtualService to route based on the SNI value.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -206,8 +206,8 @@
             - destination:
                 host: internal-egress-firewall.ns1.svc.cluster.local
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -225,20 +225,20 @@
             - destination:
                 host: internal-egress-firewall.ns1.svc.cluster.local
         
        -

        {{}}
        -{{}}

        -

        The virtual service with TLS match serves to override the default SNI
        -match. In the absence of a virtual service, traffic will be forwarded to
        +

        {{}} +{{}}

        +

        The virtual service with TLS match serves to override the default SNI +match. In the absence of a virtual service, traffic will be forwarded to the wikipedia domains.

        -

        The following example demonstrates the use of a dedicated egress gateway
        -through which all external service traffic is forwarded.
        -The 'exportTo' field allows for control over the visibility of a service
        -declaration to other namespaces in the mesh. By default, a service is exported
        -to all namespaces. The following example restricts the visibility to the
        -current namespace, represented by ".", so that it cannot be used by other
        +

        The following example demonstrates the use of a dedicated egress gateway +through which all external service traffic is forwarded. +The 'exportTo' field allows for control over the visibility of a service +declaration to other namespaces in the mesh. By default, a service is exported +to all namespaces. The following example restricts the visibility to the +current namespace, represented by ".", so that it cannot be used by other namespaces.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -256,8 +256,8 @@
             protocol: HTTP
           resolution: DNS
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -275,11 +275,11 @@
             protocol: HTTP
           resolution: DNS
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        Define a gateway to handle all egress traffic.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Gateway
         metadata:
        @@ -296,8 +296,8 @@
            hosts:
            - "*"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Gateway
         metadata:
        @@ -314,16 +314,16 @@
            hosts:
            - "*"
         
        -

        {{}}
        -{{}}

        -

        And the associated VirtualService to route from the sidecar to the
        -gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
        -well as route from the gateway to the external service. Note that the
        -virtual service is exported to all namespaces enabling them to route traffic
        -through the gateway to the external service. Forcing traffic to go through
        +

        {{}} +{{}}

        +

        And the associated VirtualService to route from the sidecar to the +gateway service (istio-egressgateway.istio-system.svc.cluster.local), as +well as route from the gateway to the external service. Note that the +virtual service is exported to all namespaces enabling them to route traffic +through the gateway to the external service. Forcing traffic to go through a managed middle proxy like this is a common practice.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
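Review bot: the + paragraph ending "Forcing traffic to go through a managed middle proxy like this is a common practice" overstates what this configuration does: the ServiceEntry, Gateway and VirtualService route traffic through istio-egressgateway.istio-system.svc.cluster.local, but nothing here prevents a workload from bypassing its sidecar or the gateway, and the Gateway server in the example accepts hosts "*". Suggest "Routing traffic through a managed middle proxy like this is a common practice; enforcing that all egress actually goes through it requires controls outside this configuration (e.g. network policy restricting which pods may leave the cluster)", so readers do not take the example as an egress control boundary.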
        @@ -353,8 +353,8 @@
             - destination:
                 host: example.com
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -384,14 +384,14 @@
             - destination:
                 host: example.com
         
        -

        {{}}
        -{{}}

        -

        The following example demonstrates the use of wildcards in the hosts for
        -external services. If the connection has to be routed to the IP address
        -requested by the application (i.e. application resolves DNS and attempts
        +

        {{}} +{{}}

        +

        The following example demonstrates the use of wildcards in the hosts for +external services. If the connection has to be routed to the IP address +requested by the application (i.e. application resolves DNS and attempts to connect to a specific IP), the discovery mode must be set to NONE.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
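Review bot: the + paragraph "If the connection has to be routed to the IP address requested by the application ... the discovery mode must be set to NONE" should also state the consequence for the wildcard hosts in the example (protocol HTTP, resolution NONE): with resolution NONE the sidecar forwards to whatever destination IP the application connected to and only the HTTP Host header is matched against the wildcard, so the entry does not check that the IP belongs to the matched host. Suggest one sentence saying the wildcard host selects which routing rules apply, not the set of addresses the proxy will connect to.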
        @@ -406,8 +406,8 @@
             protocol: HTTP
           resolution: NONE
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -422,13 +422,13 @@
             protocol: HTTP
           resolution: NONE
         
        -

        {{}}
        -{{}}

        -

        The following example demonstrates a service that is available via a
        -Unix Domain Socket on the host of the client. The resolution must be
        +

        {{}} +{{}}

        +

        The following example demonstrates a service that is available via a +Unix Domain Socket on the host of the client. The resolution must be set to STATIC to use Unix address endpoints.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -445,8 +445,8 @@
           endpoints:
           - address: unix:///var/run/example/socket
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -463,17 +463,17 @@
           endpoints:
           - address: unix:///var/run/example/socket
         
        -

        {{}}
        -{{}}

        -

        For HTTP-based services, it is possible to create a VirtualService
        -backed by multiple DNS addressable endpoints. In such a scenario, the
        -application can use the HTTP_PROXY environment variable to transparently
        -reroute API calls for the VirtualService to a chosen backend. For
        -example, the following configuration creates a non-existent external
        -service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
        +

        {{}} +{{}}

        +

        For HTTP-based services, it is possible to create a VirtualService +backed by multiple DNS addressable endpoints. In such a scenario, the +application can use the HTTP_PROXY environment variable to transparently +reroute API calls for the VirtualService to a chosen backend. For +example, the following configuration creates a non-existent external +service called foo.bar.com backed by three domains: us.foo.bar.com:8080, uk.foo.bar.com:9080, and in.foo.bar.com:7080

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -498,8 +498,8 @@
             ports:
               http: 7080
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -524,17 +524,17 @@
             ports:
               http: 7080
         
        -

        {{}}
        -{{}}

        -

        With HTTP_PROXY=http://localhost/, calls from the application to
        -http://foo.bar.com will be load balanced across the three domains
        -specified above. In other words, a call to http://foo.bar.com/baz would
        +

        {{}} +{{}}

        +

        With HTTP_PROXY=http://localhost/, calls from the application to +http://foo.bar.com will be load balanced across the three domains +specified above. In other words, a call to http://foo.bar.com/baz would be translated to http://uk.foo.bar.com/baz.

        -

        The following example illustrates the usage of a ServiceEntry
        -containing a subject alternate name
        +

        The following example illustrates the usage of a ServiceEntry +containing a subject alternate name whose format conforms to the SPIFFE standard:

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
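Review bot: the + lead-in "The following example illustrates the usage of a ServiceEntry containing a subject alternate name whose format conforms to the SPIFFE standard" names the format but not the purpose of subjectAltNames. Suggest stating that the listed names are what the sidecar verifies against the server certificate's SAN when it originates TLS to this entry's endpoints, so a certificate signed by a trusted CA but carrying a different SPIFFE ID is rejected; without that sentence the field reads as informational rather than as a verification input.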
        @@ -555,8 +555,8 @@
           subjectAltNames:
           - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -577,21 +577,21 @@
           subjectAltNames:
           - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
         
        -

        {{}}
        -{{}}

        -

        The following example demonstrates the use of ServiceEntry with a
        -workloadSelector to handle the migration of a service
        -details.bookinfo.com from VMs to Kubernetes. The service has two
        -VM-based instances with sidecars as well as a set of Kubernetes
        -pods managed by a standard deployment object. Consumers of this
        -service in the mesh will be automatically load balanced across the
        -VMs and Kubernetes. VM for the details.bookinfo.com
        -service. This VM has sidecar installed and bootstrapped using the
        -details-legacy service account. The sidecar receives HTTP traffic
        -on port 80 (wrapped in istio mutual TLS) and forwards it to the
        +

        {{}} +{{}}

        +

        The following example demonstrates the use of ServiceEntry with a +workloadSelector to handle the migration of a service +details.bookinfo.com from VMs to Kubernetes. The service has two +VM-based instances with sidecars as well as a set of Kubernetes +pods managed by a standard deployment object. Consumers of this +service in the mesh will be automatically load balanced across the +VMs and Kubernetes. VM for the details.bookinfo.com +service. This VM has sidecar installed and bootstrapped using the +details-legacy service account. The sidecar receives HTTP traffic +on port 80 (wrapped in istio mutual TLS) and forwards it to the application on the localhost on the same port.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: WorkloadEntry
         metadata:
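Review bot: the joined paragraph still contains a sentence fragment carried over unchanged from the `-` side, "VMs and Kubernetes. VM for the details.bookinfo.com service. This VM has sidecar installed", where "VM for the details.bookinfo.com service." has no verb and reads like the start of a separate paragraph introducing the WorkloadEntry example below it. Suggest a paragraph break after "VMs and Kubernetes." and a subject for the next sentence (e.g. "The WorkloadEntry below represents a VM for the details.bookinfo.com service."), plus "has a sidecar installed". Since the `+` text reproduces the `-` text verbatim, the fix belongs wherever this text is sourced, not in a hand edit of the rendered HTML.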
        @@ -614,8 +614,8 @@
             app: details
             instance-id: vm2
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: WorkloadEntry
         metadata:
        @@ -638,14 +638,14 @@
             app: details
             instance-id: vm2
         
        -

        {{}}
        -{{}}

        -

        Assuming there is also a Kubernetes deployment with pod labels
        -app: details using the same service account details, the
        -following service entry declares a service spanning both VMs and
        +

        {{}} +{{}}

        +

        Assuming there is also a Kubernetes deployment with pod labels +app: details using the same service account details, the +following service entry declares a service spanning both VMs and Kubernetes:

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
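Review bot: "pod labels app: details using the same service account details" is ambiguous on the `+` line, because "service account details" can be read as "details of the service account" rather than the account named details. Suggest "using the same service account (details)" or "the service account named details".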
        @@ -663,8 +663,8 @@
             labels:
               app: details
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -682,12 +682,12 @@
             labels:
               app: details
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        ServiceEntry

        -

        ServiceEntry enables adding additional entries into Istio's internal
        +

        ServiceEntry enables adding additional entries into Istio's internal service registry.
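Review bot: "enables adding additional entries" on the `+` line is redundant; "ServiceEntry enables adding entries into Istio's internal service registry" says the same thing.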

        imageType string -

        The image type of the image.
        -Istio publishes default, debug, and distroless images.
        -Other values are allowed if those image types (example: centos) are published to the specified hub.
        +

        The image type of the image. +Istio publishes default, debug, and distroless images. +Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.
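Review bot: on the `+` line, "supported values: default, debug, distroless." begins in lower case after a full stop; capitalise it ("Supported values: default, debug, distroless.") or fold it into the preceding sentence. It also restates the earlier "Istio publishes default, debug, and distroless images", so one of the two sentences could go.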

        @@ -704,27 +704,27 @@

        ServiceEntry

        @@ -761,8 +761,8 @@

        ServiceEntry

        @@ -774,7 +774,7 @@

        ServiceEntry

        @@ -786,9 +786,9 @@

        ServiceEntry

        @@ -800,7 +800,7 @@

        ServiceEntry

        @@ -812,11 +812,11 @@

        ServiceEntry

        @@ -828,18 +828,18 @@

        ServiceEntry

        @@ -851,11 +851,11 @@

        ServiceEntry

        @@ -868,11 +868,11 @@

        ServiceEntry

        ServiceEntry.Location

        -

        Location specifies whether the service is part of Istio mesh or
        -outside the mesh. Location determines the behavior of several
        -features, such as service-to-service mTLS authentication, policy
        -enforcement, etc. When communicating with services outside the mesh,
        -Istio's mTLS authentication is disabled, and policy enforcement is
        +

        Location specifies whether the service is part of Istio mesh or +outside the mesh. Location determines the behavior of several +features, such as service-to-service mTLS authentication, policy +enforcement, etc. When communicating with services outside the mesh, +Istio's mTLS authentication is disabled, and policy enforcement is performed on the client-side as opposed to server-side.

        hosts string[] -

        The hosts associated with the ServiceEntry. Could be a DNS
        +

        The hosts associated with the ServiceEntry. Could be a DNS name with wildcard prefix.

        1. The hosts field is used to select matching hosts in VirtualServices and DestinationRules.
        2. For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field.
        3. -
        4. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
          +
        5. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value will be matched against the hosts field.
        -

        NOTE 1: When resolution is set to type DNS and no endpoints
        -are specified, the host field will be used as the DNS name of the
        +

        NOTE 1: When resolution is set to type DNS and no endpoints +are specified, the host field will be used as the DNS name of the endpoint to route traffic to.

        -

        NOTE 2: If the hostname matches with the name of a service
        -from another service registry such as Kubernetes that also
        -supplies its own set of endpoints, the ServiceEntry will be
        -treated as a decorator of the existing Kubernetes
        -service. Properties in the service entry will be added to the
        -Kubernetes service if applicable. Currently, the only the
        +

        NOTE 2: If the hostname matches with the name of a service +from another service registry such as Kubernetes that also +supplies its own set of endpoints, the ServiceEntry will be +treated as a decorator of the existing Kubernetes +service. Properties in the service entry will be added to the +Kubernetes service if applicable. Currently, the only the following additional properties will be considered by istiod:

          -
        1. subjectAltNames: In addition to verifying the SANs of the
          -service accounts associated with the pods of the service, the
          +
        2. subjectAltNames: In addition to verifying the SANs of the +service accounts associated with the pods of the service, the SANs specified here will also be verified.
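Review bot: NOTE 2 on the `+` line keeps a duplicated article from the `-` side, "Currently, the only the following additional properties will be considered by istiod"; it should read "Currently, only the following additional properties will be considered by istiod". In the same hunk the list item "For HTTPs or TLS traffic containing Server Name Indication (SNI)" should spell the protocol "HTTPS". As the `+` text is a verbatim re-wrap of the `-` text, both fixes belong in the source of this text rather than in the rendered HTML.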
        @@ -737,19 +737,19 @@

        ServiceEntry

        addresses string[] -

        The virtual IP addresses associated with the service. Could be CIDR
        -prefix. For HTTP traffic, generated route configurations will include http route
        -domains for both the addresses and hosts field values and the destination will
        -be identified based on the HTTP Host/Authority header.
        -If one or more IP addresses are specified,
        -the incoming traffic will be identified as belonging to this service
        -if the destination IP matches the IP/CIDRs specified in the addresses
        -field. If the Addresses field is empty, traffic will be identified
        -solely based on the destination port. In such scenarios, the port on
        -which the service is being accessed must not be shared by any other
        -service in the mesh. In other words, the sidecar will behave as a
        -simple TCP proxy, forwarding incoming traffic on a specified port to
        -the specified destination endpoint IP/host. Unix domain socket
        +

        The virtual IP addresses associated with the service. Could be CIDR +prefix. For HTTP traffic, generated route configurations will include http route +domains for both the addresses and hosts field values and the destination will +be identified based on the HTTP Host/Authority header. +If one or more IP addresses are specified, +the incoming traffic will be identified as belonging to this service +if the destination IP matches the IP/CIDRs specified in the addresses +field. If the Addresses field is empty, traffic will be identified +solely based on the destination port. In such scenarios, the port on +which the service is being accessed must not be shared by any other +service in the mesh. In other words, the sidecar will behave as a +simple TCP proxy, forwarding incoming traffic on a specified port to +the specified destination endpoint IP/host. Unix domain socket addresses are not supported in this field.

        ports Port[] -

        The ports associated with the external service. If the
        -Endpoints are Unix domain socket addresses, there must be exactly one
        +

        The ports associated with the external service. If the +Endpoints are Unix domain socket addresses, there must be exactly one port.

        location Location -

        Specify whether the service should be considered external to the mesh
        +

        Specify whether the service should be considered external to the mesh or part of the mesh.

        resolution Resolution -

        Service discovery mode for the hosts. Care must be taken
        -when setting the resolution mode to NONE for a TCP port without
        -accompanying IP addresses. In such cases, traffic to any IP on
        +

        Service discovery mode for the hosts. Care must be taken +when setting the resolution mode to NONE for a TCP port without +accompanying IP addresses. In such cases, traffic to any IP on said port will be allowed (i.e. 0.0.0.0:<port>).

        endpoints WorkloadEntry[] -

        One or more endpoints associated with the service. Only one of
        +

        One or more endpoints associated with the service. Only one of endpoints or workloadSelector can be specified.

        workloadSelector WorkloadSelector -

        Applicable only for MESH_INTERNAL services. Only one of
        -endpoints or workloadSelector can be specified. Selects one
        -or more Kubernetes pods or VM workloads (specified using
        -WorkloadEntry) based on their labels. The WorkloadEntry object
        -representing the VMs should be defined in the same namespace as
        +

        Applicable only for MESH_INTERNAL services. Only one of +endpoints or workloadSelector can be specified. Selects one +or more Kubernetes pods or VM workloads (specified using +WorkloadEntry) based on their labels. The WorkloadEntry object +representing the VMs should be defined in the same namespace as the ServiceEntry.

        exportTo string[] -

        A list of namespaces to which this service is exported. Exporting a service
        -allows it to be used by sidecars, gateways and virtual services defined in
        -other namespaces. This feature provides a mechanism for service owners
        -and mesh administrators to control the visibility of services across
        +

        A list of namespaces to which this service is exported. Exporting a service +allows it to be used by sidecars, gateways and virtual services defined in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of services across namespace boundaries.

        -

        If no namespaces are specified then the service is exported to all
        +

        If no namespaces are specified then the service is exported to all namespaces by default.

        -

        The value "." is reserved and defines an export to the same namespace that
        -the service is declared in. Similarly the value "*" is reserved and
        +

        The value "." is reserved and defines an export to the same namespace that +the service is declared in. Similarly the value "*" is reserved and defines an export to all namespaces.

        -

        For a Kubernetes Service, the equivalent effect can be achieved by setting
        -the annotation "networking.istio.io/exportTo" to a comma-separated list
        +

        For a Kubernetes Service, the equivalent effect can be achieved by setting +the annotation "networking.istio.io/exportTo" to a comma-separated list of namespace names.

        subjectAltNames string[] -

        If specified, the proxy will verify that the server certificate's
        +

        If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values.

        -

        NOTE: When using the workloadEntry with workloadSelectors, the
        -service account specified in the workloadEntry will also be used
        -to derive the additional subject alternate names that should be
        +

        NOTE: When using the workloadEntry with workloadSelectors, the +service account specified in the workloadEntry will also be used +to derive the additional subject alternate names that should be verified.

        @@ -886,7 +886,7 @@

        ServiceEntry.Location

        @@ -894,9 +894,9 @@

        ServiceEntry.Location

        @@ -906,14 +906,14 @@

        ServiceEntry.Location

        ServiceEntry.Resolution

        -

        Resolution determines how the proxy will resolve the IP addresses of
        -the network endpoints associated with the service, so that it can
        -route to one of them. The resolution mode specified here has no impact
        -on how the application resolves the IP address associated with the
        -service. The application may still have to use DNS to resolve the
        -service to an IP so that the outbound traffic can be captured by the
        -Proxy. Alternatively, for HTTP services, the application could
        -directly communicate with the proxy (e.g., by setting HTTP_PROXY) to
        +

        Resolution determines how the proxy will resolve the IP addresses of +the network endpoints associated with the service, so that it can +route to one of them. The resolution mode specified here has no impact +on how the application resolves the IP address associated with the +service. The application may still have to use DNS to resolve the +service to an IP so that the outbound traffic can be captured by the +Proxy. Alternatively, for HTTP services, the application could +directly communicate with the proxy (e.g., by setting HTTP_PROXY) to talk to these services.

        MESH_EXTERNAL -

        Signifies that the service is external to the mesh. Typically used
        +

        Signifies that the service is external to the mesh. Typically used to indicate external services consumed through APIs.

        MESH_INTERNAL -

        Signifies that the service is part of the mesh. Typically used to
        -indicate services added explicitly as part of expanding the service
        -mesh to include unmanaged infrastructure (e.g., VMs added to a
        +

        Signifies that the service is part of the mesh. Typically used to +indicate services added explicitly as part of expanding the service +mesh to include unmanaged infrastructure (e.g., VMs added to a Kubernetes based service mesh).

        @@ -927,11 +927,11 @@

        ServiceEntry.Resolution

        @@ -939,7 +939,7 @@

        ServiceEntry.Resolution

        @@ -947,12 +947,12 @@

        ServiceEntry.Resolution

        @@ -960,15 +960,15 @@

        ServiceEntry.Resolution

        diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html index 469a6c88cc9e7..7bf3b1bee4413 100644 --- a/content/en/docs/reference/config/networking/sidecar/index.html +++ b/content/en/docs/reference/config/networking/sidecar/index.html @@ -10,45 +10,45 @@ aliases: [/docs/reference/config/networking/v1alpha3/sidecar] number_of_entries: 7 --- -

        Sidecar describes the configuration of the sidecar proxy that mediates
        -inbound and outbound communication to the workload instance it is attached to. By
        -default, Istio will program all sidecar proxies in the mesh with the
        -necessary configuration required to reach every workload instance in the mesh, as
        -well as accept traffic on all the ports associated with the
        -workload. The Sidecar configuration provides a way to fine tune the set of
        -ports, protocols that the proxy will accept when forwarding traffic to
        -and from the workload. In addition, it is possible to restrict the set
        -of services that the proxy can reach when forwarding outbound traffic
        +

        Sidecar describes the configuration of the sidecar proxy that mediates +inbound and outbound communication to the workload instance it is attached to. By +default, Istio will program all sidecar proxies in the mesh with the +necessary configuration required to reach every workload instance in the mesh, as +well as accept traffic on all the ports associated with the +workload. The Sidecar configuration provides a way to fine tune the set of +ports, protocols that the proxy will accept when forwarding traffic to +and from the workload. In addition, it is possible to restrict the set +of services that the proxy can reach when forwarding outbound traffic from workload instances.

        -

        Services and configuration in a mesh are organized into one or more
        -namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar
        -configuration in a namespace will apply to one or more workload instances in the same
        -namespace, selected using the workloadSelector field. In the absence of a
        -workloadSelector, it will apply to all workload instances in the same
        -namespace. When determining the Sidecar configuration to be applied to a
        -workload instance, preference will be given to the resource with a
        -workloadSelector that selects this workload instance, over a Sidecar configuration
        +

        Services and configuration in a mesh are organized into one or more +namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar +configuration in a namespace will apply to one or more workload instances in the same +namespace, selected using the workloadSelector field. In the absence of a +workloadSelector, it will apply to all workload instances in the same +namespace. When determining the Sidecar configuration to be applied to a +workload instance, preference will be given to the resource with a +workloadSelector that selects this workload instance, over a Sidecar configuration without any workloadSelector.

        -

        NOTE 1: Each namespace can have only one Sidecar
        -configuration without any workloadSelector
        that specifies the
        -default for all pods in that namespace
        . It is recommended to use
        -the name default for the namespace-wide sidecar. The behavior of
        -the system is undefined if more than one selector-less Sidecar
        -configurations exist in a given namespace. The behavior of the
        -system is undefined if two or more Sidecar configurations with a
        +

        NOTE 1: Each namespace can have only one Sidecar +configuration without any workloadSelector that specifies the +default for all pods in that namespace. It is recommended to use +the name default for the namespace-wide sidecar. The behavior of +the system is undefined if more than one selector-less Sidecar +configurations exist in a given namespace. The behavior of the +system is undefined if two or more Sidecar configurations with a workloadSelector select the same workload instance.

        -

        NOTE 2: A Sidecar configuration in the MeshConfig
        -root namespace
        -will be applied by default to all namespaces without a Sidecar
        -configuration
        . This global default Sidecar configuration should not have
        +

        NOTE 2: A Sidecar configuration in the MeshConfig +root namespace +will be applied by default to all namespaces without a Sidecar +configuration. This global default Sidecar configuration should not have any workloadSelector.

        -

        The example below declares a global default Sidecar configuration
        -in the root namespace called istio-config, that configures
        -sidecars in all namespaces to allow egress traffic only to other
        -workloads in the same namespace as well as to services in the
        +

        The example below declares a global default Sidecar configuration +in the root namespace called istio-config, that configures +sidecars in all namespaces to allow egress traffic only to other +workloads in the same namespace as well as to services in the istio-system namespace.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Sidecar
         metadata:
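Review bot: number agreement is off in NOTE 1 on the `+` line, "the behavior of the system is undefined if more than one selector-less Sidecar configurations exist in a given namespace"; it should be "more than one selector-less Sidecar configuration exists". Two smaller style points in the same hunk: "fine tune the set of ports, protocols that the proxy will accept" reads better as "fine-tune the set of ports and protocols that the proxy will accept".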
        @@ -60,8 +60,8 @@
             - "./*"
             - "istio-system/*"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Sidecar
         metadata:
        @@ -73,15 +73,15 @@
             - "./*"
             - "istio-system/*"
         
        -

        {{}}
        -{{}}

        -

        The example below declares a Sidecar configuration in the
        -prod-us1 namespace that overrides the global default defined
        -above, and configures the sidecars in the namespace to allow egress
        -traffic to public services in the prod-us1, prod-apis, and the
        +

        {{}} +{{}}

        +

        The example below declares a Sidecar configuration in the +prod-us1 namespace that overrides the global default defined +above, and configures the sidecars in the namespace to allow egress +traffic to public services in the prod-us1, prod-apis, and the istio-system namespaces.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Sidecar
         metadata:
        @@ -94,8 +94,8 @@
             - "prod-apis/*"
             - "istio-system/*"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Sidecar
         metadata:
        @@ -108,18 +108,18 @@
             - "prod-apis/*"
             - "istio-system/*"
         
        -

        {{}}
        -{{}}

        -

        The following example declares a Sidecar configuration in the
        -prod-us1 namespace for all pods with labels app: ratings
        -belonging to the ratings.prod-us1 service. The workload accepts
        -inbound HTTP traffic on port 9080. The traffic is then forwarded to
        -the attached workload instance listening on a Unix domain
        -socket. In the egress direction, in addition to the istio-system
        -namespace, the sidecar proxies only HTTP traffic bound for port
        +

        {{}} +{{}}

        +

        The following example declares a Sidecar configuration in the +prod-us1 namespace for all pods with labels app: ratings +belonging to the ratings.prod-us1 service. The workload accepts +inbound HTTP traffic on port 9080. The traffic is then forwarded to +the attached workload instance listening on a Unix domain +socket. In the egress direction, in addition to the istio-system +namespace, the sidecar proxies only HTTP traffic bound for port 9080 for services in the prod-us1 namespace.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Sidecar
         metadata:
        @@ -145,8 +145,8 @@
           - hosts:
             - "istio-system/*"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Sidecar
         metadata:
        @@ -172,24 +172,24 @@
           - hosts:
             - "istio-system/*"
         
        -

        {{}}
        -{{}}

        -

        If the workload is deployed without IPTables-based traffic capture,
        -the Sidecar configuration is the only way to configure the ports
        -on the proxy attached to the workload instance. The following
        -example declares a Sidecar configuration in the prod-us1
        -namespace for all pods with labels app: productpage belonging to
        -the productpage.prod-us1 service. Assuming that these pods are
        -deployed without IPtable rules (i.e. the istio-init container)
        -and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to
        -NONE, the specification, below, allows such pods to receive HTTP
        -traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
        -it to the application listening on 127.0.0.1:8080. It also allows
        -the application to communicate with a backing MySQL database on
        -127.0.0.1:3306, that then gets proxied to the externally hosted
        +

        {{}} +{{}}

        +

        If the workload is deployed without IPTables-based traffic capture, +the Sidecar configuration is the only way to configure the ports +on the proxy attached to the workload instance. The following +example declares a Sidecar configuration in the prod-us1 +namespace for all pods with labels app: productpage belonging to +the productpage.prod-us1 service. Assuming that these pods are +deployed without IPtable rules (i.e. the istio-init container) +and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to +NONE, the specification, below, allows such pods to receive HTTP +traffic on port 9080 (wrapped inside Istio mutual TLS) and forward +it to the application listening on 127.0.0.1:8080. It also allows +the application to communicate with a backing MySQL database on +127.0.0.1:3306, that then gets proxied to the externally hosted MySQL service at mysql.foo.com:3306.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Sidecar
         metadata:
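Review bot: the spelling of iptables is inconsistent inside the one joined paragraph on the `+` line, which has both "IPTables-based traffic capture" and "deployed without IPtable rules"; pick a single form (the project name is written "iptables") and use it throughout. The same sentence has stray commas in "the specification, below, allows such pods", which should be "the specification below allows such pods".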
        @@ -216,8 +216,8 @@
             hosts:
             - "*/mysql.foo.com"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Sidecar
         metadata:
        @@ -244,11 +244,11 @@
             hosts:
             - "*/mysql.foo.com"
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        And the associated service entry for routing to mysql.foo.com:3306

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -264,8 +264,8 @@
           location: MESH_EXTERNAL
           resolution: DNS
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -281,21 +281,21 @@
           location: MESH_EXTERNAL
           resolution: DNS
         
        -

        {{}}
        -{{}}

        -

        It is also possible to mix and match traffic capture modes in a single
        -proxy. For example, consider a setup where internal services are on the
        -192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
        -outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an
        -additional network interface on 172.16.0.0/16 subnet for inbound
        -traffic. The following Sidecar configuration allows the VM to expose a
        -listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the
        +

        {{}} +{{}}

        +

        It is also possible to mix and match traffic capture modes in a single +proxy. For example, consider a setup where internal services are on the +192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all +outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an +additional network interface on 172.16.0.0/16 subnet for inbound +traffic. The following Sidecar configuration allows the VM to expose a +listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the 172.16.0.0/16 subnet.

        -

        NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the
        -proxy in the VM should contain REDIRECT or TPROXY as its value,
        +

        NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the +proxy in the VM should contain REDIRECT or TPROXY as its value, implying that IP tables based traffic capture is active.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Sidecar
         metadata:
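Review bot: "IP tables are setup on the VM to capture all outbound traffic on 192.168.0.0/16 subnet" on the `+` line uses the noun "setup" where the verb is meant, and is missing an article; suggest "iptables rules are set up on the VM to capture all outbound traffic on the 192.168.0.0/16 subnet", which also aligns the spelling with the earlier "IPTables-based" example.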
        @@ -322,8 +322,8 @@
             hosts:
             - "*/*"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: Sidecar
         metadata:
        @@ -350,22 +350,22 @@
             hosts:
             - "*/*"
         
        -

        {{}}
        -{{}}

        -

        The following example declares a Sidecar configuration in the
        -prod-us1 namespace for all pods with labels app: ratings
        -belonging to the ratings.prod-us1 service. The service accepts
        -inbound HTTPS traffic on port 8443 and the sidecar proxy terminates
        -one way TLS using the given server certificates.
        -The traffic is then forwarded to the attached workload instance
        -listening on a Unix domain socket.
        -It is expected that PeerAuthentication policy would be configured
        -in order to set mTLS mode to "DISABLE" on specific
        -ports.
        -In this example, the mTLS mode is disabled on PORT 80.
        +

        {{}} +{{}}

        +

        The following example declares a Sidecar configuration in the +prod-us1 namespace for all pods with labels app: ratings +belonging to the ratings.prod-us1 service. The service accepts +inbound HTTPS traffic on port 8443 and the sidecar proxy terminates +one way TLS using the given server certificates. +The traffic is then forwarded to the attached workload instance +listening on a Unix domain socket. +It is expected that PeerAuthentication policy would be configured +in order to set mTLS mode to "DISABLE" on specific +ports. +In this example, the mTLS mode is disabled on PORT 80. This feature is currently experimental.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: Sidecar
         metadata:
        @@ -386,8 +386,8 @@
               privateKey: "/etc/certs/privatekey.pem"
               serverCertificate: "/etc/certs/servercert.pem"
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: v1
         kind: Service
         metadata:
        @@ -403,8 +403,8 @@
           selector:
             app: ratings
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: security.istio.io/v1beta1
         kind: PeerAuthentication
         metadata:
        @@ -420,13 +420,13 @@
             80:
               mode: DISABLE
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        Sidecar

        -

        Sidecar describes the configuration of the sidecar proxy that mediates
        -inbound and outbound communication of the workload instance to which it is
        +

        Sidecar describes the configuration of the sidecar proxy that mediates +inbound and outbound communication of the workload instance to which it is attached.

        NONE -

        Assume that incoming connections have already been resolved (to a
        -specific destination IP address). Such connections are typically
        -routed via the proxy using mechanisms such as IP table REDIRECT/
        -eBPF. After performing any routing related transformations, the
        -proxy will forward the connection to the IP address to which the
        +

        Assume that incoming connections have already been resolved (to a +specific destination IP address). Such connections are typically +routed via the proxy using mechanisms such as IP table REDIRECT/ +eBPF. After performing any routing related transformations, the +proxy will forward the connection to the IP address to which the connection was bound.
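Review bot: joining the wrapped lines leaves a stray space after the slash on the `+` line, "routed via the proxy using mechanisms such as IP table REDIRECT/ eBPF", because the `-` side broke the line immediately after the slash ("-routed via the proxy using mechanisms such as IP table REDIRECT/" followed by "-eBPF."). Either re-wrap the source so the slash is not at a line end or spell it out as "iptables REDIRECT or eBPF" so the rendered text does not depend on how the renderer joins lines.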

        STATIC -

        Use the static IP addresses specified in endpoints (see below) as the
        +

        Use the static IP addresses specified in endpoints (see below) as the backing instances associated with the service.

        DNS -

        Attempt to resolve the IP address by querying the ambient DNS,
        -asynchronously. If no endpoints are specified, the proxy
        -will resolve the DNS address specified in the hosts field, if
        -wildcards are not used. If endpoints are specified, the DNS
        -addresses specified in the endpoints will be resolved to determine
        -the destination IP address. DNS resolution cannot be used with Unix
        +

        Attempt to resolve the IP address by querying the ambient DNS, +asynchronously. If no endpoints are specified, the proxy +will resolve the DNS address specified in the hosts field, if +wildcards are not used. If endpoints are specified, the DNS +addresses specified in the endpoints will be resolved to determine +the destination IP address. DNS resolution cannot be used with Unix domain socket endpoints.

        DNS_ROUND_ROBIN -

        Attempt to resolve the IP address by querying the ambient DNS,
        -asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the
        -first IP address returned when a new connection needs to be initiated
        -without relying on complete results of DNS resolution, and connections
        -made to hosts will be retained even if DNS records change frequently
        -eliminating draining connection pools and connection cycling.
        -This is best suited for large web scale services that
        -must be accessed via DNS. The proxy will resolve the DNS address
        -specified in the hosts field, if wildcards are not used. DNS resolution
        +

        Attempt to resolve the IP address by querying the ambient DNS, +asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the +first IP address returned when a new connection needs to be initiated +without relying on complete results of DNS resolution, and connections +made to hosts will be retained even if DNS records change frequently +eliminating draining connection pools and connection cycling. +This is best suited for large web scale services that +must be accessed via DNS. The proxy will resolve the DNS address +specified in the hosts field, if wildcards are not used. DNS resolution cannot be used with Unix domain socket endpoints.

        @@ -443,8 +443,8 @@

        Sidecar

        @@ -456,11 +456,11 @@

        Sidecar

        @@ -472,9 +472,9 @@

        Sidecar

        @@ -486,12 +486,12 @@

        Sidecar

        @@ -504,7 +504,7 @@

        Sidecar

        IstioIngressListener

        -

        IstioIngressListener specifies the properties of an inbound
        +

        IstioIngressListener specifies the properties of an inbound traffic listener on the sidecar proxy attached to a workload instance.

        workloadSelector WorkloadSelector -

        Criteria used to select the specific set of pods/VMs on which this
        -Sidecar configuration should be applied. If omitted, the Sidecar
        +

        Criteria used to select the specific set of pods/VMs on which this +Sidecar configuration should be applied. If omitted, the Sidecar configuration will be applied to all workload instances in the same namespace.

        ingress IstioIngressListener[] -

        Ingress specifies the configuration of the sidecar for processing
        -inbound traffic to the attached workload instance. If omitted, Istio will
        -automatically configure the sidecar based on the information about the workload
        -obtained from the orchestration platform (e.g., exposed ports, services,
        -etc.). If specified, inbound ports are configured if and only if the
        +

        Ingress specifies the configuration of the sidecar for processing +inbound traffic to the attached workload instance. If omitted, Istio will +automatically configure the sidecar based on the information about the workload +obtained from the orchestration platform (e.g., exposed ports, services, +etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.

        egress IstioEgressListener[] -

        Egress specifies the configuration of the sidecar for processing
        -outbound traffic from the attached workload instance to other
        -services in the mesh. If not specified, inherits the system
        +

        Egress specifies the configuration of the sidecar for processing +outbound traffic from the attached workload instance to other +services in the mesh. If not specified, inherits the system detected defaults from the namespace-wide or the global default Sidecar.

        outboundTrafficPolicy OutboundTrafficPolicy -

        Configuration for the outbound traffic policy. If your
        -application uses one or more external services that are not known
        -apriori, setting the policy to ALLOW_ANY will cause the
        -sidecars to route any unknown traffic originating from the
        -application to its requested destination. If not specified,
        -inherits the system detected defaults from the namespace-wide or
        +

        Configuration for the outbound traffic policy. If your +application uses one or more external services that are not known +apriori, setting the policy to ALLOW_ANY will cause the +sidecars to route any unknown traffic originating from the +application to its requested destination. If not specified, +inherits the system detected defaults from the namespace-wide or the global default Sidecar.

        @@ -532,11 +532,11 @@

        IstioIngressListener

        @@ -548,7 +548,7 @@

        IstioIngressListener

        @@ -560,13 +560,13 @@

        IstioIngressListener

        @@ -578,8 +578,8 @@

        IstioIngressListener

        @@ -592,7 +592,7 @@

        IstioIngressListener

        IstioEgressListener

        -

        IstioEgressListener specifies the properties of an outbound traffic
        +

        IstioEgressListener specifies the properties of an outbound traffic listener on the sidecar proxy attached to a workload instance.

        bind string -

        The IP(IPv4 or IPv6) to which the listener should be bound.
        -Unix domain socket addresses are not allowed in
        -the bind field for ingress listeners. If omitted, Istio will
        -automatically configure the defaults based on imported services
        -and the workload instances to which this configuration is applied
        +

        The IP(IPv4 or IPv6) to which the listener should be bound. +Unix domain socket addresses are not allowed in +the bind field for ingress listeners. If omitted, Istio will +automatically configure the defaults based on imported services +and the workload instances to which this configuration is applied to.

        captureMode CaptureMode -

        The captureMode option dictates how traffic to the listener is
        +

        The captureMode option dictates how traffic to the listener is expected to be captured (or not).

        defaultEndpoint string -

        The IP endpoint or Unix domain socket to which
        -traffic should be forwarded to. This configuration can be used to
        -redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port
        -or Unix domain socket where the application workload instance is listening for
        -connections. Arbitrary IPs are not supported. Format should be one of
        -127.0.0.1:PORT, [::1]:PORT (forward to localhost),
        -0.0.0.0:PORT, [::]:PORT (forward to the instance IP),
        +

        The IP endpoint or Unix domain socket to which +traffic should be forwarded to. This configuration can be used to +redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port +or Unix domain socket where the application workload instance is listening for +connections. Arbitrary IPs are not supported. Format should be one of +127.0.0.1:PORT, [::1]:PORT (forward to localhost), +0.0.0.0:PORT, [::]:PORT (forward to the instance IP), or unix:///path/to/socket (forward to Unix domain socket).

        tls ServerTLSSettings -

        Set of TLS related options that will enable TLS termination on the
        -sidecar for requests originating from outside the mesh.
        +

        Set of TLS related options that will enable TLS termination on the +sidecar for requests originating from outside the mesh. Currently supports only SIMPLE and MUTUAL TLS modes.

        @@ -609,14 +609,14 @@

        IstioEgressListener

        @@ -628,12 +628,12 @@

        IstioEgressListener

        @@ -645,8 +645,8 @@

        IstioEgressListener

        @@ -658,29 +658,29 @@

        IstioEgressListener

        @@ -693,14 +693,14 @@

        IstioEgressListener

        WorkloadSelector

        -

        WorkloadSelector specifies the criteria used to determine if the
        -Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule
        -configuration can be applied to a proxy. The matching criteria
        -includes the metadata associated with a proxy, workload instance
        -info such as labels attached to the pod/VM, or any other info that
        -the proxy provides to Istio during the initial handshake. If
        -multiple conditions are specified, all conditions need to match in
        -order for the workload instance to be selected. Currently, only
        +

        WorkloadSelector specifies the criteria used to determine if the +Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule +configuration can be applied to a proxy. The matching criteria +includes the metadata associated with a proxy, workload instance +info such as labels attached to the pod/VM, or any other info that +the proxy provides to Istio during the initial handshake. If +multiple conditions are specified, all conditions need to match in +order for the workload instance to be selected. Currently, only label based selection mechanism is supported.

        port Port -

        The port associated with the listener. If using Unix domain socket,
        -use 0 as the port number, with a valid protocol. The port if
        -specified, will be used as the default destination port associated
        -with the imported hosts. If the port is omitted, Istio will infer the
        -listener ports based on the imported hosts. Note that when multiple
        -egress listeners are specified, where one or more listeners have
        -specific ports while others have no port, the hosts exposed on a
        -listener port will be based on the listener with the most specific
        +

        The port associated with the listener. If using Unix domain socket, +use 0 as the port number, with a valid protocol. The port if +specified, will be used as the default destination port associated +with the imported hosts. If the port is omitted, Istio will infer the +listener ports based on the imported hosts. Note that when multiple +egress listeners are specified, where one or more listeners have +specific ports while others have no port, the hosts exposed on a +listener port will be based on the listener with the most specific port.

        bind string -

        The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound
        -to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or
        -unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If
        -omitted, Istio will automatically configure the defaults based on imported
        -services, the workload instances to which this configuration is applied to and
        -the captureMode. If captureMode is NONE, bind will default to
        +

        The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound +to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or +unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If +omitted, Istio will automatically configure the defaults based on imported +services, the workload instances to which this configuration is applied to and +the captureMode. If captureMode is NONE, bind will default to 127.0.0.1.

        captureMode CaptureMode -

        When the bind address is an IP, the captureMode option dictates
        -how traffic to the listener is expected to be captured (or not).
        +

        When the bind address is an IP, the captureMode option dictates +how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds.

        hosts string[] -

        One or more service hosts exposed by the listener
        -in namespace/dnsName format. Services in the specified namespace
        -matching dnsName will be exposed.
        -The corresponding service can be a service in the service registry
        -(e.g., a Kubernetes or cloud foundry service) or a service specified
        -using a ServiceEntry or VirtualService configuration. Any
        +

        One or more service hosts exposed by the listener +in namespace/dnsName format. Services in the specified namespace +matching dnsName will be exposed. +The corresponding service can be a service in the service registry +(e.g., a Kubernetes or cloud foundry service) or a service specified +using a ServiceEntry or VirtualService configuration. Any associated DestinationRule in the same namespace will also be used.

        -

        The dnsName should be specified using FQDN format, optionally including
        -a wildcard character in the left-most component (e.g., prod/*.example.com).
        -Set the dnsName to * to select all services from the specified namespace
        +

        The dnsName should be specified using FQDN format, optionally including +a wildcard character in the left-most component (e.g., prod/*.example.com). +Set the dnsName to * to select all services from the specified namespace (e.g., prod/*).

        -

        The namespace can be set to *, ., or ~, representing any, the current,
        -or no namespace, respectively. For example, */foo.example.com selects the
        -service from any available namespace while ./foo.example.com only selects
        -the service from the namespace of the sidecar. If a host is set to */*,
        -Istio will configure the sidecar to be able to reach every service in the
        -mesh that is exported to the sidecar's namespace. The value ~/* can be used
        -to completely trim the configuration for sidecars that simply receive traffic
        +

        The namespace can be set to *, ., or ~, representing any, the current, +or no namespace, respectively. For example, */foo.example.com selects the +service from any available namespace while ./foo.example.com only selects +the service from the namespace of the sidecar. If a host is set to */*, +Istio will configure the sidecar to be able to reach every service in the +mesh that is exported to the sidecar's namespace. The value ~/* can be used +to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.

        -

        NOTE: Only services and configuration artifacts exported to the sidecar's
        -namespace (e.g., exportTo value of *) can be referenced.
        -Private configurations (e.g., exportTo set to .) will
        -not be available. Refer to the exportTo setting in VirtualService,
        +

        NOTE: Only services and configuration artifacts exported to the sidecar's +namespace (e.g., exportTo value of *) can be referenced. +Private configurations (e.g., exportTo set to .) will +not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.
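Review bot: the ingress `bind` description on the added side still ends "to which this configuration is applied to." (duplicated preposition) and the `defaultEndpoint` text still reads "to which traffic should be forwarded to."; both are unchanged from the removed side, so they come from the proto comments in istio/api and should be fixed there rather than in the generated HTML. The lines in this hunk that matter for a security review, the `tls` note that only SIMPLE and MUTUAL modes are supported and the egress `bind` default of 127.0.0.1 when `captureMode` is NONE, are carried over intact; verify they rendered as separate field rows and were not merged into the surrounding paragraph.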

        @@ -717,9 +717,9 @@

        WorkloadSelector

        @@ -732,14 +732,14 @@

        WorkloadSelector

        OutboundTrafficPolicy

        -

        OutboundTrafficPolicy sets the default behavior of the sidecar for
        -handling outbound traffic from the application.
        -If your application uses one or more external
        -services that are not known apriori, setting the policy to ALLOW_ANY
        -will cause the sidecars to route any unknown traffic originating from
        -the application to its requested destination. Users are strongly
        -encouraged to use ServiceEntry configurations to explicitly declare any external
        -dependencies, instead of using ALLOW_ANY, so that traffic to these
        +

        OutboundTrafficPolicy sets the default behavior of the sidecar for +handling outbound traffic from the application. +If your application uses one or more external +services that are not known apriori, setting the policy to ALLOW_ANY +will cause the sidecars to route any unknown traffic originating from +the application to its requested destination. Users are strongly +encouraged to use ServiceEntry configurations to explicitly declare any external +dependencies, instead of using ALLOW_ANY, so that traffic to these services can be monitored.

        labels map<string, string> -

        One or more labels that indicate a specific set of pods/VMs
        -on which the configuration should be applied. The scope of
        -label search is restricted to the configuration namespace in which the
        +

        One or more labels that indicate a specific set of pods/VMs +on which the configuration should be applied. The scope of +label search is restricted to the configuration namespace in which the the resource is present.

        @@ -777,7 +777,7 @@

        OutboundTrafficPolicy.Mode

        @@ -785,7 +785,7 @@

        OutboundTrafficPolicy.Mode

        @@ -795,7 +795,7 @@

        OutboundTrafficPolicy.Mode

        CaptureMode

        -

        CaptureMode describes how traffic to a listener is expected to be
        +

        CaptureMode describes how traffic to a listener is expected to be captured. Applicable only when the listener is bound to an IP.

        REGISTRY_ONLY -

        Outbound traffic will be restricted to services defined in the
        +

        Outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntry configurations.

        ALLOW_ANY -

        Outbound traffic to unknown destinations will be allowed, in case
        +

        Outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntry configurations for the destination port.
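Review bot: the `labels` description on the added side reads "restricted to the configuration namespace in which the the resource is present" (doubled "the"); it is identical on the removed side, so the correction belongs in the istio/api proto comment. The OutboundTrafficPolicy paragraph recommending ServiceEntry over ALLOW_ANY so that external traffic can be monitored, and the REGISTRY_ONLY and ALLOW_ANY mode descriptions, survive the re-rendering unchanged, which is the part of this page an egress-policy review depends on.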

        @@ -823,10 +823,10 @@

        CaptureMode

        diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html index 857e045e37e18..f1e6743618a26 100644 --- a/content/en/docs/reference/config/networking/virtual-service/index.html +++ b/content/en/docs/reference/config/networking/virtual-service/index.html @@ -10,41 +10,41 @@ aliases: [/docs/reference/config/networking/v1alpha3/virtual-service] number_of_entries: 27 --- -

        Configuration affecting traffic routing. Here are a few terms useful to define
        +

        Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

        -

        Service a unit of application behavior bound to a unique name in a
        -service registry. Services consist of multiple network endpoints
        +

        Service a unit of application behavior bound to a unique name in a +service registry. Services consist of multiple network endpoints implemented by workload instances running on pods, containers, VMs etc.

        -

        Service versions (a.k.a. subsets) - In a continuous deployment
        -scenario, for a given service, there can be distinct subsets of
        -instances running different variants of the application binary. These
        -variants are not necessarily different API versions. They could be
        -iterative changes to the same service, deployed in different
        -environments (prod, staging, dev, etc.). Common scenarios where this
        -occurs include A/B testing, canary rollouts, etc. The choice of a
        -particular version can be decided based on various criterion (headers,
        -url, etc.) and/or by weights assigned to each version. Each service has
        +

        Service versions (a.k.a. subsets) - In a continuous deployment +scenario, for a given service, there can be distinct subsets of +instances running different variants of the application binary. These +variants are not necessarily different API versions. They could be +iterative changes to the same service, deployed in different +environments (prod, staging, dev, etc.). Common scenarios where this +occurs include A/B testing, canary rollouts, etc. The choice of a +particular version can be decided based on various criterion (headers, +url, etc.) and/or by weights assigned to each version. Each service has a default version consisting of all its instances.

        Source - A downstream client calling a service.

        -

        Host - The address used by a client when attempting to connect to a
        +

        Host - The address used by a client when attempting to connect to a service.

        -

        Access model - Applications address only the destination service
        -(Host) without knowledge of individual service versions (subsets). The
        -actual choice of the version is determined by the proxy/sidecar, enabling the
        -application code to decouple itself from the evolution of dependent
        +

        Access model - Applications address only the destination service +(Host) without knowledge of individual service versions (subsets). The +actual choice of the version is determined by the proxy/sidecar, enabling the +application code to decouple itself from the evolution of dependent services.

        -

        A VirtualService defines a set of traffic routing rules to apply when a host is
        -addressed. Each routing rule defines matching criteria for traffic of a specific
        -protocol. If the traffic is matched, then it is sent to a named destination service
        +

        A VirtualService defines a set of traffic routing rules to apply when a host is +addressed. Each routing rule defines matching criteria for traffic of a specific +protocol. If the traffic is matched, then it is sent to a named destination service (or subset/version of it) defined in the registry.

        -

        The source of traffic can also be matched in a routing rule. This allows routing
        +

        The source of traffic can also be matched in a routing rule. This allows routing to be customized for specific client contexts.

        -

        The following example on Kubernetes, routes all HTTP traffic by default to
        -pods of the reviews service with label "version: v1". In addition,
        -HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
        +

        The following example on Kubernetes, routes all HTTP traffic by default to +pods of the reviews service with label "version: v1". In addition, +HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will be rewritten to /newcatalog and sent to pods with label "version: v2".

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
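Review bot: two grammar nits survive in the regenerated text of this hunk: "can be decided based on various criterion" should read "criteria", and "The following example on Kubernetes, routes all HTTP traffic" has a stray comma before the verb; both are identical on the removed side, so they originate in the VirtualService proto comments in istio/api, not in the renderer switch. The front matter in the hunk context (`aliases` and `number_of_entries: 27`) is unchanged, as expected for a renderer-only change.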
        @@ -71,8 +71,8 @@
                 host: reviews.prod.svc.cluster.local
                 subset: v1
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -99,13 +99,13 @@
                 host: reviews.prod.svc.cluster.local
                 subset: v1
         
        -

        {{}}
        -{{}}

        -

        A subset/version of a route destination is identified with a reference
        -to a named service subset which must be declared in a corresponding
        +

        {{}} +{{}}

        +

        A subset/version of a route destination is identified with a reference +to a named service subset which must be declared in a corresponding DestinationRule.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -120,8 +120,8 @@
             labels:
               version: v2
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -136,8 +136,8 @@
             labels:
               version: v2
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        VirtualService

        @@ -157,29 +157,29 @@

        VirtualService

        @@ -215,10 +215,10 @@

        VirtualService

        @@ -230,14 +230,14 @@

        VirtualService

        @@ -249,8 +249,8 @@

        VirtualService

        @@ -262,15 +262,15 @@

        VirtualService

        @@ -283,26 +283,26 @@

        VirtualService

        Destination

        -

        Destination indicates the network addressable service to which the
        -request/connection will be sent after processing a routing rule. The
        -destination.host should unambiguously refer to a service in the service
        -registry. Istio's service registry is composed of all the services found
        -in the platform's service registry (e.g., Kubernetes services, Consul
        -services), as well as services declared through the
        +

        Destination indicates the network addressable service to which the +request/connection will be sent after processing a routing rule. The +destination.host should unambiguously refer to a service in the service +registry. Istio's service registry is composed of all the services found +in the platform's service registry (e.g., Kubernetes services, Consul +services), as well as services declared through the ServiceEntry resource.

        -

        Note for Kubernetes users: When short names are used (e.g. "reviews"
        -instead of "reviews.default.svc.cluster.local"), Istio will interpret
        -the short name based on the namespace of the rule, not the service. A
        -rule in the "default" namespace containing a host "reviews will be
        -interpreted as "reviews.default.svc.cluster.local", irrespective of the
        -actual namespace associated with the reviews service. To avoid potential
        -misconfigurations, it is recommended to always use fully qualified
        +

        Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews will be +interpreted as "reviews.default.svc.cluster.local", irrespective of the +actual namespace associated with the reviews service. To avoid potential +misconfigurations, it is recommended to always use fully qualified domain names over short names.

        -

        The following Kubernetes example routes all traffic by default to pods
        -of the reviews service with label "version: v1" (i.e., subset v1), and
        +

        The following Kubernetes example routes all traffic by default to pods +of the reviews service with label "version: v1" (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
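Review bot: the Kubernetes short-name note in this hunk has an unbalanced quote on the added side, `a host "reviews will be +interpreted as "reviews.default.svc.cluster.local"`; the removed side carries the same text, so fix the upstream proto comment. This is the paragraph warning that a short host name is resolved against the rule's namespace rather than the service's, a common source of routing misconfiguration, so it is worth getting the quoting right.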
        @@ -328,8 +328,8 @@ 

        Destination

        host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -355,11 +355,11 @@ 

        Destination

        host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        And the associated DestinationRule

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -375,8 +375,8 @@ 

        Destination

        labels: version: v2
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -392,19 +392,19 @@ 

        Destination

        labels: version: v2
        -

        {{}}
        -{{}}

        -

        The following VirtualService sets a timeout of 5s for all calls to
        -productpage.prod.svc.cluster.local service in Kubernetes. Notice that
        -there are no subsets defined in this rule. Istio will fetch all
        -instances of productpage.prod.svc.cluster.local service from the service
        -registry and populate the sidecar's load balancing pool. Also, notice
        -that this rule is set in the istio-system namespace but uses the fully
        -qualified domain name of the productpage service,
        -productpage.prod.svc.cluster.local. Therefore the rule's namespace does
        +

        {{}} +{{}}

        +

        The following VirtualService sets a timeout of 5s for all calls to +productpage.prod.svc.cluster.local service in Kubernetes. Notice that +there are no subsets defined in this rule. Istio will fetch all +instances of productpage.prod.svc.cluster.local service from the service +registry and populate the sidecar's load balancing pool. Also, notice +that this rule is set in the istio-system namespace but uses the fully +qualified domain name of the productpage service, +productpage.prod.svc.cluster.local. Therefore the rule's namespace does not have an impact in resolving the name of the productpage service.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -419,8 +419,8 @@ 

        Destination

        - destination: host: productpage.prod.svc.cluster.local
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -435,15 +435,15 @@ 

        Destination

        - destination: host: productpage.prod.svc.cluster.local
        -

        {{}}
        -{{}}

        -

        To control routing for traffic bound to services outside the mesh, external
        -services must first be added to Istio's internal service registry using the
        -ServiceEntry resource. VirtualServices can then be defined to control traffic
        -bound to these external services. For example, the following rules define a
        +

        {{}} +{{}}

        +

        To control routing for traffic bound to services outside the mesh, external +services must first be added to Istio's internal service registry using the +ServiceEntry resource. VirtualServices can then be defined to control traffic +bound to these external services. For example, the following rules define a Service for wikipedia.org and set a timeout of 5s for HTTP requests.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -471,8 +471,8 @@ 

        Destination

        - destination: host: wikipedia.org
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -500,8 +500,8 @@ 

        Destination

        - destination: host: wikipedia.org
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        NONE -

        No traffic capture. When used in an egress listener, the application is
        -expected to explicitly communicate with the listener port or Unix
        -domain socket. When used in an ingress listener, care needs to be taken
        -to ensure that the listener port is not in use by other processes on
        +

        No traffic capture. When used in an egress listener, the application is +expected to explicitly communicate with the listener port or Unix +domain socket. When used in an ingress listener, care needs to be taken +to ensure that the listener port is not in use by other processes on the host.

        hosts string[] -

        The destination hosts to which traffic is being sent. Could
        -be a DNS name with wildcard prefix or an IP address. Depending on the
        -platform, short-names can also be used instead of a FQDN (i.e. has no
        -dots in the name). In such a scenario, the FQDN of the host would be
        +

        The destination hosts to which traffic is being sent. Could +be a DNS name with wildcard prefix or an IP address. Depending on the +platform, short-names can also be used instead of a FQDN (i.e. has no +dots in the name). In such a scenario, the FQDN of the host would be derived based on the underlying platform.

        -

        A single VirtualService can be used to describe all the traffic
        -properties of the corresponding hosts, including those for multiple
        -HTTP and TCP ports. Alternatively, the traffic properties of a host
        -can be defined using more than one VirtualService, with certain
        -caveats. Refer to the
        -Operations Guide
        +

        A single VirtualService can be used to describe all the traffic +properties of the corresponding hosts, including those for multiple +HTTP and TCP ports. Alternatively, the traffic properties of a host +can be defined using more than one VirtualService, with certain +caveats. Refer to the +Operations Guide for details.

        -

        Note for Kubernetes users: When short names are used (e.g. "reviews"
        -instead of "reviews.default.svc.cluster.local"), Istio will interpret
        -the short name based on the namespace of the rule, not the service. A
        -rule in the "default" namespace containing a host "reviews" will be
        -interpreted as "reviews.default.svc.cluster.local", irrespective of
        -the actual namespace associated with the reviews service. To avoid
        -potential misconfigurations, it is recommended to always use fully
        +

        Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews" will be +interpreted as "reviews.default.svc.cluster.local", irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

        -

        The hosts field applies to both HTTP and TCP services. Service inside
        -the mesh, i.e., those found in the service registry, must always be
        -referred to using their alphanumeric names. IP addresses are allowed
        +

        The hosts field applies to both HTTP and TCP services. Service inside +the mesh, i.e., those found in the service registry, must always be +referred to using their alphanumeric names. IP addresses are allowed only for services defined via the Gateway.

        Note: It must be empty for a delegate VirtualService.
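Review bot: the rewrap carries two wording defects from the proto comments straight through to the new text: "Service inside the mesh, i.e., those found in the service registry, must always be referred to using their alphanumeric names" (subject and verb disagree; it should be "Services inside the mesh ... must") and the fragment "Could be a DNS name with wildcard prefix or an IP address" under hosts, which has no subject. Since this patch only regenerates the HTML, fix both in the istio/api source comment so the next regeneration picks them up. The paragraph that matters most for a security reader, that a short name such as "reviews" is resolved against the namespace of the rule and not the namespace of the service, with the recommendation to always use fully qualified domain names, survived the join intact.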

        @@ -192,18 +192,18 @@

        VirtualService

        gateways string[] -

        The names of gateways and sidecars that should apply these routes.
        -Gateways in other namespaces may be referred to by
        -<gateway namespace>/<gateway name>; specifying a gateway with no
        -namespace qualifier is the same as specifying the VirtualService's
        -namespace. A single VirtualService is used for sidecars inside the mesh as
        -well as for one or more gateways. The selection condition imposed by this
        -field can be overridden using the source field in the match conditions
        -of protocol-specific routes. The reserved word mesh is used to imply
        -all the sidecars in the mesh. When this field is omitted, the default
        -gateway (mesh) will be used, which would apply the rule to all
        -sidecars in the mesh. If a list of gateway names is provided, the
        -rules will apply only to the gateways. To apply the rules to both
        +

        The names of gateways and sidecars that should apply these routes. +Gateways in other namespaces may be referred to by +<gateway namespace>/<gateway name>; specifying a gateway with no +namespace qualifier is the same as specifying the VirtualService's +namespace. A single VirtualService is used for sidecars inside the mesh as +well as for one or more gateways. The selection condition imposed by this +field can be overridden using the source field in the match conditions +of protocol-specific routes. The reserved word mesh is used to imply +all the sidecars in the mesh. When this field is omitted, the default +gateway (mesh) will be used, which would apply the rule to all +sidecars in the mesh. If a list of gateway names is provided, the +rules will apply only to the gateways. To apply the rules to both gateways and sidecars, specify mesh as one of the gateway names.

        http HTTPRoute[] -

        An ordered list of route rules for HTTP traffic. HTTP routes will be
        -applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway
        -ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
        -entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching
        +

        An ordered list of route rules for HTTP traffic. HTTP routes will be +applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway +ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service +entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching an incoming request is used.

        tls TLSRoute[] -

        An ordered list of route rule for non-terminated TLS & HTTPS
        -traffic. Routing is typically performed using the SNI value presented
        -by the ClientHello message. TLS routes will be applied to platform
        -service ports named 'https-', 'tls-', unterminated gateway ports using
        -HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service
        -entry ports using HTTPS/TLS protocols. The first rule matching an
        -incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports
        -without associated virtual service will be treated as opaque TCP
        +

        An ordered list of route rule for non-terminated TLS & HTTPS +traffic. Routing is typically performed using the SNI value presented +by the ClientHello message. TLS routes will be applied to platform +service ports named 'https-', 'tls-', unterminated gateway ports using +HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service +entry ports using HTTPS/TLS protocols. The first rule matching an +incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports +without associated virtual service will be treated as opaque TCP traffic.

        tcp TCPRoute[] -

        An ordered list of route rules for opaque TCP traffic. TCP routes will
        -be applied to any port that is not a HTTP or TLS port. The first rule
        +

        An ordered list of route rules for opaque TCP traffic. TCP routes will +be applied to any port that is not a HTTP or TLS port. The first rule matching an incoming request is used.

        exportTo string[] -

        A list of namespaces to which this virtual service is exported. Exporting a
        -virtual service allows it to be used by sidecars and gateways defined in
        -other namespaces. This feature provides a mechanism for service owners
        -and mesh administrators to control the visibility of virtual services
        +

        A list of namespaces to which this virtual service is exported. Exporting a +virtual service allows it to be used by sidecars and gateways defined in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of virtual services across namespace boundaries.

        -

        If no namespaces are specified then the virtual service is exported to all
        +

        If no namespaces are specified then the virtual service is exported to all namespaces by default.

        -

        The value "." is reserved and defines an export to the same namespace that
        -the virtual service is declared in. Similarly the value "*" is reserved and
        +

        The value "." is reserved and defines an export to the same namespace that +the virtual service is declared in. Similarly the value "*" is reserved and defines an export to all namespaces.
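Review bot: "An ordered list of route rule for non-terminated TLS & HTTPS traffic" should read "route rules", and the trailing "NOTE: Traffic 'https-' or 'tls-' ports without associated virtual service will be treated as opaque TCP traffic" is missing "on" ("Traffic on 'https-' or 'tls-' ports"). Both are in the source comment rather than introduced by the rewrap, so fix them upstream. The two statements operators rely on when reasoning about exposure, that TLS-port traffic with no matching VirtualService falls through to opaque TCP routing and that a VirtualService with no exportTo is "exported to all namespaces by default" unless "." or an explicit list is given, are preserved verbatim, which is the right outcome for a rendering-only change.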

        @@ -517,18 +517,18 @@

        Destination

        @@ -540,8 +540,8 @@

        Destination

        @@ -553,8 +553,8 @@

        Destination

        @@ -567,7 +567,7 @@

        Destination

        HTTPRoute

        -

        Describes match conditions and actions for routing HTTP/1.1, HTTP2, and
        +

        Describes match conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic. See VirtualService for usage examples.

        host string -

        The name of a service from the service registry. Service
        -names are looked up from the platform's service registry (e.g.,
        -Kubernetes services, Consul services, etc.) and from the hosts
        -declared by ServiceEntry. Traffic forwarded to
        +

        The name of a service from the service registry. Service +names are looked up from the platform's service registry (e.g., +Kubernetes services, Consul services, etc.) and from the hosts +declared by ServiceEntry. Traffic forwarded to destinations that are not found in either of the two, will be dropped.

        -

        Note for Kubernetes users: When short names are used (e.g. "reviews"
        -instead of "reviews.default.svc.cluster.local"), Istio will interpret
        -the short name based on the namespace of the rule, not the service. A
        -rule in the "default" namespace containing a host "reviews will be
        -interpreted as "reviews.default.svc.cluster.local", irrespective of
        -the actual namespace associated with the reviews service. To avoid
        -potential misconfiguration, it is recommended to always use fully
        +

        Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews will be +interpreted as "reviews.default.svc.cluster.local", irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfiguration, it is recommended to always use fully qualified domain names over short names.

        subset string -

        The name of a subset within the service. Applicable only to services
        -within the mesh. The subset must be defined in a corresponding
        +

        The name of a subset within the service. Applicable only to services +within the mesh. The subset must be defined in a corresponding DestinationRule.

        port PortSelector -

        Specifies the port on the host that is being addressed. If a service
        -exposes only a single port it is not required to explicitly select the
        +

        Specifies the port on the host that is being addressed. If a service +exposes only a single port it is not required to explicitly select the port.
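Review bot: in the Destination.host note, 'A rule in the "default" namespace containing a host "reviews will be interpreted as' is missing the closing quote after reviews in both the old and the new text, and this copy says "potential misconfiguration" where the otherwise identical note under VirtualService.hosts says "potential misconfigurations". The two notes were evidently copied in the proto source and have drifted; add the quote and align the wording there rather than in the generated HTML.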

        @@ -584,9 +584,9 @@

        HTTPRoute

        @@ -598,9 +598,9 @@

        HTTPRoute

        @@ -612,9 +612,9 @@

        HTTPRoute

        @@ -626,9 +626,9 @@

        HTTPRoute

        @@ -640,8 +640,8 @@

        HTTPRoute

        @@ -709,8 +709,8 @@

        HTTPRoute

        @@ -722,11 +722,11 @@

        HTTPRoute

        @@ -738,8 +738,8 @@

        HTTPRoute

        @@ -751,8 +751,8 @@

        HTTPRoute

        @@ -776,8 +776,8 @@

        HTTPRoute

        Delegate

        -

        Describes the delegate VirtualService.
        -The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage,
        +

        Describes the delegate VirtualService. +The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, forward the traffic to /reviews by a delegate VirtualService named reviews.

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
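Review bot: once the lines are joined, "The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, forward the traffic to /reviews by a delegate VirtualService named reviews." is a comma splice; "and forward the traffic to /reviews" (or a semicolon) in the source comment reads correctly in the new single-line rendering.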
        @@ -856,7 +856,7 @@ 

        Delegate

        @@ -869,15 +869,15 @@

        Delegate

        Headers

        -

        Message headers can be manipulated when Envoy forwards requests to,
        -or responses from, a destination service. Header manipulation rules can
        -be specified for a specific route destination or for all destinations.
        -The following VirtualService adds a test header with the value true
        -to requests that are routed to any reviews service destination.
        -It also removes the foo response header, but only from responses
        +

        Message headers can be manipulated when Envoy forwards requests to, +or responses from, a destination service. Header manipulation rules can +be specified for a specific route destination or for all destinations. +The following VirtualService adds a test header with the value true +to requests that are routed to any reviews service destination. +It also removes the foo response header, but only from responses coming from the v1 subset (version) of the reviews service.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -904,8 +904,8 @@ 

        Headers

        - foo weight: 75
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -932,8 +932,8 @@ 

        Headers

        - foo weight: 75
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        name string -

        The name assigned to the route for debugging purposes. The
        -route's name will be concatenated with the match's name and will
        -be logged in the access logs for requests matching this
        +

        The name assigned to the route for debugging purposes. The +route's name will be concatenated with the match's name and will +be logged in the access logs for requests matching this route/match.

        match HTTPMatchRequest[] -

        Match conditions to be satisfied for the rule to be
        -activated. All conditions inside a single match block have AND
        -semantics, while the list of match blocks have OR semantics. The rule
        +

        Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

        route HTTPRouteDestination[] -

        A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
        -The forwarding target can be one of several versions of a service (see
        -glossary in beginning of document). Weights associated with the
        +

        A HTTP rule can either return a direct_response, redirect or forward (default) traffic. +The forwarding target can be one of several versions of a service (see +glossary in beginning of document). Weights associated with the service version determine the proportion of traffic it receives.

        redirect HTTPRedirect -

        A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
        -If traffic passthrough option is specified in the rule,
        -route/redirect will be ignored. The redirect primitive can be used to
        +

        A HTTP rule can either return a direct_response, redirect or forward (default) traffic. +If traffic passthrough option is specified in the rule, +route/redirect will be ignored. The redirect primitive can be used to send a HTTP 301 redirect to a different URI or Authority.

        directResponse HTTPDirectResponse -

        A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
        -Direct Response is used to specify a fixed response that should
        +

        A HTTP rule can either return a direct_response, redirect or forward (default) traffic. +Direct Response is used to specify a fixed response that should be sent to clients.

        It can be set only when Route and Redirect are empty.
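Review bot: the sentence "A HTTP rule can either return a direct_response, redirect or forward (default) traffic." is repeated verbatim as the opening line of route, redirect and directResponse, and each instance should be "An HTTP rule" (likewise "send an HTTP 301 redirect"). More useful than the article: directResponse states "It can be set only when Route and Redirect are empty" and redirect states "If traffic passthrough option is specified in the rule, route/redirect will be ignored", but the route comment carries no matching exclusivity sentence; adding one upstream would put the three-way mutual exclusion in one place instead of leaving the reader to infer it from the other two fields.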

        @@ -654,15 +654,15 @@

        HTTPRoute

        delegate Delegate -

        Delegate is used to specify the particular VirtualService which
        +

        Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute.

        -

        It can be set only when Route and Redirect are empty, and the route
        -rules of the delegate VirtualService will be merged with that in the
        +

        It can be set only when Route and Redirect are empty, and the route +rules of the delegate VirtualService will be merged with that in the current one.

        NOTE:

        1. Only one level delegation is supported.
        2. -
        3. The delegate's HTTPMatchRequest must be a strict subset of the root's,
          +
        4. The delegate's HTTPMatchRequest must be a strict subset of the root's, otherwise there is a conflict and the HTTPRoute will not take effect.
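Review bot: the NOTE list under delegate renders as four items ("1. Only one level delegation is supported. 2. - 3. The delegate's HTTPMatchRequest must be a strict subset of the root's, 4. The delegate's HTTPMatchRequest must be a strict subset ...") because the "-" and "+" diff markers are being parsed as list items; the old and new text each contain two notes. Confirm the generated page has exactly two list items here. The second note, that a delegate match which is not a strict subset of the root's is a conflict and the HTTPRoute will not take effect, is the one readers need for route-precedence reasoning, so it must render as a single item.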
        @@ -675,7 +675,7 @@

        HTTPRoute

        rewrite HTTPRewrite -

        Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with
        +

        Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with Redirect primitive. Rewrite will be performed before forwarding.

        fault HTTPFaultInjection -

        Fault injection policy to apply on HTTP traffic at the client side.
        -Note that timeouts or retries will not be enabled when faults are
        +

        Fault injection policy to apply on HTTP traffic at the client side. +Note that timeouts or retries will not be enabled when faults are enabled on the client side.

        mirror Destination -

        Mirror HTTP traffic to a another destination in addition to forwarding
        -the requests to the intended destination. Mirrored traffic is on a
        -best effort basis where the sidecar/gateway will not wait for the
        -mirrored cluster to respond before returning the response from the
        -original destination. Statistics will be generated for the mirrored
        +

        Mirror HTTP traffic to a another destination in addition to forwarding +the requests to the intended destination. Mirrored traffic is on a +best effort basis where the sidecar/gateway will not wait for the +mirrored cluster to respond before returning the response from the +original destination. Statistics will be generated for the mirrored destination.

        mirrorPercentage Percent -

        Percentage of the traffic to be mirrored by the mirror field.
        -If this field is absent, all the traffic (100%) will be mirrored.
        +

        Percentage of the traffic to be mirrored by the mirror field. +If this field is absent, all the traffic (100%) will be mirrored. Max value is 100.

        corsPolicy CorsPolicy -

        Cross-Origin Resource Sharing policy (CORS). Refer to
        -CORS
        +

        Cross-Origin Resource Sharing policy (CORS). Refer to +CORS for further details about cross origin resource sharing.

        namespace string -

        Namespace specifies the namespace where the delegate VirtualService resides.
        +

        Namespace specifies the namespace where the delegate VirtualService resides. By default, it is same to the root's.
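Review bot: "Mirror HTTP traffic to a another destination" should drop the "a", and "By default, it is same to the root's" should be "the same as the root's"; both are source-comment defects, not rewrap defects. The mirrorPercentage text, "If this field is absent, all the traffic (100%) will be mirrored. Max value is 100.", is the statement most likely to surprise someone enabling mirror in production (an omitted field means full duplication to the mirror target, not zero), and it came through the join correctly; the same goes for the fault caveat that "timeouts or retries will not be enabled when faults are enabled on the client side".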

        @@ -949,7 +949,7 @@

        Headers

        @@ -961,7 +961,7 @@

        Headers

        @@ -974,12 +974,12 @@

        Headers

        TLSRoute

        -

        Describes match conditions and actions for routing unterminated TLS
        -traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
        -traffic arriving at port 443 of gateway called "mygateway" to internal
        +

        Describes match conditions and actions for routing unterminated TLS +traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS +traffic arriving at port 443 of gateway called "mygateway" to internal services in the mesh based on the SNI value.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
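Review bot: "routing unterminated TLS traffic (TLS/HTTPS) The following routing rule forwards" needs a period after the closing parenthesis; the soft line break that used to hide the missing sentence boundary is gone now that the lines are joined. The example text is otherwise consistent with the tls field description above: the rule forwards passthrough traffic on port 443 of "mygateway" by the SNI value, which is the only attribute available when the TLS is not terminated.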
        @@ -1005,8 +1005,8 @@ 

        TLSRoute

        - destination: host: reviews.prod.svc.cluster.local
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -1032,8 +1032,8 @@ 

        TLSRoute

        - destination: host: reviews.prod.svc.cluster.local
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        request HeaderOperations -

        Header manipulation rules to apply before forwarding a request
        +

        Header manipulation rules to apply before forwarding a request to the destination service

        response HeaderOperations -

        Header manipulation rules to apply before returning a response
        +

        Header manipulation rules to apply before returning a response to the caller

        @@ -1049,9 +1049,9 @@

        TLSRoute

        @@ -1075,11 +1075,11 @@

        TLSRoute

        TCPRoute

        -

        Describes match conditions and actions for routing TCP traffic. The
        -following routing rule forwards traffic arriving at port 27017 for
        +

        Describes match conditions and actions for routing TCP traffic. The +following routing rule forwards traffic arriving at port 27017 for mongo.prod.svc.cluster.local to another Mongo server on port 5555.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -1096,8 +1096,8 @@ 

        TCPRoute

        port: number: 5555
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -1114,8 +1114,8 @@ 

        TCPRoute

        port: number: 5555
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        match TLSMatchAttributes[] -

        Match conditions to be satisfied for the rule to be
        -activated. All conditions inside a single match block have AND
        -semantics, while the list of match blocks have OR semantics. The rule
        +

        Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

        @@ -1131,9 +1131,9 @@

        TCPRoute

        @@ -1157,13 +1157,13 @@

        TCPRoute

        HTTPMatchRequest

        -

        HttpMatchRequest specifies a set of criterion to be met in order for the
        -rule to be applied to the HTTP request. For example, the following
        -restricts the rule to match only requests where the URL path
        -starts with /ratings/v2/ and the request contains a custom end-user header
        +

        HttpMatchRequest specifies a set of criterion to be met in order for the +rule to be applied to the HTTP request. For example, the following +restricts the rule to match only requests where the URL path +starts with /ratings/v2/ and the request contains a custom end-user header with value jason.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
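Review bot: "HttpMatchRequest specifies a set of criterion to be met" should be "HTTPMatchRequest specifies a set of criteria to be met"; the type is spelled HTTPMatchRequest everywhere else on this page and criterion is singular.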
        @@ -1183,8 +1183,8 @@ 

        HTTPMatchRequest

        - destination: host: ratings.prod.svc.cluster.local
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -1204,9 +1204,9 @@ 

        HTTPMatchRequest

        - destination: host: ratings.prod.svc.cluster.local
        -

        {{}}
        -{{}}

        -

        HTTPMatchRequest CANNOT be empty.
        +

        {{}} +{{}}

        +

        HTTPMatchRequest CANNOT be empty. Note: No regex string match can be set when delegate VirtualService is specified.

        match L4MatchAttributes[] -

        Match conditions to be satisfied for the rule to be
        -activated. All conditions inside a single match block have AND
        -semantics, while the list of match blocks have OR semantics. The rule
        +

        Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

        @@ -1223,8 +1223,8 @@

        HTTPMatchRequest

        @@ -1236,7 +1236,7 @@

        HTTPMatchRequest

        @@ -1261,7 +1261,7 @@

        HTTPMatchRequest

        @@ -1356,8 +1356,8 @@

        HTTPMatchRequest

        @@ -1369,9 +1369,9 @@

        HTTPMatchRequest

        @@ -1383,8 +1383,8 @@

        HTTPMatchRequest

        @@ -1400,16 +1400,16 @@

        HTTPMatchRequest

        Ex:

        • -

          For a query parameter like "?key=true", the map key would be "key" and
          +

          For a query parameter like "?key=true", the map key would be "key" and the string match could be defined as exact: "true".

        • -

          For a query parameter like "?key", the map key would be "key" and the
          +

          For a query parameter like "?key", the map key would be "key" and the string match could be defined as exact: "".

        • -

          For a query parameter like "?key=123", the map key would be "key" and the
          -string match could be defined as regex: "\d+$". Note that this
          +

          For a query parameter like "?key=123", the map key would be "key" and the +string match could be defined as regex: "\d+$". Note that this configuration will only match values like "123" but not "a123" or "123a".
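Review bot: the queryParams examples render as six bullets ("• -", the text, "• -", ...) because the diff markers become list items, the same artifact as under delegate above; verify the generated list has three items. On content, the third bullet says regex: "\d+$" "will only match values like "123" but not "a123" or "123a"", but the pattern as written anchors only the end, so that claim holds only because the matcher performs full-string matching. Either anchor both ends explicitly in the source comment ("^\d+$") or state that string matches are full matches, so a reader does not copy the pattern into a regex engine where "\d+$" would also accept "a123".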

        @@ -1425,7 +1425,7 @@

        HTTPMatchRequest

        @@ -1437,7 +1437,7 @@

        HTTPMatchRequest

        @@ -1449,8 +1449,8 @@

        HTTPMatchRequest

        @@ -1462,11 +1462,11 @@

        HTTPMatchRequest

        @@ -1479,14 +1479,14 @@

        HTTPMatchRequest

        HTTPRouteDestination

        -

        Each routing rule is associated with one or more service versions (see
        -glossary in beginning of document). Weights associated with the version
        -determine the proportion of traffic it receives. For example, the
        -following rule will route 25% of traffic for the "reviews" service to
        -instances with the "v2" tag and the remaining traffic (i.e., 75%) to
        +

        Each routing rule is associated with one or more service versions (see +glossary in beginning of document). Weights associated with the version +determine the proportion of traffic it receives. For example, the +following rule will route 25% of traffic for the "reviews" service to +instances with the "v2" tag and the remaining traffic (i.e., 75%) to "v1".

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -1505,8 +1505,8 @@ 

        HTTPRouteDestination

        subset: v1 weight: 75
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -1525,11 +1525,11 @@ 

        HTTPRouteDestination

        subset: v1 weight: 75
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        And the associated DestinationRule

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: DestinationRule
         metadata:
        @@ -1544,8 +1544,8 @@ 

        HTTPRouteDestination

        labels: version: v2
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: DestinationRule
         metadata:
        @@ -1560,13 +1560,13 @@ 

        HTTPRouteDestination

        labels: version: v2
        -

        {{}}
        -{{}}

        -

        Traffic can also be split across two entirely different services without
        -having to define new subsets. For example, the following rule forwards 25% of
        +

        {{}} +{{}}

        +

        Traffic can also be split across two entirely different services without +having to define new subsets. For example, the following rule forwards 25% of traffic to reviews.com to dev.reviews.com

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
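Review bot: "the following rule forwards 25% of traffic to reviews.com to dev.reviews.com" is ambiguous after the join and has no terminal period; "forwards 25% of the traffic for reviews.com to dev.reviews.com." reads correctly. The subset example above spells out the remainder as "(i.e., 75%)"; doing the same here would match the "host: reviews.com weight: 75" line in the example that follows.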
        @@ -1583,8 +1583,8 @@ 

        HTTPRouteDestination

        host: reviews.com weight: 75
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -1601,8 +1601,8 @@ 

        HTTPRouteDestination

        host: reviews.com weight: 75
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        name string -

        The name assigned to a match. The match's name will be
        -concatenated with the parent route's name and will be logged in
        +

        The name assigned to a match. The match's name will be +concatenated with the parent route's name and will be logged in the access logs for requests matching this route.

        uri StringMatch -

        URI to match
        +

        URI to match values are case-sensitive and formatted as follows:

        -

        Note: Case-insensitive matching could be enabled via the
        +

        Note: Case-insensitive matching could be enabled via the ignore_uri_case flag.

        scheme StringMatch -

        URI Scheme
        +

        URI Scheme values are case-sensitive and formatted as follows:
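Review bot: the joined text "URI to match values are case-sensitive and formatted as follows:" and "URI Scheme values are case-sensitive and formatted as follows:" exposes what the soft line breaks in the proto comments were hiding: "URI to match" and "URI Scheme" were written as one-line field summaries followed by a separate sentence. Now that Goldmark joins soft breaks into one line, these need a period or a blank line in the source ("URI to match. Values are case-sensitive ..."); the same fix applies to "HTTP Method values are case-sensitive ..." and "HTTP Authority values are case-sensitive ..." below.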

        • @@ -1284,7 +1284,7 @@

          HTTPMatchRequest

        method StringMatch -

        HTTP Method
        +

        HTTP Method values are case-sensitive and formatted as follows:

        • @@ -1307,7 +1307,7 @@

          HTTPMatchRequest

        authority StringMatch -

        HTTP Authority
        +

        HTTP Authority values are case-sensitive and formatted as follows:

        • @@ -1330,7 +1330,7 @@

          HTTPMatchRequest

        headers map<string, StringMatch> -

        The header keys must be lowercase and use hyphen as the separator,
        +

        The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id.

        Header values are case-sensitive and formatted as follows:

        -

        If the value is empty and only the name of header is specfied, presence of the header is checked.
        +

        If the value is empty and only the name of header is specfied, presence of the header is checked. Note: The keys uri, scheme, method, and authority will be ignored.

        port uint32 -

        Specifies the ports on the host that is being addressed. Many services
        -only expose a single port or label ports with the protocols they support,
        +

        Specifies the ports on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

        sourceLabels map<string, string> -

        One or more labels that constrain the applicability of a rule to source (client) workloads
        -with the given labels. If the VirtualService has a list of gateways specified
        -in the top-level gateways field, it must include the reserved gateway
        +

        One or more labels that constrain the applicability of a rule to source (client) workloads +with the given labels. If the VirtualService has a list of gateways specified +in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

        gateways string[] -

        Names of gateways where the rule should be applied. Gateway names
        -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
        +

        Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

        bool

        Flag to specify whether the URI matching should be case-insensitive.

        -

        Note: The case will be ignored only in the case of exact and prefix
        +

        Note: The case will be ignored only in the case of exact and prefix URI matches.

        withoutHeaders map<string, StringMatch> -

        withoutHeader has the same syntax with the header, but has opposite meaning.
        +

        withoutHeader has the same syntax with the header, but has opposite meaning. If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

        sourceNamespace string -

        Source namespace constraining the applicability of a rule to workloads in that namespace.
        -If the VirtualService has a list of gateways specified in the top-level gateways field,
        +

        Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

        statPrefix string -

        The human readable prefix to use when emitting statistics for this route.
        -The statistics are generated with prefix route.<stat_prefix>.
        -This should be set for highly critical routes that one wishes to get "per-route" statistics on.
        -This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics.
        -Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix
        +

        The human readable prefix to use when emitting statistics for this route. +The statistics are generated with prefix route.<stat_prefix>. +This should be set for highly critical routes that one wishes to get "per-route" statistics on. +This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics. +Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix for statistics that are generated when this is configured.
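Review bot: the regenerated HTTPMatchRequest text keeps two upstream wording defects in this region: "specfied" in the headers description ("If the value is empty and only the name of header is specfied") and "the traffic becomes not matched one" in the withoutHeaders description. Both originate in the proto comments in istio/api, so fix them there ("specified"; "the request is treated as not matched") and regenerate rather than hand-editing the HTML.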

        @@ -1618,7 +1618,7 @@

        HTTPRouteDestination

        @@ -1630,8 +1630,8 @@

        HTTPRouteDestination

        @@ -1671,7 +1671,7 @@

        RouteDestination

        @@ -1683,8 +1683,8 @@

        RouteDestination

        @@ -1697,7 +1697,7 @@

        RouteDestination

        L4MatchAttributes

        -

        L4 connection match attributes. Note that L4 connection matching support
        +

        L4 connection match attributes. Note that L4 connection matching support is incomplete.

        destination Destination -

        Destination uniquely identifies the instances of a service
        +

        Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

        weight int32 -

        Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
        -If there is only one destination in a rule, it will receive all traffic.
        +

        Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. +If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.

        destination Destination -

        Destination uniquely identifies the instances of a service
        +

        Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

        weight int32 -

        Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
        -If there is only one destination in a rule, it will receive all traffic.
        +

        Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. +If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.
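Review bot: "Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to" has a duplicated "to" (drop the trailing one). The sentence appears twice in this region, once for HTTPRouteDestination and once for RouteDestination, so the correction belongs in the shared proto comment upstream rather than in both generated copies.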

        @@ -1714,7 +1714,7 @@

        L4MatchAttributes

        @@ -1726,8 +1726,8 @@

        L4MatchAttributes

        @@ -1739,9 +1739,9 @@

        L4MatchAttributes

        @@ -1753,8 +1753,8 @@

        L4MatchAttributes

        @@ -1766,8 +1766,8 @@

        L4MatchAttributes

        @@ -1796,9 +1796,9 @@

        TLSMatchAttributes

        @@ -1810,7 +1810,7 @@

        TLSMatchAttributes

        @@ -1822,9 +1822,9 @@

        TLSMatchAttributes

        @@ -1836,9 +1836,9 @@

        TLSMatchAttributes

        @@ -1850,8 +1850,8 @@

        TLSMatchAttributes

        @@ -1863,8 +1863,8 @@

        TLSMatchAttributes

        @@ -1877,13 +1877,13 @@

        TLSMatchAttributes

        HTTPRedirect

        -

        HTTPRedirect can be used to send a 301 redirect response to the caller,
        -where the Authority/Host and the URI in the response can be swapped with
        -the specified values. For example, the following rule redirects
        -requests for /v1/getProductRatings API on the ratings service to
        +

        HTTPRedirect can be used to send a 301 redirect response to the caller, +where the Authority/Host and the URI in the response can be swapped with +the specified values. For example, the following rule redirects +requests for /v1/getProductRatings API on the ratings service to /v1/bookRatings provided by the bookratings service.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -1900,8 +1900,8 @@ 

        HTTPRedirect

        authority: newratings.default.svc.cluster.local ...
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -1918,8 +1918,8 @@ 

        HTTPRedirect

        authority: newratings.default.svc.cluster.local ...
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        destinationSubnets string[] -

        IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
        +

        IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

        port uint32 -

        Specifies the port on the host that is being addressed. Many services
        -only expose a single port or label ports with the protocols they support,
        +

        Specifies the port on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

        sourceLabels map<string, string> -

        One or more labels that constrain the applicability of a rule to
        -workloads with the given labels. If the VirtualService has a list of
        -gateways specified in the top-level gateways field, it should include the reserved gateway
        +

        One or more labels that constrain the applicability of a rule to +workloads with the given labels. If the VirtualService has a list of +gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

        gateways string[] -

        Names of gateways where the rule should be applied. Gateway names
        -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
        +

        Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

        sourceNamespace string -

        Source namespace constraining the applicability of a rule to workloads in that namespace.
        -If the VirtualService has a list of gateways specified in the top-level gateways field,
        +

        Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

        sniHosts string[] -

        SNI (server name indicator) to match on. Wildcard prefixes
        -can be used in the SNI value, e.g., *.com will match foo.example.com
        -as well as example.com. An SNI value must be a subset (i.e., fall
        +

        SNI (server name indicator) to match on. Wildcard prefixes +can be used in the SNI value, e.g., *.com will match foo.example.com +as well as example.com. An SNI value must be a subset (i.e., fall within the domain) of the corresponding virtual serivce's hosts.

        destinationSubnets string[] -

        IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
        +

        IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

        port uint32 -

        Specifies the port on the host that is being addressed. Many services
        -only expose a single port or label ports with the protocols they
        -support, in these cases it is not required to explicitly select the
        +

        Specifies the port on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they +support, in these cases it is not required to explicitly select the port.

        sourceLabels map<string, string> -

        One or more labels that constrain the applicability of a rule to
        -workloads with the given labels. If the VirtualService has a list of
        -gateways specified in the top-level gateways field, it should include the reserved gateway
        +

        One or more labels that constrain the applicability of a rule to +workloads with the given labels. If the VirtualService has a list of +gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

        gateways string[] -

        Names of gateways where the rule should be applied. Gateway names
        -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
        +

        Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

        sourceNamespace string -

        Source namespace constraining the applicability of a rule to workloads in that namespace.
        -If the VirtualService has a list of gateways specified in the top-level gateways field,
        +

        Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.
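Review bot: "virtual serivce's hosts" in the sniHosts description is a typo for "service's". In the same region the sourceLabels text says the top-level gateways list "should include the reserved gateway mesh" while sourceNamespace says it "must include" it; the two fields carry the same requirement and should use the same modal. Both are upstream comment fixes since this HTML is generated.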

        @@ -1935,8 +1935,8 @@

        HTTPRedirect

        @@ -1948,7 +1948,7 @@

        HTTPRedirect

        @@ -1986,9 +1986,9 @@

        HTTPRedirect

        @@ -2000,7 +2000,7 @@

        HTTPRedirect

        @@ -2013,11 +2013,11 @@

        HTTPRedirect

        HTTPDirectResponse

        -

        HTTPDirectResponse can be used to send a fixed response to clients.
        -For example, the following rule returns a fixed 503 status with a body
        +

        HTTPDirectResponse can be used to send a fixed response to clients. +For example, the following rule returns a fixed 503 status with a body to requests for /v1/getProductRatings API.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2035,8 +2035,8 @@ 

        HTTPDirectResponse

        string: "unknown error" ...
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -2054,12 +2054,12 @@ 

        HTTPDirectResponse

        string: "unknown error" ...
        -

        {{}}
        -{{}}

        -

        It is also possible to specify a binary response body.
        +

        {{}} +{{}}

        +

        It is also possible to specify a binary response body. This is mostly useful for non text-based protocols such as gRPC.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2077,8 +2077,8 @@ 

        HTTPDirectResponse

        bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -2096,13 +2096,13 @@ 

        HTTPDirectResponse

        bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
        -

        {{}}
        -{{}}

        -

        It is good practice to add headers in the HTTPRoute
        -as well as the direct_response, for example to specify
        +

        {{}} +{{}}

        +

        It is good practice to add headers in the HTTPRoute +as well as the direct_response, for example to specify the returned Content-Type.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2124,8 +2124,8 @@ 

        HTTPDirectResponse

        content-type: "appliation/json" ...
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
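Review bot: the v1alpha3 HTTPDirectResponse example in this hunk sets content-type: "appliation/json", a misspelling of "application", while the v1beta1 rendering of the same headers example shows content-type: "text/plain". Correct the spelling in the source example and check that both API versions are generated from the same snippet so the two pages do not drift.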
        @@ -2147,8 +2147,8 @@ 

        HTTPDirectResponse

        content-type: "text/plain" ...
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        uri string -

        On a redirect, overwrite the Path portion of the URL with this
        -value. Note that the entire path will be replaced, irrespective of the
        +

        On a redirect, overwrite the Path portion of the URL with this +value. Note that the entire path will be replaced, irrespective of the request URI being matched as an exact path or prefix.

        authority string -

        On a redirect, overwrite the Authority/Host portion of the URL with
        +

        On a redirect, overwrite the Authority/Host portion of the URL with this value.

        scheme string -

        On a redirect, overwrite the scheme portion of the URL with this value.
        -For example, http or https.
        -If unset, the original scheme will be used.
        +

        On a redirect, overwrite the scheme portion of the URL with this value. +For example, http or https. +If unset, the original scheme will be used. If derivePort is set to FROM_PROTOCOL_DEFAULT, this will impact the port used as well

        redirectCode uint32 -

        On a redirect, Specifies the HTTP status code to use in the redirect
        +

        On a redirect, Specifies the HTTP status code to use in the redirect response. The default response code is MOVED_PERMANENTLY (301).
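Review bot: two wording nits in the HTTPRedirect field text: the scheme description ends without a period ("...this will impact the port used as well") and the redirectCode description has a mid-sentence capital ("On a redirect, Specifies the HTTP status code"). Both come from the upstream proto comments.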

        @@ -2175,7 +2175,7 @@

        HTTPDirectResponse

        @@ -2225,13 +2225,13 @@

        HTTPBody

        HTTPRewrite

        -

        HTTPRewrite can be used to rewrite specific parts of a HTTP request
        -before forwarding the request to the destination. Rewrite primitive can
        -be used only with HTTPRouteDestination. The following example
        -demonstrates how to rewrite the URL prefix for api call (/ratings) to
        +

        HTTPRewrite can be used to rewrite specific parts of a HTTP request +before forwarding the request to the destination. Rewrite primitive can +be used only with HTTPRouteDestination. The following example +demonstrates how to rewrite the URL prefix for api call (/ratings) to ratings service before making the actual API call.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2250,8 +2250,8 @@ 

        HTTPRewrite

        host: ratings.prod.svc.cluster.local subset: v1
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -2270,8 +2270,8 @@ 

        HTTPRewrite

        host: ratings.prod.svc.cluster.local subset: v1
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        body HTTPBody -

        Specifies the content of the response body. If this setting is omitted,
        +

        Specifies the content of the response body. If this setting is omitted, no body is included in the generated response.

        @@ -2287,8 +2287,8 @@

        HTTPRewrite

        @@ -2312,7 +2312,7 @@

        HTTPRewrite

        StringMatch

        -

        Describes how to match a given string in HTTP headers. Match is
        +

        Describes how to match a given string in HTTP headers. Match is case-sensitive.

        uri string -

        rewrite the path (or the prefix) portion of the URI with this
        -value. If the original URI was matched based on prefix, the value
        +

        rewrite the path (or the prefix) portion of the URI with this +value. If the original URI was matched based on prefix, the value provided in this field will replace the corresponding matched prefix.

        @@ -2363,13 +2363,13 @@

        StringMatch

        HTTPRetry

        -

        Describes the retry policy to use when a HTTP request fails. For
        -example, the following rule sets the maximum number of retries to 3 when
        -calling ratings:v1 service, with a 2s timeout per retry attempt.
        -A retry will be attempted if there is a connect-failure, refused_stream
        +

        Describes the retry policy to use when a HTTP request fails. For +example, the following rule sets the maximum number of retries to 3 when +calling ratings:v1 service, with a 2s timeout per retry attempt. +A retry will be attempted if there is a connect-failure, refused_stream or when the upstream server responds with Service Unavailable(503).

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2387,8 +2387,8 @@ 

        HTTPRetry

        perTryTimeout: 2s retryOn: connect-failure,refused-stream,503
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -2406,8 +2406,8 @@ 

        HTTPRetry

        perTryTimeout: 2s retryOn: gateway-error,connect-failure,refused-stream
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}
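Review bot: the two renderings of the HTTPRetry example disagree: the v1alpha3 copy shows retryOn: connect-failure,refused-stream,503 while the v1beta1 copy shows retryOn: gateway-error,connect-failure,refused-stream. The prose above both says a retry happens on connect-failure, refused_stream, or a 503 from upstream, which matches the v1alpha3 value; align the v1beta1 example with it (or update the prose) in the source so the generated pages agree. Also "Service Unavailable(503)" is missing a space before the parenthesis.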

        @@ -2423,10 +2423,10 @@

        HTTPRetry

        @@ -2438,9 +2438,9 @@

        HTTPRetry

        @@ -2452,10 +2452,10 @@

        HTTPRetry

        @@ -2467,7 +2467,7 @@

        HTTPRetry

        @@ -2480,15 +2480,15 @@

        HTTPRetry

        CorsPolicy

        -

        Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
        -service. Refer to CORS
        -for further details about cross origin resource sharing. For example,
        -the following rule restricts cross origin requests to those originating
        -from example.com domain using HTTP POST/GET, and sets the
        -Access-Control-Allow-Credentials header to false. In addition, it only
        +

        Describes the Cross-Origin Resource Sharing (CORS) policy, for a given +service. Refer to CORS +for further details about cross origin resource sharing. For example, +the following rule restricts cross origin requests to those originating +from example.com domain using HTTP POST/GET, and sets the +Access-Control-Allow-Credentials header to false. In addition, it only exposes X-Foo-bar header and sets an expiry period of 1 day.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2512,8 +2512,8 @@ 

        CorsPolicy

        - X-Foo-Bar maxAge: "24h"
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -2537,8 +2537,8 @@ 

        CorsPolicy

        - X-Foo-Bar maxAge: "24h"
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        attempts int32 -

        Number of retries to be allowed for a given request. The interval
        -between retries will be determined automatically (25ms+). When request
        -timeout of the HTTP route
        -or per_try_timeout is configured, the actual number of retries attempted also depends on
        +

        Number of retries to be allowed for a given request. The interval +between retries will be determined automatically (25ms+). When request +timeout of the HTTP route +or per_try_timeout is configured, the actual number of retries attempted also depends on the specified request timeout and per_try_timeout values.

        perTryTimeout Duration -

        Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms.
        -Default is same value as request
        -timeout of the HTTP route,
        +

        Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. +Default is same value as request +timeout of the HTTP route, which means no timeout.

        retryOn string -

        Specifies the conditions under which retry takes place.
        -One or more policies can be specified using a ‘,’ delimited list.
        -If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy.
        -See the retry policies
        +

        Specifies the conditions under which retry takes place. +One or more policies can be specified using a ‘,’ delimited list. +If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. +See the retry policies and gRPC retry policies for more details.

        retryRemoteLocalities BoolValue -

        Flag to specify whether the retries should retry to other localities.
        +

        Flag to specify whether the retries should retry to other localities. See the retry plugin configuration for more details.
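Review bot: the perTryTimeout description is hard to read as written: "Default is same value as request timeout of the HTTP route, which means no timeout" leaves it unclear which timeout the "no timeout" clause refers to; rephrase upstream so the sentence says explicitly that the per-try default follows the route's request timeout and under what condition that results in no timeout at all. The retryOn text also uses typographic quotes around the delimiter (‘,’); plain ASCII quotes render more reliably next to code.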

        @@ -2554,8 +2554,8 @@

        CorsPolicy

        @@ -2567,7 +2567,7 @@

        CorsPolicy

        @@ -2579,7 +2579,7 @@

        CorsPolicy

        @@ -2591,7 +2591,7 @@

        CorsPolicy

        @@ -2603,7 +2603,7 @@

        CorsPolicy

        @@ -2615,8 +2615,8 @@

        CorsPolicy

        @@ -2629,12 +2629,12 @@

        CorsPolicy

        HTTPFaultInjection

        -

        HTTPFaultInjection can be used to specify one or more faults to inject
        -while forwarding HTTP requests to the destination specified in a route.
        -Fault specification is part of a VirtualService rule. Faults include
        -aborting the Http request from downstream service, and/or delaying
        +

        HTTPFaultInjection can be used to specify one or more faults to inject +while forwarding HTTP requests to the destination specified in a route. +Fault specification is part of a VirtualService rule. Faults include +aborting the Http request from downstream service, and/or delaying proxying of requests. A fault rule MUST HAVE delay or abort or both.

        -

        Note: Delay and abort faults are independent of one another, even if
        +

        Note: Delay and abort faults are independent of one another, even if both are specified simultaneously.

        allowOrigins StringMatch[] -

        String patterns that match allowed origins.
        -An origin is allowed if any of the string matchers match.
        +

        String patterns that match allowed origins. +An origin is allowed if any of the string matchers match. If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

        allowMethods string[] -

        List of HTTP methods allowed to access the resource. The content will
        +

        List of HTTP methods allowed to access the resource. The content will be serialized into the Access-Control-Allow-Methods header.

        allowHeaders string[] -

        List of HTTP headers that can be used when requesting the
        +

        List of HTTP headers that can be used when requesting the resource. Serialized to Access-Control-Allow-Headers header.

        exposeHeaders string[] -

        A list of HTTP headers that the browsers are allowed to
        +

        A list of HTTP headers that the browsers are allowed to access. Serialized into Access-Control-Expose-Headers header.

        maxAge Duration -

        Specifies how long the results of a preflight request can be
        +

        Specifies how long the results of a preflight request can be cached. Translates to the Access-Control-Max-Age header.

        allowCredentials BoolValue -

        Indicates whether the caller is allowed to send the actual request
        -(not the preflight) using credentials. Translates to
        +

        Indicates whether the caller is allowed to send the actual request +(not the preflight) using credentials. Translates to Access-Control-Allow-Credentials header.
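Review bot: the allowOrigins text now states that on a match the outgoing Access-Control-Allow-Origin is set to the origin supplied by the client, and allowCredentials in the same region translates directly to Access-Control-Allow-Credentials; the doc would benefit from one sentence next to allowOrigins noting that a broad matcher (for example a prefix that admits many domains) combined with allowCredentials: true lets every matching origin make credentialed cross-site requests, so matchers should be as narrow as possible whenever credentials are allowed. Separately, "aborting the Http request" in the HTTPFaultInjection text uses "Http" where the rest of the page uses "HTTP".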

        @@ -2651,7 +2651,7 @@

        HTTPFaultInjection

        @@ -2663,7 +2663,7 @@

        HTTPFaultInjection

        @@ -2676,7 +2676,7 @@

        HTTPFaultInjection

        PortSelector

        -

        PortSelector specifies the number of a port to be used for
        +

        PortSelector specifies the number of a port to be used for matching or selection for final routing.

        delay Delay -

        Delay requests before forwarding, emulating various failures such as
        +

        Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc.

        abort Abort -

        Abort Http request attempts and return error codes back to downstream
        +

        Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty.

        @@ -2758,7 +2758,7 @@

        Headers.HeaderOperations

        @@ -2782,12 +2782,12 @@

        Headers.HeaderOperations

        HTTPFaultInjection.Delay

        -

        Delay specification is used to inject latency into the request
        -forwarding path. The following example will introduce a 5 second delay
        -in 1 out of every 1000 requests to the "v1" version of the "reviews"
        +

        Delay specification is used to inject latency into the request +forwarding path. The following example will introduce a 5 second delay +in 1 out of every 1000 requests to the "v1" version of the "reviews" service from all pods with label env: prod

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2809,8 +2809,8 @@ 

        HTTPFaultInjection.Delay

        value: 0.1 fixedDelay: 5s
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -2832,10 +2832,10 @@ 

        HTTPFaultInjection.Delay

        value: 0.1 fixedDelay: 5s
        -

        {{}}
        -{{}}

        -

        The fixedDelay field is used to indicate the amount of delay in seconds.
        -The optional percentage field can be used to only delay a certain
        +

        {{}} +{{}}

        +

        The fixedDelay field is used to indicate the amount of delay in seconds. +The optional percentage field can be used to only delay a certain percentage of requests. If left unspecified, all request will be delayed.

        add map<string, string> -

        Append the given values to the headers specified by keys
        +

        Append the given values to the headers specified by keys (will create a comma-separated list of values)
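Review bot: "The fixedDelay field is used to indicate the amount of delay in seconds" understates the field: the fixedDelay entry later on this page gives the format as 1h/1m/1s/1ms, so say "a duration" rather than "in seconds". In the same paragraph "all request will be delayed" should read "all requests". Both are upstream proto comments.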

        @@ -2852,7 +2852,7 @@

        HTTPFaultInjection.Delay

        @@ -2875,8 +2875,8 @@

        HTTPFaultInjection.Delay

        @@ -2889,11 +2889,11 @@

        HTTPFaultInjection.Delay

        HTTPFaultInjection.Abort

        -

        Abort specification is used to prematurely abort a request with a
        -pre-specified error code. The following example will return an HTTP 400
        +

        Abort specification is used to prematurely abort a request with a +pre-specified error code. The following example will return an HTTP 400 error code for 1 out of every 1000 requests to the "ratings" service "v1".

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: VirtualService
         metadata:
        @@ -2912,8 +2912,8 @@ 

        HTTPFaultInjection.Abort

        value: 0.1 httpStatus: 400
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: VirtualService
         metadata:
        @@ -2932,11 +2932,11 @@ 

        HTTPFaultInjection.Abort

        value: 0.1 httpStatus: 400
        -

        {{}}
        -{{}}

        -

        The httpStatus field is used to indicate the HTTP status code to
        -return to the caller. The optional percentage field can be used to only
        -abort a certain percentage of requests. If not specified, all requests are
        +

        {{}} +{{}}

        +

        The httpStatus field is used to indicate the HTTP status code to +return to the caller. The optional percentage field can be used to only +abort a certain percentage of requests. If not specified, all requests are aborted.

        fixedDelay Duration (oneof) -

        Add a fixed delay before forwarding the request. Format:
        +

        Add a fixed delay before forwarding the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.

        percent int32 -

        Percentage of requests on which the delay will be injected (0-100).
        -Use of integer percent value is deprecated. Use the double percentage
        +

        Percentage of requests on which the delay will be injected (0-100). +Use of integer percent value is deprecated. Use the double percentage field instead.

        @@ -2964,9 +2964,9 @@

        HTTPFaultInjection.Abort

        diff --git a/content/en/docs/reference/config/networking/workload-entry/index.html b/content/en/docs/reference/config/networking/workload-entry/index.html index 73dfc1e017da1..a6156b31ad36a 100644 --- a/content/en/docs/reference/config/networking/workload-entry/index.html +++ b/content/en/docs/reference/config/networking/workload-entry/index.html @@ -10,28 +10,28 @@ aliases: [/docs/reference/config/networking/v1alpha3/workload-entry] number_of_entries: 1 --- -

        WorkloadEntry enables operators to describe the properties of a
        -single non-Kubernetes workload such as a VM or a bare metal server
        -as it is onboarded into the mesh. A WorkloadEntry must be
        -accompanied by an Istio ServiceEntry that selects the workload
        -through the appropriate labels and provides the service definition
        -for a MESH_INTERNAL service (hostnames, port properties, etc.). A
        -ServiceEntry object can select multiple workload entries as well
        -as Kubernetes pods based on the label selector specified in the
        +

        WorkloadEntry enables operators to describe the properties of a +single non-Kubernetes workload such as a VM or a bare metal server +as it is onboarded into the mesh. A WorkloadEntry must be +accompanied by an Istio ServiceEntry that selects the workload +through the appropriate labels and provides the service definition +for a MESH_INTERNAL service (hostnames, port properties, etc.). A +ServiceEntry object can select multiple workload entries as well +as Kubernetes pods based on the label selector specified in the service entry.

        -

        When a workload connects to istiod, the status field in the
        -custom resource will be updated to indicate the health of the
        -workload along with other details, similar to how Kubernetes
        +

        When a workload connects to istiod, the status field in the +custom resource will be updated to indicate the health of the +workload along with other details, similar to how Kubernetes updates the status of a pod.

        -

        The following example declares a workload entry representing a VM
        -for the details.bookinfo.com service. This VM has sidecar
        -installed and bootstrapped using the details-legacy service
        -account. The service is exposed on port 80 to applications in the
        -mesh. The HTTP traffic to this service is wrapped in Istio mutual
        -TLS and sent to sidecars on VMs on target port 8080, that in turn
        +

        The following example declares a workload entry representing a VM +for the details.bookinfo.com service. This VM has sidecar +installed and bootstrapped using the details-legacy service +account. The service is exposed on port 80 to applications in the +mesh. The HTTP traffic to this service is wrapped in Istio mutual +TLS and sent to sidecars on VMs on target port 8080, that in turn forward it to the application on localhost on the same port.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: WorkloadEntry
         metadata:
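Review bot: the new WorkloadEntry intro paragraph ("This VM has sidecar installed and bootstrapped using the details-legacy service account") is missing an article; "has a sidecar installed" reads correctly, and as with the rest of this file the fix belongs in the istio/api proto comment the page is generated from. Worth checking in the rendered output of this hunk as well: on the old side the two `{{}}` text shortcodes around each YAML example sit on separate lines, while the new side emits them joined ("{{}} +{{}}"); confirm the YAML examples still render as fenced code blocks after the Goldmark switch.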
        @@ -47,8 +47,8 @@
             app: details-legacy
             instance-id: vm1
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: WorkloadEntry
         metadata:
        @@ -64,11 +64,11 @@
             app: details-legacy
             instance-id: vm1
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        and the associated service entry

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -87,8 +87,8 @@
             labels:
               app: details-legacy
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -107,15 +107,15 @@
             labels:
               app: details-legacy
         
        -

        {{}}
        -{{}}

        -

        The following example declares the same VM workload using
        -its fully qualified DNS name. The service entry's resolution
        -mode should be changed to DNS to indicate that the client-side
        -sidecars should dynamically resolve the DNS name at runtime before
        +

        {{}} +{{}}

        +

        The following example declares the same VM workload using +its fully qualified DNS name. The service entry's resolution +mode should be changed to DNS to indicate that the client-side +sidecars should dynamically resolve the DNS name at runtime before forwarding the request.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: WorkloadEntry
         metadata:
        @@ -131,8 +131,8 @@
             app: details-legacy
             instance-id: vm1
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: WorkloadEntry
         metadata:
        @@ -148,11 +148,11 @@
             app: details-legacy
             instance-id: vm1
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        and the associated service entry

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: ServiceEntry
         metadata:
        @@ -171,8 +171,8 @@
             labels:
               app: details-legacy
         
        -

        {{}}

        -

        {{}}

        +

        {{}}

        +

        {{}}

        apiVersion: networking.istio.io/v1beta1
         kind: ServiceEntry
         metadata:
        @@ -191,8 +191,8 @@
             labels:
               app: details-legacy
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        WorkloadEntry

        @@ -212,9 +212,9 @@

        WorkloadEntry

        @@ -226,15 +226,15 @@

        WorkloadEntry

        @@ -277,22 +277,22 @@

        WorkloadEntry

        @@ -304,7 +304,7 @@

        WorkloadEntry

        @@ -316,9 +316,9 @@

        WorkloadEntry

        diff --git a/content/en/docs/reference/config/networking/workload-group/index.html b/content/en/docs/reference/config/networking/workload-group/index.html index 73e9f034fed92..e0b073bfa4629 100644 --- a/content/en/docs/reference/config/networking/workload-group/index.html +++ b/content/en/docs/reference/config/networking/workload-group/index.html @@ -10,20 +10,20 @@ aliases: [/docs/reference/config/networking/v1alpha3/workload-group] number_of_entries: 7 --- -

        WorkloadGroup describes a collection of workload instances.
        -It provides a specification that the workload instances can use to bootstrap
        -their proxies, including the metadata and identity. It is only intended to
        -be used with non-k8s workloads like Virtual Machines, and is meant to mimic
        -the existing sidecar injection and deployment specification model used for
        +

        WorkloadGroup describes a collection of workload instances. +It provides a specification that the workload instances can use to bootstrap +their proxies, including the metadata and identity. It is only intended to +be used with non-k8s workloads like Virtual Machines, and is meant to mimic +the existing sidecar injection and deployment specification model used for Kubernetes workloads to bootstrap Istio proxies.

        -

        The following example declares a workload group representing a collection
        -of workloads that will be registered under reviews in namespace
        -bookinfo. The set of labels will be associated with each workload
        -instance during the bootstrap process, and the ports 3550 and 8080
        -will be associated with the workload group and use service account default.
        +

        The following example declares a workload group representing a collection +of workloads that will be registered under reviews in namespace +bookinfo. The set of labels will be associated with each workload +instance during the bootstrap process, and the ports 3550 and 8080 +will be associated with the workload group and use service account default. app.kubernetes.io/version is just an arbitrary example of a label.

        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        apiVersion: networking.istio.io/v1alpha3
         kind: WorkloadGroup
         metadata:
        @@ -54,15 +54,15 @@
              - name: Lit-Header
                value: Im-The-Best
         
        -

        {{}}
        -{{}}

        +

        {{}} +{{}}

        WorkloadGroup

        -

        WorkloadGroup enables specifying the properties of a single workload for bootstrap and
        -provides a template for WorkloadEntry, similar to how Deployment specifies properties
        -of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry.
        -WorkloadGroup has no relationship to resources which control service registry like ServiceEntry
        +

        WorkloadGroup enables specifying the properties of a single workload for bootstrap and +provides a template for WorkloadEntry, similar to how Deployment specifies properties +of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry. +WorkloadGroup has no relationship to resources which control service registry like ServiceEntry and as such doesn't configure host name for these workloads.

        grpcStatus string (oneof) -

        GRPC status code to use to abort the request. The supported
        -codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md
        -Note: If you want to return the status "Unavailable", then you should
        +

        GRPC status code to use to abort the request. The supported +codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md +Note: If you want to return the status "Unavailable", then you should specify the code as UNAVAILABLE(all caps), but not 14.

        address string -

        Address associated with the network endpoint without the
        -port. Domain names can be used if and only if the resolution is set
        -to DNS, and must be fully-qualified without wildcards. Use the form
        +

        Address associated with the network endpoint without the +port. Domain names can be used if and only if the resolution is set +to DNS, and must be fully-qualified without wildcards. Use the form unix:///absolute/path/to/socket for Unix domain socket endpoints.

        ports map<string, uint32> -

        Set of ports associated with the endpoint. If the port map is
        -specified, it must be a map of servicePortName to this endpoint's
        -port, such that traffic to the service port will be forwarded to
        -the endpoint port that maps to the service's portName. If
        -omitted, and the targetPort is specified as part of the service's
        -port specification, traffic to the service port will be forwarded
        -to one of the endpoints on the specified targetPort. If both
        -the targetPort and endpoint's port map are not specified, traffic
        -to a service port will be forwarded to one of the endpoints on
        +

        Set of ports associated with the endpoint. If the port map is +specified, it must be a map of servicePortName to this endpoint's +port, such that traffic to the service port will be forwarded to +the endpoint port that maps to the service's portName. If +omitted, and the targetPort is specified as part of the service's +port specification, traffic to the service port will be forwarded +to one of the endpoints on the specified targetPort. If both +the targetPort and endpoint's port map are not specified, traffic +to a service port will be forwarded to one of the endpoints on the same port.

        NOTE 1: Do not use for unix:// addresses.

        NOTE 2: endpoint port map takes precedence over targetPort.

        @@ -259,13 +259,13 @@

        WorkloadEntry

        network string -

        Network enables Istio to group endpoints resident in the same L3
        -domain/network. All endpoints in the same network are assumed to be
        -directly reachable from one another. When endpoints in different
        -networks cannot reach each other directly, an Istio Gateway can be
        -used to establish connectivity (usually using the
        -AUTO_PASSTHROUGH mode in a Gateway Server). This is
        -an advanced configuration used typically for spanning an Istio mesh
        +

        Network enables Istio to group endpoints resident in the same L3 +domain/network. All endpoints in the same network are assumed to be +directly reachable from one another. When endpoints in different +networks cannot reach each other directly, an Istio Gateway can be +used to establish connectivity (usually using the +AUTO_PASSTHROUGH mode in a Gateway Server). This is +an advanced configuration used typically for spanning an Istio mesh over multiple clusters.

        locality string -

        The locality associated with the endpoint. A locality corresponds
        -to a failure domain (e.g., country/region/zone). Arbitrary failure
        -domain hierarchies can be represented by separating each
        -encapsulating failure domain by /. For example, the locality of an
        -an endpoint in US, in US-East-1 region, within availability zone
        -az-1, in data center rack r11 can be represented as
        -us/us-east-1/az-1/r11. Istio will configure the sidecar to route to
        -endpoints within the same locality as the sidecar. If none of the
        -endpoints in the locality are available, endpoints parent locality
        -(but within the same network ID) will be chosen. For example, if
        -there are two endpoints in same network (networkID "n1"), say e1
        -with locality us/us-east-1/az-1/r11 and e2 with locality
        -us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality
        -will prefer e1 from the same locality over e2 from a different
        -locality. Endpoint e2 could be the IP associated with a gateway
        -(that bridges networks n1 and n2), or the IP associated with a
        +

        The locality associated with the endpoint. A locality corresponds +to a failure domain (e.g., country/region/zone). Arbitrary failure +domain hierarchies can be represented by separating each +encapsulating failure domain by /. For example, the locality of an +an endpoint in US, in US-East-1 region, within availability zone +az-1, in data center rack r11 can be represented as +us/us-east-1/az-1/r11. Istio will configure the sidecar to route to +endpoints within the same locality as the sidecar. If none of the +endpoints in the locality are available, endpoints parent locality +(but within the same network ID) will be chosen. For example, if +there are two endpoints in same network (networkID "n1"), say e1 +with locality us/us-east-1/az-1/r11 and e2 with locality +us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality +will prefer e1 from the same locality over e2 from a different +locality. Endpoint e2 could be the IP associated with a gateway +(that bridges networks n1 and n2), or the IP associated with a standard service endpoint.

        weight uint32 -

        The load balancing weight associated with the endpoint. Endpoints
        +

        The load balancing weight associated with the endpoint. Endpoints with higher weights will receive proportionally higher traffic.

        serviceAccount string -

        The service account associated with the workload if a sidecar
        -is present in the workload. The service account must be present
        -in the same namespace as the configuration ( WorkloadEntry or a
        +

        The service account associated with the workload if a sidecar +is present in the workload. The service account must be present +in the same namespace as the configuration ( WorkloadEntry or a ServiceEntry)
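Review bot: the locality description still reads "the locality of an an endpoint in US" (doubled "an") on both the old and new side of this hunk, and "endpoints parent locality (but within the same network ID) will be chosen" is missing "in the"; suggest "the locality of an endpoint in US" and "endpoints in the parent locality" in the upstream proto comment so the regenerated page is clean.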

        @@ -79,7 +79,7 @@

        WorkloadGroup

        @@ -91,10 +91,10 @@

        WorkloadGroup

        @@ -106,7 +106,7 @@

        WorkloadGroup

        @@ -144,7 +144,7 @@

        ReadinessProbe

        @@ -156,7 +156,7 @@

        ReadinessProbe

        @@ -168,7 +168,7 @@

        ReadinessProbe

        @@ -180,7 +180,7 @@

        ReadinessProbe

        @@ -192,7 +192,7 @@

        ReadinessProbe

        @@ -263,7 +263,7 @@

        HTTPHealthCheckConfig

        @@ -286,7 +286,7 @@

        HTTPHealthCheckConfig

        @@ -399,7 +399,7 @@

        ExecHealthCheckConfig

        WorkloadGroup.ObjectMeta

        -

        ObjectMeta describes metadata that will be attached to a WorkloadEntry.
        +

        ObjectMeta describes metadata that will be attached to a WorkloadEntry. It is a subset of the supported Kubernetes metadata.

        metadata ObjectMeta -

        Metadata that will be used for all corresponding WorkloadEntries.
        +

        Metadata that will be used for all corresponding WorkloadEntries. User labels for a workload group should be set here in metadata rather than in template.

        template WorkloadEntry -

        Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup.
        -Please note that address and labels fields should not be set in the template, and an empty serviceAccount
        -should default to default. The workload identities (mTLS certificates) will be bootstrapped using the
        -specified service account's token. Workload entries in this group will be in the same namespace as the
        +

        Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. +Please note that address and labels fields should not be set in the template, and an empty serviceAccount +should default to default. The workload identities (mTLS certificates) will be bootstrapped using the +specified service account's token. Workload entries in this group will be in the same namespace as the workload group, and inherit the labels and annotations from the above metadata field.

        probe ReadinessProbe -

        ReadinessProbe describes the configuration the user must provide for healthchecking on their workload.
        +

        ReadinessProbe describes the configuration the user must provide for healthchecking on their workload. This configuration mirrors K8S in both syntax and logic for the most part.

        timeoutSeconds int32 -

        Number of seconds after which the probe times out.
        +

        Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.

        periodSeconds int32 -

        How often (in seconds) to perform the probe.
        +

        How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1 second.

        successThreshold int32 -

        Minimum consecutive successes for the probe to be considered successful after having failed.
        +

        Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1 second.

        failureThreshold int32 -

        Minimum consecutive failures for the probe to be considered failed after having succeeded.
        +

        Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3 seconds.

        httpGet HTTPHealthCheckConfig (oneof) -

        httpGet is performed to a given endpoint
        +

        httpGet is performed to a given endpoint and the status/able to connect determines health.

        host string -

        Host name to connect to, defaults to the pod IP. You probably want to set
        +

        Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

        httpHeaders HTTPHeader[] -

        Headers the proxy will pass on to make the request.
        +

        Headers the proxy will pass on to make the request. Allows repeated headers.
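Review bot: the ReadinessProbe successThreshold and failureThreshold descriptions now read "Defaults to 1 second." and "Defaults to 3 seconds.", but both fields are counts of consecutive probe results, not durations; the paragraph above says the probe "mirrors K8S in both syntax and logic", and the Kubernetes defaults are 1 and 3 with no unit. Suggest "Defaults to 1." and "Defaults to 3." in the source comment. The timeoutSeconds and periodSeconds lines, which really are in seconds, are correct as written.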

        diff --git a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html index cbdf0aced391b..5aed926a36e3d 100644 --- a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -10,15 +10,15 @@ aliases: [/docs/reference/config/extensions/v1alpha1/wasm-plugin] number_of_entries: 6 --- -

        WasmPlugins provides a mechanism to extend the functionality provided by
        +

        WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.

        -

        Order of execution (as part of Envoy's filter chain) is determined by
        -phase and priority settings, allowing the configuration of complex
        -interactions between user-supplied WasmPlugins and Istio's internal
        +

        Order of execution (as part of Envoy's filter chain) is determined by +phase and priority settings, allowing the configuration of complex +interactions between user-supplied WasmPlugins and Istio's internal filters.

        Examples:

        -

        AuthN Filter deployed to ingress-gateway that implements an OpenID flow
        -and populates the Authorization header with a JWT to be consumed by
        +

        AuthN Filter deployed to ingress-gateway that implements an OpenID flow +and populates the Authorization header with a JWT to be consumed by Istio AuthN.

        apiVersion: extensions.istio.io/v1alpha1
         kind: WasmPlugin
        @@ -101,18 +101,18 @@
             - name: TRUST_DOMAIN
               value: "cluster.local"
         
        -

        And a more complex example that deploys three WasmPlugins and orders them
        -using phase and priority. The (hypothetical) setup is that the
        -openid-connect filter performs an OpenID Connect flow to authenticate the
        -user, writing a signed JWT into the Authorization header of the request,
        -which can be verified by the Istio authn plugin. Then, the acl-check plugin
        -kicks in, passing the JWT to a policy server, which in turn responds with a
        -signed token that contains information about which files and functions of the
        -system are available to the user that was previously authenticated. The
        -acl-check filter writes this token to a header. Finally, the check-header
        -filter verifies the token in that header and makes sure that the token's
        +

        And a more complex example that deploys three WasmPlugins and orders them +using phase and priority. The (hypothetical) setup is that the +openid-connect filter performs an OpenID Connect flow to authenticate the +user, writing a signed JWT into the Authorization header of the request, +which can be verified by the Istio authn plugin. Then, the acl-check plugin +kicks in, passing the JWT to a policy server, which in turn responds with a +signed token that contains information about which files and functions of the +system are available to the user that was previously authenticated. The +acl-check filter writes this token to a header. Finally, the check-header +filter verifies the token in that header and makes sure that the token's contents (the permitted 'function') matches its plugin configuration.

        -

        The resulting filter chain looks like this:
        +

        The resulting filter chain looks like this: -> openid-connect -> istio.authn -> acl-check -> check-header -> router

        apiVersion: extensions.istio.io/v1alpha1
         kind: WasmPlugin
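Review bot: the filter-chain diagram after "The resulting filter chain looks like this:" now appears on the same line as that sentence ("... looks like this: -> openid-connect -> istio.authn -> acl-check -> check-header -> router"), whereas the old side kept it separate; please confirm Goldmark still emits it as a pre/code block rather than folding it into the paragraph, since a leading "->" in running text is easy to misread as part of the sentence.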
        @@ -171,7 +171,7 @@
         
         

        WasmPlugin

        -

        WasmPlugins provides a mechanism to extend the functionality provided by
        +

        WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.

        @@ -188,11 +188,11 @@

        WasmPlugin

        @@ -204,10 +204,10 @@

        WasmPlugin

        @@ -219,10 +219,10 @@

        WasmPlugin

        @@ -234,11 +234,11 @@

        WasmPlugin

        @@ -250,9 +250,9 @@

        WasmPlugin

        @@ -275,8 +275,8 @@

        WasmPlugin

        @@ -299,11 +299,11 @@

        WasmPlugin

        @@ -315,7 +315,7 @@

        WasmPlugin

        @@ -328,7 +328,7 @@

        WasmPlugin

        VmConfig

        -

        Configuration for a Wasm VM.
        +

        Configuration for a Wasm VM. more details can be found here.

        selector WorkloadSelector -

        Criteria used to select the specific set of pods/VMs on which
        -this plugin configuration should be applied. If omitted, this
        -configuration will be applied to all workload instances in the same
        -namespace. If the WasmPlugin is present in the config root
        -namespace, it will be applied to all applicable workloads in any
        +

        Criteria used to select the specific set of pods/VMs on which +this plugin configuration should be applied. If omitted, this +configuration will be applied to all workload instances in the same +namespace. If the WasmPlugin is present in the config root +namespace, it will be applied to all applicable workloads in any namespace.

        url string -

        URL of a Wasm module or OCI container. If no scheme is present,
        -defaults to oci://, referencing an OCI image. Other valid schemes
        -are file:// for referencing .wasm module files present locally
        -within the proxy container, and http[s]:// for .wasm module files
        +

        URL of a Wasm module or OCI container. If no scheme is present, +defaults to oci://, referencing an OCI image. Other valid schemes +are file:// for referencing .wasm module files present locally +within the proxy container, and http[s]:// for .wasm module files hosted remotely.

        sha256 string -

        SHA256 checksum that will be used to verify Wasm module or OCI container.
        -If the url field already references a SHA256 (using the @sha256:
        -notation), it must match the value of this field. If an OCI image is
        -referenced by tag and this field is set, its checksum will be verified
        +

        SHA256 checksum that will be used to verify Wasm module or OCI container. +If the url field already references a SHA256 (using the @sha256: +notation), it must match the value of this field. If an OCI image is +referenced by tag and this field is set, its checksum will be verified against the contents of this field after pulling.

        imagePullPolicy PullPolicy -

        The pull behaviour to be applied when fetching Wasm module by either
        -OCI image or http/https. Only relevant when referencing Wasm module without
        -any digest, including the digest in OCI image URL or sha256 field in vm_config.
        -Defaults to IfNotPresent, except when an OCI image is referenced in the url
        -and the latest tag is used, in which case Always is the default,
        +

        The pull behaviour to be applied when fetching Wasm module by either +OCI image or http/https. Only relevant when referencing Wasm module without +any digest, including the digest in OCI image URL or sha256 field in vm_config. +Defaults to IfNotPresent, except when an OCI image is referenced in the url +and the latest tag is used, in which case Always is the default, mirroring K8s behaviour.

        imagePullSecret string -

        Credentials to use for OCI image pulling.
        -Name of a K8s Secret in the same namespace as the WasmPlugin that
        -contains a docker pull secret which is to be used to authenticate
        +

        Credentials to use for OCI image pulling. +Name of a K8s Secret in the same namespace as the WasmPlugin that +contains a docker pull secret which is to be used to authenticate against the registry when pulling the image.

        pluginName string -

        The plugin name to be used in the Envoy configuration (used to be called
        -rootID). Some .wasm modules might require this value to select the Wasm
        +

        The plugin name to be used in the Envoy configuration (used to be called +rootID). Some .wasm modules might require this value to select the Wasm plugin to execute.

        priority Int64Value -

        Determines ordering of WasmPlugins in the same phase.
        -When multiple WasmPlugins are applied to the same workload in the
        -same phase, they will be applied by priority, in descending order.
        -If priority is not set, or two WasmPlugins exist with the same
        -value, the ordering will be deterministically derived from name and
        +

        Determines ordering of WasmPlugins in the same phase. +When multiple WasmPlugins are applied to the same workload in the +same phase, they will be applied by priority, in descending order. +If priority is not set, or two WasmPlugins exist with the same +value, the ordering will be deterministically derived from name and namespace of the WasmPlugins. Defaults to 0.

        vmConfig VmConfig -

        Configuration for a Wasm VM.
        +

        Configuration for a Wasm VM. more details can be found here.
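Review bot: both VmConfig descriptions in this region ("Configuration for a Wasm VM. more details can be found here.") depend on a link whose target is not visible in the rendered text; confirm the "here" anchor survived the Goldmark rendering, and capitalise "More" after the full stop. In the same region the sha256 and imagePullPolicy texts are what operators rely on for pinning Wasm modules (a digest in the url via the "@sha256:" notation, or the sha256 field, is what makes imagePullPolicy irrelevant), so it is worth checking that the literal "@sha256:" and the "IfNotPresent"/"Always" names came through the new renderer unchanged.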

        @@ -345,7 +345,7 @@

        VmConfig

        @@ -372,7 +372,7 @@

        EnvVar

        @@ -384,7 +384,7 @@

        EnvVar

        @@ -396,8 +396,8 @@

        EnvVar

        @@ -423,8 +423,8 @@

        PluginPhase

        @@ -455,7 +455,7 @@

        PluginPhase

        PullPolicy

        -

        The pull behaviour to be applied when fetching a Wam module,
        +

        The pull behaviour to be applied when fetching a Wam module, mirroring K8s behaviour.
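Review bot: the typo "Wam module" survives in the regenerated line "The pull behaviour to be applied when fetching a Wam module, mirroring K8s behaviour." Since this text is being regenerated anyway, correct it to "Wasm module" at the source it is generated from (the istio/api comment, per the PR subject).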

        env EnvVar[] -

        Specifies environment variables to be injected to this VM.
        +

        Specifies environment variables to be injected to this VM. Note that if a key does not exist, it will be ignored.

        name string -

        Required
        +

        Required Name of the environment variable. Must be a C_IDENTIFIER.

        valueFrom EnvValueSource -

        Required
        +

        Required Source for the environment variable's value.
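Review bot: the new lines "Required Name of the environment variable. Must be a C_IDENTIFIER." and "Required Source for the environment variable's value." run the Required marker straight into the description, where the old lines had "Required" on a line of its own. Check that the Goldmark output still renders the marker as a distinct badge (or adds punctuation after it); otherwise the field descriptions read as "Required Name" and "Required Source".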

        value string -

        Value for the environment variable.
        -Note that if value_from is HOST, it will be ignored.
        +

        Value for the environment variable. +Note that if value_from is HOST, it will be ignored. Defaults to "".

        UNSPECIFIED_PHASE -

        Control plane decides where to insert the plugin. This will generally
        -be at the end of the filter chain, right before the Router.
        +

        Control plane decides where to insert the plugin. This will generally +be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others.

        @@ -469,7 +469,7 @@

        PullPolicy

        @@ -477,8 +477,8 @@

        PullPolicy

        @@ -486,7 +486,7 @@

        PullPolicy

        diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html index df3a10b883f67..5587f17689834 100644 --- a/content/en/docs/reference/config/security/authorization-policy/index.html +++ b/content/en/docs/reference/config/security/authorization-policy/index.html @@ -12,8 +12,8 @@ number_of_entries: 9 ---

        Istio Authorization Policy enables access control on workloads in the mesh.

        -

        Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions
        -are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action.
        +

        Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions +are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. The evaluation is determined by the following rules:

        1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
        2. @@ -22,15 +22,15 @@
        3. If any of the ALLOW policies match the request, allow the request.
        4. Deny the request.
        -

        Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
        -AUDIT policies do not affect whether requests are allowed or denied to the workload.
        +

        Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. +AUDIT policies do not affect whether requests are allowed or denied to the workload. Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions.

        -

        A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
        -A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
        -The request will not be audited if there are no such supporting plugins enabled.
        +

        A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. +A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. +The request will not be audited if there are no such supporting plugins enabled. Currently, the only supported plugin is the Stackdriver plugin.

        Here is an example of Istio Authorization Policy:

        -

        It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW"
        +

        It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW" but it is useful to be explicit in the policy.

        It allows requests from:
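Review bot: in the evaluation-order list, item 2 shows only the hunk header "@@ -22,15 +22,15 @@", so the DENY step that the preceding sentence places between the CUSTOM evaluation (item 1) and the ALLOW evaluation (item 3) cannot be checked in this view. Confirm the rendered page keeps all four steps in order, since CUSTOM, then DENY, then ALLOW, then deny-by-default is exactly the precedence readers rely on when reasoning about a policy set.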

          @@ -68,8 +68,8 @@ - key: request.auth.claims[iss] values: ["https://accounts.google.com"] -

          The following is another example that sets action to "DENY" to create a deny policy.
          -It denies requests from the "dev" namespace to the "POST" method on all workloads
          +

          The following is another example that sets action to "DENY" to create a deny policy. +It denies requests from the "dev" namespace to the "POST" method on all workloads in the "foo" namespace.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
          @@ -86,7 +86,7 @@
               - operation:
                   methods: ["POST"]
           
          -

          The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the
          +

          The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the prefix "/user/profile".

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
          @@ -104,15 +104,15 @@
                   methods: ["GET"]
                   paths: ["/user/profile/*"]
           
          -

          Authorization Policy scope (target) is determined by "metadata/namespace" and
          +

          Authorization Policy scope (target) is determined by "metadata/namespace" and an optional "selector".

            -
          • "metadata/namespace" tells which namespace the policy applies. If set to root
            +
          • "metadata/namespace" tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
          • workload "selector" can be used to further restrict where a policy applies.

          For example,

          -

          The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
          +

          The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies all requests to workloads in namespace foo.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
          @@ -132,7 +132,7 @@
            rules:
            - {}
           
          -

          The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
          +

          The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows nothing and effectively denies all requests to the selected workloads.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
          @@ -144,7 +144,7 @@
               matchLabels:
                 app: httpbin
           
          -

          The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
          +

          The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh. (Assuming the root namespace is configured to "istio-system").

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
          @@ -175,8 +175,8 @@ 

          AuthorizationPolicy

        @@ -225,8 +225,8 @@

        AuthorizationPolicy

        Rule

        -

        Rule matches requests from a list of sources that perform a list of operations subject to a
        -list of conditions. A match occurs when at least one source, one operation and all conditions
        +

        Rule matches requests from a list of sources that perform a list of operations subject to a +list of conditions. A match occurs when at least one source, one operation and all conditions matches the request. An empty rule is always matched.

        Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

          @@ -287,9 +287,9 @@

          Rule

        Source

        -

        Source specifies the source identities of a request. Fields in the source are
        +

        Source specifies the source identities of a request. Fields in the source are ANDed together.

        -

        For example, the following source matches if the principal is "admin" or "dev"
        +

        For example, the following source matches if the principal is "admin" or "dev" and the namespace is "prod" or "test" and the ip is not "1.2.3.4".

        principals: ["admin", "dev"]
         namespaces: ["prod", "test"]
        @@ -310,8 +310,8 @@ 

        Source

        @@ -586,7 +586,7 @@

        Condition

        @@ -598,7 +598,7 @@

        Condition

        @@ -625,7 +625,7 @@

        AuthorizationPolicy.ExtensionProv

        @@ -728,16 +728,16 @@

        AuthorizationPolicy.Action

        @@ -63,9 +63,9 @@

        JWTRule

        @@ -133,12 +133,12 @@

        JWTRule

        @@ -150,8 +150,8 @@

        JWTRule

        @@ -202,8 +202,8 @@

        JWTHeader

        diff --git a/content/en/docs/reference/config/security/peer_authentication/index.html b/content/en/docs/reference/config/security/peer_authentication/index.html index da546d9c40c95..7f7cfc272dde4 100644 --- a/content/en/docs/reference/config/security/peer_authentication/index.html +++ b/content/en/docs/reference/config/security/peer_authentication/index.html @@ -25,7 +25,7 @@

        PeerAuthentication

        mode: STRICT

        For mesh level, put the policy in root-namespace according to your Istio installation.

        -

        Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but
        +

        Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but require mTLS for workload finance.

        apiVersion: security.istio.io/v1beta1
         kind: PeerAuthentication
        @@ -48,7 +48,7 @@ 

        PeerAuthentication

        mtls: mode: STRICT
        -

        Policy to allow mTLS strict for all workloads, but leave port 8080 to
        +

        Policy to allow mTLS strict for all workloads, but leave port 8080 to plaintext:

        apiVersion: security.istio.io/v1beta1
         kind: PeerAuthentication
        @@ -65,7 +65,7 @@ 

        PeerAuthentication

        8080: mode: DISABLE
        -

        Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
        +

        Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080

        apiVersion: security.istio.io/v1beta1
         kind: PeerAuthentication
        @@ -97,7 +97,7 @@ 

        PeerAuthentication

        @@ -120,7 +120,7 @@

        PeerAuthentication

        diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html index a08d8e82fd1f8..78df3bad23197 100644 --- a/content/en/docs/reference/config/security/request_authentication/index.html +++ b/content/en/docs/reference/config/security/request_authentication/index.html @@ -12,11 +12,11 @@ ---

        RequestAuthentication

        -

        RequestAuthentication defines what request authentication methods are supported by a workload.
        -It will reject a request if the request contains invalid authentication information, based on the
        -configured authentication rules. A request that does not contain any authentication credentials
        -will be accepted but will not have any authenticated identity. To restrict access to authenticated
        -requests only, this should be accompanied by an authorization rule.
        +

        RequestAuthentication defines what request authentication methods are supported by a workload. +It will reject a request if the request contains invalid authentication information, based on the +configured authentication rules. A request that does not contain any authentication credentials +will be accepted but will not have any authenticated identity. To restrict access to authenticated +requests only, this should be accompanied by an authorization rule. Examples:

        • Require JWT for all request for workloads that have label app:httpbin
        • @@ -49,8 +49,8 @@

          RequestAuthentication

          requestPrincipals: ["*"]
            -
          • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
            -in a mesh. The following policy makes all workloads only accept requests that contain a
            +
          • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces +in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
          apiVersion: security.istio.io/v1beta1
          @@ -75,8 +75,8 @@ 

          RequestAuthentication

          requestPrincipals: ["*"]
            -
          • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication
            -declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly
            +
          • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication +declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly set from the OpenID Connect spec).
          apiVersion: security.istio.io/v1beta1
          @@ -116,8 +116,8 @@ 

          RequestAuthentication

          hosts: ["another-host.com"]
            -
          • You can fine tune the authorization policy to set different requirement per path. For example,
            -to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the
            +
          • You can fine tune the authorization policy to set different requirement per path. For example, +to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the authorization policy could be:
          apiVersion: security.istio.io/v1beta1
          @@ -137,11 +137,11 @@ 

          RequestAuthentication

          - operation: paths: ["/healthz"]
          -

          [Experimental] Routing based on derived metadata
          -is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request.
          +

          [Experimental] Routing based on derived metadata +is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:

            -
          • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name
            +
          • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name currently does not support the . character. Examples: request.auth.claims.sub and request.auth.claims.name.givenName.

          The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:

          @@ -217,8 +217,8 @@

          RequestAuthentication

        diff --git a/content/en/docs/reference/config/telemetry/index.html b/content/en/docs/reference/config/telemetry/index.html index a804b1b146268..fcd55d89239ed 100644 --- a/content/en/docs/reference/config/telemetry/index.html +++ b/content/en/docs/reference/config/telemetry/index.html @@ -11,11 +11,11 @@ number_of_entries: 18 ---

        Telemetry defines how the telemetry is generated for workloads within a mesh.

        -

        For mesh level configuration, put the resource in root configuration
        +

        For mesh level configuration, put the resource in root configuration namespace for your Istio installation without a workload selector.

        -

        For any namespace, including the root configuration namespace, it is only
        +

        For any namespace, including the root configuration namespace, it is only valid to have a single workload selector-less Telemetry resource.

        -

        For resources with a workload selector, it is only valid to have one resource
        +

        For resources with a workload selector, it is only valid to have one resource selecting any given workload.

        The hierarchy of Telemetry configuration is as follows:

          @@ -35,7 +35,7 @@ tracing: - randomSamplingPercentage: 10.00 -

          Policy to disable trace reporting for the "foo" workload (note: tracing
          +

          Policy to disable trace reporting for the "foo" workload (note: tracing context will still be propagated):

          apiVersion: telemetry.istio.io/v1alpha1
           kind: Telemetry
          @@ -115,7 +115,7 @@
                   request_host:
                     value: "request.host"
           
          -

          Policy to remove the response_code dimension on some Prometheus metrics for
          +

          Policy to remove the response_code dimension on some Prometheus metrics for the bar.foo workload:

          apiVersion: telemetry.istio.io/v1alpha1
           kind: Telemetry
          @@ -196,8 +196,8 @@ 

          Telemetry

        @@ -209,7 +209,7 @@

        Telemetry

        @@ -221,7 +221,7 @@

        Telemetry

        @@ -233,7 +233,7 @@

        Telemetry

        @@ -246,13 +246,13 @@

        Telemetry

        Tracing

        -

        Tracing configures tracing behavior for workloads within a mesh.
        -It can be used to enable/disable tracing, as well as to set sampling
        +

        Tracing configures tracing behavior for workloads within a mesh. +It can be used to enable/disable tracing, as well as to set sampling rates and custom tag extraction.

        -

        Tracing configuration support overrides of the fields providers,
        -random_sampling_percentage, disable_span_reporting, and custom_tags at
        -each level in the configuration hierarchy, with missing values filled in
        -from parent resources. However, when specified, custom_tags will
        +

        Tracing configuration support overrides of the fields providers, +random_sampling_percentage, disable_span_reporting, and custom_tags at +each level in the configuration hierarchy, with missing values filled in +from parent resources. However, when specified, custom_tags will fully replace any values provided by parent configuration.
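Review bot: "Tracing configuration support overrides of the fields providers, random_sampling_percentage, disable_span_reporting, and custom_tags" should read "supports"; the slip is in the new line. The sentence that follows, that custom_tags fully replace parent values rather than merging, is the one readers need, so it is worth keeping it as its own sentence instead of tacking it onto the "However" clause.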

        UNSPECIFIED_POLICY -

        Defaults to IfNotPresent, except for OCI images with tag latest, for which
        +

        Defaults to IfNotPresent, except for OCI images with tag latest, for which the default will be Always.

        IfNotPresent -

        If an existing version of the image has been pulled before, that
        -will be used. If no version of the image is present locally, we
        +

        If an existing version of the image has been pulled before, that +will be used. If no version of the image is present locally, we will pull the latest version.

        Always -

        We will always pull the latest version of an image when changing
        +

        We will always pull the latest version of an image when changing this plugin. Note that the change includes metadata field as well.

        selector WorkloadSelector -

        Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
        -in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
        +

        Optional. The selector decides where to apply the authorization policy. The selector will match with workloads +in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

        If not set, the selector will match all workloads.

        @@ -190,7 +190,7 @@

        AuthorizationPolicy

        Rule[]

        Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

        -

        If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if
        +

        If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW.
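Review bot: the new sentence "If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW." covers only ALLOW; spell out the DENY case as well (with rules unset a DENY policy never matches, so it denies nothing). The contrast with the example above that uses "rules: - {}" together with "An empty rule is always matched" is the footgun to call out: an omitted rules list and a single empty rule behave in opposite ways.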

        principals string[] -

        Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
        -"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage".
        +

        Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of +"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". This field requires mTLS enabled and is the same as the source.principal attribute.

        If not set, any principal is allowed.

        @@ -335,8 +335,8 @@

        Source

        requestPrincipals string[] -

        Optional. A list of request identities derived from the JWT. The request identity is in the format of
        -"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the
        +

        Optional. A list of request identities derived from the JWT. The request identity is in the format of +"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the same as the request.auth.principal attribute.

        If not set, any request principal is allowed.

        @@ -360,7 +360,7 @@

        Source

        namespaces string[] -

        Optional. A list of namespaces derived from the peer certificate.
        +

        Optional. A list of namespaces derived from the peer certificate. This field requires mTLS enabled and is the same as the source.namespace attribute.

        If not set, any namespace is allowed.

        @@ -384,7 +384,7 @@

        Source

        ipBlocks string[] -

        Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and
        +

        Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the source.ip attribute.

        If not set, any IP is allowed.

        @@ -408,11 +408,11 @@

        Source

        remoteIpBlocks string[] -

        Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol.
        -To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig
        -when you install Istio or using an annotation on the ingress gateway. See the documentation here:
        -Configuring Gateway Network Topology.
        -Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
        +

        Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. +To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig +when you install Istio or using an annotation on the ingress gateway. See the documentation here: +Configuring Gateway Network Topology. +Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the remote.ip attribute.

        If not set, any IP is allowed.

        @@ -437,9 +437,9 @@

        Source

        Operation

        -

        Operation specifies the operations of a request. Fields in the operation are
        +

        Operation specifies the operations of a request. Fields in the operation are ANDed together.

        -

        For example, the following operation matches if the host has suffix ".example.com"
        +

        For example, the following operation matches if the host has suffix ".example.com" and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".

        hosts: ["*.example.com"]
         methods: ["GET", "HEAD"]
        @@ -460,8 +460,8 @@ 

        Operation

        hosts string[] -

        Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive.
        -See the security best practices for
        +

        Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. +See the security best practices for recommended usage of this field.

        If not set, any host is allowed. Must be used only with HTTP.

        @@ -508,7 +508,7 @@

        Operation

        methods string[] -

        Optional. A list of methods as specified in the HTTP request.
        +

        Optional. A list of methods as specified in the HTTP request. For gRPC service, this will always be "POST".

        If not set, any method is allowed. Must be used only with HTTP.

        @@ -532,8 +532,8 @@

        Operation

        paths string[] -

        Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization
        -for details of the path normalization.
        +

        Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization +for details of the path normalization. For gRPC service, this will be the fully-qualified name in the form of "/package.service/method".

        If not set, any path is allowed. Must be used only with HTTP.

        @@ -574,7 +574,7 @@

        Condition

        key string -

        The name of an Istio attribute.
        +

        The name of an Istio attribute. See the full list of supported attributes.

        values string[] -

        Optional. A list of allowed values for the attribute.
        +

        Optional. A list of allowed values for the attribute. Note: at least one of values or not_values must be set.

        notValues string[] -

        Optional. A list of negative match of values for the attribute.
        +

        Optional. A list of negative match of values for the attribute. Note: at least one of values or not_values must be set.
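Review bot: the new lines for values and notValues say "at least one of values or not_values must be set", using the proto name not_values while the field itself is documented as notValues. The same mismatch appears at "Note that if value_from is HOST, it will be ignored" under the valueFrom field and in the Tracing text's random_sampling_percentage, disable_span_reporting and custom_tags. Use the camelCase names the YAML examples use, or render the proto names as code so the difference is at least visible to a reader grepping their manifests.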

        name string -

        Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig.
        +

        Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

        CUSTOM -

        The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true.
        -The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request
        -is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the
        -authorization decision made by ALLOW and DENY action.
        -Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to
        -the extension by specifying the name of the provider.
        -One example use case of the extension is to integrate with a custom external authorization system to delegate
        +

        The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. +The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request +is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the +authorization decision made by ALLOW and DENY action. +Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to +the extension by specifying the name of the provider. +One example use case of the extension is to integrate with a custom external authorization system to delegate the authorization decision to it.

        Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

        -

        The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension
        +

        The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension "my-custom-authz" if the request path has prefix "/admin/".

        apiVersion: security.istio.io/v1beta1
         kind: AuthorizationPolicy
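Review bot: in the regenerated CUSTOM text, "When used together, A request is allowed if and only if all the actions return allow" has a stray capital in "A request", and "the authorization decision made by ALLOW and DENY action" wants "actions". The substance, that CUSTOM is evaluated before the native actions but cannot override an ALLOW or DENY outcome, is the key security property of this action and is stated clearly otherwise; keep the "alpha feature" note adjacent to it as it is here.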
        diff --git a/content/en/docs/reference/config/security/jwt/index.html b/content/en/docs/reference/config/security/jwt/index.html
        index 1140a31a09e45..35690218ff4be 100644
        --- a/content/en/docs/reference/config/security/jwt/index.html
        +++ b/content/en/docs/reference/config/security/jwt/index.html
        @@ -12,21 +12,21 @@
         ---
         

        JWTRule

        -

        JSON Web Token (JWT) token format for authentication as defined by
        -RFC 7519. See OAuth 2.0 and
        -OIDC 1.0 for how this is used in the whole
        +

        JSON Web Token (JWT) token format for authentication as defined by +RFC 7519. See OAuth 2.0 and +OIDC 1.0 for how this is used in the whole authentication flow.

        Examples:

        -

        Spec for a JWT that is issued by https://example.com, with the audience claims must be either
        -bookstore_android.apps.example.com or bookstore_web.apps.example.com.
        -The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS)
        +

        Spec for a JWT that is issued by https://example.com, with the audience claims must be either +bookstore_android.apps.example.com or bookstore_web.apps.example.com. +The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) will be discovered following OpenID Connect protocol.

        issuer: https://example.com
         audiences:
         - bookstore_android.apps.example.com
           bookstore_web.apps.example.com
         
        -

        This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also
        +

        This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also defines the URI to fetch JWKS explicitly.

        issuer: https://example.com
         jwksUri: https://example.com/.secret/jwks.json
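Review bot: in the audiences example, the second list line "bookstore_web.apps.example.com" carries no "- " marker in the rendered hunk, unlike "- bookstore_android.apps.example.com" above it. If that is what the page ships, YAML folds the two lines into one plain scalar and the example documents a single audience rather than two; check the rendered block. Also the new lead-in "with the audience claims must be either" is ungrammatical ("whose audience claim must be either").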
        @@ -48,10 +48,10 @@ 

        JWTRule

        issuer string -

        Identifies the issuer that issued the JWT. See
        -issuer
        +

        Identifies the issuer that issued the JWT. See +issuer A JWT with different iss claim will be rejected.

        -

        Example: https://foobar.auth0.com
        +

        Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com

        audiences string[] -

        The list of JWT
        -audiences.
        -that are allowed to access. A JWT containing any of these
        +

        The list of JWT +audiences. +that are allowed to access. A JWT containing any of these audiences will be accepted.

        The service name will be accepted if audiences is empty.

        Example:
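Review bot: the joined issuer text collapses two separate examples into one run-on line, "Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com"; keep them on separate lines or as a two-item list so a reader does not take the whole string as one issuer value. In the audiences description just below, "The list of JWT audiences. that are allowed to access" carries a stray period that splits the sentence; it should read "The list of JWT audiences that are allowed to access."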

        @@ -83,12 +83,12 @@

        JWTRule

        jwksUri string -

        URL of the provider's public key set to validate signature of the
        +

        URL of the provider's public key set to validate signature of the JWT. See OpenID Discovery.

        -

        Optional if the key set document can either (a) be retrieved from
        -OpenID
        -Discovery
        of
        -the issuer or (b) inferred from the email domain of the issuer (e.g. a
        +

        Optional if the key set document can either (a) be retrieved from +OpenID +Discovery of +the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account).

        Example: https://www.googleapis.com/oauth2/v1/certs

        Note: Only one of jwksUri and jwks should be used.

        @@ -102,7 +102,7 @@

        JWTRule

        jwks string -

        JSON Web Key Set of public keys to validate signature of the JWT.
        +

        JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.

        Note: Only one of jwksUri and jwks should be used.

        @@ -115,13 +115,13 @@

        JWTRule

        fromHeaders JWTHeader[] -

        List of header locations from which JWT is expected. For example, below is the location spec
        +

        List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in x-jwt-assertion header, and have "Bearer " prefix:

          fromHeaders:
           - name: x-jwt-assertion
             prefix: "Bearer "
         
        -

        Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
        +

        Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

        fromParams string[] -

        List of query parameters from which JWT is expected. For example, if JWT is provided via query
        -parameter my_token (e.g /path?my_token=), the config is:

        +

        List of query parameters from which JWT is expected. For example, if JWT is provided via query +parameter my_token (e.g /path?my_token=), the config is:

          fromParams:
           - "my_token"
         
        -

        Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
        +

        Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

        outputPayloadToHeader string -

        This field specifies the header name to output a successfully verified JWT payload to the
        -backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified,
        +

        This field specifies the header name to output a successfully verified JWT payload to the +backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted.

        prefix string -

        The prefix that should be stripped before decoding the token.
        -For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end.
        +

        The prefix that should be stripped before decoding the token. +For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end. If the header doesn't have this exact prefix, it is considered invalid.

        selector WorkloadSelector -

        The selector determines the workloads to apply the ChannelAuthentication on.
        +

        The selector determines the workloads to apply the ChannelAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.

        portLevelMtls map<uint32, MutualTLS> -

        Port specific mutual TLS settings. These only apply when a workload selector
        +

        Port specific mutual TLS settings. These only apply when a workload selector is specified.

        selector WorkloadSelector -

        Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
        -in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
        +

        Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads +in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

        If not set, the selector will match all workloads.
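Review bot: the selector description in this hunk refers to "ChannelAuthentication", a name that appears nowhere else in these reference pages; the adjacent portLevelMtls field (port-specific mutual TLS settings) and the request authentication selector that follows suggest it is a stale name for the peer authentication policy. Correct it so readers can tell which resource this selector belongs to.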

        @@ -231,12 +231,12 @@

        RequestAuthentication

        jwtRules JWTRule[] -

        Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
        -will be used to extract the authenticated identity.
        -Each rule will be activated only when a token is presented at the location recognized by the
        -rule. The token will be validated based on the JWT rule config. If validation fails, the request will
        -be rejected.
        -Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
        +

        Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token +will be used to extract the authenticated identity. +Each rule will be activated only when a token is presented at the location recognized by the +rule. The token will be validated based on the JWT rule config. If validation fails, the request will +be rejected. +Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

        selector WorkloadSelector -

        Optional. The selector decides where to apply the Telemetry policy.
        -If not set, the Telemetry policy will be applied to all workloads in the
        +

        Optional. The selector decides where to apply the Telemetry policy. +If not set, the Telemetry policy will be applied to all workloads in the same namespace as the Telemetry policy.

        tracing Tracing[] -

        Optional. Tracing configures the tracing behavior for all
        +

        Optional. Tracing configures the tracing behavior for all selected workloads.

        metrics Metrics[] -

        Optional. Metrics configure the metrics behavior for all
        +

        Optional. Metrics configure the metrics behavior for all selected workloads.

        accessLogging AccessLogging[] -

        Optional. AccessLogging configures the access logging behavior for all
        +

        Optional. AccessLogging configures the access logging behavior for all selected workloads.
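Review bot: the jwtRules description says a rule is activated only when a token is presented at a recognized location and that a failing token is rejected, but it never states what happens to a request that carries no token at all; since no rule activates in that case, the request passes this policy without an authenticated identity. The docs should say so explicitly and point operators to an authorization policy as the place to require a principal, so nobody assumes RequestAuthentication alone enforces authentication.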

        @@ -280,10 +280,10 @@

        Tracing

        @@ -295,13 +295,13 @@

        Tracing

        @@ -313,8 +313,8 @@

        Tracing

        @@ -338,7 +338,7 @@

        Tracing

        ProviderRef

        -

        Used to bind Telemetry configuration to specific providers for
        +

        Used to bind Telemetry configuration to specific providers for targeted customization.

        providers ProviderRef[] -

        Optional. Name of provider(s) to use for span reporting. If a provider is
        -not specified, the default tracing
        -provider
        will be
        -used. NOTE: At the moment, only a single provider can be specified in a
        +

        Optional. Name of provider(s) to use for span reporting. If a provider is +not specified, the default tracing +provider will be +used. NOTE: At the moment, only a single provider can be specified in a given Tracing rule.

        randomSamplingPercentage DoubleValue -

        Controls the rate at which traffic will be selected for tracing if no
        -prior sampling decision has been made. If a prior sampling decision has
        -been made, that decision will be respected. However, if no sampling
        -decision has been made (example: no x-b3-sampled tracing header was
        -present in the requests), the traffic will be selected for telemetry
        +

        Controls the rate at which traffic will be selected for tracing if no +prior sampling decision has been made. If a prior sampling decision has +been made, that decision will be respected. However, if no sampling +decision has been made (example: no x-b3-sampled tracing header was +present in the requests), the traffic will be selected for telemetry generation at the percentage specified.

        -

        Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01%
        +

        Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% increments.

        disableSpanReporting BoolValue -

        Controls span reporting. If set to true, no spans will be reported for
        -impacted workloads. This does NOT impact context propagation or trace
        +

        Controls span reporting. If set to true, no spans will be reported for +impacted workloads. This does NOT impact context propagation or trace sampling behavior.

        @@ -367,8 +367,8 @@

        ProviderRef

        Metrics

        -

        Metrics defines the workload-level overrides for metrics generation behavior
        -within a mesh. It can be used to enable/disable metrics generation, as well
        +

        Metrics defines the workload-level overrides for metrics generation behavior +within a mesh. It can be used to enable/disable metrics generation, as well as to customize the dimensions of the generated metrics.

        @@ -385,9 +385,9 @@

        Metrics

        @@ -400,17 +400,17 @@

        Metrics

        @@ -423,7 +423,7 @@

        Metrics

        MetricSelector

        -

        Provides a mechanism for matching metrics for the application of override
        +

        Provides a mechanism for matching metrics for the application of override behaviors.

        providers ProviderRef[] -

        Optional. Name of providers to which this configuration should apply.
        -If a provider is not specified, the default metrics
        -provider
        will be
        +

        Optional. Name of providers to which this configuration should apply. +If a provider is not specified, the default metrics +provider will be used.

        MetricsOverrides[]

        Optional. Ordered list of overrides to metrics generation behavior.

        -

        Specified overrides will be applied in order. They will be applied on
        -top of inherited overrides from other resources in the hierarchy in the
        +

        Specified overrides will be applied in order. They will be applied on +top of inherited overrides from other resources in the hierarchy in the following order:

        1. Mesh-scoped overrides
        2. Namespace-scoped overrides
        3. Workload-scoped overrides
        -

        Because overrides are applied in order, users are advised to order their
        -overrides from least specific to most specific matches. That is, it is
        -a best practice to list any universal overrides first, with tailored
        +

        Because overrides are applied in order, users are advised to order their +overrides from least specific to most specific matches. That is, it is +a best practice to list any universal overrides first, with tailored overrides following them.
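Review bot: the row that reads only "MetricsOverrides[]" is missing its field name and the trailing "-" marker that every other row in this table carries (compare "providers ProviderRef[] -" just above it), so the rendered table shows a type with no field to attach it to; restore the field name in the template. The ordering text itself is clear: mesh, then namespace, then workload overrides, least specific first.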

        @@ -451,7 +451,7 @@

        MetricSelector

        @@ -463,7 +463,7 @@

        MetricSelector

        @@ -476,7 +476,7 @@

        MetricSelector

        MetricsOverrides

        -

        MetricsOverrides defines custom metric generation behavior for an individual
        +

        MetricsOverrides defines custom metric generation behavior for an individual metric or the set of all standard metrics.

        customMetric string (oneof) -

        Allows free-form specification of a metric. No validation of custom
        +

        Allows free-form specification of a metric. No validation of custom metrics is provided.

        mode WorkloadMode -

        Controls which mode of metrics generation is selected: CLIENT and/or
        +

        Controls which mode of metrics generation is selected: CLIENT and/or SERVER.

        @@ -493,10 +493,10 @@

        MetricsOverrides

        @@ -508,9 +508,9 @@

        MetricsOverrides

        @@ -522,11 +522,11 @@

        MetricsOverrides

        @@ -539,8 +539,8 @@

        MetricsOverrides

        AccessLogging

        -

        Access logging defines the workload-level overrides for access log
        -generation. It can be used to select provider or enable/disable access log
        +

        Access logging defines the workload-level overrides for access log +generation. It can be used to select provider or enable/disable access log generation for a workload.

        match MetricSelector -

        Match allows provides the scope of the override. It can be used to select
        -individual metrics, as well as the workload modes (server and/or client)
        +

        Match allows provides the scope of the override. It can be used to select +individual metrics, as well as the workload modes (server and/or client) in which the metrics will be generated.

        -

        If match is not specified, the overrides will apply to all metrics for
        +

        If match is not specified, the overrides will apply to all metrics for both modes of operation (client and server).

        disabled BoolValue -

        Optional. Must explicitly set this to "true" to turn off metrics reporting
        -for the listed metrics. If disabled has been set to "true" in a parent
        -configuration, it must explicitly be set to "false" to turn metrics
        +

        Optional. Must explicitly set this to "true" to turn off metrics reporting +for the listed metrics. If disabled has been set to "true" in a parent +configuration, it must explicitly be set to "false" to turn metrics reporting on in the workloads selected by the Telemetry resource.

        tagOverrides map<string, TagOverride> -

        Optional. Collection of tag names and tag expressions to override in the
        -selected metric(s).
        -The key in the map is the name of the tag.
        -The value in the map is the operation to perform on the the tag.
        -WARNING: some providers may not support adding/removing tags.
        +

        Optional. Collection of tag names and tag expressions to override in the +selected metric(s). +The key in the map is the name of the tag. +The value in the map is the operation to perform on the the tag. +WARNING: some providers may not support adding/removing tags. See also: https://istio.io/latest/docs/reference/config/metrics/#labels
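Review bot: two typos survive the re-render in this hunk: "Match allows provides the scope of the override" should drop either "allows" or "provides", and "the operation to perform on the the tag" in the tagOverrides description has a doubled "the". Both come from the source comments, so fix them in the proto rather than in the generated HTML.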

        @@ -568,8 +568,8 @@

        AccessLogging

        @@ -581,10 +581,10 @@

        AccessLogging

        @@ -596,7 +596,7 @@

        AccessLogging

        @@ -609,7 +609,7 @@

        AccessLogging

        Tracing.TracingSelector

        -

        TracingSelector provides a coarse-grained ability to configure tracing
        +

        TracingSelector provides a coarse-grained ability to configure tracing behavior based on certain traffic metadata (such as traffic direction).

        providers ProviderRef[] -

        Optional. Name of providers to which this configuration should apply.
        -If a provider is not specified, the default logging
        +

        Optional. Name of providers to which this configuration should apply. +If a provider is not specified, the default logging provider will be used.

        disabled BoolValue -

        Controls logging. If set to true, no access logs will be generated for
        -impacted workloads (for the specified providers).
        -NOTE: currently default behavior will be controlled by the provider(s)
        -selected above. Customization controls will be added to this API in
        +

        Controls logging. If set to true, no access logs will be generated for +impacted workloads (for the specified providers). +NOTE: currently default behavior will be controlled by the provider(s) +selected above. Customization controls will be added to this API in future releases.

        filter Filter -

        Optional. If specified, this filter will be used to select specific
        +

        Optional. If specified, this filter will be used to select specific requests/connections for logging.

        @@ -626,7 +626,7 @@

        Tracing.TracingSelector

        @@ -639,11 +639,11 @@

        Tracing.TracingSelector

        Tracing.CustomTag

        -

        CustomTag defines a tag to be added to a trace span that is based on
        -an operator-supplied value. This value can either be a hard-coded value,
        -a value taken from an environment variable known to the sidecar proxy, or
        +

        CustomTag defines a tag to be added to a trace span that is based on +an operator-supplied value. This value can either be a hard-coded value, +a value taken from an environment variable known to the sidecar proxy, or from a request header.

        -

        NOTE: when specified, custom_tags will fully replace any values provided
        +

        NOTE: when specified, custom_tags will fully replace any values provided by parent configuration.

        mode WorkloadMode -

        This determines whether or not to apply the tracing configuration
        +

        This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload.
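Review bot: the NOTE in the CustomTag description uses the snake_case name "custom_tags" while the rest of this page refers to fields in camelCase ("randomSamplingPercentage", "disableSpanReporting"); use the rendered field name so readers searching the page find the field the note refers to.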

        @@ -682,7 +682,7 @@

        Tracing.CustomTag

        @@ -746,7 +746,7 @@

        Tracing.Environment

        @@ -784,7 +784,7 @@

        Tracing.RequestHeader

        @@ -797,8 +797,8 @@

        Tracing.RequestHeader

        MetricsOverrides.TagOverride

        -

        TagOverride specifies an operation to perform on a metric dimension (also
        -known as a label). Tags may be added, removed, or have their default
        +

        TagOverride specifies an operation to perform on a metric dimension (also +known as a label). Tags may be added, removed, or have their default values overridden.

        header RequestHeader (oneof) -

        RequestHeader adds the value of an header from the request to each
        +

        RequestHeader adds the value of an header from the request to each span.

        defaultValue string -

        Optional. If the environment variable is not found, this value will be
        +

        Optional. If the environment variable is not found, this value will be used instead.

        defaultValue string -

        Optional. If the header is not found, this value will be
        +

        Optional. If the header is not found, this value will be used instead.
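Review bot: "RequestHeader adds the value of an header from the request to each span" should read "a header". Also, the two identical "defaultValue string -" rows that follow differ only in their descriptions (environment variable vs. header); check that the rendered page keeps each one under its owning message heading (Tracing.Environment and Tracing.RequestHeader, both named in the hunk headers above), since the rows are indistinguishable on their own.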

        @@ -826,13 +826,13 @@

        MetricsOverrides.TagOverride

        @@ -845,11 +845,11 @@

        MetricsOverrides.TagOverride

        AccessLogging.LogSelector

        -

        LogSelector provides a coarse-grained ability to configure logging behavior
        -based on certain traffic metadata (such as traffic direction). LogSelector
        -applies to traffic metadata which is not represented in the attribute set
        -currently supported by Filters. It allows control planes to limit the
        -configuration sent to individual workloads. Finer-grained logging behavior
        +

        LogSelector provides a coarse-grained ability to configure logging behavior +based on certain traffic metadata (such as traffic direction). LogSelector +applies to traffic metadata which is not represented in the attribute set +currently supported by Filters. It allows control planes to limit the +configuration sent to individual workloads. Finer-grained logging behavior can be further configured via filter.

        value string -

        Value is only considered if the operation is UPSERT.
        -Values are CEL expressions over
        -attributes. Examples include: "string(destination.port)" and
        -"request.host". Istio exposes all standard Envoy
        -attributes
        .
        -Additionally, Istio exposes node metadata as attributes.
        -More information is provided in the customization
        +

        Value is only considered if the operation is UPSERT. +Values are CEL expressions over +attributes. Examples include: "string(destination.port)" and +"request.host". Istio exposes all standard Envoy +attributes. +Additionally, Istio exposes node metadata as attributes. +More information is provided in the customization docs.

        @@ -866,7 +866,7 @@

        AccessLogging.LogSelector

        @@ -912,8 +912,8 @@

        AccessLogging.Filter

        MetricSelector.IstioMetric

        -

        Curated list of known metric types that is supported by Istio metric
        -providers. See also:
        +

        Curated list of known metric types that is supported by Istio metric +providers. See also: https://istio.io/latest/docs/reference/config/metrics/#metrics

        mode WorkloadMode -

        This determines whether or not to apply the access logging configuration
        +

        This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload.

        @@ -927,7 +927,7 @@

        MetricSelector.IstioMetric

        @@ -935,7 +935,7 @@

        MetricSelector.IstioMetric

        @@ -1058,7 +1058,7 @@

        MetricSelector.IstioMetric

        @@ -1079,7 +1079,7 @@

        MetricsOverrides.TagOverride.Ope

        @@ -1087,7 +1087,7 @@

        MetricsOverrides.TagOverride.Ope

        @@ -1097,11 +1097,11 @@

        MetricsOverrides.TagOverride.Ope

        WorkloadMode

        -

        WorkloadMode allows selection of the role of the underlying workload in
        -network traffic. A workload is considered as acting as a SERVER if it is
        -the destination of the traffic (that is, traffic direction, from the
        -perspective of the workload is inbound). If the workload is the source of
        -the network traffic, it is considered to be in CLIENT mode (traffic is
        +

        WorkloadMode allows selection of the role of the underlying workload in +network traffic. A workload is considered as acting as a SERVER if it is +the destination of the traffic (that is, traffic direction, from the +perspective of the workload is inbound). If the workload is the source of +the network traffic, it is considered to be in CLIENT mode (traffic is outbound from the workload).

        ALL_METRICS -

        Use of this enum indicates that the override should apply to all Istio
        +

        Use of this enum indicates that the override should apply to all Istio default metrics.

        REQUEST_COUNT -

        Counter of requests to/from an application, generated for HTTP, HTTP/2,
        +

        Counter of requests to/from an application, generated for HTTP, HTTP/2, and GRPC traffic.

        The Prometheus provider exports this metric as: istio_requests_total.

        The Stackdriver provider exports this metric as:
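Review bot: in the REQUEST_COUNT entry the line "The Stackdriver provider exports this metric as:" ends at the colon with no metric name, while the Prometheus line just above it names istio_requests_total; the same pattern repeats for the other metrics further down. Confirm the Stackdriver names survive the Goldmark rendering rather than being dropped as a trailing line of the paragraph.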

        @@ -949,9 +949,9 @@

        MetricSelector.IstioMetric

        REQUEST_DURATION -

        Histogram of request durations, generated for HTTP, HTTP/2, and GRPC
        +

        Histogram of request durations, generated for HTTP, HTTP/2, and GRPC traffic.

        -

        The Prometheus provider exports this metric as:
        +

        The Prometheus provider exports this metric as: istio_request_duration_milliseconds.

        The Stackdriver provider exports this metric as:

          @@ -964,7 +964,7 @@

          MetricSelector.IstioMetric

        REQUEST_SIZE -

        Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC
        +

        Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC traffic.

        The Prometheus provider exports this metric as: istio_request_bytes.

        The Stackdriver provider exports this metric as:

        @@ -978,7 +978,7 @@

        MetricSelector.IstioMetric

        RESPONSE_SIZE -

        Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC
        +

        Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC traffic.

        The Prometheus provider exports this metric as: istio_response_bytes.

        The Stackdriver provider exports this metric as:

        @@ -993,7 +993,7 @@

        MetricSelector.IstioMetric

        TCP_OPENED_CONNECTIONS

        Counter of TCP connections opened over lifetime of workload.

        -

        The Prometheus provider exports this metric as:
        +

        The Prometheus provider exports this metric as: istio_tcp_connections_opened_total.

        The Stackdriver provider exports this metric as:

          @@ -1007,7 +1007,7 @@

          MetricSelector.IstioMetric

        TCP_CLOSED_CONNECTIONS

        Counter of TCP connections closed over lifetime of workload.

        -

        The Prometheus provider exports this metric as:
        +

        The Prometheus provider exports this metric as: istio_tcp_connections_closed_total.

        The Stackdriver provider exports this metric as:

          @@ -1021,7 +1021,7 @@

          MetricSelector.IstioMetric

        TCP_SENT_BYTES

        Counter of bytes sent during a response over a TCP connection.

        -

        The Prometheus provider exports this metric as:
        +

        The Prometheus provider exports this metric as: istio_tcp_sent_bytes_total.

        The Stackdriver provider exports this metric as:

          @@ -1035,7 +1035,7 @@

          MetricSelector.IstioMetric

        TCP_RECEIVED_BYTES

        Counter of bytes received during a request over a TCP connection.

        -

        The Prometheus provider exports this metric as:
        +

        The Prometheus provider exports this metric as: istio_tcp_received_bytes_total.

        The Stackdriver provider exports this metric as:

          @@ -1049,7 +1049,7 @@

          MetricSelector.IstioMetric

        GRPC_REQUEST_MESSAGES

        Counter incremented for every gRPC messages sent from a client.

        -

        The Prometheus provider exports this metric as:
        +

        The Prometheus provider exports this metric as: istio_request_messages_total

        GRPC_RESPONSE_MESSAGES

        Counter incremented for every gRPC messages sent from a server.

        -

        The Prometheus provider exports this metric as:
        +

        The Prometheus provider exports this metric as: istio_response_messages_total

        UPSERT -

        Insert or Update the tag with the provided value expression. The
        +

        Insert or Update the tag with the provided value expression. The value field MUST be specified if UPSERT is used as the operation.

        REMOVE -

        Specifies that the tag should not be included in the metric when
        +

        Specifies that the tag should not be included in the metric when generated.
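Review bot: the GRPC_REQUEST_MESSAGES and GRPC_RESPONSE_MESSAGES descriptions say "for every gRPC messages"; it should be "every gRPC message". Their Prometheus lines (istio_request_messages_total, istio_response_messages_total) are also the only ones in the enum without a trailing period.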

        @@ -1115,7 +1115,7 @@

        WorkloadMode

        @@ -1123,7 +1123,7 @@

        WorkloadMode

        @@ -1131,7 +1131,7 @@

        WorkloadMode

        diff --git a/content/en/docs/reference/config/type/workload-selector/index.html b/content/en/docs/reference/config/type/workload-selector/index.html index b070f64ded174..3c494d39d60f0 100644 --- a/content/en/docs/reference/config/type/workload-selector/index.html +++ b/content/en/docs/reference/config/type/workload-selector/index.html @@ -10,11 +10,11 @@ ---

        WorkloadSelector

        -

        WorkloadSelector specifies the criteria used to determine if a policy can be applied
        -to a proxy. The matching criteria includes the metadata associated with a proxy,
        -workload instance info such as labels attached to the pod/VM, or any other info
        -that the proxy provides to Istio during the initial handshake. If multiple conditions are
        -specified, all conditions need to match in order for the workload instance to be
        +

        WorkloadSelector specifies the criteria used to determine if a policy can be applied +to a proxy. The matching criteria includes the metadata associated with a proxy, +workload instance info such as labels attached to the pod/VM, or any other info +that the proxy provides to Istio during the initial handshake. If multiple conditions are +specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.

        CLIENT_AND_SERVER -

        Selects for scenarios when the workload is either the
        +

        Selects for scenarios when the workload is either the source or destination of the network traffic.

        CLIENT -

        Selects for scenarios when the workload is the
        +

        Selects for scenarios when the workload is the source of the network traffic.

        SERVER -

        Selects for scenarios when the workload is the
        +

        Selects for scenarios when the workload is the destination of the network traffic.
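Review bot: the WorkloadSelector description lists proxy metadata, pod/VM labels and "any other info that the proxy provides to Istio during the initial handshake" as matching criteria and then says only label-based selection is supported. Since labels are set by whoever controls the pod or VM definition, the docs should add that anyone able to edit workload labels can change which policies select that workload; security policies meant to be mandatory should therefore not depend on labels the workload owner controls, and should instead use the namespace-wide or root-namespace scoping that the selector descriptions earlier in this change describe.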

        @@ -31,8 +31,8 @@

        WorkloadSelector

        @@ -45,7 +45,7 @@

        WorkloadSelector

        PortSelector

        -

        PortSelector is the criteria for specifying if a policy can be applied to
        +

        PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.

        matchLabels map<string, string> -

        One or more labels that indicate a specific set of pods/VMs
        -on which a policy should be applied. The scope of label search is restricted to
        +

        One or more labels that indicate a specific set of pods/VMs +on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.
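Review bot: the matchLabels description states the label search is restricted to the configuration namespace in which the resource is present, but the request authentication selector earlier in this change says a policy in the root namespace additionally matches workloads in all namespaces; add that exception here, or cross-reference it, so the two descriptions of the same selector type do not contradict each other.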

        @@ -74,11 +74,11 @@

        PortSelector

        WorkloadMode

        -

        WorkloadMode allows selection of the role of the underlying workload in
        -network traffic. A workload is considered as acting as a SERVER if it is
        -the destination of the traffic (that is, traffic direction, from the
        -perspective of the workload is inbound). If the workload is the source of
        -the network traffic, it is considered to be in CLIENT mode (traffic is
        +

        WorkloadMode allows selection of the role of the underlying workload in +network traffic. A workload is considered as acting as a SERVER if it is +the destination of the traffic (that is, traffic direction, from the +perspective of the workload is inbound). If the workload is the source of +the network traffic, it is considered to be in CLIENT mode (traffic is outbound from the workload).

        @@ -99,8 +99,8 @@

        WorkloadMode

        @@ -108,7 +108,7 @@

        WorkloadMode

        @@ -116,7 +116,7 @@

        WorkloadMode

        diff --git a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html index 10c9ba25ee134..be16cc59a07b1 100644 --- a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -13,7 +13,7 @@

        AnalysisMessageBase

        -

        AnalysisMessageBase describes some common information that is needed for all
        +

        AnalysisMessageBase describes some common information that is needed for all messages. All information should be static with respect to the error code.

        CLIENT -

        Selects for scenarios when the workload is the
        -source of the network traffic. In addition,
        +

        Selects for scenarios when the workload is the +source of the network traffic. In addition, if the workload is a gateway, selects this.

        SERVER -

        Selects for scenarios when the workload is the
        +

        Selects for scenarios when the workload is the destination of the network traffic.

        CLIENT_AND_SERVER -

        Selects for scenarios when the workload is either the
        +

        Selects for scenarios when the workload is either the source or destination of the network traffic.

        @@ -50,9 +50,9 @@

        AnalysisMessageBase

        @@ -65,9 +65,9 @@

        AnalysisMessageBase

        AnalysisMessageWeakSchema

        -

        AnalysisMessageWeakSchema is the set of information that's needed to define a
        -weakly-typed schema. The purpose of this proto is to provide a mechanism for
        -validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
        +

        AnalysisMessageWeakSchema is the set of information that's needed to define a +weakly-typed schema. The purpose of this proto is to provide a mechanism for +validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make sure that we don't allow committing underspecified types.

        documentationUrl string -

        A url pointing to the Istio documentation for this specific error type.
        -Should be of the form
        -^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/
        +

        A url pointing to the Istio documentation for this specific error type. +Should be of the form +^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/ Required.
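Review bot: the pattern given for documentationUrl, "^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/", escapes the dot in "preliminary\." but leaves the dots in "istio.io" unescaped, so read as a regex it also accepts hosts such as "istioXio"; if this is meant to be a validation regex, suggest "istio\.io", and if it is only an informal shape, the sentence should say so. The pattern also admits plain "http://"; consider whether documentation links should be required to be https.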

        @@ -106,8 +106,8 @@

        AnalysisMessageWeakSchema

        @@ -131,11 +131,11 @@

        AnalysisMessageWeakSchema

        GenericAnalysisMessage

        -

        GenericAnalysisMessage is an instance of an AnalysisMessage defined by a
        -schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code
        -should be able to perform validation of arguments as needed by using the
        -message type information to look at the AnalysisMessageWeakSchema and examine the
        -list of args at runtime. Developers can also create stronger-typed versions
        +

        GenericAnalysisMessage is an instance of an AnalysisMessage defined by a +schema, whose metaschema is AnalysisMessageWeakSchema. (Names are hard.) Code +should be able to perform validation of arguments as needed by using the +message type information to look at the AnalysisMessageWeakSchema and examine the +list of args at runtime. Developers can also create stronger-typed versions of GenericAnalysisMessage for well-known and stable message types.

        template string -

        A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing)
        -defining how to combine the args for a particular message into a log line.
        +

        A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) +defining how to combine the args for a particular message into a log line. Required.
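Review bot: the template description calls the value "A go-style template string" but links to https://golang.org/pkg/fmt/#hdr-Printing, which documents fmt formatting verbs rather than text/template syntax; suggest "a Go fmt-style format string" so readers do not expect text/template actions when writing the args into a log line.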

        @@ -174,11 +174,11 @@

        GenericAnalysisMessage

        @@ -191,7 +191,7 @@

        GenericAnalysisMessage

        InternalErrorAnalysisMessage

        -

        InternalErrorAnalysisMessage is a strongly-typed message representing some
        +

        InternalErrorAnalysisMessage is a strongly-typed message representing some error in Istio code that prevented us from performing analysis at all.

        resourcePaths string[] -

        A list of strings specifying the resource identifiers that were the cause
        -of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME
        -tuple that uniquely identifies a particular resource. There doesn't seem to
        -be a single concept for this, but this is intuitively taken from
        -https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology
        +

        A list of strings specifying the resource identifiers that were the cause +of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME +tuple that uniquely identifies a particular resource. There doesn't seem to +be a single concept for this, but this is intuitively taken from +https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology At least one is required.

        @@ -231,9 +231,9 @@

        InternalErrorAnalysisMessage

        AnalysisMessageBase.Type

        -

        A unique identifier for the type of message. Name is intended to be
        -human-readable, code is intended to be machine readable. There should be a
        -one-to-one mapping between name and code. (i.e. do not re-use names or
        +

        A unique identifier for the type of message. Name is intended to be +human-readable, code is intended to be machine readable. There should be a +one-to-one mapping between name and code. (i.e. do not re-use names or codes between message types.)

        @@ -250,8 +250,8 @@

        AnalysisMessageBase.Type

        @@ -263,8 +263,8 @@

        AnalysisMessageBase.Type

        @@ -302,9 +302,9 @@

        AnalysisMessageWeakSchema.ArgType

        goType
        @@ -317,7 +317,7 @@

        AnalysisMessageWeakSchema.ArgType

        AnalysisMessageBase.Level

        -

        The values here are chosen so that more severe messages get sorted higher,
        +

        The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later

        name string -

        A human-readable name for the message type. e.g. "InternalError",
        -"PodMissingProxy". This should be the same for all messages of the same type.
        +

        A human-readable name for the message type. e.g. "InternalError", +"PodMissingProxy". This should be the same for all messages of the same type. Required.

        code string -

        A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify
        -the message type. (e.g. "IST0001" is mapped to the "InternalError" message
        +

        A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify +the message type. (e.g. "IST0001" is mapped to the "InternalError" message type.) 0000-0100 are reserved. Required.

        string -

        Required. Should be a golang type, used in code generation.
        -Ideally this will change to a less language-pinned type before this gets
        -out of alpha, but for compatibility with current istio/istio code it's
        +

        Required. Should be a golang type, used in code generation. +Ideally this will change to a less language-pinned type before this gets +out of alpha, but for compatibility with current istio/istio code it's go_type for now.
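Review bot: the code description says "0000-0100 are reserved" immediately after its own example, "IST0001" is mapped to the "InternalError" message type", which uses a code inside that reserved range; either state what the range is reserved for and who allocates from it, or choose an example outside it, otherwise the two sentences read as contradictory. The goType entry is also missing its field name in the rendered table (it appears only as "string -"), so the "go_type for now" remark has nothing to refer back to.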

        diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html index cc5af4388de0f..308ebb3a6b012 100644 --- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -29,7 +29,7 @@

        MeshConfig

        @@ -52,7 +52,7 @@

        MeshConfig

        @@ -64,15 +64,15 @@

        MeshConfig

        @@ -95,8 +95,8 @@

        MeshConfig

        @@ -108,7 +108,7 @@

        MeshConfig

        @@ -120,7 +120,7 @@

        MeshConfig

        @@ -132,10 +132,10 @@

        MeshConfig

        @@ -147,7 +147,7 @@

        MeshConfig

        @@ -159,7 +159,7 @@

        MeshConfig

        @@ -171,7 +171,7 @@

        MeshConfig

        @@ -183,7 +183,7 @@

        MeshConfig

        @@ -195,9 +195,9 @@

        MeshConfig

        @@ -209,9 +209,9 @@

        MeshConfig

        @@ -223,10 +223,10 @@

        MeshConfig

        @@ -238,17 +238,17 @@

        MeshConfig

        @@ -260,8 +260,8 @@

        MeshConfig

        @@ -273,16 +273,16 @@

        MeshConfig

        @@ -294,7 +294,7 @@

        MeshConfig

        @@ -306,12 +306,12 @@

        MeshConfig

        @@ -323,9 +323,9 @@

        MeshConfig

        @@ -337,26 +337,26 @@

        MeshConfig

        @@ -368,9 +368,9 @@

        MeshConfig

        @@ -382,9 +382,9 @@

        MeshConfig

        @@ -396,12 +396,12 @@

        MeshConfig

        @@ -424,7 +424,7 @@

        MeshConfig

        @@ -436,9 +436,9 @@

        MeshConfig

        @@ -450,9 +450,9 @@

        MeshConfig

        @@ -533,7 +533,7 @@

        MeshConfig

        @@ -556,11 +556,11 @@

        MeshConfig

        @@ -589,12 +589,12 @@

        MeshConfig

        @@ -606,13 +606,13 @@

        MeshConfig

        @@ -636,8 +636,8 @@

        MeshConfig

        ConfigSource

        -

        ConfigSource describes information about a configuration store inside a
        -mesh. A single control plane instance can interact with one or more data
        +

        ConfigSource describes information about a configuration store inside a +mesh. A single control plane instance can interact with one or more data sources.

        proxyListenPort int32 -

        Port on which Envoy should listen for incoming connections from
        +

        Port on which Envoy should listen for incoming connections from other services. Default port is 15001.

        connectTimeout Duration -

        Connection timeout used by Envoy. (MUST BE >=1ms)
        +

        Connection timeout used by Envoy. (MUST BE >=1ms) Default timeout is 10s.

        protocolDetectionTimeout Duration -

        Automatic protocol detection uses a set of heuristics to
        -determine whether the connection is using TLS or not (on the
        -server side), as well as the application protocol being used
        -(e.g., http vs tcp). These heuristics rely on the client sending
        -the first bits of data. For server first protocols like MySQL,
        -MongoDB, etc. Envoy will timeout on the protocol detection after
        -the specified period, defaulting to non mTLS plain TCP
        -traffic. Set this field to tweak the period that Envoy will wait
        -for the client to send the first bits of data. (MUST BE >=1ms or
        +

        Automatic protocol detection uses a set of heuristics to +determine whether the connection is using TLS or not (on the +server side), as well as the application protocol being used +(e.g., http vs tcp). These heuristics rely on the client sending +the first bits of data. For server first protocols like MySQL, +MongoDB, etc. Envoy will timeout on the protocol detection after +the specified period, defaulting to non mTLS plain TCP +traffic. Set this field to tweak the period that Envoy will wait +for the client to send the first bits of data. (MUST BE >=1ms or 0s to disable). Default detection timeout is 0s (no timeout).
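Review bot: protocolDetectionTimeout motivates the timeout with server-first protocols ("For server first protocols like MySQL, MongoDB, etc. Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic") and then states "Default detection timeout is 0s (no timeout)", but never says what happens to a server-first connection under that default; add a sentence on how such ports are expected to be handled when detection never times out. Since expiry of the timeout falls back to plaintext TCP rather than mTLS, it would also help to state plainly that setting a non-zero value accepts that downgrade path for any connection that sends no client data in time.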

        ingressClass string -

        Class of ingress resources to be processed by Istio ingress
        -controller. This corresponds to the value of
        +

        Class of ingress resources to be processed by Istio ingress +controller. This corresponds to the value of kubernetes.io/ingress.class annotation.

        ingressService string -

        Name of the Kubernetes service used for the istio ingress controller.
        +

        Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value istio-ingressgateway is used.

        ingressControllerMode IngressControllerMode -

        Defines whether to use Istio ingress controller for annotated or all ingress resources.
        +

        Defines whether to use Istio ingress controller for annotated or all ingress resources. Default mode is STRICT.

        ingressSelector string -

        Defines which gateway deployment to use as the Ingress controller. This field corresponds to
        -the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR.
        -By default, ingressgateway is used, which will select the default IngressGateway as it has the
        -istio: ingressgateway labels.
        +

        Defines which gateway deployment to use as the Ingress controller. This field corresponds to +the Gateway.selector field, and will be set as istio: INGRESS_SELECTOR. +By default, ingressgateway is used, which will select the default IngressGateway as it has the +istio: ingressgateway labels. It is recommended that this is the same value as ingress_service.

        enableTracing bool -

        Flag to control generation of trace spans and request IDs.
        +

        Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.

        accessLogFile string -

        File address for the proxy access log (e.g. /dev/stdout).
        +

        File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.

        accessLogFormat string -

        Format for the proxy access log
        +

        Format for the proxy access log Empty value results in proxy's default access log format
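Review bot: in the + text for accessLogFormat the two sentences run together with no punctuation, "Format for the proxy access log Empty value results in proxy's default access log format"; the source comment has no period at the end of its first line, so the joined rendering needs "Format for the proxy access log. Empty value results in the proxy's default access log format."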

        accessLogEncoding AccessLogEncoding -

        Encoding for the proxy access log (TEXT or JSON).
        +

        Encoding for the proxy access log (TEXT or JSON). Default value is TEXT.

        enableEnvoyAccessLogService bool -

        This flag enables Envoy's gRPC Access Log Service.
        -See Access Log Service
        -for details about Envoy's gRPC Access Log Service API.
        +

        This flag enables Envoy's gRPC Access Log Service. +See Access Log Service +for details about Envoy's gRPC Access Log Service API. Default value is false.

        disableEnvoyListenerLog bool -

        This flag disables Envoy Listener logs.
        -See Listener Access Log
        -Istio Enables Envoy's listener access logs on "NoRoute" response flag.
        +

        This flag disables Envoy Listener logs. +See Listener Access Log +Istio Enables Envoy's listener access logs on "NoRoute" response flag. Default value is false.
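Review bot: the + text for disableEnvoyListenerLog runs "See Listener Access Log" straight into "Istio Enables Envoy's listener access logs on "NoRoute" response flag." with no separator, and "Enables" is capitalized mid-sentence; suggest ending the link sentence with a period and continuing with "Istio enables Envoy's listener access logs for the "NoRoute" response flag."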

        defaultConfig ProxyConfig -

        Default proxy config used by gateway and sidecars.
        -In case of Kubernetes, the proxy config is applied once during the injection process,
        -and remain constant for the duration of the pod. The rest of the mesh config can be changed
        -at runtime and config gets distributed dynamically.
        +

        Default proxy config used by gateway and sidecars. +In case of Kubernetes, the proxy config is applied once during the injection process, +and remain constant for the duration of the pod. The rest of the mesh config can be changed +at runtime and config gets distributed dynamically. On Kubernetes, this can be overridden on individual pods with the proxy.istio.io/config annotation.

        outboundTrafficPolicy OutboundTrafficPolicy -

        Set the default behavior of the sidecar for handling outbound
        -traffic from the application. If your application uses one or
        -more external services that are not known apriori, setting the
        -policy to ALLOW_ANY will cause the sidecars to route any unknown
        -traffic originating from the application to its requested
        -destination. Users are strongly encouraged to use ServiceEntries
        -to explicitly declare any external dependencies, instead of using
        -ALLOW_ANY, so that traffic to these services can be
        -monitored. Can be overridden at a Sidecar level by setting the
        -OutboundTrafficPolicy in the Sidecar
        -API
        .
        +

        Set the default behavior of the sidecar for handling outbound +traffic from the application. If your application uses one or +more external services that are not known apriori, setting the +policy to ALLOW_ANY will cause the sidecars to route any unknown +traffic originating from the application to its requested +destination. Users are strongly encouraged to use ServiceEntries +to explicitly declare any external dependencies, instead of using +ALLOW_ANY, so that traffic to these services can be +monitored. Can be overridden at a Sidecar level by setting the +OutboundTrafficPolicy in the Sidecar +API. Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

        configSources ConfigSource[] -

        ConfigSource describes a source of configuration data for networking
        -rules, and other Istio configuration artifacts. Multiple data sources
        +

        ConfigSource describes a source of configuration data for networking +rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.

        enableAutoMtls BoolValue -

        This flag is used to enable mutual TLS automatically for service to service communication
        -within the mesh, default true.
        -If set to true, and a given service does not have a corresponding DestinationRule configured,
        -or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side
        -TLS configuration appropriately. More specifically,
        -If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate
        -for mutual TLS to connect to upstream.
        -If upstream service is in plain text mode, use plain text.
        -If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
        -mutual TLS when server sides are capable of accepting mutual TLS traffic.
        +

        This flag is used to enable mutual TLS automatically for service to service communication +within the mesh, default true. +If set to true, and a given service does not have a corresponding DestinationRule configured, +or its DestinationRule does not have ClientTLSSettings specified, Istio configures client side +TLS configuration appropriately. More specifically, +If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate +for mutual TLS to connect to upstream. +If upstream service is in plain text mode, use plain text. +If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use +mutual TLS when server sides are capable of accepting mutual TLS traffic. If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.
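Review bot: the three cases in enableAutoMtls ("If the upstream authentication policy is in STRICT mode, use Istio provisioned certificate for mutual TLS to connect to upstream.", "If upstream service is in plain text mode, use plain text.", "If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual TLS when server sides are capable of accepting mutual TLS traffic.") are separate lines on the - side but are flattened into one run-on paragraph after "More specifically," on the + side; they should render as a list so the plaintext case is not buried in the paragraph. The closing sentence, "If service DestinationRule exists and has ClientTLSSettings specified, that is always used instead.", would read better as "If a DestinationRule for the service exists and has ClientTLSSettings specified, that is always used instead."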

        trustDomain string -

        The trust domain corresponds to the trust root of a system.
        +

        The trust domain corresponds to the trust root of a system. Refer to SPIFFE-ID

        trustDomainAliases string[] -

        The trust domain aliases represent the aliases of trust_domain.
        +

        The trust domain aliases represent the aliases of trust_domain. For example, if we have

        trustDomain: td1
         trustDomainAliases: ["td2", "td3"]
         
        -

        Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account,
        +

        Any service with the identity td1/ns/foo/sa/a-service-account, td2/ns/foo/sa/a-service-account, or td3/ns/foo/sa/a-service-account will be treated the same in the Istio mesh.

        caCertificates CertificateData[] -

        The extra root certificates for workload-to-workload communication.
        -The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
        -are automatically added by Istiod.
        +

        The extra root certificates for workload-to-workload communication. +The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) +are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

        defaultServiceExportTo string[] -

        The default value for the ServiceEntry.export_to field and services
        -imported through container registry integrations, e.g. this applies to
        -Kubernetes Service resources. The value is a list of namespace names and
        +

        The default value for the ServiceEntry.export_to field and services +imported through container registry integrations, e.g. this applies to +Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are:

        * - All Namespaces
         . - Current Namespace
         ~ - No Namespace
         
        -

        If not set the system will use "*" as the default value which implies that
        +

        If not set the system will use "*" as the default value which implies that services are exported to all namespaces.

        -

        All namespaces is a reasonable default for implementations that don't
        -need to restrict access or visibility of services across namespace
        -boundaries. If that requirement is present it is generally good practice to
        -make the default Current namespace so that services are only visible
        -within their own namespaces by default. Operators can then expand the
        -visibility of services to other namespaces as needed. Use of No Namespace
        -is expected to be rare but can have utility for deployments where
        -dependency management needs to be precise even within the scope of a single
        +

        All namespaces is a reasonable default for implementations that don't +need to restrict access or visibility of services across namespace +boundaries. If that requirement is present it is generally good practice to +make the default Current namespace so that services are only visible +within their own namespaces by default. Operators can then expand the +visibility of services to other namespaces as needed. Use of No Namespace +is expected to be rare but can have utility for deployments where +dependency management needs to be precise even within the scope of a single namespace.

        -

        For further discussion see the reference documentation for ServiceEntry,
        +

        For further discussion see the reference documentation for ServiceEntry, Sidecar, and Gateway.

        defaultVirtualServiceExportTo string[] -

        The default value for the VirtualService.export_to field. Has the same
        +

        The default value for the VirtualService.export_to field. Has the same syntax as default_service_export_to.

        -

        If not set the system will use "*" as the default value which implies that
        +

        If not set the system will use "*" as the default value which implies that virtual services are exported to all namespaces

        defaultDestinationRuleExportTo string[] -

        The default value for the DestinationRule.export_to field. Has the same
        +

        The default value for the DestinationRule.export_to field. Has the same syntax as default_service_export_to.

        -

        If not set the system will use "*" as the default value which implies that
        +

        If not set the system will use "*" as the default value which implies that destination rules are exported to all namespaces

        rootNamespace string -

        The namespace to treat as the administrative root namespace for
        -Istio configuration. When processing a leaf namespace Istio will search for
        -declarations in that namespace first and if none are found it will
        -search in the root namespace. Any matching declaration found in the root
        +

        The namespace to treat as the administrative root namespace for +Istio configuration. When processing a leaf namespace Istio will search for +declarations in that namespace first and if none are found it will +search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace.

        -

        The precise semantics of this processing are documented on each resource
        +

        The precise semantics of this processing are documented on each resource type.

        dnsRefreshRate Duration -

        Configures DNS refresh rate for Envoy clusters of type STRICT_DNS
        +

        Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 5s.
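Review bot: dnsRefreshRate's + text lacks a sentence break, "Configures DNS refresh rate for Envoy clusters of type STRICT_DNS Default refresh rate is 5s."; suggest "Configures the DNS refresh rate for Envoy clusters of type STRICT_DNS. Default refresh rate is 5s."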

        h2UpgradePolicy H2UpgradePolicy -

        Specify if http1.1 connections should be upgraded to http2 by default.
        -if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE.
        -If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE.
        +

        Specify if http1.1 connections should be upgraded to http2 by default. +if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE. +If one or more services or namespaces do not have sidecar(s), then this should be set to DO_NOT_UPGRADE. It can be enabled by destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy override.
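Review bot: in h2UpgradePolicy the second sentence starts lowercase, "if sidecar is installed on all pods in the mesh, then this should be set to UPGRADE", and the last sentence says "It can be enabled by destination" where "per destination" is meant; suggest "If sidecars are installed on all pods in the mesh, this should be set to UPGRADE." and "It can be overridden per destination using the destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy setting."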

        inboundClusterStatName string -

        Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
        -network filters like TCP and Redis.
        -By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>.
        +

        Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for +network filters like TCP and Redis. +By default, Istio emits statistics with the pattern inbound|<port>|<port-name>|<service-FQDN>. For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

        A Pattern can be composed of various pre-defined variables. The following variables are supported.

          @@ -476,9 +476,9 @@

          MeshConfig

        outboundClusterStatName string -

        Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
        -network filters like TCP and Redis.
        -By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>.
        +

        Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for +network filters like TCP and Redis. +By default, Istio emits statistics with the pattern outbound|<port>|<subsetname>|<service-FQDN>. For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

        A Pattern can be composed of various pre-defined variables. The following variables are supported.

          @@ -514,14 +514,14 @@

          MeshConfig

        enablePrometheusMerge BoolValue -

        If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
        -and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod
        -and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
        -This relies on the annotations prometheus.io/scrape, prometheus.io/port, and
        -prometheus.io/path annotations.
        -If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
        -In this case, it is recommended to disable aggregation on that deployment with the
        -prometheus.istio.io/merge-metrics: "false" annotation.
        +

        If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy +and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod +and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. +This relies on the annotations prometheus.io/scrape, prometheus.io/port, and +prometheus.io/path annotations. +If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. +In this case, it is recommended to disable aggregation on that deployment with the +prometheus.istio.io/merge-metrics: "false" annotation. If not specified, this will be enabled by default.
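Review bot: enablePrometheusMerge carries two typos from the source comment into the new rendering: "merge metrics of from the application" should drop "of", and "This relies on the annotations prometheus.io/scrape, prometheus.io/port, and prometheus.io/path annotations." repeats "annotations"; suggest "This relies on the prometheus.io/scrape, prometheus.io/port, and prometheus.io/path annotations."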

        extensionProviders ExtensionProvider[] -

        Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
        +

        Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.

        discoverySelectors LabelSelector[] -

        A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
        -computing configuration updates for sidecars. This can be used to reduce Istio's computational load
        -by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
        -If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
        -Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
        +

        A list of Kubernetes selectors that specify the set of namespaces that Istio considers when +computing configuration updates for sidecars. This can be used to reduce Istio's computational load +by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. +If omitted, Istio will use the default behavior of processing all namespaces in the cluster. +Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. The following example selects any namespace that matches either below:

        1. The namespace has both of these labels: env: prod and region: us-east1
        2. @@ -577,7 +577,7 @@

          MeshConfig

          - cassandra - spark -

          Refer to the kubernetes selector docs
          +

          Refer to the kubernetes selector docs for additional detail on selector semantics.

        pathNormalization ProxyPathNormalization -

        ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
        -normalized by the sidecars and gateways.
        -The normalized paths will be used in all aspects through the requests' lifetime on the
        -sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
        -authorization policy match and enforcement in inbound direction (server proxy), and the URL
        -path proxied to the upstream service.
        +

        ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are +normalized by the sidecars and gateways. +The normalized paths will be used in all aspects through the requests' lifetime on the +sidecars and gateways, which includes routing decisions in outbound direction (client proxy), +authorization policy match and enforcement in inbound direction (server proxy), and the URL +path proxied to the upstream service. If not set, the NormalizationType.DEFAULT configuration will be used.

        defaultHttpRetryPolicy HTTPRetry -

        Configure the default HTTP retry policy.
        -The default number of retry attempts is set at 2 for these errors:
        -"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".
        -Setting the number of attempts to 0 disables retry policy globally.
        -This setting can be overriden on a per-host basis using the Virtual Service
        -API.
        -All settings in the retry policy except perTryTimeout can currently be
        +

        Configure the default HTTP retry policy. +The default number of retry attempts is set at 2 for these errors: +"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes". +Setting the number of attempts to 0 disables retry policy globally. +This setting can be overriden on a per-host basis using the Virtual Service +API. +All settings in the retry policy except perTryTimeout can currently be configured globally via this field.
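Review bot: "overriden" in "This setting can be overriden on a per-host basis using the Virtual Service API" is misspelled on both the - and + sides; should be "overridden". The default condition string "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes" is also presented without naming which HTTPRetry field it is the value of, while the exception "except perTryTimeout" does name its field; naming the field for the condition string would let readers match the global default against a VirtualService override.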

        @@ -654,9 +654,9 @@

        ConfigSource

        @@ -668,8 +668,8 @@

        ConfigSource

        @@ -742,10 +742,10 @@

        MeshConfig.CertificateData

        @@ -757,8 +757,8 @@

        MeshConfig.CertificateData

        @@ -770,14 +770,14 @@

        MeshConfig.CertificateData

        @@ -804,8 +804,8 @@

        MeshConfig.ThriftConfig

        @@ -843,8 +843,8 @@

        MeshConfig.CA

        @@ -856,13 +856,13 @@

        MeshConfig.CA

        @@ -887,7 +887,7 @@

        MeshConfig.CA

        @@ -958,9 +958,9 @@

        MeshConfig.ExtensionProvider

        @@ -1083,9 +1083,9 @@

        MeshConfig.ExtensionProvider

        MeshConfig.DefaultProviders

        -

        Holds the name references to the providers that will be used by default
        +

        Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified.

        -

        These names must match a provider defined in extension_providers that is
        +

        These names must match a provider defined in extension_providers that is one of the supported tracing providers.

        address string -

        Address of the server implementing the Istio Mesh Configuration
        -protocol (MCP). Can be IP address or a fully qualified DNS name.
        -Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
        +

        Address of the server implementing the Istio Mesh Configuration +protocol (MCP). Can be IP address or a fully qualified DNS name. +Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory.

        tlsSettings ClientTLSSettings -

        Use the tls_settings to specify the tls mode to use. If the MCP server
        -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
        +

        Use the tls_settings to specify the tls mode to use. If the MCP server +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.

        spiffeBundleUrl string (oneof) -

        The SPIFFE bundle endpoint URL that complies to:
        -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
        -The endpoint should support authentication based on Web PKI:
        -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
        +

        The SPIFFE bundle endpoint URL that complies to: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle +The endpoint should support authentication based on Web PKI: +https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.
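Review bot: "complies to" in the spiffeBundleUrl + line should be "complies with". The closing sentence "The certificate is retrieved from the endpoint." also reads ambiguously now that Goldmark joins it onto the same line as the Web PKI link; it would be clearer as a statement that the trust bundle (the root certificates for the trust domain) is fetched from that endpoint, with the endpoint itself authenticated via Web PKI as the preceding sentence says.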

        certSigners string[] -

        Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
        -when Istiod is acting as RA(registration authority)
        +

        Optional. Specify the kubernetes signers (External CA) that use this trustAnchor +when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.
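Review bot: the joined + line for certSigners now reads "...when Istiod is acting as RA(registration authority) If set, they are used for these signers." The source comment lacks a period after "(registration authority)" and a space before the parenthesis; with Goldmark collapsing the line breaks, the missing punctuation is now visible on the rendered page. Suggest "...acting as RA (registration authority). If set, ..." in the proto comment.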

        trustDomains string[] -

        Optional. Specify the list of trust domains to which this trustAnchor data belongs.
        -If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
        -and its aliases.
        -Note that we can have multiple trustAnchor data for a same trust_domain.
        -In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
        -If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers.
        -If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers.
        -If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains.
        +

        Optional. Specify the list of trust domains to which this trustAnchor data belongs. +If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain +and its aliases. +Note that we can have multiple trustAnchor data for a same trust_domain. +In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. +If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. +If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. +If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.
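Review bot: in the trustDomains + line, "If both cert_signers and trust_domains is set" should be "are set", and "multiple trustAnchor data for a same trust_domain" / "trustAnchors with a same trust domain" should be "the same trust_domain" / "the same trust domain". The merge semantics described here are security relevant (several anchors registered for one trust domain are all accepted when verifying peer certificates), so the sentence is worth getting right at the proto source.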

        rateLimitUrl string -

        Specify thrift rate limit service URL. If pilot has thrift protocol support enabled,
        -this will enable the rate limit service for destinations that have matching rate
        +

        Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, +this will enable the rate limit service for destinations that have matching rate limit configurations.

        address string -

        REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
        -Can be IP address or a fully qualified DNS name with port
        +

        REQUIRED. Address of the CA server implementing the Istio CA gRPC API. +Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000

        tlsSettings ClientTLSSettings -

        Use the tls_settings to specify the tls mode to use.
        +

        Use the tls_settings to specify the tls mode to use. Regarding tls_settings:

          -
        • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
          +
        • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing
        • -
        • TLS MUTUAL MODE be on by default. If the CA certificates
          -(cert bundle to verify the CA server's certificate) is omitted, Istiod will
          +
        • TLS MUTUAL MODE be on by default. If the CA certificates +(cert bundle to verify the CA server's certificate) is omitted, Istiod will use the system root certs to verify the CA server's certificate.
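Review bot: two grammar problems in the MeshConfig.CA hunk become visible once the lines are joined. The address + line runs "...fully qualified DNS name with port Eg: custom-ca..." and needs punctuation before the example ("...with port, e.g. custom-ca.default.svc.cluster.local:8932"). In the tlsSettings bullets, "TLS MUTUAL MODE be on by default" is missing "will" (or "is"), and "If the CA certificates ... is omitted" should be "are omitted". The fallback to the system root certs when the CA bundle is omitted is a notable trust decision, so that sentence in particular should read cleanly.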
        @@ -875,7 +875,7 @@

        MeshConfig.CA

        requestTimeout Duration -

        timeout for forward CSR requests from Istiod to External CA
        +

        timeout for forward CSR requests from Istiod to External CA Default: 10s

        istiodSide bool -

        Use istiod_side to specify CA Server integrate to Istiod side or Agent side
        +

        Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true
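Review bot: both + lines in the @@ -875 hunk join a sentence and its default without punctuation: "...from Istiod to External CA Default: 10s" and "...Istiod side or Agent side Default: true". Suggest "Timeout for forwarding CSR requests from Istiod to the external CA. Default: 10s." and "Use istiod_side to specify whether the CA server integrates on the Istiod side or the agent side. Default: true." in the source comments.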

        lightstep LightstepTracingProvider (oneof) -

        Configures a Lightstep tracing provider.
        -Note: For Istio 1.15+, configuring this provider will result in
        -using an OpenTelemetryTracingProvider configured specially for
        +

        Configures a Lightstep tracing provider. +Note: For Istio 1.15+, configuring this provider will result in +using an OpenTelemetryTracingProvider configured specially for Lightstep. This is part of the Lightstep transition to OpenTelemetry.

        @@ -1174,11 +1174,11 @@

        MeshConfig.TLSConfig

        @@ -1207,21 +1207,21 @@

        MeshConfig.ServiceSettings.Settings

        @@ -1248,10 +1248,10 @@

        Mesh

        @@ -1263,9 +1263,9 @@

        Mesh

        @@ -1277,9 +1277,9 @@

        Mesh

        @@ -1306,9 +1306,9 @@

        Mes

        @@ -1345,8 +1345,8 @@

        Mes

        @@ -1358,8 +1358,8 @@

        Mes

        @@ -1371,7 +1371,7 @@

        Mes

        @@ -1394,15 +1394,15 @@

        Mes

        @@ -1443,11 +1443,11 @@

        Mes

        @@ -1563,8 +1563,8 @@

        Mes

        @@ -1576,7 +1576,7 @@

        Mes

        @@ -1616,9 +1616,9 @@

        MeshConfig.Extension

        @@ -1655,8 +1655,8 @@

        MeshConfig.Extension

        MeshConfig.ExtensionProvider.LightstepTracingProvider

        -

        Defines configuration for a Lightstep tracer.
        -Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
        +

        Defines configuration for a Lightstep tracer. +Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+ will generate OpenTelemetry-compatible configuration when using this option.

        minProtocolVersion TLSProtocol -

        Optional: the minimum TLS protocol version. The default minimum
        -TLS version will be TLS 1.2. As servers may not be Envoy and be
        -set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
        -minimum TLS version for clients may also be TLS 1.2.
        -In the current Istio implementation, the maximum TLS protocol version
        +

        Optional: the minimum TLS protocol version. The default minimum +TLS version will be TLS 1.2. As servers may not be Envoy and be +set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the +minimum TLS version for clients may also be TLS 1.2. +In the current Istio implementation, the maximum TLS protocol version is TLS 1.3.
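Review bot: the minProtocolVersion sentence "As servers may not be Envoy and be set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the minimum TLS version for clients may also be TLS 1.2" is hard to parse in the joined + line. The intent appears to be that the client-side minimum defaults to TLS 1.2 because non-Envoy servers without sidecars may only support TLS 1.2; saying that directly, and noting that raising the minimum to TLS 1.3 would break connections to such workloads, would help readers deciding whether to tighten this setting.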

        clusterLocal bool -

        If true, specifies that the client and service endpoints must reside in the same cluster.
        -By default, in multi-cluster deployments, the Istio control plane assumes all service
        -endpoints to be reachable from any client in any of the clusters which are part of the
        -mesh. This configuration option limits the set of service endpoints visible to a client
        +

        If true, specifies that the client and service endpoints must reside in the same cluster. +By default, in multi-cluster deployments, the Istio control plane assumes all service +endpoints to be reachable from any client in any of the clusters which are part of the +mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped.

        There are some common scenarios when this can be useful:

          -
        • A service (or group of services) is inherently local to the cluster and has local storage
          +
        • A service (or group of services) is inherently local to the cluster and has local storage for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
        • -
        • A mesh administrator wants to slowly migrate services to Istio. They might start by first
          -having services cluster-local and then slowly transition them to mesh-wide. They could do
          -this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
          +
        • A mesh administrator wants to slowly migrate services to Istio. They might start by first +having services cluster-local and then slowly transition them to mesh-wide. They could do +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group (e.g. *.myns.svc.cluster.local).
        -

        By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
        +

        By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here.

        maxRequestBytes uint32 -

        Sets the maximum size of a message body that the ext-authz filter will hold in memory.
        -If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large).
        -Otherwise the request will be sent to the provider with a partial message.
        -Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the
        +

        Sets the maximum size of a message body that the ext-authz filter will hold in memory. +If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). +Otherwise the request will be sent to the provider with a partial message. +Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the fail_open is set to true.
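Review bot: the final sentence of the maxRequestBytes + line is a comma splice: "Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the fail_open is set to true." Suggest "Note that this setting takes precedence over fail_open: the 413 is returned even when fail_open is true." The behaviour matters operationally (a fail-open deployment can still reject requests on body size), so it deserves a clear sentence.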

        allowPartialMessage bool -

        When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached.
        -The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
        -A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
        +

        When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. +The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. +A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message indicating if the body data is partial.

        packAsBytes bool -

        If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
        -in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
        -Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
        +

        If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes +in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). +Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.

        service string -

        REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

        @@ -1332,8 +1332,8 @@

        Mes

        timeout Duration -

        The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
        -When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
        +

        The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured fail_open field.

        pathPrefix string -

        Sets a prefix to the value of authorization request header Path.
        -For example, setting this to "/check" for an original user request at path "/admin" will cause the
        +

        Sets a prefix to the value of authorization request header Path. +For example, setting this to "/check" for an original user request at path "/admin" will cause the authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".

        failOpen bool -

        If true, the user request will be allowed even if the communication with the authorization service has failed,
        -or if the authorization service has returned a HTTP 5xx error.
        +

        If true, the user request will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. Default is false and the request will be rejected with "Forbidden" response.

        statusOnError string -

        Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
        +

        Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).

        includeRequestHeadersInCheck string[] -

        List of client request headers that should be included in the authorization request sent to the authorization service.
        +

        List of client request headers that should be included in the authorization request sent to the authorization service. Note that in addition to the headers specified here following headers are included by default:

        1. Host, Method, Path and Content-Length are automatically sent.
        2. -
        3. Content-Length will be set to 0 and the request will not have a message body. However, the authorization
          -request can include the buffered client request body (controlled by include_request_body_in_check setting),
          +
        4. Content-Length will be set to 0 and the request will not have a message body. However, the authorization +request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size.
        -

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
        +

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

        • Exact match: "abc" will match on value "abc".
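Review bot: two wording issues in the @@ -1332 hunk. In the failOpen + line, "rejected with "Forbidden" response" needs an article ("with a "Forbidden" response"). In the includeRequestHeadersInCheck + line, "reflects the size of its payload size" is redundant; "reflects the size of its payload" is enough. The numbered list in that field also shows as items 1 to 4 with an empty item 2 in this view, which looks like the diff markers being counted as list items; worth checking the rendered page rather than the diff.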
        • @@ -1419,8 +1419,8 @@

          Mes

        includeAdditionalHeadersInCheck map<string, string> -

        Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
        -Key is the header name and value is the header value.
        +

        Set of additional fixed headers that should be included in the authorization request sent to the authorization service. +Key is the header name and value is the header value. Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden.

        headersToUpstreamOnAllow string[] -

        List of headers from the authorization service that should be added or overridden in the original request and
        -forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
        -If not specified, the original request will not be modified and forwarded to backend as-is.
        +

        List of headers from the authorization service that should be added or overridden in the original request and +forwarded to the upstream when the authorization check result is allowed (HTTP code 200). +If not specified, the original request will not be modified and forwarded to backend as-is. Note, any existing headers will be overridden.

        -

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
        +

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

        • Exact match: "abc" will match on value "abc".
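Review bot: the includeAdditionalHeadersInCheck + line, "Note that client request of the same key or headers specified in include_request_headers_in_check will be overridden", is ambiguous about what is overridden. Suggest "Note that client request headers with the same key, or headers with the same key specified in include_request_headers_in_check, will be overridden", so readers know that the fixed headers configured here win over client-supplied ones.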
        • @@ -1464,14 +1464,14 @@

          Mes

        headersToDownstreamOnDeny string[] -

        List of headers from the authorization service that should be forwarded to downstream when the authorization
        -check result is not allowed (HTTP code other than 200).
        -If not specified, all the authorization response headers, except Authority (Host) will be in the response to
        -the downstream.
        -When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are
        -automatically added.
        +

        List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is not allowed (HTTP code other than 200). +If not specified, all the authorization response headers, except Authority (Host) will be in the response to +the downstream. +When a header is included in this list, Path, Status, Content-Length, WWWAuthenticate and Location are +automatically added. Note, the body from the authorization service is always included in the response to downstream.

        -

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
        +

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

        • Exact match: "abc" will match on value "abc".
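Review bot: in the headersToDownstreamOnDeny + line, "WWWAuthenticate" should be the actual header name "WWW-Authenticate"; the others in that list (Path, Status, Content-Length, Location) are given in header form, so the inconsistency stands out. Also "Note, the body from the authorization service is always included" reads better as "Note that the body ...", matching the phrasing used by the other fields.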
        • @@ -1488,11 +1488,11 @@

          Mes

        headersToDownstreamOnAllow string[] -

        List of headers from the authorization service that should be forwarded to downstream when the authorization
        -check result is allowed (HTTP code 200).
        -If not specified, the original response will not be modified and forwarded to downstream as-is.
        +

        List of headers from the authorization service that should be forwarded to downstream when the authorization +check result is allowed (HTTP code 200). +If not specified, the original response will not be modified and forwarded to downstream as-is. Note, any existing headers will be overridden.

        -

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
        +

        Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

        • Exact match: "abc" will match on value "abc".
        • @@ -1524,9 +1524,9 @@

          Mes

        service string -

        REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

        @@ -1550,8 +1550,8 @@

        Mes

        timeout Duration -

        The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
        -When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
        +

        The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s). +When this timeout condition is met, the proxy marks the communication to the authorization service as failure. In this situation, the response sent back to the client will depend on the configured fail_open field.

        failOpen bool -

        If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
        -or if the authorization service has returned a HTTP 5xx error.
        +

        If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed, +or if the authorization service has returned a HTTP 5xx error. Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.

        statusOnError string -

        Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
        +

        Sets the HTTP status that is returned to the client when there is a network error to the authorization service. The default status is "403" (HTTP Forbidden).
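Review bot: the gRPC provider's statusOnError + line only describes an HTTP status, while the failOpen + line just above says this provider also gates TCP connections, which are closed immediately on denial. Consider stating in the status_on_error comment that it applies to HTTP requests only and has no effect for TCP connections.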

        service string -

        REQUIRED. Specifies the service that the Zipkin API.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service that the Zipkin API. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
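Review bot: the Zipkin service + line is missing a verb: "REQUIRED. Specifies the service that the Zipkin API." The sibling providers below use "Specifies the service for the Lightstep collector", so "Specifies the service that implements the Zipkin API" (or "the service for the Zipkin API") is the likely intent; fix in the proto comment.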

        @@ -1642,7 +1642,7 @@

        MeshConfig.Extension

        maxTagLength uint32 -

        Optional. Controls the overall path length allowed in a reported span.
        +

        Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

        @@ -1673,9 +1673,9 @@

        MeshConfig.Extens

        @@ -1739,9 +1739,9 @@

        MeshConfig.Extensio

        @@ -1794,9 +1794,9 @@

        MeshConfig.Exten

        service string -

        REQUIRED. Specifies the service for the Lightstep collector.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service for the Lightstep collector. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

        @@ -1710,7 +1710,7 @@

        MeshConfig.Extens

        maxTagLength uint32 -

        Optional. Controls the overall path length allowed in a reported span.
        +

        Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

        service string -

        REQUIRED. Specifies the service for the Datadog agent.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service for the Datadog agent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

        @@ -1765,7 +1765,7 @@

        MeshConfig.Extensio

        maxTagLength uint32 -

        Optional. Controls the overall path length allowed in a reported span.
        +

        Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

        service string -

        REQUIRED. Specifies the service for the SkyWalking receiver.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service for the SkyWalking receiver. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

        @@ -1833,8 +1833,8 @@

        MeshConfig.Exten

        MeshConfig.ExtensionProvider.StackdriverProvider

        Defines configuration for Stackdriver.

        -

        WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
        -alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
        +

        WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used +alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus driver in Envoy.

        @@ -1851,7 +1851,7 @@

        MeshConfig.ExtensionPr

        @@ -1876,12 +1876,12 @@

        MeshConfig.ExtensionPr

        MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider

        Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

        -

        WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
        -OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation
        -in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
        -may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
        +

        WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of +OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation +in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration +may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider configuration MUST be accompanied by a restart of all proxies that will use that configuration.

        -

        NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used
        +

        NOTE: Stackdriver tracing uses OpenCensus configuraiton under the hood and, as a result, cannot be used alongside OpenCensus provider configuration.

        maxTagLength uint32 -

        Optional. Controls the overall path length allowed in a reported span.
        +

        Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.
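Review bot: the NOTE paragraph under OpenCensusAgentTracingProvider still reads "OpenCensus configuraiton" on both the removed and the added line; since this hunk only reflows the comment, fix the spelling to "configuration" in the proto source so the regenerated page does not keep the typo (the StackdriverProvider WARNING above already spells it correctly).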

        @@ -1898,9 +1898,9 @@

        MeshConfig.

        @@ -1938,7 +1938,7 @@

        MeshConfig.

        @@ -1954,7 +1954,7 @@

        MeshConfig.Exten

        MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider

        -

        Defines configuration for Envoy-based access logging that writes to
        +

        Defines configuration for Envoy-based access logging that writes to local files (and/or standard streams).

        service string -

        REQUIRED. Specifies the service for the OpenCensusAgent.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service for the OpenCensusAgent. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

        @@ -1924,9 +1924,9 @@

        MeshConfig.

        context TraceContext[] -

        Specifies the set of context propagation headers used for distributed
        -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
        -the proxy will attempt to read each header for each request and will
        +

        Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will write all headers.

        maxTagLength uint32 -

        Optional. Controls the overall path length allowed in a reported span.
        +

        Optional. Controls the overall path length allowed in a reported span. NOTE: currently only controls max length of the path tag.

        @@ -1971,8 +1971,8 @@

        MeshConfig.Exte

        @@ -1996,7 +1996,7 @@

        MeshConfig.Exte

        MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider

        -

        Defines configuration for an Envoy Access Logging Service
        +

        Defines configuration for an Envoy Access Logging Service integration for HTTP traffic.

        path string -

        Path to a local file to write the access log entries.
        -This may be used to write to streams, via /dev/stderr and /dev/stdout
        +

        Path to a local file to write the access log entries. +This may be used to write to streams, via /dev/stderr and /dev/stdout If unspecified, defaults to /dev/stdout.
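Review bot: the reflowed `path` description now runs "via /dev/stderr and /dev/stdout If unspecified, defaults to /dev/stdout." with no sentence break, so the default reads as part of the previous clause; add a period after the first "/dev/stdout" in the source comment.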

        @@ -2013,9 +2013,9 @@

        MeshConfig.Exte

        service string -

        REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
        -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
        -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
        +

        REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

        Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
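Review bot: the `service` description says the service "implements the Envoy ALS gRPC authorization service", but ALS is the access log service and nothing in this field concerns authorization; the wording looks copied from an authorization provider and should read "access log service". The same sentence is repeated for the other ALS providers further down, so fix it once in the shared source comment.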

        @@ -2039,7 +2039,7 @@

        MeshConfig.Exte

        logName string -

        Optional. The friendly name of the access log.
        +

        Optional. The friendly name of the access log. Defaults:

        • "http_envoy_accesslog"
        • @@ -2100,7 +2100,7 @@

          MeshConfig.Exte

          MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider

          -

          Defines configuration for an Envoy Access Logging Service
          +

          Defines configuration for an Envoy Access Logging Service integration for TCP traffic.

          @@ -2117,9 +2117,9 @@

          MeshConfig.Exten

          @@ -2255,12 +2255,12 @@

          MeshConfig.Ext

          @@ -2287,8 +2287,8 @@

          MeshC

          @@ -2353,12 +2353,12 @@

          Me

          service string -

          REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
          -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
          -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
          +

          REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          @@ -2143,7 +2143,7 @@

          MeshConfig.Exten

          logName string -

          Optional. The friendly name of the access log.
          +

          Optional. The friendly name of the access log. Defaults:

          • "tcp_envoy_accesslog"
          • @@ -2187,9 +2187,9 @@

            MeshConfig.E

          service string -

          REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
          -The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient
          -to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a
          +

          REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service. +The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient +to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          @@ -2213,7 +2213,7 @@

          MeshConfig.E

          logName string -

          Optional. The friendly name of the access log.
          +

          Optional. The friendly name of the access log. Defaults:

          • "otel_envoy_accesslog"
          • @@ -2228,7 +2228,7 @@

            MeshConfig.E

          logFormat LogFormat -

          Optional. Format for the proxy access log
          +

          Optional. Format for the proxy access log Empty value results in proxy's default access log format, following Envoy access logging formatting.

          labels map<string, string> -

          Collection of tag names and tag expressions to include in the log
          -entry. Conflicts are resolved by the tag name by overriding previously
          +

          Collection of tag names and tag expressions to include in the log +entry. Conflicts are resolved by the tag name by overriding previously supplied values.

          -

          Example:
          -labels:
          -path: request.url_path
          +

          Example: +labels: +path: request.url_path foo: request.headers['x-foo']

          text string (oneof) -

          Textual format for the envoy access logs. Envoy command operators may be
          -used in the format. The format string documentation
          +

          Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation provides more information.

          NOTE: Istio will insert a newline ('\n') on all formats (if missing).

          Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"
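Review bot: the `labels` example in this hunk collapses into a single paragraph line (the "labels:", "path: request.url_path" and "foo: request.headers['x-foo']" lines are joined), because Goldmark treats the comment's soft line breaks as one paragraph, so the YAML nesting and indentation are lost; wrap the example in a fenced code block in the source comment. The `logFormat` description in the same hunk also needs a period after "Format for the proxy access log", which now runs straight into "Empty value results".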

          @@ -2302,11 +2302,11 @@

          MeshC

          labels Struct (oneof) -

          JSON structured format for the envoy access logs. Envoy command operators
          -can be used as values for fields within the Struct. Values are rendered
          -as strings, numbers, or boolean values, as appropriate
          -(see: format dictionaries). Nested JSON is
          -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
          +

          JSON structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Use labels: {} for default envoy JSON log format.

          Example:

          labels:
          @@ -2338,10 +2338,10 @@ 

          Me

          text string -

          Textual format for the envoy access logs. Envoy command operators may be
          -used in the format. The format string documentation
          -provides more information.
          -Alias to body filed in Open Telemetry
          +

          Textual format for the envoy access logs. Envoy command operators may be +used in the format. The format string documentation +provides more information. +Alias to body filed in Open Telemetry Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

          labels Struct -

          Optional. Additional attributes that describe the specific event occurrence.
          -Structured format for the envoy access logs. Envoy command operators
          -can be used as values for fields within the Struct. Values are rendered
          -as strings, numbers, or boolean values, as appropriate
          -(see: format dictionaries). Nested JSON is
          -supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
          +

          Optional. Additional attributes that describe the specific event occurrence. +Structured format for the envoy access logs. Envoy command operators +can be used as values for fields within the Struct. Values are rendered +as strings, numbers, or boolean values, as appropriate +(see: format dictionaries). Nested JSON is +supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA). Alias to attributes filed in Open Telemetry

          Example:

          labels:
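Review bot: "Alias to body filed in Open Telemetry" in the `text` description and "Alias to attributes filed in Open Telemetry" in the `labels` description should read "field" (the OTLP `body` and `attributes` fields). In the `text` hunk the following "Example: text: ..." is now joined onto the same paragraph; a blank line before "Example:" in the source comment keeps it separate, as it still is for `labels` below.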
          @@ -2376,9 +2376,9 @@ 

          Me

          k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

          -

          A label selector is a label query over a set of resources. The result of matchLabels and
          -matchExpressions are ANDed. An empty label selector matches all objects. A null
          -label selector matches no objects.
          +

          A label selector is a label query over a set of resources. The result of matchLabels and +matchExpressions are ANDed. An empty label selector matches all objects. A null +label selector matches no objects. +structType=atomic
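Review bot: the added LabelSelector line ends with "+structType=atomic", which is a codegen marker carried over from the upstream Kubernetes comment, not documentation; the generator should strip marker lines that begin with "+" before rendering, otherwise they are published as prose.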

          @@ -2395,9 +2395,9 @@

          k8s.io.apimachinery.

          @@ -2409,7 +2409,7 @@

          k8s.io.apimachinery.

          @@ -2449,8 +2449,8 @@

          Tracing

          @@ -2495,7 +2495,7 @@

          Tracing

          @@ -2507,8 +2507,8 @@

          Tracing

          @@ -2521,7 +2521,7 @@

          Tracing

          PrivateKeyProvider

          -

          PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
          +

          PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured mesh wide or individual per-workload basis.

          matchLabels map<string, string> -

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
          -map is equivalent to an element of matchExpressions, whose key field is "key", the
          -operator is "In", and the values array contains only "value". The requirements are ANDed.
          +

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed. +optional

          matchExpressions LabelSelectorRequirement[] -

          matchExpressions is a list of label selector requirements. The requirements are ANDed.
          +

          matchExpressions is a list of label selector requirements. The requirements are ANDed. +optional

          lightstep Lightstep (oneof) -

          Use a Lightstep tracer.
          -NOTE: For Istio 1.15+, this configuration option will result
          +

          Use a Lightstep tracer. +NOTE: For Istio 1.15+, this configuration option will result in using OpenTelemetry-based Lightstep integration.

          sampling double -

          The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
          +

          The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.

          tlsSettings ClientTLSSettings -

          Use the tls_settings to specify the tls mode to use. If the remote tracing service
          -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
          +

          Use the tls_settings to specify the tls mode to use. If the remote tracing service +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.
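Review bot: `matchLabels` and `matchExpressions` now end with a stray "+optional" in the rendered description, the same marker leak as "+structType=atomic" on LabelSelector, and it should be filtered in the generator rather than left on the page. Separately, the PrivateKeyProvider sentence "configured mesh wide or individual per-workload basis" reads awkwardly; "configured mesh-wide or on a per-workload basis" is clearer.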

          @@ -2548,8 +2548,8 @@

          PrivateKeyProvider

          ProxyConfig

          -

          ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
          -as well as by the mesh-wide defaults.
          +

          ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis +as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the defaultConfig section of meshConfig. For example:

          meshConfig:
             defaultConfig:
          @@ -2560,9 +2560,9 @@ 

          ProxyConfig

          proxy.istio.io/config: | discoveryAddress: istiod:15012
          -

          If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
          -This is different than a deep merge provided by protobuf.
          -For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider
          +

          If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. +This is different than a deep merge provided by protobuf. +For example, "tracing": { "sampling": 5 } would completely override a setting configuring a tracing provider such as "tracing": { "zipkin": { "address": "..." } }.

          Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.
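Review bot: the annotation example now renders as "proxy.istio.io/config: | discoveryAddress: istiod:15012" on one line, which is not valid YAML because the `|` block scalar has lost its line break; this example and the "meshConfig: defaultConfig:" one above it should be fenced code blocks in the source comment so the indentation survives the Goldmark rendering.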

          @@ -2580,7 +2580,7 @@

          ProxyConfig

          @@ -2603,17 +2603,17 @@

          ProxyConfig

          @@ -2625,7 +2625,7 @@

          ProxyConfig

          @@ -2637,8 +2637,8 @@

          ProxyConfig

          @@ -2650,9 +2650,9 @@

          ProxyConfig

          @@ -2664,7 +2664,7 @@

          ProxyConfig

          @@ -2687,7 +2687,7 @@

          ProxyConfig

          @@ -2699,7 +2699,7 @@

          ProxyConfig

          @@ -2711,7 +2711,7 @@

          ProxyConfig

          @@ -2723,10 +2723,10 @@

          ProxyConfig

          @@ -2738,9 +2738,9 @@

          ProxyConfig

          @@ -2785,9 +2785,9 @@

          ProxyConfig

          @@ -2799,8 +2799,8 @@

          ProxyConfig

          @@ -2812,7 +2812,7 @@

          ProxyConfig

          @@ -2824,7 +2824,7 @@

          ProxyConfig

          @@ -2836,7 +2836,7 @@

          ProxyConfig

          @@ -2848,9 +2848,9 @@

          ProxyConfig

          @@ -2862,10 +2862,10 @@

          ProxyConfig

          @@ -2877,8 +2877,8 @@

          ProxyConfig

          @@ -2890,8 +2890,8 @@

          ProxyConfig

          @@ -2903,16 +2903,16 @@

          ProxyConfig

          @@ -2934,9 +2934,9 @@

          ProxyConfig

          @@ -2948,9 +2948,9 @@

          ProxyConfig

          @@ -2984,8 +2984,8 @@

          ProxyConfig

          @@ -3024,8 +3024,8 @@

          RemoteService

          @@ -3105,9 +3105,9 @@

          Tracing.Datadog

          Tracing.Stackdriver

          -

          Stackdriver defines configuration for a Stackdriver tracer.
          -See Envoy's OpenCensus trace configuration
          -and
          +

          Stackdriver defines configuration for a Stackdriver tracer. +See Envoy's OpenCensus trace configuration +and OpenCensus trace config for details.

          configPath string -

          Path to the generated configuration file directory.
          +

          Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.

          serviceCluster string (oneof) -

          Service cluster defines the name for the service_cluster that is
          -shared by all Envoy instances. This setting corresponds to
          ---service-cluster flag in Envoy. In a typical Envoy deployment, the
          -service-cluster flag is used to identify the caller, for
          +

          Service cluster defines the name for the service_cluster that is +shared by all Envoy instances. This setting corresponds to +--service-cluster flag in Envoy. In a typical Envoy deployment, the +service-cluster flag is used to identify the caller, for source-based routing scenarios.

          -

          Since Istio does not assign a local service/service version to each
          -Envoy instance, the name is same for all of them. However, the
          -source/caller's identity (e.g., IP address) is encoded in the
          ---service-node flag when launching Envoy. When the RDS service
          -receives API calls from Envoy, it uses the value of the service-node
          -flag to compute routes that are relative to the service instances
          +

          Since Istio does not assign a local service/service version to each +Envoy instance, the name is same for all of them. However, the +source/caller's identity (e.g., IP address) is encoded in the +--service-node flag when launching Envoy. When the RDS service +receives API calls from Envoy, it uses the value of the service-node +flag to compute routes that are relative to the service instances located at that IP address.

          tracingServiceName TracingServiceName (oneof) -

          Used by Envoy proxies to assign the values for the service names in trace
          +

          Used by Envoy proxies to assign the values for the service names in trace spans.

          drainDuration Duration -

          The time in seconds that Envoy will drain connections during a hot
          -restart. MUST be >=1s (e.g., 1s/1m/1h)
          +

          The time in seconds that Envoy will drain connections during a hot +restart. MUST be >=1s (e.g., 1s/1m/1h) Default drain duration is 45s.

          parentShutdownDuration Duration -

          The time in seconds that Envoy will wait before shutting down the
          -parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h).
          -MUST BE greater than drain_duration parameter.
          +

          The time in seconds that Envoy will wait before shutting down the +parent process during a hot restart. MUST be >=1s (e.g., 1s/1m/1h). +MUST BE greater than drain_duration parameter. Default shutdown duration is 60s.

          discoveryAddress string -

          Address of the discovery service exposing xDS with mTLS connection.
          +

          Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.

          proxyAdminPort int32 -

          Port on which Envoy should listen for administrative commands.
          +

          Port on which Envoy should listen for administrative commands. Default port is 15000.

          controlPlaneAuthPolicy AuthenticationPolicy -

          AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
          +

          AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. Default is set to MUTUAL_TLS.

          customConfigFile string -

          File path of custom proxy configuration, currently used by proxies
          +

          File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot.

          statNameLength int32 -

          Maximum length of name field in Envoy's metrics. The length of the name field
          -is determined by the length of a name field in a service and the set of labels that
          -comprise a particular version of the service. The default value is set to 189 characters.
          -Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
          +

          Maximum length of name field in Envoy's metrics. The length of the name field +is determined by the length of a name field in a service and the set of labels that +comprise a particular version of the service. The default value is set to 189 characters. +Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.

          concurrency Int32Value -

          The number of worker threads to run.
          -If unset, this will be automatically determined based on CPU requests/limits.
          -If set to 0, all cores on the machine will be used.
          +

          The number of worker threads to run. +If unset, this will be automatically determined based on CPU requests/limits. +If set to 0, all cores on the machine will be used. Default is 2 worker threads.

          envoyAccessLogService RemoteService -

          Address of the service to which access logs from Envoys should be
          -sent. (e.g. accesslog-service:15000). See Access Log
          -Service

          +

          Address of the service to which access logs from Envoys should be +sent. (e.g. accesslog-service:15000). See Access Log +Service for details about Envoy's gRPC Access Log Service API.

          envoyMetricsService RemoteService -

          Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000).
          -See Metric Service
          +

          Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). +See Metric Service for details about Envoy's Metrics Service API.

          proxyMetadata map<string, string> -

          Additional environment variables for the proxy.
          +

          Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap and sent to the XDS server.

          runtimeValues map<string, string> -

          Envoy runtime configuration to set during bootstrapping.
          +

          Envoy runtime configuration to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.

          statusPort int32 -

          Port on which the agent should listen for administrative commands such as readiness probe.
          +

          Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port 15020.

          extraStatTags string[] -

          An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
          -added by configuring the telemetry extension. Each additional tag needs to be present in this list.
          -Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
          +

          An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be +added by configuring the telemetry extension. Each additional tag needs to be present in this list. +Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics.

          terminationDrainDuration Duration -

          The amount of time allowed for connections to complete on proxy shutdown.
          -On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining,
          -preventing any new connections and allowing existing connections to complete. It then
          -sleeps for the termination_drain_duration and then kills any remaining active Envoy processes.
          +

          The amount of time allowed for connections to complete on proxy shutdown. +On receiving SIGTERM or SIGINT, istio-agent tells the active Envoy to start draining, +preventing any new connections and allowing existing connections to complete. It then +sleeps for the termination_drain_duration and then kills any remaining active Envoy processes. If not set, a default of 5s will be applied.

          meshId string -

          The unique identifier for the service mesh
          -All control planes running in the same service mesh should specify the same mesh ID.
          +

          The unique identifier for the service mesh +All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.

          readinessProbe ReadinessProbe -

          VM Health Checking readiness probe. This health check config exactly mirrors the
          -kubernetes readiness probe configuration both in schema and logic.
          +

          VM Health Checking readiness probe. This health check config exactly mirrors the +kubernetes readiness probe configuration both in schema and logic. Only one health check method of 3 can be set at a time.

          proxyStatsMatcher ProxyStatsMatcher -

          Proxy stats matcher defines configuration for reporting custom Envoy stats.
          -To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
          -default create and expose only a subset of Envoy stats. This option is to
          -control creation of additional Envoy stats with prefix, suffix, and regex
          -expressions match on the name of the stats. This replaces the stats
          -inclusion annotations
          -(sidecar.istio.io/statsInclusionPrefixes,
          -sidecar.istio.io/statsInclusionRegexps, and
          -sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats
          -for circuit breaker, retry, and upstream connections, you can specify stats
          +

          Proxy stats matcher defines configuration for reporting custom Envoy stats. +To reduce memory and CPU overhead from Envoy stats system, Istio proxies by +default create and expose only a subset of Envoy stats. This option is to +control creation of additional Envoy stats with prefix, suffix, and regex +expressions match on the name of the stats. This replaces the stats +inclusion annotations +(sidecar.istio.io/statsInclusionPrefixes, +sidecar.istio.io/statsInclusionRegexps, and +sidecar.istio.io/statsInclusionSuffixes). For example, to enable stats +for circuit breaker, retry, and upstream connections, you can specify stats matcher as follow:

          proxyStatsMatcher:
             inclusionRegexps:
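Review bot: the `concurrency` description in this run now reads, in one paragraph, "If unset, this will be automatically determined based on CPU requests/limits" followed by "Default is 2 worker threads", and the two statements contradict each other; either the "Default is 2 worker threads" sentence is stale and should be dropped, or the text should say under which condition each applies.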
          @@ -2921,8 +2921,8 @@ 

          ProxyConfig

          - upstream_rq_retry - upstream_cx
          -

          Note including more Envoy stats might increase number of time series
          -collected by prometheus significantly. Care needs to be taken on Prometheus
          +

          Note including more Envoy stats might increase number of time series +collected by prometheus significantly. Care needs to be taken on Prometheus resource provision and configuration to reduce cardinality.

          holdApplicationUntilProxyStarts BoolValue -

          Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
          -This feature adds hooks to delay application startup until the pod proxy
          -is ready to accept traffic, mitigating some startup race conditions.
          +

          Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. +This feature adds hooks to delay application startup until the pod proxy +is ready to accept traffic, mitigating some startup race conditions. Default value is 'false'.

          caCertificatesPem string[] -

          The PEM data of the extra root certificates for workload-to-workload communication.
          -This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
          -The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
          +

          The PEM data of the extra root certificates for workload-to-workload communication. +This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. +The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) are added automatically by Istiod.

          zipkinAddress string -

          Address of the Zipkin service (e.g. zipkin:9411).
          -DEPRECATED: Use tracing instead.

          +

          Address of the Zipkin service (e.g. zipkin:9411). +DEPRECATED: Use tracing instead.
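Review bot: the proxyStatsMatcher example's list items render on a single line as "- upstream_rq_retry - upstream_cx", so the `inclusionRegexps` list loses its structure once the comment lines are joined; fence the example as a YAML code block in the source comment, as for the other examples in this file.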

          @@ -3011,8 +3011,8 @@

          RemoteService

          address string -

          Address of a remove service used for various purposes (access log
          -receiver, metrics receiver, etc.). Can be IP address or a fully
          +

          Address of a remove service used for various purposes (access log +receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.

          tlsSettings ClientTLSSettings -

          Use the tls_settings to specify the tls mode to use. If the remote service
          -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
          +

          Use the tls_settings to specify the tls mode to use. If the remote service +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS mode as ISTIO_MUTUAL.
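Review bot: "Address of a remove service" in the RemoteService `address` description should be "remote service"; the typo is present on both the old and the new line, so it needs fixing in the proto comment rather than in the generated HTML.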

          @@ -3125,11 +3125,11 @@

          Tracing.Stackdriver

          Tracing.OpenCensusAgent

          -

          OpenCensusAgent defines configuration for an OpenCensus tracer writing to
          -an OpenCensus agent backend. See
          -Envoy's OpenCensus trace configuration
          -and
          -OpenCensus trace config
          +

          OpenCensusAgent defines configuration for an OpenCensus tracer writing to +an OpenCensus agent backend. See +Envoy's OpenCensus trace configuration +and +OpenCensus trace config for details.

          @@ -3146,9 +3146,9 @@

          Tracing.OpenCensusAgent

          @@ -3160,9 +3160,9 @@

          Tracing.OpenCensusAgent

          @@ -3191,11 +3191,11 @@

          PrivateKeyProvider.CryptoMb

          @@ -3208,7 +3208,7 @@

          PrivateKeyProvider.CryptoMb

          ProxyConfig.ProxyStatsMatcher

          -

          Proxy stats name matchers for stats creation. Note this is in addition to
          +

          Proxy stats name matchers for stats creation. Note this is in addition to the minimum Envoy stats that Istio generates by default.

          address string -

          gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
          -unix:path). See gRPC naming
          -docs
          for
          +

          gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or +unix:path). See gRPC naming +docs for details.

          context TraceContext[] -

          Specifies the set of context propagation headers used for distributed
          -tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified,
          -the proxy will attempt to read each header for each request and will
          +

          Specifies the set of context propagation headers used for distributed +tracing. Default is ["W3C_TRACE_CONTEXT"]. If multiple values are specified, +the proxy will attempt to read each header for each request and will write all headers.

          pollDelay Duration -

          How long to wait until the per-thread processing queue should be processed. If the processing queue
          -gets full (eight sign or decrypt requests are received) it is processed immediately.
          -However, if the queue is not filled before the delay has expired, the requests already in the queue
          -are processed, even if the queue is not full.
          -In effect, this value controls the balance between latency and throughput.
          +

          How long to wait until the per-thread processing queue should be processed. If the processing queue +gets full (eight sign or decrypt requests are received) it is processed immediately. +However, if the queue is not filled before the delay has expired, the requests already in the queue +are processed, even if the queue is not full. +In effect, this value controls the balance between latency and throughput. The duration needs to be set to a non-zero value.

          @@ -3259,10 +3259,10 @@

          ProxyConfig.ProxyStatsMatcher

          Network

          -

          Network provides information about the endpoints in a routable L3
          -network. A single routable L3 network can have one or more service
          -registries. Note that the network has no relation to the locality of the
          -endpoint. The endpoint locality will be obtained from the service
          +

          Network provides information about the endpoints in a routable L3 +network. A single routable L3 network can have one or more service +registries. Note that the network has no relation to the locality of the +endpoint. The endpoint locality will be obtained from the service registry.

          @@ -3279,8 +3279,8 @@

          Network

          @@ -3304,7 +3304,7 @@

          Network

          MeshNetworks

          -

          MeshNetworks (config map) provides information about the set of networks
          +

          MeshNetworks (config map) provides information about the set of networks inside a mesh and how to route to endpoints in each network. For example

          MeshNetworks(file/config map):

          networks:
          @@ -3335,8 +3335,8 @@ 

          MeshNetworks

          @@ -3349,23 +3349,23 @@

          MeshNetworks

          Network.NetworkEndpoints

          -

          NetworkEndpoints describes how the network associated with an endpoint
          -should be inferred. An endpoint will be assigned to a network based on
          +

          NetworkEndpoints describes how the network associated with an endpoint +should be inferred. An endpoint will be assigned to a network based on the following rules:

          1. -

            Implicitly: If the registry explicitly provides information about
            -the network to which the endpoint belongs to. In some cases, its
            -possible to indicate the network associated with the endpoint by
            +

            Implicitly: If the registry explicitly provides information about +the network to which the endpoint belongs to. In some cases, its +possible to indicate the network associated with the endpoint by adding the ISTIO_META_NETWORK environment variable to the sidecar.

          2. Explicitly:

            -

            a. By matching the registry name with one of the "fromRegistry"
            -in the mesh config. A "from_registry" can only be assigned to a
            +

            a. By matching the registry name with one of the "fromRegistry" +in the mesh config. A "from_registry" can only be assigned to a single network.

            -

            b. By matching the IP against one of the CIDR ranges in a mesh
            -config network. The CIDR ranges must not overlap and be assigned to
            +

            b. By matching the IP against one of the CIDR ranges in a mesh +config network. The CIDR ranges must not overlap and be assigned to a single network.
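
Review bot: the lettered sub-items "a." and "b." under "2. Explicitly:" are not CommonMark list markers (only digits followed by "." or ")" are), so Goldmark renders them as plain paragraphs rather than a nested list, as the `+` lines "a. By matching the registry name ..." and "b. By matching the IP against ..." show; if a real sub-list is wanted, the istio/api comment should use nested "-" or numbered markers. Same hunk: "Implicitly: If the registry explicitly provides information" reads contradictory, and "its possible" should be "it's possible".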

          @@ -3385,7 +3385,7 @@

          Network.NetworkEndpoints

          @@ -3397,9 +3397,9 @@

          Network.NetworkEndpoints

          @@ -3412,8 +3412,8 @@

          Network.NetworkEndpoints

          Network.IstioNetworkGateway

          -

          The gateway associated with this network. Traffic from remote networks
          -will arrive at the specified gateway:port. All incoming traffic must
          +

          The gateway associated with this network. Traffic from remote networks +will arrive at the specified gateway:port. All incoming traffic must use mTLS.

          endpoints NetworkEndpoints[] -

          The list of endpoints in the network (obtained through the
          -constituent service registries or from CIDR ranges). All endpoints in
          +

          The list of endpoints in the network (obtained through the +constituent service registries or from CIDR ranges). All endpoints in the network are directly accessible to one another.

          networks map<string, Network> -

          The set of networks inside this mesh. Each network should
          -have a unique name and information about how to infer the endpoints in
          +

          The set of networks inside this mesh. Each network should +have a unique name and information about how to infer the endpoints in the network as well as the gateways associated with the network.

          fromCidr string (oneof) -

          A CIDR range for the set of endpoints in this network. The CIDR
          +

          A CIDR range for the set of endpoints in this network. The CIDR ranges for endpoints from different networks must not overlap.

          fromRegistry string (oneof) -

          Add all endpoints from the specified registry into this network.
          -The names of the registries should correspond to the kubeconfig file name
          -inside the secret that was used to configure the registry (Kubernetes
          +

          Add all endpoints from the specified registry into this network. +The names of the registries should correspond to the kubeconfig file name +inside the secret that was used to configure the registry (Kubernetes multicluster) or supplied by MCP server.

          @@ -3430,12 +3430,12 @@

          Network.IstioNetworkGateway

          @@ -3492,7 +3492,7 @@

          MeshConfig.OutboundTrafficPolicy.

          @@ -3500,7 +3500,7 @@

          MeshConfig.OutboundTrafficPolicy.

          @@ -3510,7 +3510,7 @@

          MeshConfig.OutboundTrafficPolicy.

          MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext

          -

          TraceContext selects the context propagation headers used for
          +

          TraceContext selects the context propagation headers used for distributed tracing.

          registryServiceName string (oneof) -

          A fully qualified domain name of the gateway service. Pilot will
          -lookup the service from the service registries in the network and
          -obtain the endpoint IPs of the gateway from the service
          -registry. Note that while the service name is a fully qualified
          -domain name, it need not be resolvable outside the orchestration
          -platform for the registry. e.g., this could be
          +

          A fully qualified domain name of the gateway service. Pilot will +lookup the service from the service registries in the network and +obtain the endpoint IPs of the gateway from the service +registry. Note that while the service name is a fully qualified +domain name, it need not be resolvable outside the orchestration +platform for the registry. e.g., this could be istio-ingressgateway.istio-system.svc.cluster.local.

          REGISTRY_ONLY -

          outbound traffic will be restricted to services defined in the
          +

          outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntries

          ALLOW_ANY -

          outbound traffic to unknown destinations will be allowed, in case
          +

          outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port

          @@ -3524,8 +3524,8 @@

          @@ -3540,7 +3540,7 @@

          @@ -3548,9 +3548,9 @@

          @@ -3585,8 +3585,8 @@

          MeshConfig.ProxyPat

          @@ -3594,7 +3594,7 @@

          MeshConfig.ProxyPat

          @@ -3602,8 +3602,8 @@

          MeshConfig.ProxyPat

          @@ -3674,10 +3674,10 @@

          MeshConfig.IngressControllerMode

          @@ -3685,10 +3685,10 @@

          MeshConfig.IngressControllerMode

          @@ -3767,8 +3767,8 @@

          Resource

          @@ -3778,7 +3778,7 @@

          Resource

          Tracing.OpenCensusAgent.TraceContext

          -

          TraceContext selects the context propagation headers used for
          +

          TraceContext selects the context propagation headers used for distributed tracing.

          W3C_TRACE_CONTEXT -

          Use W3C Trace Context propagation using the traceparent HTTP header.
          -See the
          +

          Use W3C Trace Context propagation using the traceparent HTTP header. +See the Trace Context documentation for details.

          CLOUD_TRACE_CONTEXT -

          Use Cloud Trace context propagation using the
          +

          Use Cloud Trace context propagation using the X-Cloud-Trace-Context http header.

          B3 -

          Use multi-header B3 context propagation using the X-B3-TraceId,
          -X-B3-SpanId, and X-B3-Sampled HTTP headers. See
          -B3 header propagation README
          +

          Use multi-header B3 context propagation using the X-B3-TraceId, +X-B3-SpanId, and X-B3-Sampled HTTP headers. See +B3 header propagation README for details.

          BASE -

          Normalize according to RFC 3986.
          -For Envoy proxies, this is the normalize_path option.
          +

          Normalize according to RFC 3986. +For Envoy proxies, this is the normalize_path option. For example, /a/../b normalizes to /b.

          MERGE_SLASHES -

          In addition to the BASE normalization, consecutive slashes are also merged.
          +

          In addition to the BASE normalization, consecutive slashes are also merged. For example, /a//b normalizes to a/b.

          DECODE_AND_MERGE_SLASHES -

          In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging.
          -This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \.
          +

          In addition to normalization in MERGE_SLASHES, slash characters are UTF-8 decoded (case insensitive) prior to merging. +This means %2F, %2f, %5C, and %5c sequences in the request path will be rewritten to / or \. For example, /a%2f/b normalizes to a/b.

          DEFAULT -

          Istio ingress controller will act on ingress resources that do not
          -contain any annotation or whose annotations match the value
          -specified in the ingress_class parameter described earlier. Use this
          -mode if Istio ingress controller will be the default ingress
          +

          Istio ingress controller will act on ingress resources that do not +contain any annotation or whose annotations match the value +specified in the ingress_class parameter described earlier. Use this +mode if Istio ingress controller will be the default ingress controller for the entire Kubernetes cluster.

          STRICT -

          Istio ingress controller will only act on ingress resources whose
          -annotations match the value specified in the ingress_class parameter
          -described earlier. Use this mode if Istio ingress controller will be
          -a secondary ingress controller (e.g., in addition to a
          +

          Istio ingress controller will only act on ingress resources whose +annotations match the value specified in the ingress_class parameter +described earlier. Use this mode if Istio ingress controller will be +a secondary ingress controller (e.g., in addition to a cloud-provided ingress controller).

          SERVICE_REGISTRY -

          Set to only receive service entries that are generated by the platform.
          -These auto generated service entries are combination of services and endpoints
          +

          Set to only receive service entries that are generated by the platform. +These auto generated service entries are combination of services and endpoints that are generated by a specific platform e.g. k8
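
Review bot: the MERGE_SLASHES and DECODE_AND_MERGE_SLASHES examples drop the leading slash ("/a//b normalizes to a/b", "/a%2f/b normalizes to a/b") while the BASE example keeps it ("/a/../b normalizes to /b"); the two presumably should read "/a/b", and since these modes decide how an authorization policy sees a path, the examples are worth getting exactly right in the istio/api comment. Also in this hunk, the SERVICE_REGISTRY description ends with "e.g. k8" (missing the trailing "s" and a period).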

          @@ -3792,8 +3792,8 @@

          Tracing.OpenCensusAgent.TraceConte

          @@ -3808,7 +3808,7 @@

          Tracing.OpenCensusAgent.TraceConte

          @@ -3816,9 +3816,9 @@

          Tracing.OpenCensusAgent.TraceConte

          @@ -3828,8 +3828,8 @@

          Tracing.OpenCensusAgent.TraceConte

          ProxyConfig.TracingServiceName

          -

          Allows specification of various Istio-supported naming schemes for the
          -Envoy service_cluster value. The servce_cluster value is primarily used
          +

          Allows specification of various Istio-supported naming schemes for the +Envoy service_cluster value. The servce_cluster value is primarily used by Envoys to provide service names for tracing spans.

          W3C_TRACE_CONTEXT -

          Use W3C Trace Context propagation using the traceparent HTTP header.
          -See the
          +

          Use W3C Trace Context propagation using the traceparent HTTP header. +See the Trace Context documentation for details.

          CLOUD_TRACE_CONTEXT -

          Use Cloud Trace context propagation using the
          +

          Use Cloud Trace context propagation using the X-Cloud-Trace-Context http header.

          B3 -

          Use multi-header B3 context propagation using the X-B3-TraceId,
          -X-B3-SpanId, and X-B3-Sampled HTTP headers. See
          -B3 header propagation README
          +

          Use multi-header B3 context propagation using the X-B3-TraceId, +X-B3-SpanId, and X-B3-Sampled HTTP headers. See +B3 header propagation README for details.

          @@ -3843,7 +3843,7 @@

          ProxyConfig.TracingServiceName

          @@ -3867,8 +3867,8 @@

          ProxyConfig.TracingServiceName

          ProxyConfig.InboundInterceptionMode

          -

          The mode used to redirect inbound traffic to Envoy.
          -This setting has no effect on outbound traffic: iptables REDIRECT is always used for
          +

          The mode used to redirect inbound traffic to Envoy. +This setting has no effect on outbound traffic: iptables REDIRECT is always used for outbound connections.

          APP_LABEL_AND_NAMESPACE -

          Default scheme. Uses the app label and workload namespace to construct
          +

          Default scheme. Uses the app label and workload namespace to construct a cluster name. If the app label does not exist istio-proxy is used.

          @@ -3882,7 +3882,7 @@

          ProxyConfig.InboundInterceptionMode

          @@ -3890,9 +3890,9 @@

          ProxyConfig.InboundInterceptionMode

          @@ -3900,7 +3900,7 @@

          ProxyConfig.InboundInterceptionMode

          @@ -3910,8 +3910,8 @@

          ProxyConfig.InboundInterceptionMode

          AuthenticationPolicy

          -

          AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
          -It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
          +

          AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. +It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. Mesh policy cannot be INHERIT.

          REDIRECT -

          The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses
          +

          The REDIRECT mode uses iptables REDIRECT to NAT and redirect to Envoy. This mode loses source IP addresses during redirection.

          TPROXY -

          The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the
          -source and destination IP addresses and ports, so that they can be used for advanced
          -filtering and manipulation. This mode also configures the sidecar to run with the
          +

          The TPROXY mode uses iptables TPROXY to redirect to Envoy. This mode preserves both the +source and destination IP addresses and ports, so that they can be used for advanced +filtering and manipulation. This mode also configures the sidecar to run with the CAP_NET_ADMIN capability, which is required to use TPROXY.

          NONE -

          The NONE mode does not configure redirect to Envoy at all. This is an advanced
          +

          The NONE mode does not configure redirect to Envoy at all. This is an advanced configuration that typically requires changes to user applications.
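
Review bot: "servce_cluster" in the ProxyConfig.TracingServiceName description is a typo for "service_cluster" (the same sentence spells it correctly a few words earlier); it appears in both the removed and added lines, so the fix belongs in the istio/api comment rather than in this generated HTML.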

          @@ -3939,7 +3939,7 @@

          AuthenticationPolicy

          diff --git a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html index 93f058bd5aab4..7578af3f61ccc 100644 --- a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html @@ -9,17 +9,17 @@ weight: 20 number_of_entries: 74 --- -

          Configuration affecting Istio control plane installation version and shape.
          -Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests.
          -Without camelCase, the json tag on the Go struct will not match the user's JSON representation.
          -This leads to Kubernetes merge libraries, which rely on this tag, to fail.
          +

          Configuration affecting Istio control plane installation version and shape. +Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. +Without camelCase, the json tag on the Go struct will not match the user's JSON representation. +This leads to Kubernetes merge libraries, which rely on this tag, to fail. All other usages use jsonpb which does not use the json tag.

          IstioOperatorSpec

          -

          IstioOperatorSpec defines the desired installed state of Istio components.
          -The spec is a used to define a customization of the default profile values that are supplied with each Istio release.
          -Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio
          +

          IstioOperatorSpec defines the desired installed state of Istio components. +The spec is a used to define a customization of the default profile values that are supplied with each Istio release. +Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio component values.

          apiVersion: install.istio.io/v1alpha1
           kind: IstioOperator
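
Review bot: the IstioOperatorSpec description carries two grammatical slips from the istio/api source that this regeneration preserves: "The spec is a used to define" (drop "a") and "results in a default Istio component values" (drop "a"). Fixing them upstream will make the next regeneration clean.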
          @@ -103,9 +103,9 @@ 

          IstioOperatorSpec

          @@ -117,7 +117,7 @@

          IstioOperatorSpec

          @@ -129,7 +129,7 @@

          IstioOperatorSpec

          @@ -152,7 +152,7 @@

          IstioOperatorSpec

          @@ -164,9 +164,9 @@

          IstioOperatorSpec

          @@ -189,8 +189,8 @@

          IstioOperatorSpec

          @@ -650,7 +650,7 @@

          KubernetesResourcesSpec

          @@ -662,7 +662,7 @@

          KubernetesResourcesSpec

          @@ -674,7 +674,7 @@

          KubernetesResourcesSpec

          @@ -686,7 +686,7 @@

          KubernetesResourcesSpec

          @@ -698,7 +698,7 @@

          KubernetesResourcesSpec

          @@ -710,7 +710,7 @@

          KubernetesResourcesSpec

          @@ -722,7 +722,7 @@

          KubernetesResourcesSpec

          @@ -734,7 +734,7 @@

          KubernetesResourcesSpec

          @@ -746,8 +746,8 @@

          KubernetesResourcesSpec

          @@ -759,7 +759,7 @@

          KubernetesResourcesSpec

          @@ -771,7 +771,7 @@

          KubernetesResourcesSpec

          @@ -783,7 +783,7 @@

          KubernetesResourcesSpec

          @@ -795,7 +795,7 @@

          KubernetesResourcesSpec

          @@ -807,7 +807,7 @@

          KubernetesResourcesSpec

          @@ -819,7 +819,7 @@

          KubernetesResourcesSpec

          @@ -831,7 +831,7 @@

          KubernetesResourcesSpec

          @@ -843,8 +843,8 @@

          KubernetesResourcesSpec

          @@ -856,7 +856,7 @@

          KubernetesResourcesSpec

          @@ -918,7 +918,7 @@

          K8sObjectOverlay

          @@ -2260,7 +2260,7 @@

          ObjectMetricSource

          @@ -3626,9 +3626,9 @@

          SeccompProfile

          IntOrString

          -

          IntOrString is a type that can hold an int32 or a string. When used in
          -JSON or YAML marshalling and unmarshalling, it produces or consumes the
          -inner type. This allows you to have, for example, a JSON field that can
          +

          IntOrString is a type that can hold an int32 or a string. When used in +JSON or YAML marshalling and unmarshalling, it produces or consumes the +inner type. This allows you to have, for example, a JSON field that can accept a name or number.

          INHERIT -

          Use the policy defined by the parent scope. Should not be used for mesh
          +

          Use the policy defined by the parent scope. Should not be used for mesh policy.

          namespace string -

          Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace
          -as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in
          -a custom namespace.
          +

          Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace +as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in +a custom namespace. If you have enabled CNI, you must exclude this namespace by adding it to the list values.cni.excludeNamespaces.

          revision string -

          Identify the revision this installation is associated with.
          +

          Identify the revision this installation is associated with. This option is currently experimental.

          defaultRevision bool -

          Identify whether this revision is the default revision for the cluster
          +

          Identify whether this revision is the default revision for the cluster This option is currently experimental.

          components IstioComponentSetSpec -

          Kubernetes resource settings, enablement and component-specific settings that are not internal to the
          +

          Kubernetes resource settings, enablement and component-specific settings that are not internal to the component.

          values Struct -

          Overrides for default values.yaml. This is a validated pass-through to Helm templates.
          -See the Helm installation options for schema details.
          -Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This
          +

          Overrides for default values.yaml. This is a validated pass-through to Helm templates. +See the Helm installation options for schema details. +Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This includes Kubernetes resource settings for components in KubernetesResourcesSpec.

          addonComponents map<string, ExternalComponentSpec> -

          Deprecated.
          -Users should manage the installation of addon components on their own.
          +

          Deprecated. +Users should manage the installation of addon components on their own. Refer to samples/addons for demo installation of addon components.

          affinity Affinity -

          k8s affinity.
          +

          k8s affinity. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

          env EnvVar[] -

          Deployment environment variables.
          +

          Deployment environment variables. https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

          hpaSpec HorizontalPodAutoscalerSpec -

          k8s HorizontalPodAutoscaler settings.
          +

          k8s HorizontalPodAutoscaler settings. https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

          imagePullPolicy string -

          k8s imagePullPolicy.
          +

          k8s imagePullPolicy. https://kubernetes.io/docs/concepts/containers/images/

          nodeSelector map<string, string> -

          k8s nodeSelector.
          +

          k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

          podDisruptionBudget PodDisruptionBudgetSpec -

          k8s PodDisruptionBudget settings.
          +

          k8s PodDisruptionBudget settings. https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

          podAnnotations map<string, string> -

          k8s pod annotations.
          +

          k8s pod annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

          priorityClassName string -

          k8s priority_class_name. Default for all resources unless overridden.
          +

          k8s priority_class_name. Default for all resources unless overridden. https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

          readinessProbe ReadinessProbe -

          k8s readinessProbe settings.
          -https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
          +

          k8s readinessProbe settings. +https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ k8s.io.api.core.v1.Probe readiness_probe = 9;

          replicaCount uint32 -

          k8s Deployment replicas setting.
          +

          k8s Deployment replicas setting. https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

          resources Resources -

          k8s resources settings.
          +

          k8s resources settings. https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

          service ServiceSpec -

          k8s Service settings.
          +

          k8s Service settings. https://kubernetes.io/docs/concepts/services-networking/service/

          strategy DeploymentStrategy -

          k8s deployment strategy.
          +

          k8s deployment strategy. https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

          tolerations Toleration[] -

          k8s toleration
          +

          k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

          serviceAnnotations map<string, string> -

          k8s service annotations.
          +

          k8s service annotations. https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

          securityContext PodSecurityContext -

          k8s pod security context
          +

          k8s pod security context https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

          volumes Volume[] -

          k8s volume
          -https://kubernetes.io/docs/concepts/storage/volumes/
          +

          k8s volume +https://kubernetes.io/docs/concepts/storage/volumes/ Volumes defines the collection of Volume to inject into the pod.

          volumeMounts VolumeMount[] -

          k8s volumeMounts
          +

          k8s volumeMounts VolumeMounts defines the collection of VolumeMount to inject into containers.

          name string -

          Name of resource.
          +

          Name of resource. Namespace is always the component namespace.

          target Value -

          Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1
          +

          Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1 Change it to dynamic type to keep backward compatible
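
Review bot: the regenerated readinessProbe description leaks a proto field declaration into the user-facing text: the `+` line ends with "configure-liveness-readiness-probes/ k8s.io.api.core.v1.Probe readiness_probe = 9;". That stray line should be removed from the istio/api comment source (or filtered by the generator). The same hunk renders an internal implementation note on target Value ("Change it to dynamic type to keep backward compatible") and is missing a period after "default revision for the cluster" in defaultRevision.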

          @@ -3731,9 +3731,9 @@

          K8sObjectOverlay.PathValue

          @@ -3745,10 +3745,10 @@

          K8sObjectOverlay.PathValue

          @@ -3761,9 +3761,9 @@

          K8sObjectOverlay.PathValue

          google.protobuf.Value

          -

          Value represents a dynamically typed value which can be either
          -null, a number, a string, a boolean, a recursive struct value, or a
          -list of values. A producer of value is expected to set one of that
          +

          Value represents a dynamically typed value which can be either +null, a number, a string, a boolean, a recursive struct value, or a +list of values. A producer of value is expected to set one of that variants, absence of any variant indicates an error.

          The JSON representation for Value is JSON value.

          @@ -3864,8 +3864,8 @@

          k8s.io.api.core.v1.Volume

          @@ -3877,8 +3877,8 @@

          k8s.io.api.core.v1.Volume

          @@ -3918,8 +3918,8 @@

          k8s.io.api.core.v1.VolumeMount

          @@ -3931,7 +3931,7 @@

          k8s.io.api.core.v1.VolumeMount

          @@ -3943,8 +3943,8 @@

          k8s.io.api.core.v1.VolumeMount

          @@ -3956,10 +3956,10 @@

          k8s.io.api.core.v1.VolumeMount

          @@ -3971,10 +3971,10 @@

          k8s.io.api.core.v1.VolumeMount

          @@ -3987,9 +3987,9 @@

          k8s.io.api.core.v1.VolumeMount

          k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

          -

          A label selector is a label query over a set of resources. The result of matchLabels and
          -matchExpressions are ANDed. An empty label selector matches all objects. A null
          -label selector matches no objects.
          +

          A label selector is a label query over a set of resources. The result of matchLabels and +matchExpressions are ANDed. An empty label selector matches all objects. A null +label selector matches no objects. +structType=atomic

          path string -

          Path of the form a.[key1:value1].b.[:value2]
          -Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value
          -selector to identify a list element in a leaf list.
          +

          Path of the form a.[key1:value1].b.[:value2] +Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value +selector to identify a list element in a leaf list. All path intermediate nodes must exist.

          value Value -

          Value to add, delete or replace.
          -For add, the path should be a new leaf.
          -For delete, value should be unset.
          -For replace, path should reference an existing node.
          +

          Value to add, delete or replace. +For add, the path should be a new leaf. +For delete, value should be unset. +For replace, path should reference an existing node. All values are strings but are converted into appropriate type based on schema.

          name string -

          name of the volume.
          -Must be a DNS_LABEL and unique within the pod.
          +

          name of the volume. +Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

          volumeSource VolumeSource -

          volumeSource represents the location and type of the mounted volume.
          -If not specified, the Volume is implied to be an EmptyDir.
          +

          volumeSource represents the location and type of the mounted volume. +If not specified, the Volume is implied to be an EmptyDir. This implied behavior is deprecated and will be removed in a future version.

          readOnly bool -

          Mounted read-only if true, read-write otherwise (false or unspecified).
          -Defaults to false.
          +

          Mounted read-only if true, read-write otherwise (false or unspecified). +Defaults to false. +optional

          mountPath string -

          Path within the container at which the volume should be mounted. Must
          +

          Path within the container at which the volume should be mounted. Must not contain ':'.

          subPath string -

          Path within the volume from which the container's volume should be mounted.
          -Defaults to "" (volume's root).
          +

          Path within the volume from which the container's volume should be mounted. +Defaults to "" (volume's root). +optional

          mountPropagation string -

          mountPropagation determines how mounts are propagated from the host
          -to container and the other way around.
          -When not set, MountPropagationNone is used.
          -This field is beta in 1.10.
          +

          mountPropagation determines how mounts are propagated from the host +to container and the other way around. +When not set, MountPropagationNone is used. +This field is beta in 1.10. +optional

          subPathExpr string -

          Expanded path within the volume from which the container's volume should be mounted.
          -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
          -Defaults to "" (volume's root).
          -SubPathExpr and SubPath are mutually exclusive.
          +

          Expanded path within the volume from which the container's volume should be mounted. +Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. +Defaults to "" (volume's root). +SubPathExpr and SubPath are mutually exclusive. +optional
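Review bot: the "+optional" and "+structType=atomic" tokens in the reflowed paragraphs (the VolumeMount fields readOnly, subPath, mountPropagation and subPathExpr, and the LabelSelector description "A null label selector matches no objects. +structType=atomic") are Go/controller-gen comment markers from the upstream k8s types, not documentation; with Goldmark joining the comment lines into one paragraph they now land mid-sentence in the rendered reference instead of on a trailing line. Suggest stripping lines that begin with "+<marker>" in the doc generator before the HTML is emitted, so "Defaults to false. +optional" renders as "Defaults to false."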

          @@ -4006,9 +4006,9 @@

          k8s.io.apimachinery.

          @@ -4020,7 +4020,7 @@

          k8s.io.apimachinery.

          @@ -4081,8 +4081,8 @@

          InstallStatus.Status

          diff --git a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html index 6a34bde2c4e70..2d3fc29cf4147 100644 --- a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -24,10 +24,10 @@

          IstioStatus

          @@ -39,9 +39,9 @@

          IstioStatus

          @@ -53,9 +53,9 @@

          IstioStatus

          @@ -93,7 +93,7 @@

          IstioCondition

          @@ -105,7 +105,7 @@

          IstioCondition

          @@ -117,7 +117,7 @@

          IstioCondition

          @@ -129,7 +129,7 @@

          IstioCondition

          @@ -141,7 +141,7 @@

          IstioCondition

          diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html index cdfa4d0dead34..775ff6993cae5 100644 --- a/content/zh/docs/reference/config/networking/destination-rule/index.html +++ b/content/zh/docs/reference/config/networking/destination-rule/index.html @@ -10,14 +10,14 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/destination-rule] number_of_entries: 23 --- -

          DestinationRule defines policies that apply to traffic intended for a
          -service after routing has occurred. These rules specify configuration
          -for load balancing, connection pool size from the sidecar, and outlier
          -detection settings to detect and evict unhealthy hosts from the load
          -balancing pool. For example, a simple load balancing policy for the
          +

          DestinationRule defines policies that apply to traffic intended for a +service after routing has occurred. These rules specify configuration +for load balancing, connection pool size from the sidecar, and outlier +detection settings to detect and evict unhealthy hosts from the load +balancing pool. For example, a simple load balancing policy for the ratings service would look as follows:

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
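Review bot: this hunk collapses the two tab/text shortcode lines ("{{}}" and "-{{}}") onto a single line ("{{}} +{{}}") before the v1alpha3 example, and the same pattern repeats for every example on the page; the shortcode bodies are not visible in this rendering, so please confirm against the built site that the closing and opening shortcodes still pair up and that both the v1alpha3 and v1beta1 tabs render with their YAML, rather than one tab swallowing the other.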
          @@ -28,8 +28,8 @@
               loadBalancer:
                 simple: LEAST_REQUEST
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -40,15 +40,15 @@
               loadBalancer:
                 simple: LEAST_REQUEST
           
          -

          {{}}
          -{{}}

          -

          Version specific policies can be specified by defining a named
          -subset and overriding the settings specified at the service level. The
          -following rule uses a round robin load balancing policy for all traffic
          -going to a subset named testversion that is composed of endpoints (e.g.,
          +

          {{}} +{{}}

          +

          Version specific policies can be specified by defining a named +subset and overriding the settings specified at the service level. The +following rule uses a round robin load balancing policy for all traffic +going to a subset named testversion that is composed of endpoints (e.g., pods) with labels (version:v3).

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -66,8 +66,8 @@
                 loadBalancer:
                   simple: ROUND_ROBIN
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -85,16 +85,16 @@
                 loadBalancer:
                   simple: ROUND_ROBIN
           
          -

          {{}}
          -{{}}

          -

          Note: Policies specified for subsets will not take effect until
          +

          {{}} +{{}}

          +

          Note: Policies specified for subsets will not take effect until a route rule explicitly sends traffic to this subset.

          -

          Traffic policies can be customized to specific ports as well. The
          -following rule uses the least connection load balancing policy for all
          -traffic to port 80, while uses a round robin load balancing setting for
          +

          Traffic policies can be customized to specific ports as well. The +following rule uses the least connection load balancing policy for all +traffic to port 80, while uses a round robin load balancing setting for traffic to the port 9080.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
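Review bot: "uses the least connection load balancing policy for all traffic to port 80, while uses a round robin load balancing setting for traffic to the port 9080" is ungrammatical ("while uses", "to the port 9080"); since this page is generated, the fix belongs in the DestinationRule proto comment in istio/api ("while using a round robin load balancing setting for traffic to port 9080"), and this regeneration is a convenient moment to pick it up.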
          @@ -112,8 +112,8 @@
                 loadBalancer:
                   simple: ROUND_ROBIN
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -131,13 +131,13 @@
                 loadBalancer:
                   simple: ROUND_ROBIN
           
          -

          {{}}
          -{{}}

          -

          Destination Rules can be customized to specific workloads as well.
          -The following example shows how a destination rule can be applied to a
          +

          {{}} +{{}}

          +

          Destination Rules can be customized to specific workloads as well. +The following example shows how a destination rule can be applied to a specific workload using the workloadSelector configuration.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -157,8 +157,8 @@
                   credentialName: client-credential
                   mode: MUTUAL
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -178,12 +178,12 @@
                   credentialName: client-credential
                   mode: MUTUAL
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          DestinationRule

          -

          DestinationRule defines policies that apply to traffic intended for a service
          +

          DestinationRule defines policies that apply to traffic intended for a service after routing has occurred.

          matchLabels map<string, string> -

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
          -map is equivalent to an element of matchExpressions, whose key field is "key", the
          -operator is "In", and the values array contains only "value". The requirements are ANDed.
          +

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed. +optional

          matchExpressions LabelSelectorRequirement[] -

          matchExpressions is a list of label selector requirements. The requirements are ANDed.
          +

          matchExpressions is a list of label selector requirements. The requirements are ANDed. +optional

          ACTION_REQUIRED -

          Overall status only and would not be set as a component status.
          -Action is needed from the user for reconciliation to proceed
          +

          Overall status only and would not be set as a component status. +Action is needed from the user for reconciliation to proceed e.g. There are proxies still pointing to the control plane revision when try to remove an IstioOperator CR.

          conditions IstioCondition[] -

          Current service state of pod.
          -More info: https://istio.io/docs/reference/config/config-status/
          -+optional
          -+patchMergeKey=type
          +

          Current service state of pod. +More info: https://istio.io/docs/reference/config/config-status/ ++optional ++patchMergeKey=type +patchStrategy=merge

          validationMessages AnalysisMessageBase[] -

          Includes any errors or warnings detected by Istio's analyzers.
          -+optional
          -+patchMergeKey=type
          +

          Includes any errors or warnings detected by Istio's analyzers. ++optional ++patchMergeKey=type +patchStrategy=merge

          observedGeneration int64 -

          Resource Generation to which the Reconciled Condition refers.
          -When this value is not equal to the object's metadata generation, reconciled condition calculation for the current
          -generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info.
          +

          Resource Generation to which the Reconciled Condition refers. +When this value is not equal to the object's metadata generation, reconciled condition calculation for the current +generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info. +optional

          status string -

          Status is the status of the condition.
          +

          Status is the status of the condition. Can be True, False, Unknown.

          lastProbeTime Timestamp -

          Last time we probed the condition.
          +

          Last time we probed the condition. +optional

          lastTransitionTime Timestamp -

          Last time the condition transitioned from one status to another.
          +

          Last time the condition transitioned from one status to another. +optional

          reason string -

          Unique, one-word, CamelCase reason for the condition's last transition.
          +

          Unique, one-word, CamelCase reason for the condition's last transition. +optional

          message string -

          Human-readable message indicating details about last transition.
          +

          Human-readable message indicating details about last transition. +optional
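Review bot: the IstioStatus "conditions" and "validationMessages" descriptions now render "++optional ++patchMergeKey=type +patchStrategy=merge" inline (the doubled plus shows the "+optional" and "+patchMergeKey=type" lines were added content, and "+patchStrategy=merge" was already a visible line), and the IstioCondition fields each end in a stray "+optional". These are kubebuilder/patch-strategy markers from the proto source and should be filtered out by the reference generator, not shown to readers.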

          @@ -200,18 +200,18 @@

          DestinationRule

          @@ -236,7 +236,7 @@

          DestinationRule

          @@ -248,17 +248,17 @@

          DestinationRule

          @@ -270,13 +270,13 @@

          DestinationRule

          @@ -289,7 +289,7 @@

          DestinationRule

          TrafficPolicy

          -

          Traffic policies to apply for a specific destination, across all
          +

          Traffic policies to apply for a specific destination, across all destination ports. See DestinationRule for examples.

          host string -

          The name of a service from the service registry. Service
          -names are looked up from the platform's service registry (e.g.,
          -Kubernetes services, Consul services, etc.) and from the hosts
          -declared by ServiceEntries. Rules defined for
          +

          The name of a service from the service registry. Service +names are looked up from the platform's service registry (e.g., +Kubernetes services, Consul services, etc.) and from the hosts +declared by ServiceEntries. Rules defined for services that do not exist in the service registry will be ignored.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews"
          -instead of "reviews.default.svc.cluster.local"), Istio will interpret
          -the short name based on the namespace of the rule, not the service. A
          -rule in the "default" namespace containing a host "reviews" will be
          -interpreted as "reviews.default.svc.cluster.local", irrespective of
          -the actual namespace associated with the reviews service. To avoid
          -potential misconfigurations, it is recommended to always use fully
          +

          Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews" will be +interpreted as "reviews.default.svc.cluster.local", irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          Note that the host field applies to both HTTP and TCP services.

          @@ -224,7 +224,7 @@

          DestinationRule

          trafficPolicy TrafficPolicy -

          Traffic policies to apply (load balancing policy, connection pool
          +

          Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection).

          subsets Subset[] -

          One or more named sets that represent individual versions of a
          +

          One or more named sets that represent individual versions of a service. Traffic policies can be overridden at subset level.

          exportTo string[] -

          A list of namespaces to which this destination rule is exported.
          -The resolution of a destination rule to apply to a service occurs in the
          -context of a hierarchy of namespaces. Exporting a destination rule allows
          -it to be included in the resolution hierarchy for services in
          -other namespaces. This feature provides a mechanism for service owners
          -and mesh administrators to control the visibility of destination rules
          +

          A list of namespaces to which this destination rule is exported. +The resolution of a destination rule to apply to a service occurs in the +context of a hierarchy of namespaces. Exporting a destination rule allows +it to be included in the resolution hierarchy for services in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of destination rules across namespace boundaries.

          -

          If no namespaces are specified then the destination rule is exported to all
          +

          If no namespaces are specified then the destination rule is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that
          -the destination rule is declared in. Similarly, the value "*" is reserved and
          +

          The value "." is reserved and defines an export to the same namespace that +the destination rule is declared in. Similarly, the value "*" is reserved and defines an export to all namespaces.

          workloadSelector WorkloadSelector -

          Criteria used to select the specific set of pods/VMs on which this
          -DestinationRule configuration should be applied. If specified, the DestinationRule
          -configuration will be applied only to the workload instances matching the workload selector
          -label in the same namespace. Workload selectors do not apply across namespace boundaries.
          -If omitted, the DestinationRule falls back to its default behavior.
          -For example, if specific sidecars need to have egress TLS settings for services outside
          -of the mesh, instead of every sidecar in the mesh needing to have the
          +

          Criteria used to select the specific set of pods/VMs on which this +DestinationRule configuration should be applied. If specified, the DestinationRule +configuration will be applied only to the workload instances matching the workload selector +label in the same namespace. Workload selectors do not apply across namespace boundaries. +If omitted, the DestinationRule falls back to its default behavior. +For example, if specific sidecars need to have egress TLS settings for services outside +of the mesh, instead of every sidecar in the mesh needing to have the configuration (which is the default behaviour), a workload selector can be specified.

          @@ -350,10 +350,10 @@

          TrafficPolicy

          @@ -365,8 +365,8 @@

          TrafficPolicy

          @@ -379,16 +379,16 @@

          TrafficPolicy

          Subset

          -

          A subset of endpoints of a service. Subsets can be used for scenarios
          -like A/B testing, or routing to a specific version of a service. Refer
          -to VirtualService documentation for examples of using
          -subsets in these scenarios. In addition, traffic policies defined at the
          -service-level can be overridden at a subset-level. The following rule
          -uses a round robin load balancing policy for all traffic going to a
          -subset named testversion that is composed of endpoints (e.g., pods) with
          +

          A subset of endpoints of a service. Subsets can be used for scenarios +like A/B testing, or routing to a specific version of a service. Refer +to VirtualService documentation for examples of using +subsets in these scenarios. In addition, traffic policies defined at the +service-level can be overridden at a subset-level. The following rule +uses a round robin load balancing policy for all traffic going to a +subset named testversion that is composed of endpoints (e.g., pods) with labels (version:v3).

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -406,8 +406,8 @@ 

          Subset

          loadBalancer: simple: ROUND_ROBIN
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -425,14 +425,14 @@ 

          Subset

          loadBalancer: simple: ROUND_ROBIN
          -

          {{}}
          -{{}}

          -

          Note: Policies specified for subsets will not take effect until
          +

          {{}} +{{}}

          +

          Note: Policies specified for subsets will not take effect until a route rule explicitly sends traffic to this subset.

          -

          One or more labels are typically required to identify the subset destination,
          -however, when the corresponding DestinationRule represents a host that
          -supports multiple SNI hosts (e.g., an egress gateway), a subset without labels
          -may be meaningful. In this case a traffic policy with ClientTLSSettings
          +

          One or more labels are typically required to identify the subset destination, +however, when the corresponding DestinationRule represents a host that +supports multiple SNI hosts (e.g., an egress gateway), a subset without labels +may be meaningful. In this case a traffic policy with ClientTLSSettings can be used to identify a specific SNI host corresponding to the named subset.

          portLevelSettings PortTrafficPolicy[] -

          Traffic policies specific to individual ports. Note that port level
          -settings will override the destination-level settings. Traffic
          -settings specified at the destination-level will not be inherited when
          -overridden by port-level settings, i.e. default values will be applied
          +

          Traffic policies specific to individual ports. Note that port level +settings will override the destination-level settings. Traffic +settings specified at the destination-level will not be inherited when +overridden by port-level settings, i.e. default values will be applied to fields omitted in port-level traffic policies.

          tunnel TunnelSettings -

          Configuration of tunneling TCP over other transport or application layers
          -for the host configured in the DestinationRule.
          +

          Configuration of tunneling TCP over other transport or application layers +for the host configured in the DestinationRule. Tunnel settings can be applied to TCP or TLS routes and can't be applied to HTTP routes.

          @@ -449,7 +449,7 @@

          Subset

          @@ -461,7 +461,7 @@

          Subset

          @@ -473,9 +473,9 @@

          Subset

          @@ -488,14 +488,14 @@

          Subset

          LoadBalancerSettings

          -

          Load balancing policies to apply for a specific destination. See Envoy's
          -load balancing
          -documentation
          +

          Load balancing policies to apply for a specific destination. See Envoy's +load balancing +documentation for more details.

          -

          For example, the following rule uses a round robin load balancing policy
          +

          For example, the following rule uses a round robin load balancing policy for all traffic going to the ratings service.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -506,8 +506,8 @@ 

          LoadBalancerSettings

          loadBalancer: simple: ROUND_ROBIN
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -518,13 +518,13 @@ 

          LoadBalancerSettings

          loadBalancer: simple: ROUND_ROBIN
          -

          {{}}
          -{{}}

          -

          The following example sets up sticky sessions for the ratings service
          -hashing-based load balancer for the same ratings service using the
          +

          {{}} +{{}}

          +

          The following example sets up sticky sessions for the ratings service +hashing-based load balancer for the same ratings service using the the User cookie as the hash key.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
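Review bot: the sticky-session example text reads "using the the User cookie as the hash key" (doubled "the"), and the sentence "sets up sticky sessions for the ratings service hashing-based load balancer for the same ratings service" is garbled even before the reflow. Worth a follow-up fix in the LoadBalancerSettings comment in istio/api, e.g. "The following example sets up sticky sessions for the ratings service, using a consistent-hashing load balancer with the User cookie as the hash key."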
          @@ -538,8 +538,8 @@ 

          LoadBalancerSettings

          name: user ttl: 0s
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -553,8 +553,8 @@ 

          LoadBalancerSettings

          name: user ttl: 0s
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          name string -

          Name of the subset. The service name and the subset name can
          +

          Name of the subset. The service name and the subset name can be used for traffic splitting in a route rule.

          labels map<string, string> -

          Labels apply a filter over the endpoints of a service in the
          +

          Labels apply a filter over the endpoints of a service in the service registry. See route rules for examples of usage.

          trafficPolicy TrafficPolicy -

          Traffic policies that apply to this subset. Subsets inherit the
          -traffic policies specified at the DestinationRule level. Settings
          -specified at the subset level will override the corresponding settings
          +

          Traffic policies that apply to this subset. Subsets inherit the +traffic policies specified at the DestinationRule level. Settings +specified at the subset level will override the corresponding settings specified at the DestinationRule level.

          @@ -588,7 +588,7 @@

          LoadBalancerSettings

          @@ -600,10 +600,10 @@

          LoadBalancerSettings

          @@ -616,15 +616,15 @@

          LoadBalancerSettings

          ConnectionPoolSettings

          -

          Connection pool settings for an upstream host. The settings apply to
          -each individual host in the upstream service. See Envoy's circuit
          -breaker

          -for more details. Connection pool settings can be applied at the TCP
          +

          Connection pool settings for an upstream host. The settings apply to +each individual host in the upstream service. See Envoy's circuit +breaker +for more details. Connection pool settings can be applied at the TCP level as well as at HTTP level.

          -

          For example, the following rule sets a limit of 100 connections to redis
          +

          For example, the following rule sets a limit of 100 connections to redis service called myredissrv with a connect timeout of 30ms

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -640,8 +640,8 @@ 

          ConnectionPoolSettings

          time: 7200s interval: 75s
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -657,8 +657,8 @@ 

          ConnectionPoolSettings

          time: 7200s interval: 75s
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          localityLbSetting LocalityLoadBalancerSetting -

          Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed
          +

          Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig

          warmupDurationSecs Duration -

          Represents the warmup duration of Service. If set, the newly created endpoint of service
          -remains in warmup mode starting from its creation time for the duration of this window and
          -Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic.
          -This should be enabled for services that require warm up time to serve full production load with reasonable latency.
          +

          Represents the warmup duration of Service. If set, the newly created endpoint of service +remains in warmup mode starting from its creation time for the duration of this window and +Istio progressively increases amount of traffic for that endpoint instead of sending proportional amount of traffic. +This should be enabled for services that require warm up time to serve full production load with reasonable latency. Currently this is only supported for ROUND_ROBIN and LEAST_REQUEST load balancers.

          @@ -697,22 +697,22 @@

          ConnectionPoolSettings

          OutlierDetection

          -

          A Circuit breaker implementation that tracks the status of each
          -individual host in the upstream service. Applicable to both HTTP and
          -TCP services. For HTTP services, hosts that continually return 5xx
          -errors for API calls are ejected from the pool for a pre-defined period
          -of time. For TCP services, connection timeouts or connection
          -failures to a given host counts as an error when measuring the
          -consecutive errors metric. See Envoy's outlier
          -detection

          +

          A Circuit breaker implementation that tracks the status of each +individual host in the upstream service. Applicable to both HTTP and +TCP services. For HTTP services, hosts that continually return 5xx +errors for API calls are ejected from the pool for a pre-defined period +of time. For TCP services, connection timeouts or connection +failures to a given host counts as an error when measuring the +consecutive errors metric. See Envoy's outlier +detection for more details.

          -

          The following rule sets a connection pool size of 100 HTTP1 connections
          -with no more than 10 req/connection to the "reviews" service. In addition,
          -it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
          -hosts to be scanned every 5 mins so that any host that fails 7 consecutive
          +

          The following rule sets a connection pool size of 100 HTTP1 connections +with no more than 10 req/connection to the "reviews" service. In addition, +it sets a limit of 1000 concurrent HTTP2 requests and configures upstream +hosts to be scanned every 5 mins so that any host that fails 7 consecutive times with a 502, 503, or 504 error code will be ejected for 15 minutes.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -731,8 +731,8 @@ 

          OutlierDetection

          interval: 5m baseEjectionTime: 15m
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -751,8 +751,8 @@ 

          OutlierDetection

          interval: 5m baseEjectionTime: 15m
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          @@ -768,13 +768,13 @@

          OutlierDetection

          @@ -786,8 +786,8 @@

          OutlierDetection

          @@ -799,17 +799,17 @@

          OutlierDetection

          @@ -821,16 +821,16 @@

          OutlierDetection

          @@ -842,7 +842,7 @@

          OutlierDetection

          @@ -854,10 +854,10 @@

          OutlierDetection

          @@ -869,7 +869,7 @@

          OutlierDetection

          @@ -881,12 +881,12 @@

          OutlierDetection

          @@ -899,13 +899,13 @@

          OutlierDetection

          ClientTLSSettings

          -

          SSL/TLS related settings for upstream connections. See Envoy's TLS
          -context

          +

          SSL/TLS related settings for upstream connections. See Envoy's TLS +context for more details. These settings are common to both HTTP and TCP upstreams.

          -

          For example, the following rule configures a client to use mutual TLS
          +

          For example, the following rule configures a client to use mutual TLS for connections to upstream database cluster.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -919,8 +919,8 @@ 

          ClientTLSSettings

          privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -934,12 +934,12 @@ 

          ClientTLSSettings

          privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem
          -

          {{}}
          -{{}}

          -

          The following rule configures a client to use TLS when talking to a
          +

          {{}} +{{}}

          +

          The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -950,8 +950,8 @@ 

          ClientTLSSettings

          tls: mode: SIMPLE
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -962,12 +962,12 @@ 

          ClientTLSSettings

          tls: mode: SIMPLE
          -

          {{}}
          -{{}}

          -

          The following rule configures a client to use Istio mutual TLS when talking
          +

          {{}} +{{}}

          +

          The following rule configures a client to use Istio mutual TLS when talking to rating services.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -978,8 +978,8 @@ 

          ClientTLSSettings

          tls: mode: ISTIO_MUTUAL
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -990,8 +990,8 @@ 

          ClientTLSSettings

          tls: mode: ISTIO_MUTUAL
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          splitExternalLocalOriginErrors bool -

          Determines whether to distinguish local origin failures from external errors. If set to true
          -consecutive_local_origin_failure is taken into account for outlier detection calculations.
          -This should be used when you want to derive the outlier detection status based on the errors
          -seen locally such as failure to connect, timeout while connecting etc. rather than the status code
          -retuned by upstream service. This is especially useful when the upstream service explicitly returns
          -a 5xx for some requests and you want to ignore those responses from upstream service while determining
          -the outlier detection status of a host.
          +

          Determines whether to distinguish local origin failures from external errors. If set to true +consecutive_local_origin_failure is taken into account for outlier detection calculations. +This should be used when you want to derive the outlier detection status based on the errors +seen locally such as failure to connect, timeout while connecting etc. rather than the status code +retuned by upstream service. This is especially useful when the upstream service explicitly returns +a 5xx for some requests and you want to ignore those responses from upstream service while determining +the outlier detection status of a host. Defaults to false.
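Review bot: the splitExternalLocalOriginErrors description refers to `consecutive_local_origin_failure` (singular), but the field it points at is listed two rows down as `consecutiveLocalOriginFailures`, so the cross-reference does not match the name readers will search for; since this PR only swaps the renderer, the fix belongs in the istio/api proto comment, which should read `consecutive_local_origin_failures`. The same sentence carries the typo "retuned by upstream service" (should be "returned"), which the Goldmark output preserves verbatim.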

          consecutiveLocalOriginFailures UInt32Value -

          The number of consecutive locally originated failures before ejection
          -occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors
          +

          The number of consecutive locally originated failures before ejection +occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors is set to true.

          consecutiveGatewayErrors UInt32Value -

          Number of gateway errors before a host is ejected from the connection pool.
          -When the upstream host is accessed over HTTP, a 502, 503, or 504 return
          -code qualifies as a gateway error. When the upstream host is accessed over
          -an opaque TCP connection, connect timeouts and connection error/failure
          -events qualify as a gateway error.
          +

          Number of gateway errors before a host is ejected from the connection pool. +When the upstream host is accessed over HTTP, a 502, 503, or 504 return +code qualifies as a gateway error. When the upstream host is accessed over +an opaque TCP connection, connect timeouts and connection error/failure +events qualify as a gateway error. This feature is disabled by default or when set to the value 0.

          -

          Note that consecutive_gateway_errors and consecutive_5xx_errors can be
          -used separately or together. Because the errors counted by
          -consecutive_gateway_errors are also included in consecutive_5xx_errors,
          -if the value of consecutive_gateway_errors is greater than or equal to
          -the value of consecutive_5xx_errors, consecutive_gateway_errors will have
          +

          Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.

          consecutive5xxErrors UInt32Value -

          Number of 5xx errors before a host is ejected from the connection pool.
          -When the upstream host is accessed over an opaque TCP connection, connect
          -timeouts, connection error/failure and request failure events qualify as a
          -5xx error.
          +

          Number of 5xx errors before a host is ejected from the connection pool. +When the upstream host is accessed over an opaque TCP connection, connect +timeouts, connection error/failure and request failure events qualify as a +5xx error. This feature defaults to 5 but can be disabled by setting the value to 0.

          -

          Note that consecutive_gateway_errors and consecutive_5xx_errors can be
          -used separately or together. Because the errors counted by
          -consecutive_gateway_errors are also included in consecutive_5xx_errors,
          -if the value of consecutive_gateway_errors is greater than or equal to
          -the value of consecutive_5xx_errors, consecutive_gateway_errors will have
          +

          Note that consecutive_gateway_errors and consecutive_5xx_errors can be +used separately or together. Because the errors counted by +consecutive_gateway_errors are also included in consecutive_5xx_errors, +if the value of consecutive_gateway_errors is greater than or equal to +the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.

          interval Duration -

          Time interval between ejection sweep analysis. format:
          +

          Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

          baseEjectionTime Duration -

          Minimum ejection duration. A host will remain ejected for a period
          -equal to the product of minimum ejection duration and the number of
          -times the host has been ejected. This technique allows the system to
          -automatically increase the ejection period for unhealthy upstream
          +

          Minimum ejection duration. A host will remain ejected for a period +equal to the product of minimum ejection duration and the number of +times the host has been ejected. This technique allows the system to +automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.

          maxEjectionPercent int32 -

          Maximum % of hosts in the load balancing pool for the upstream
          +

          Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.

          minHealthPercent int32 -

          Outlier detection will be enabled as long as the associated load balancing
          -pool has at least min_health_percent hosts in healthy mode. When the
          -percentage of healthy hosts in the load balancing pool drops below this
          -threshold, outlier detection will be disabled and the proxy will load balance
          -across all hosts in the pool (healthy and unhealthy). The threshold can be
          -disabled by setting it to 0%. The default is 0% as it's not typically
          +

          Outlier detection will be enabled as long as the associated load balancing +pool has at least min_health_percent hosts in healthy mode. When the +percentage of healthy hosts in the load balancing pool drops below this +threshold, outlier detection will be disabled and the proxy will load balance +across all hosts in the pool (healthy and unhealthy). The threshold can be +disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.

          @@ -1007,7 +1007,7 @@

          ClientTLSSettings

          @@ -1019,8 +1019,8 @@

          ClientTLSSettings

          @@ -1032,8 +1032,8 @@

          ClientTLSSettings

          @@ -1045,9 +1045,9 @@

          ClientTLSSettings

          @@ -1059,20 +1059,20 @@

          ClientTLSSettings

          @@ -1084,13 +1084,13 @@

          ClientTLSSettings

          @@ -1102,9 +1102,9 @@

          ClientTLSSettings

          @@ -1116,16 +1116,16 @@

          ClientTLSSettings

          @@ -1138,19 +1138,19 @@

          ClientTLSSettings

          LocalityLoadBalancerSetting

          -

          Locality-weighted load balancing allows administrators to control the
          -distribution of traffic to endpoints based on the localities of where the
          -traffic originates and where it will terminate. These localities are
          -specified using arbitrary labels that designate a hierarchy of localities in
          -{region}/{zone}/{sub-zone} form. For additional detail refer to
          -Locality Weight
          +

          Locality-weighted load balancing allows administrators to control the +distribution of traffic to endpoints based on the localities of where the +traffic originates and where it will terminate. These localities are +specified using arbitrary labels that designate a hierarchy of localities in +{region}/{zone}/{sub-zone} form. For additional detail refer to +Locality Weight The following example shows how to setup locality weights mesh-wide.

          -

          Given a mesh with workloads and their service deployed to "us-west/zone1/"
          -and "us-west/zone2/
          ". This example specifies that when traffic accessing a
          -service originates from workloads in "us-west/zone1/", 80% of the traffic
          -will be sent to endpoints in "us-west/zone1/
          ", i.e the same zone, and the
          -remaining 20% will go to endpoints in "us-west/zone2/". This setup is
          -intended to favor routing traffic to endpoints in the same locality.
          +

          Given a mesh with workloads and their service deployed to "us-west/zone1/" +and "us-west/zone2/". This example specifies that when traffic accessing a +service originates from workloads in "us-west/zone1/", 80% of the traffic +will be sent to endpoints in "us-west/zone1/", i.e the same zone, and the +remaining 20% will go to endpoints in "us-west/zone2/". This setup is +intended to favor routing traffic to endpoints in the same locality. A similar setting is specified for traffic originating in "us-west/zone2/".

            distribute:
               - from: us-west/zone1/*
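Review bot: the locality strings in the example prose lose their trailing wildcard in both the old and the new rendering: the text reads "us-west/zone1/" and "us-west/zone2/" while the YAML directly below says `from: us-west/zone1/*`, because the `*` in the source comment is consumed as a Markdown emphasis marker (the old output even broke the line at each `*`). Escape or backtick the locality names in the istio/api source so the rendered text matches the YAML. In the same paragraph, "refer to Locality Weight The following example" runs two sentences together because the source has no period after the link text and Goldmark no longer keeps the hard line break that used to separate them; the distribute field text further down ("Locality weighted load balancing If empty") has the same problem and needs the same one-character fix.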
          @@ -1162,14 +1162,14 @@ 

          LocalityLoadBalancerSetting

          "us-west/zone1/*": 20 "us-west/zone2/*": 80
          -

          If the goal of the operator is not to distribute load across zones and
          -regions but rather to restrict the regionality of failover to meet other
          -operational requirements an operator can set a 'failover' policy instead of
          +

          If the goal of the operator is not to distribute load across zones and +regions but rather to restrict the regionality of failover to meet other +operational requirements an operator can set a 'failover' policy instead of a 'distribute' policy.

          -

          The following example sets up a locality failover policy for regions.
          -Assume a service resides in zones within us-east, us-west & eu-west
          -this example specifies that when endpoints within us-east become unhealthy
          -traffic should failover to endpoints in any zone or sub-zone within eu-west
          +

          The following example sets up a locality failover policy for regions. +Assume a service resides in zones within us-east, us-west & eu-west +this example specifies that when endpoints within us-east become unhealthy +traffic should failover to endpoints in any zone or sub-zone within eu-west and similarly us-west should failover to us-east.

           failover:
              - from: us-east
          @@ -1193,9 +1193,9 @@ 

          LocalityLoadBalancerSetting

          @@ -1207,9 +1207,9 @@

          LocalityLoadBalancerSetting

          @@ -1221,8 +1221,8 @@

          LocalityLoadBalancerSetting

          @@ -1266,7 +1266,7 @@

          LocalityLoadBalancerSetting

          @@ -1295,7 +1295,7 @@

          TrafficPolicy.PortTrafficPolicy

          @@ -1366,11 +1366,11 @@

          TrafficPolicy.TunnelSettings

          @@ -1382,7 +1382,7 @@

          TrafficPolicy.TunnelSettings

          @@ -1406,10 +1406,10 @@

          TrafficPolicy.TunnelSettings

          LoadBalancerSettings.ConsistentHashLB

          -

          Consistent Hash-based load balancing can be used to provide soft
          -session affinity based on HTTP headers, cookies or other
          -properties. The affinity to a particular destination host may be
          -lost when one or more hosts are added/removed from the destination
          +

          Consistent Hash-based load balancing can be used to provide soft +session affinity based on HTTP headers, cookies or other +properties. The affinity to a particular destination host may be +lost when one or more hosts are added/removed from the destination service.

          mode TLSmode -

          Indicates whether connections to this port should be secured
          +

          Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.

          clientCertificate string -

          REQUIRED if mode is MUTUAL. The path to the file holding the
          -client-side TLS certificate to use.
          +

          REQUIRED if mode is MUTUAL. The path to the file holding the +client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.

          privateKey string -

          REQUIRED if mode is MUTUAL. The path to the file holding the
          -client's private key.
          +

          REQUIRED if mode is MUTUAL. The path to the file holding the +client's private key. Should be empty if mode is ISTIO_MUTUAL.

          caCertificates string -

          OPTIONAL: The path to the file containing certificate authority
          -certificates to use in verifying a presented server certificate. If
          -omitted, the proxy will not verify the server's certificate.
          +

          OPTIONAL: The path to the file containing certificate authority +certificates to use in verifying a presented server certificate. If +omitted, the proxy will not verify the server's certificate. Should be empty if mode is ISTIO_MUTUAL.
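Review bot: the caCertificates text states unconditionally that when the file is omitted "the proxy will not verify the server's certificate", while the subjectAltNames and insecureSkipVerify rows below say the upstream certificate is validated automatically when VERIFY_CERT_AT_CLIENT is set to true. In the new single-paragraph rendering the two statements sit a few lines apart and read as contradictory; the source comment should say which behaviour applies when caCertificates is empty but VERIFY_CERT_AT_CLIENT is enabled, because an operator reading only the caCertificates row would conclude the connection is unverified.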

          credentialName string -

          The name of the secret that holds the TLS certs for the
          -client including the CA certificates. Secret must exist in the
          -same namespace with the proxy using the certificates.
          -The secret (of type generic)should contain the
          -following keys and values: key: <privateKey>,
          -cert: <clientCert>, cacert: <CACertificate>.
          -Here CACertificate is used to verify the server certificate.
          -Secret of type tls for client certificates along with
          -ca.crt key for CA certificates is also supported.
          -Only one of client certificates and CA certificate
          +

          The name of the secret that holds the TLS certs for the +client including the CA certificates. Secret must exist in the +same namespace with the proxy using the certificates. +The secret (of type generic)should contain the +following keys and values: key: <privateKey>, +cert: <clientCert>, cacert: <CACertificate>. +Here CACertificate is used to verify the server certificate. +Secret of type tls for client certificates along with +ca.crt key for CA certificates is also supported. +Only one of client certificates and CA certificate or credentialName can be specified.

          -

          NOTE: This field is applicable at sidecars only if
          -DestinationRule has a workloadSelector specified.
          -Otherwise the field will be applicable only at gateways, and
          +

          NOTE: This field is applicable at sidecars only if +DestinationRule has a workloadSelector specified. +Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.
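Review bot: "(of type generic)should" in the credentialName description is missing the space before "should"; the new one-line rendering makes the run-together more visible than the old wrapped output did. Same fix location as the other text issues, the istio/api proto comment.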

          subjectAltNames string[] -

          A list of alternate names to verify the subject identity in the
          -certificate. If specified, the proxy will verify that the server
          -certificate's subject alt name matches one of the specified values.
          -If specified, this list overrides the value of subject_alt_names
          -from the ServiceEntry. If unspecified, automatic validation of upstream
          -presented certificate for new upstream connections will be done based on the
          -downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT
          +

          A list of alternate names to verify the subject identity in the +certificate. If specified, the proxy will verify that the server +certificate's subject alt name matches one of the specified values. +If specified, this list overrides the value of subject_alt_names +from the ServiceEntry. If unspecified, automatic validation of upstream +presented certificate for new upstream connections will be done based on the +downstream HTTP host/authority header, provided VERIFY_CERT_AT_CLIENT and ENABLE_AUTO_SNI environmental variables are set to true.

          sni string -

          SNI string to present to the server during TLS handshake.
          -If unspecified, SNI will be automatically set based on downstream HTTP
          -host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI
          +

          SNI string to present to the server during TLS handshake. +If unspecified, SNI will be automatically set based on downstream HTTP +host/authority header for SIMPLE and MUTUAL TLS modes, provided ENABLE_AUTO_SNI environmental variable is set to true.

          insecureSkipVerify BoolValue -

          InsecureSkipVerify specifies whether the proxy should skip verifying the
          -CA signature and SAN for the server certificate corresponding to the host.
          -This flag should only be set if global CA signature verifcation is
          -enabled, VerifyCertAtClient environmental variable is set to true,
          -but no verification is desired for a specific host. If enabled with or
          -without VerifyCertAtClient enabled, verification of the CA signature and
          +

          InsecureSkipVerify specifies whether the proxy should skip verifying the +CA signature and SAN for the server certificate corresponding to the host. +This flag should only be set if global CA signature verifcation is +enabled, VerifyCertAtClient environmental variable is set to true, +but no verification is desired for a specific host. If enabled with or +without VerifyCertAtClient enabled, verification of the CA signature and SAN will be skipped.

          -

          InsecureSkipVerify is false by default.
          -VerifyCertAtClient is false by default in Istio version 1.9 but will
          -be true by default in a later version where, going forward, it will be
          +

          InsecureSkipVerify is false by default. +VerifyCertAtClient is false by default in Istio version 1.9 but will +be true by default in a later version where, going forward, it will be enabled by default.
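Review bot: the insecureSkipVerify paragraph is pinned to a specific release ("false by default in Istio version 1.9 but will be true by default in a later version"); a reference page regenerated for the current release should state the current default of VerifyCertAtClient rather than carry a forward-looking promise from 1.9, so the istio/api comment needs updating before this text is regenerated. The same paragraph has the typo "verifcation" (should be "verification").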

          distribute Distribute[] -

          Optional: only one of distribute, failover or failoverPriority can be set.
          -Explicitly specify loadbalancing weight across different zones and geographical locations.
          -Refer to Locality weighted load balancing
          +

          Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify loadbalancing weight across different zones and geographical locations. +Refer to Locality weighted load balancing If empty, the locality weight is set according to the endpoints number within it.

          failover Failover[] -

          Optional: only one of distribute, failover or failoverPriority can be set.
          -Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
          -Should be used together with OutlierDetection to detect unhealthy endpoints.
          +

          Optional: only one of distribute, failover or failoverPriority can be set. +Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. +Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.

          failoverPriority string[] -

          failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
          -This is to support traffic failover across different groups of endpoints.
          +

          failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. +This is to support traffic failover across different groups of endpoints. Suppose there are total N labels specified:

          1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
          2. @@ -1231,7 +1231,7 @@

            LocalityLoadBalancerSetting

          3. All the other endpoints have priority P(N) i.e. lowest priority.

          Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.

          -

          It can be any label specified on both client and server workloads.
          +

          It can be any label specified on both client and server workloads. The following labels which have special semantic meaning are also supported:

          • topology.istio.io/network is used to match the network metadata of an endpoint, which can be specified by pod/namespace label topology.istio.io/network, sidecar env ISTIO_META_NETWORK or MeshNetworks.
          • @@ -1254,7 +1254,7 @@

            LocalityLoadBalancerSetting

          • endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
          • all the other endpoints have the same lowest priority.
          • -

            Optional: only one of distribute, failover or failoverPriority can be set.
            +

            Optional: only one of distribute, failover or failoverPriority can be set. And it should be used together with OutlierDetection to detect unhealthy endpoints, otherwise has no effect.

          enabled BoolValue -

          enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
          +

          enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.
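Review bot: the `enabled` description reads "true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is", which is ungrammatical now that it renders as one sentence; suggest "true turns on locality load balancing for this DestinationRule regardless of the mesh-wide setting" in the source comment.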

          port PortSelector -

          Specifies the number of a port on the destination service
          +

          Specifies the number of a port on the destination service on which this policy is being applied.

          protocol string -

          Specifies which protocol to use for tunneling the downstream connection.
          -Supported protocols are:
          -CONNECT - uses HTTP CONNECT;
          -POST - uses HTTP POST.
          -CONNECT is used by default if not specified.
          +

          Specifies which protocol to use for tunneling the downstream connection. +Supported protocols are: +CONNECT - uses HTTP CONNECT; +POST - uses HTTP POST. +CONNECT is used by default if not specified. HTTP version for upstream requests is determined by the service protocol defined for the proxy.

          targetHost string -

          Specifies a host to which the downstream connection is tunneled.
          +

          Specifies a host to which the downstream connection is tunneled. Target host must be an FQDN or IP address.

          @@ -1448,7 +1448,7 @@

          LoadBalancerSettings.ConsistentHa

          @@ -1519,10 +1519,10 @@

          LoadBalancerSettings.Con

          @@ -1549,8 +1549,8 @@

          LoadBalancerSettings.Consi

          @@ -1563,8 +1563,8 @@

          LoadBalancerSettings.Consi

          LoadBalancerSettings.ConsistentHashLB.HTTPCookie

          -

          Describes a HTTP cookie that will be used as the hash key for the
          -Consistent Hash load balancer. If the cookie is not present, it will
          +

          Describes a HTTP cookie that will be used as the hash key for the +Consistent Hash load balancer. If the cookie is not present, it will be generated.

          useSourceIp bool (oneof) -

          Hash based on the source IP address.
          +

          Hash based on the source IP address. This is applicable for both TCP and HTTP connections.

          minimumRingSize uint64 -

          The minimum number of virtual nodes to use for the hash
          -ring. Defaults to 1024. Larger ring sizes result in more granular
          -load distributions. If the number of hosts in the load balancing
          -pool is larger than the ring size, each host will be assigned a
          +

          The minimum number of virtual nodes to use for the hash +ring. Defaults to 1024. Larger ring sizes result in more granular +load distributions. If the number of hosts in the load balancing +pool is larger than the ring size, each host will be assigned a single virtual node.

          tableSize uint64 -

          The table size for Maglev hashing. This helps in controlling the
          -disruption when the backend hosts change.
          +

          The table size for Maglev hashing. This helps in controlling the +disruption when the backend hosts change. Increasing the table size reduces the amount of disruption.

          @@ -1642,7 +1642,7 @@

          ConnectionPoolSettings.TCPSettingsconnectTimeout

          @@ -1665,8 +1665,8 @@

          ConnectionPoolSettings.TCPSettingsmaxConnectionDuration

          @@ -1695,10 +1695,10 @@

          ConnectionPoolSettings.HTTPSettings

          @@ -1710,7 +1710,7 @@

          ConnectionPoolSettings.HTTPSettings

          @@ -1722,8 +1722,8 @@

          ConnectionPoolSettings.HTTPSettings

          @@ -1735,7 +1735,7 @@

          ConnectionPoolSettings.HTTPSettings

          @@ -1747,12 +1747,12 @@

          ConnectionPoolSettings.HTTPSettings

          @@ -1775,8 +1775,8 @@

          ConnectionPoolSettings.HTTPSettings

          @@ -1805,8 +1805,8 @@

          ConnectionPoolSettings.

          @@ -1818,8 +1818,8 @@

          ConnectionPoolSettings.

          @@ -1831,8 +1831,8 @@

          ConnectionPoolSettings.

          @@ -1845,9 +1845,9 @@

          ConnectionPoolSettings.

          LocalityLoadBalancerSetting.Distribute

          -

          Describes how traffic originating in the 'from' zone or sub-zone is
          -distributed over a set of 'to' zones. Syntax for specifying a zone is
          -{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
          +

          Describes how traffic originating in the 'from' zone or sub-zone is +distributed over a set of 'to' zones. Syntax for specifying a zone is +{region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples:

          * - matches all localities

          us-west/* - all zones and sub-zones within the us-west region

          @@ -1878,8 +1878,8 @@

          LocalityLoadBalancerSetting.Dist

          @@ -1892,12 +1892,12 @@

          LocalityLoadBalancerSetting.Dist

          LocalityLoadBalancerSetting.Failover

          -

          Specify the traffic failover policy across regions. Since zone and sub-zone
          -failover is supported by default this only needs to be specified for
          -regions when the operator needs to constrain traffic failover so that
          -the default behavior of failing over to any endpoint globally does not
          -apply. This is useful when failing over traffic across regions would not
          -improve service health or may need to be restricted for other reasons
          +

          Specify the traffic failover policy across regions. Since zone and sub-zone +failover is supported by default this only needs to be specified for +regions when the operator needs to constrain traffic failover so that +the default behavior of failing over to any endpoint globally does not +apply. This is useful when failing over traffic across regions would not +improve service health or may need to be restricted for other reasons like regulatory controls.

          Duration -

          TCP connection timeout. format:
          +

          TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.

          Duration -

          The maximum duration of a connection. The duration is defined as the period since a connection
          -was established. If not set, there is no max duration. When max_connection_duration
          +

          The maximum duration of a connection. The duration is defined as the period since a connection +was established. If not set, there is no max duration. When max_connection_duration is reached the connection will be closed. Duration must be at least 1ms.

          http1MaxPendingRequests int32 -

          Maximum number of requests that will be queued while waiting for
          -a ready connection pool connection. Default 1024.
          -Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking
          -under which conditions a new connection is created for HTTP2.
          +

          Maximum number of requests that will be queued while waiting for +a ready connection pool connection. Default 1024. +Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking +under which conditions a new connection is created for HTTP2. Please note that this is applicable to both HTTP/1.1 and HTTP2.
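Review bot: "Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking under which conditions a new connection is created for HTTP2" is missing a connective; read "Refer to ... for the conditions under which a new connection is created for HTTP2". The appended sentence "Please note that this is applicable to both HTTP/1.1 and HTTP2" also contradicts the `http1` prefix in the field name, so say it outright ("despite the name, this limit applies to both HTTP/1.1 and HTTP2") rather than leaving readers to reconcile the two. The same applies to `http2MaxRequests` below.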

          http2MaxRequests int32 -

          Maximum number of active requests to a destination. Default 1024.
          +

          Maximum number of active requests to a destination. Default 1024. Please note that this is applicable to both HTTP/1.1 and HTTP2.

          maxRequestsPerConnection int32 -

          Maximum number of requests per connection to a backend. Setting this
          -parameter to 1 disables keep alive. Default 0, meaning "unlimited",
          +

          Maximum number of requests per connection to a backend. Setting this +parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.
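Review bot: "Default 0, meaning "unlimited", up to 2^29" is ambiguous: it can be read as the default being unlimited up to 2^29, or as 2^29 being the largest value the field accepts. Spell out which, e.g. "Default 0, meaning "unlimited". The maximum accepted value is 2^29." The earlier sentence "Setting this parameter to 1 disables keep alive" would also benefit from its consequence, a new upstream connection per request, since that is the cost operators trade for it.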

          maxRetries int32 -

          Maximum number of retries that can be outstanding to all hosts in a
          +

          Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
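Review bot: the declared type and the stated default disagree. The field is `int32`, but the description says "Defaults to 2^32-1", which does not fit in a signed 32-bit integer (maximum 2^31-1). Either the default is wrong, or it is meant as "effectively unlimited" and should say so. An unbounded outstanding-retry budget is also what turns one unhealthy backend into a retry storm across the cluster, so the description should tell operators to set this deliberately rather than rely on the default.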

          idleTimeout Duration -

          The idle timeout for upstream connection pool connections. The idle timeout
          -is defined as the period in which there are no active requests.
          -If not set, the default is 1 hour. When the idle timeout is reached,
          -the connection will be closed. If the connection is an HTTP/2
          -connection a drain sequence will occur prior to closing the connection.
          -Note that request based timeouts mean that HTTP/2 PINGs will not
          +

          The idle timeout for upstream connection pool connections. The idle timeout +is defined as the period in which there are no active requests. +If not set, the default is 1 hour. When the idle timeout is reached, +the connection will be closed. If the connection is an HTTP/2 +connection a drain sequence will occur prior to closing the connection. +Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.

          useClientProtocol bool -

          If set to true, client protocol will be preserved while initiating connection to backend.
          -Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client
          +

          If set to true, client protocol will be preserved while initiating connection to backend. +Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client connections will not be upgraded to http2.

          probes uint32 -

          Maximum number of keepalive probes to send without response before
          -deciding the connection is dead. Default is to use the OS level configuration
          +

          Maximum number of keepalive probes to send without response before +deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)

          time Duration -

          The time duration a connection needs to be idle before keep-alive
          -probes start being sent. Default is to use the OS level configuration
          +

          The time duration a connection needs to be idle before keep-alive +probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)
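Review bot: unbalanced parentheses in "(unless overridden, Linux defaults to 7200s (ie 2 hours.)": two opened, one closed, and the period sits inside. Suggest "(unless overridden; Linux defaults to 7200s, i.e. 2 hours)." The `probes` and `interval` entries use the same "(... defaults to N.)" pattern with the period inside the parenthesis and should be made consistent in the same change.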

          interval Duration -

          The time duration between keep-alive probes.
          -Default is to use the OS level configuration
          +

          The time duration between keep-alive probes. +Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)

          to map<string, uint32> -

          Map of upstream localities to traffic distribution weights. The sum of
          -all weights should be 100. Any locality not present will
          +

          Map of upstream localities to traffic distribution weights. The sum of +all weights should be 100. Any locality not present will receive no traffic.
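Review bot: "The sum of all weights should be 100" leaves the failure mode unspecified: are weights that do not sum to 100 normalized, rejected by validation, or applied as-is? The next sentence, "Any locality not present will receive no traffic", is stated precisely; the sum rule should be equally precise, e.g. "must sum to 100; the configuration is rejected otherwise" if that is the behavior.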

          @@ -1925,7 +1925,7 @@

          LocalityLoadBalancerSetting.Failov

          @@ -1980,7 +1980,7 @@

          LoadBalancerSettings.SimpleLB

          @@ -1988,8 +1988,8 @@

          LoadBalancerSettings.SimpleLB

          @@ -1997,10 +1997,10 @@

          LoadBalancerSettings.SimpleLB

          @@ -2008,9 +2008,9 @@

          LoadBalancerSettings.SimpleLB

          @@ -2018,9 +2018,9 @@

          LoadBalancerSettings.SimpleLB

          @@ -2057,7 +2057,7 @@

          ConnectionPoolSetti

          @@ -2065,7 +2065,7 @@

          ConnectionPoolSetti

          @@ -2102,7 +2102,7 @@

          ClientTLSSettings.TLSmode

          @@ -2110,10 +2110,10 @@

          ClientTLSSettings.TLSmode

          diff --git a/content/zh/docs/reference/config/networking/envoy-filter/index.html b/content/zh/docs/reference/config/networking/envoy-filter/index.html index 95f4d57847b44..0040598f3e815 100644 --- a/content/zh/docs/reference/config/networking/envoy-filter/index.html +++ b/content/zh/docs/reference/config/networking/envoy-filter/index.html @@ -10,39 +10,39 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/envoy-filter] number_of_entries: 18 --- -

          EnvoyFilter provides a mechanism to customize the Envoy
          -configuration generated by Istio Pilot. Use EnvoyFilter to modify
          -values for certain fields, add specific filters, or even add
          -entirely new listeners, clusters, etc. This feature must be used
          -with care, as incorrect configurations could potentially
          -destabilize the entire mesh. Unlike other Istio networking objects,
          -EnvoyFilters are additively applied. Any number of EnvoyFilters can
          -exist for a given workload in a specific namespace. The order of
          -application of these EnvoyFilters is as follows: all EnvoyFilters
          -in the config root
          -namespace
          ,
          +

          EnvoyFilter provides a mechanism to customize the Envoy +configuration generated by Istio Pilot. Use EnvoyFilter to modify +values for certain fields, add specific filters, or even add +entirely new listeners, clusters, etc. This feature must be used +with care, as incorrect configurations could potentially +destabilize the entire mesh. Unlike other Istio networking objects, +EnvoyFilters are additively applied. Any number of EnvoyFilters can +exist for a given workload in a specific namespace. The order of +application of these EnvoyFilters is as follows: all EnvoyFilters +in the config root +namespace, followed by all matching EnvoyFilters in the workload's namespace.

          -

          NOTE 1: Some aspects of this API are deeply tied to the internal
          -implementation in Istio networking subsystem as well as Envoy's XDS
          -API. While the EnvoyFilter API by itself will maintain backward
          -compatibility, any envoy configuration provided through this
          -mechanism should be carefully monitored across Istio proxy version
          -upgrades, to ensure that deprecated fields are removed and replaced
          +

          NOTE 1: Some aspects of this API are deeply tied to the internal +implementation in Istio networking subsystem as well as Envoy's XDS +API. While the EnvoyFilter API by itself will maintain backward +compatibility, any envoy configuration provided through this +mechanism should be carefully monitored across Istio proxy version +upgrades, to ensure that deprecated fields are removed and replaced appropriately.

          -

          NOTE 2: When multiple EnvoyFilters are bound to the same
          -workload in a given namespace, all patches will be processed
          -sequentially in order of creation time. The behavior is undefined
          +

          NOTE 2: When multiple EnvoyFilters are bound to the same +workload in a given namespace, all patches will be processed +sequentially in order of creation time. The behavior is undefined if multiple EnvoyFilter configurations conflict with each other.

          -

          NOTE 3: To apply an EnvoyFilter resource to all workloads
          -(sidecars and gateways) in the system, define the resource in the
          -config root
          -namespace
          ,
          +

          NOTE 3: To apply an EnvoyFilter resource to all workloads +(sidecars and gateways) in the system, define the resource in the +config root +namespace, without a workloadSelector.

          -

          The example below declares a global default EnvoyFilter resource in
          -the root namespace called istio-config, that adds a custom
          -protocol filter on all sidecars in the system, for outbound port
          -9307. The filter should be added before the terminating tcp_proxy
          -filter to take effect. In addition, it sets a 30s idle timeout for
          +

          The example below declares a global default EnvoyFilter resource in +the root namespace called istio-config, that adds a custom +protocol filter on all sidecars in the system, for outbound port +9307. The filter should be added before the terminating tcp_proxy +filter to take effect. In addition, it sets a 30s idle timeout for all HTTP connections in both gateways and sidecars.

          apiVersion: networking.istio.io/v1alpha3
           kind: EnvoyFilter
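Review bot: NOTE 3 says a root-namespace EnvoyFilter without a workloadSelector applies to every sidecar and gateway, and the opening paragraph says incorrect configuration can destabilize the entire mesh; together these make write access to EnvoyFilter in the config root namespace a mesh-wide privilege, yet the text never says so. Suggest one sentence advising that create/update on EnvoyFilter resources, especially in the root namespace, be restricted to mesh administrators via Kubernetes RBAC. Separately, NOTE 2's "all patches will be processed sequentially in order of creation time" is stale next to the `priority` field documented below, which sorts by priority first; say "in priority order, then creation time" here so the two statements agree.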
          @@ -83,11 +83,11 @@
                     common_http_protocol_options:
                       idle_timeout: 30s
           
          -

          The following example enables Envoy's Lua filter for all inbound
          -HTTP calls arriving at service port 8080 of the reviews service pod
          -with labels "app: reviews", in the bookinfo namespace. The lua
          -filter calls out to an external service internal.org.net:8888 that
          -requires a special cluster definition in envoy. The cluster is also
          +

          The following example enables Envoy's Lua filter for all inbound +HTTP calls arriving at service port 8080 of the reviews service pod +with labels "app: reviews", in the bookinfo namespace. The lua +filter calls out to an external service internal.org.net:8888 that +requires a special cluster definition in envoy. The cluster is also added to the sidecar as part of this configuration.

          apiVersion: networking.istio.io/v1alpha3
           kind: EnvoyFilter
          @@ -152,9 +152,9 @@
                               address: "internal.org.net"
                               port_value: 8888
           
          -

          The following example overwrites certain fields (HTTP idle timeout
          -and X-Forward-For trusted hops) in the HTTP connection manager in a
          -listener on the ingress gateway in istio-system namespace for the
          +

          The following example overwrites certain fields (HTTP idle timeout +and X-Forward-For trusted hops) in the HTTP connection manager in a +listener on the ingress gateway in istio-system namespace for the SNI host app.example.com:

          apiVersion: networking.istio.io/v1alpha3
           kind: EnvoyFilter
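Review bot: "X-Forward-For trusted hops" should be "X-Forwarded-For"; the header name is misspelled in the source comment and the regenerated text carries it over. Since this example exists to show changing the trusted-hop count on the ingress gateway, it is the right place for a one-line caveat: the count decides which address in the header Envoy treats as the real client, and setting it higher than the number of proxies actually in front of the gateway lets a client supply its own "source" IP to anything downstream that keys on it (IP-based authorization policies, access logs).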
          @@ -183,8 +183,8 @@
                     common_http_protocol_options:
                       idle_timeout: 30s
           
          -

          The following example inserts an attributegen filter
          -that produces istio_operationId attribute which is consumed
          +

          The following example inserts an attributegen filter +that produces istio_operationId attribute which is consumed by the istio.stats filter. filterClass: STATS encodes this dependency.

          apiVersion: networking.istio.io/v1alpha3
           kind: EnvoyFilter
          @@ -251,9 +251,9 @@
                       - key: foo
                         value: myauth.acme # required by local ext auth server.
           
          -

          A workload in the myns namespace needs to access a different ext_auth server
          -that does not accept initial metadata. Since proto merge cannot remove fields, the
          -following configuration uses the REPLACE operation. If you do not need to inherit
          +

          A workload in the myns namespace needs to access a different ext_auth server +that does not accept initial metadata. Since proto merge cannot remove fields, the +following configuration uses the REPLACE operation. If you do not need to inherit fields, REPLACE is preferred over MERGE.

          apiVersion: networking.istio.io/v1alpha3
           kind: EnvoyFilter
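Review bot: the rationale for REPLACE is stated too abstractly. "Since proto merge cannot remove fields" is true, but the consequence that matters is that with MERGE the workload's filter would inherit the global filter's `initial_metadata` entries (the `key: foo` / `value: myauth.acme # required by local ext auth server` lines in the preceding context) and send them to the different ext_auth server in myns. Suggest: "With MERGE the initial_metadata configured globally would still be sent to the new server; REPLACE avoids inheriting it."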
          @@ -331,9 +331,9 @@
                       ads: {}
                     type_urls: ["type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm"]
           
          -

          The following example adds a Wasm service extension for all proxies using a locally available Wasm file.
          -The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters.
          -For example, a local rate limit extension would rely on a singleton to limit requests across all workers.
          +

          The following example adds a Wasm service extension for all proxies using a locally available Wasm file. +The singleton Wasm extension is used to maintain a shared state between workers executing Wasm filters. +For example, a local rate limit extension would rely on a singleton to limit requests across all workers. As another example, an authorization Wasm extension can use a singleton to maintain a database of accounts.

          apiVersion: networking.istio.io/v1alpha3
           kind: EnvoyFilter
          @@ -366,7 +366,7 @@
           
           

          EnvoyFilter

          -

          EnvoyFilter provides a mechanism to customize the Envoy configuration
          +

          EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot.

          to string -

          Destination region the traffic will fail over to when endpoints in
          +

          Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
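Review bot: subject-verb agreement in "when endpoints in the 'from' region becomes unhealthy": "endpoints ... become unhealthy". The sentence is also ambiguous about whether failover to the `to` region happens when all endpoints in 'from' are unhealthy or when any are; one qualifying word would settle it.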

          UNSPECIFIED -

          No load balancing algorithm has been specified by the user. Istio
          +

          No load balancing algorithm has been specified by the user. Istio will select an appropriate default.

          RANDOM -

          The random load balancer selects a random healthy host. The random
          -load balancer generally performs better than round robin if no health
          +

          The random load balancer selects a random healthy host. The random +load balancer generally performs better than round robin if no health checking policy is configured.

          PASSTHROUGH -

          This option will forward the connection to the original IP address
          -requested by the caller without doing any form of load
          -balancing. This option must be used with care. It is meant for
          -advanced use cases. Refer to Original Destination load balancer in
          +

          This option will forward the connection to the original IP address +requested by the caller without doing any form of load +balancing. This option must be used with care. It is meant for +advanced use cases. Refer to Original Destination load balancer in Envoy for further details.

          ROUND_ROBIN -

          A basic round robin load balancing policy. This is generally unsafe
          -for many scenarios (e.g. when enpoint weighting is used) as it can
          -overburden endpoints. In general, prefer to use LEAST_REQUEST as a
          +

          A basic round robin load balancing policy. This is generally unsafe +for many scenarios (e.g. when enpoint weighting is used) as it can +overburden endpoints. In general, prefer to use LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.
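Review bot: typo "enpoint" in "(e.g. when enpoint weighting is used)" should be "endpoint"; fix it in the istio/api proto comment so the regenerated page picks it up rather than patching the HTML.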

          LEAST_REQUEST -

          The least request load balancer spreads load across endpoints, favoring
          -endpoints with the least outstanding requests. This is generally safer
          -and outperforms ROUND_ROBIN in nearly all cases. Prefer to use
          +

          The least request load balancer spreads load across endpoints, favoring +endpoints with the least outstanding requests. This is generally safer +and outperforms ROUND_ROBIN in nearly all cases. Prefer to use LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.

          DO_NOT_UPGRADE -

          Do not upgrade the connection to http2.
          +

          Do not upgrade the connection to http2. This opt-out option overrides the default.

          UPGRADE -

          Upgrade the connection to http2.
          +

          Upgrade the connection to http2. This opt-in option overrides the default.

          MUTUAL -

          Secure connections to the upstream using mutual TLS by presenting
          +

          Secure connections to the upstream using mutual TLS by presenting client certificates for authentication.

          ISTIO_MUTUAL -

          Secure connections to the upstream using mutual TLS by presenting
          -client certificates for authentication.
          -Compared to Mutual mode, this mode uses certificates generated
          -automatically by Istio for mTLS authentication. When this mode is
          +

          Secure connections to the upstream using mutual TLS by presenting +client certificates for authentication. +Compared to Mutual mode, this mode uses certificates generated +automatically by Istio for mTLS authentication. When this mode is used, all other fields in ClientTLSSettings should be empty.

          @@ -383,13 +383,13 @@

          EnvoyFilter

          @@ -412,18 +412,18 @@

          EnvoyFilter

          @@ -452,13 +452,13 @@

          EnvoyFilter.ProxyMatch

          @@ -470,11 +470,11 @@

          EnvoyFilter.ProxyMatch

          @@ -487,7 +487,7 @@

          EnvoyFilter.ProxyMatch

          EnvoyFilter.ClusterMatch

          -

          Conditions specified in ClusterMatch must be met for the patch
          +

          Conditions specified in ClusterMatch must be met for the patch to be applied to a cluster.

          workloadSelector WorkloadSelector -

          Criteria used to select the specific set of pods/VMs on which
          -this patch configuration should be applied. If omitted, the set
          -of patches in this configuration will be applied to all workload
          -instances in the same namespace. If omitted, the EnvoyFilter
          -patches will be applied to all workloads in the same
          -namespace. If the EnvoyFilter is present in the config root
          -namespace, it will be applied to all applicable workloads in any
          +

          Criteria used to select the specific set of pods/VMs on which +this patch configuration should be applied. If omitted, the set +of patches in this configuration will be applied to all workload +instances in the same namespace. If omitted, the EnvoyFilter +patches will be applied to all workloads in the same +namespace. If the EnvoyFilter is present in the config root +namespace, it will be applied to all applicable workloads in any namespace.
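Review bot: the description says the same thing twice: "If omitted, the set of patches in this configuration will be applied to all workload instances in the same namespace. If omitted, the EnvoyFilter patches will be applied to all workloads in the same namespace." Keep one sentence. The final sentence, "If the EnvoyFilter is present in the config root namespace, it will be applied to all applicable workloads in any namespace", is the one with security weight and should survive, ideally with "without a workloadSelector" added so it matches NOTE 3 in the overview.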

          priority int32 -

          Priority defines the order in which patch sets are applied within a context.
          -When one patch depends on another patch, the order of patch application
          -is significant. The API provides two primary ways to order patches.
          -Patch sets in the root namespace are applied before the patch sets in the
          -workload namespace. Patches within a patch set are processed in the order
          +

          Priority defines the order in which patch sets are applied within a context. +When one patch depends on another patch, the order of patch application +is significant. The API provides two primary ways to order patches. +Patch sets in the root namespace are applied before the patch sets in the +workload namespace. Patches within a patch set are processed in the order that they appear in the configPatches list.

          -

          The default value for priority is 0 and the range is [ min-int32, max-int32 ].
          -A patch set with a negative priority is processed before the default. A patch
          +

          The default value for priority is 0 and the range is [ min-int32, max-int32 ]. +A patch set with a negative priority is processed before the default. A patch set with a positive priority is processed after the default.

          -

          It is recommended to start with priority values that are multiples of 10
          +

          It is recommended to start with priority values that are multiples of 10 to leave room for further insertion.

          -

          Patch sets are sorted in the following ascending key order:
          +

          Patch sets are sorted in the following ascending key order: priority, creation time, fully qualified resource name.
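Review bot: two ordering statements in this hunk do not line up. "Patch sets in the root namespace are applied before the patch sets in the workload namespace" is presented as a rule, but the sort keys listed at the end are "priority, creation time, fully qualified resource name", with no namespace key; as written, a root-namespace patch set with priority 10 would sort after a workload-namespace set with priority 0. Either add the namespace (root first) to the key list or qualify the first statement as "among patch sets of equal priority". Minor: "[ min-int32, max-int32 ]" should lose the inner spaces.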

          proxyVersion string -

          A regular expression in golang regex format (RE2) that can be
          -used to select proxies using a specific version of istio
          -proxy. The Istio version for a given proxy is obtained from the
          -node metadata field ISTIO_VERSION supplied by the proxy when
          -connecting to Pilot. This value is embedded as an environment
          -variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker
          -image. Custom proxy implementations should provide this metadata
          +

          A regular expression in golang regex format (RE2) that can be +used to select proxies using a specific version of istio +proxy. The Istio version for a given proxy is obtained from the +node metadata field ISTIO_VERSION supplied by the proxy when +connecting to Pilot. This value is embedded as an environment +variable (ISTIO_META_ISTIO_VERSION) in the Istio proxy docker +image. Custom proxy implementations should provide this metadata variable to take advantage of the Istio version check option.

          metadata map<string, string> -

          Match on the node metadata supplied by a proxy when connecting
          -to Istio Pilot. Note that while Envoy's node metadata is of
          -type Struct, only string key-value pairs are processed by
          -Pilot. All keys specified in the metadata must match with exact
          -values. The match will fail if any of the specified keys are
          +

          Match on the node metadata supplied by a proxy when connecting +to Istio Pilot. Note that while Envoy's node metadata is of +type Struct, only string key-value pairs are processed by +Pilot. All keys specified in the metadata must match with exact +values. The match will fail if any of the specified keys are absent or the values fail to match.
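Review bot: "node metadata supplied by a proxy when connecting to Istio Pilot" means the values being matched are self-reported by the proxy, so a `metadata` match selects proxies that claim a key, not proxies that provably have it. Worth one sentence that this is a configuration-selection mechanism, not an authentication one, so nobody uses it to gate security-relevant patches. Also "only string key-value pairs are processed by Pilot" reads more clearly as "only string-valued entries are matched".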

          @@ -504,8 +504,8 @@

          EnvoyFilter.ClusterMatch

          @@ -517,10 +517,10 @@

          EnvoyFilter.ClusterMatch

          @@ -532,7 +532,7 @@

          EnvoyFilter.ClusterMatch

          @@ -544,9 +544,9 @@

          EnvoyFilter.ClusterMatch

          @@ -559,8 +559,8 @@

          EnvoyFilter.ClusterMatch

          EnvoyFilter.RouteConfigurationMatch

          -

          Conditions specified in RouteConfigurationMatch must be met for
          -the patch to be applied to a route configuration object or a
          +

          Conditions specified in RouteConfigurationMatch must be met for +the patch to be applied to a route configuration object or a specific virtual host within the route configuration.

          portNumber uint32 -

          The service port for which this cluster was generated. If
          -omitted, applies to clusters for any port.
          +

          The service port for which this cluster was generated. If +omitted, applies to clusters for any port. Note: for inbound cluster, it is the service target port.

          service string -

          The fully qualified service name for this cluster. If omitted,
          -applies to clusters for any service. For services defined
          -through service entries, the service name is same as the hosts
          -defined in the service entry.
          +

          The fully qualified service name for this cluster. If omitted, +applies to clusters for any service. For services defined +through service entries, the service name is same as the hosts +defined in the service entry. Note: for inbound cluster, this is ignored.

          subset string -

          The subset associated with the service. If omitted, applies to
          +

          The subset associated with the service. If omitted, applies to clusters for any subset of a service.

          name string -

          The exact name of the cluster to match. To match a specific
          -cluster by name, such as the internally generated Passthrough
          -cluster, leave all fields in clusterMatch empty, except the
          +

          The exact name of the cluster to match. To match a specific +cluster by name, such as the internally generated Passthrough +cluster, leave all fields in clusterMatch empty, except the name.

          @@ -577,8 +577,8 @@

          EnvoyFilter.RouteConfigurationMatch

          @@ -590,7 +590,7 @@

          EnvoyFilter.RouteConfigurationMatch

          @@ -602,11 +602,11 @@

          EnvoyFilter.RouteConfigurationMatch

          @@ -618,7 +618,7 @@

          EnvoyFilter.RouteConfigurationMatch

          @@ -630,8 +630,8 @@

          EnvoyFilter.RouteConfigurationMatch

          @@ -644,8 +644,8 @@

          EnvoyFilter.RouteConfigurationMatch

          EnvoyFilter.ListenerMatch

          -

          Conditions specified in a listener match must be met for the
          -patch to be applied to a specific listener across all filter
          +

          Conditions specified in a listener match must be met for the +patch to be applied to a specific listener across all filter chains, or a specific filter chain inside the listener.

          portNumber uint32 -

          The service port number or gateway server port number for which
          -this route configuration was generated. If omitted, applies to
          +

          The service port number or gateway server port number for which +this route configuration was generated. If omitted, applies to route configurations for all ports.

          portName string -

          Applicable only for GATEWAY context. The gateway server port
          +

          Applicable only for GATEWAY context. The gateway server port name for which this route configuration was generated.

          gateway string -

          The Istio gateway config's namespace/name for which this route
          -configuration was generated. Applies only if the context is
          -GATEWAY. Should be in the namespace/name format. Use this field
          -in conjunction with the portNumber and portName to accurately
          -select the Envoy route configuration for a specific HTTPS
          +

          The Istio gateway config's namespace/name for which this route +configuration was generated. Applies only if the context is +GATEWAY. Should be in the namespace/name format. Use this field +in conjunction with the portNumber and portName to accurately +select the Envoy route configuration for a specific HTTPS server within a gateway config object.

          vhost VirtualHostMatch -

          Match a specific virtual host in a route configuration and
          +

          Match a specific virtual host in a route configuration and apply the patch to the virtual host.

          name string -

          Route configuration name to match on. Can be used to match a
          -specific route configuration by name, such as the internally
          +

          Route configuration name to match on. Can be used to match a +specific route configuration by name, such as the internally generated http_proxy route configuration for all sidecars.

          @@ -662,9 +662,9 @@

          EnvoyFilter.ListenerMatch

          @@ -676,9 +676,9 @@

          EnvoyFilter.ListenerMatch

          @@ -690,7 +690,7 @@

          EnvoyFilter.ListenerMatch

          @@ -730,7 +730,7 @@

          EnvoyFilter.Patch

          @@ -754,7 +754,7 @@

          EnvoyFilter.Patch

          EnvoyFilter.EnvoyConfigObjectMatch

          -

          One or more match conditions to be met before a patch is applied
          +

          One or more match conditions to be met before a patch is applied to the generated configuration for a given proxy.

          portNumber uint32 -

          The service port/gateway port to which traffic is being
          -sent/received. If not specified, matches all listeners. Even though
          -inbound listeners are generated for the instance/pod ports, only
          +

          The service port/gateway port to which traffic is being +sent/received. If not specified, matches all listeners. Even though +inbound listeners are generated for the instance/pod ports, only service ports should be used to match listeners.

          filterChain FilterChainMatch -

          Match a specific filter chain in a listener. If specified, the
          -patch will be applied to the filter chain (and a specific
          -filter if specified) and not to other filter chains in the
          +

          Match a specific filter chain in a listener. If specified, the +patch will be applied to the filter chain (and a specific +filter if specified) and not to other filter chains in the listener.

          name string -

          Match a specific listener by its name. The listeners generated
          +

          Match a specific listener by its name. The listeners generated by Pilot are typically named as IP:Port.

          value Struct -

          The JSON config of the object being patched. This will be merged using
          +

          The JSON config of the object being patched. This will be merged using proto merge semantics with the existing proto in the path.

          @@ -771,8 +771,8 @@

          EnvoyFilter.EnvoyConfigObjectMatchcontext

          @@ -845,14 +845,14 @@

          EnvoyFilter.EnvoyConfigObjectPatchapplyTo

          @@ -903,9 +903,9 @@

          EnvoyFilter.RouteConfigu

          @@ -945,9 +945,9 @@

          EnvoyFilter.RouteC

          @@ -971,9 +971,9 @@

          EnvoyFilter.RouteC

          EnvoyFilter.ListenerMatch.FilterChainMatch

          -

          For listeners with multiple filter chains (e.g., inbound
          -listeners on sidecars with permissive mTLS, gateway listeners
          -with multiple SNI matches), the filter chain match can be used
          +

          For listeners with multiple filter chains (e.g., inbound +listeners on sidecars with permissive mTLS, gateway listeners +with multiple SNI matches), the filter chain match can be used to select a specific filter chain to patch.

          PatchContext -

          The specific config generation context to match on. Istio Pilot
          -generates envoy configuration in the context of a gateway,
          +

          The specific config generation context to match on. Istio Pilot +generates envoy configuration in the context of a gateway, inbound traffic to sidecar and outbound traffic from sidecar.

          ApplyTo -

          Specifies where in the Envoy configuration, the patch should be
          -applied. The match is expected to select the appropriate
          -object based on applyTo. For example, an applyTo with
          -HTTP_FILTER is expected to have a match condition on the
          -listeners, with a network filter selection on
          -envoy.filters.network.http_connection_manager and a sub filter selection on the
          -HTTP filter relative to which the insertion should be
          -performed. Similarly, an applyTo on CLUSTER should have a match
          +

          Specifies where in the Envoy configuration, the patch should be +applied. The match is expected to select the appropriate +object based on applyTo. For example, an applyTo with +HTTP_FILTER is expected to have a match condition on the +listeners, with a network filter selection on +envoy.filters.network.http_connection_manager and a sub filter selection on the +HTTP filter relative to which the insertion should be +performed. Similarly, an applyTo on CLUSTER should have a match (if provided) on the cluster and not on a listener.

          name string -

          The Route objects generated by default are named as
          -default. Route objects generated using a virtual service
          -will carry the name used in the virtual service's HTTP
          +

          The Route objects generated by default are named as +default. Route objects generated using a virtual service +will carry the name used in the virtual service's HTTP routes.

          name string -

          The VirtualHosts objects generated by Istio are named as
          -host:port, where the host typically corresponds to the
          -VirtualService's host field or the hostname of a service in the
          +

          The VirtualHosts objects generated by Istio are named as +host:port, where the host typically corresponds to the +VirtualService's host field or the hostname of a service in the registry.

          @@ -1001,8 +1001,8 @@

          EnvoyFilter.ListenerMatch.Fi

          @@ -1014,10 +1014,10 @@

          EnvoyFilter.ListenerMatch.Fi

          @@ -1063,7 +1063,7 @@

          EnvoyFilter.ListenerMatch.Fi

          @@ -1092,8 +1092,8 @@

          EnvoyFilter.ListenerMatch.FilterM

          @@ -1105,8 +1105,8 @@

          EnvoyFilter.ListenerMatch.FilterM

          @@ -1119,9 +1119,9 @@

          EnvoyFilter.ListenerMatch.FilterM

          EnvoyFilter.ListenerMatch.SubFilterMatch

          -

          Conditions to match a specific filter within another
          -filter. This field is typically useful to match a HTTP filter
          -inside the envoy.filters.network.http_connection_manager network filter.
          +

          Conditions to match a specific filter within another +filter. This field is typically useful to match a HTTP filter +inside the envoy.filters.network.http_connection_manager network filter. This could also be applicable for thrift filters.

          sni string -

          The SNI value used by a filter chain's match condition. This
          -condition will evaluate to false if the filter chain has no
          +

          The SNI value used by a filter chain's match condition. This +condition will evaluate to false if the filter chain has no sni match.

          transportProtocol string -

          Applies only to SIDECAR_INBOUND context. If non-empty, a
          -transport protocol to consider when determining a filter
          -chain match. This value will be compared against the
          -transport protocol of a new connection, when it's detected by
          +

          Applies only to SIDECAR_INBOUND context. If non-empty, a +transport protocol to consider when determining a filter +chain match. This value will be compared against the +transport protocol of a new connection, when it's detected by the tls_inspector listener filter.

          Accepted values include:

            @@ -1034,10 +1034,10 @@

            EnvoyFilter.ListenerMatch.Fi

          applicationProtocols string -

          Applies only to sidecars. If non-empty, a comma separated set
          -of application protocols to consider when determining a
          -filter chain match. This value will be compared against the
          -application protocols of a new connection, when it's detected
          +

          Applies only to sidecars. If non-empty, a comma separated set +of application protocols to consider when determining a +filter chain match. This value will be compared against the +application protocols of a new connection, when it's detected by one of the listener filters such as the http_inspector.

          Accepted values include: h2, http/1.1, http/1.0

          @@ -1050,8 +1050,8 @@

          EnvoyFilter.ListenerMatch.Fi

          filter FilterMatch -

          The name of a specific filter to apply the patch to. Set this
          -to envoy.filters.network.http_connection_manager to add a filter or apply a
          +

          The name of a specific filter to apply the patch to. Set this +to envoy.filters.network.http_connection_manager to add a filter or apply a patch to the HTTP connection manager.

          destinationPort uint32 -

          The destination_port value used by a filter chain's match condition.
          +

          The destination_port value used by a filter chain's match condition. This condition will evaluate to false if the filter chain has no destination_port match.

          name string -

          The filter name to match on.
          -For standard Envoy filters, canonical filter
          +

          The filter name to match on. +For standard Envoy filters, canonical filter names should be used.

          subFilter SubFilterMatch -

          The next level filter within this filter to match
          -upon. Typically used for HTTP Connection Manager filters and
          +

          The next level filter within this filter to match +upon. Typically used for HTTP Connection Manager filters and Thrift filters.
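Review bot: two small grammar points in the FilterChainMatch/SubFilterMatch text of this hunk that the regeneration carries over unchanged: "useful to match a HTTP filter inside the envoy.filters.network.http_connection_manager network filter" should read "an HTTP filter", and "a comma separated set of application protocols" should be hyphenated as "comma-separated". Both come from the proto comments, so correct them in istio/api and regenerate rather than patching this HTML by hand.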

          @@ -1193,7 +1193,7 @@

          EnvoyFilter.Route

          EnvoyFilter.Patch.Operation

          -

          Operation denotes how the patch should be applied to the selected
          +

          Operation denotes how the patch should be applied to the selected configuration.

          @@ -1212,8 +1212,8 @@

          EnvoyFilter.Patch.Operation

          @@ -1221,9 +1221,9 @@

          EnvoyFilter.Patch.Operation

          @@ -1231,10 +1231,10 @@

          EnvoyFilter.Patch.Operation

          @@ -1242,14 +1242,14 @@

          EnvoyFilter.Patch.Operation

          @@ -1257,14 +1257,14 @@

          EnvoyFilter.Patch.Operation

          @@ -1272,14 +1272,14 @@

          EnvoyFilter.Patch.Operation

          @@ -1287,9 +1287,9 @@

          EnvoyFilter.Patch.Operation

          @@ -1299,14 +1299,14 @@

          EnvoyFilter.Patch.Operation

          EnvoyFilter.Patch.FilterClass

          -

          FilterClass determines the filter insertion point in the filter chain
          -relative to the filters implicitly inserted by the control plane.
          -It is used in conjuction with the ADD operation.
          -This is the preferred insertion mechanism for adding filters over
          -the INSERT_* operations since those operations rely on potentially unstable
          -filter names.
          -Filter ordering is important if your filter depends on or affects the
          -functioning of a another filter in the filter chain.
          +

          FilterClass determines the filter insertion point in the filter chain +relative to the filters implicitly inserted by the control plane. +It is used in conjuction with the ADD operation. +This is the preferred insertion mechanism for adding filters over +the INSERT_* operations since those operations rely on potentially unstable +filter names. +Filter ordering is important if your filter depends on or affects the +functioning of a another filter in the filter chain. Within a filter class, filters are inserted in the order of processing.

          MERGE -

          Merge the provided config with the generated config using
          -proto merge semantics. If you are specifying config in its
          +

          Merge the provided config with the generated config using +proto merge semantics. If you are specifying config in its entirety, use REPLACE instead.

          ADD -

          Add the provided config to an existing list (of listeners,
          -clusters, virtual hosts, network filters, or http
          -filters). This operation will be ignored when applyTo is set
          +

          Add the provided config to an existing list (of listeners, +clusters, virtual hosts, network filters, or http +filters). This operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

          REMOVE -

          Remove the selected object from the list (of listeners,
          -clusters, virtual hosts, network filters, routes, or http
          -filters). Does not require a value to be specified. This
          -operation will be ignored when applyTo is set to
          +

          Remove the selected object from the list (of listeners, +clusters, virtual hosts, network filters, routes, or http +filters). Does not require a value to be specified. This +operation will be ignored when applyTo is set to ROUTE_CONFIGURATION, or HTTP_ROUTE.

          INSERT_BEFORE -

          Insert operation on an array of named objects. This operation
          -is typically useful only in the context of filters or routes,
          -where the order of elements matter. Routes should be ordered
          -based on most to least specific matching criteria since the
          -first matching element is selected. For clusters and virtual hosts,
          -order of the element in the array does not matter. Insert
          -before the selected filter or sub filter. If no filter is
          -selected, the specified filter will be inserted at the front
          +

          Insert operation on an array of named objects. This operation +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, +order of the element in the array does not matter. Insert +before the selected filter or sub filter. If no filter is +selected, the specified filter will be inserted at the front of the list.

          INSERT_AFTER -

          Insert operation on an array of named objects. This operation
          -is typically useful only in the context of filters or routes,
          -where the order of elements matter. Routes should be ordered
          -based on most to least specific matching criteria since the
          -first matching element is selected. For clusters and virtual hosts,
          -order of the element in the array does not matter. Insert
          -after the selected filter or sub filter. If no filter is
          -selected, the specified filter will be inserted at the end
          +

          Insert operation on an array of named objects. This operation +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, +order of the element in the array does not matter. Insert +after the selected filter or sub filter. If no filter is +selected, the specified filter will be inserted at the end of the list.

          INSERT_FIRST -

          Insert operation on an array of named objects. This operation
          -is typically useful only in the context of filters or routes,
          -where the order of elements matter. Routes should be ordered
          -based on most to least specific matching criteria since the
          -first matching element is selected. For clusters and virtual hosts,
          -order of the element in the array does not matter. Insert
          -first in the list based on the presence of selected filter or not.
          -This is specifically useful when you want your filter first in the
          +

          Insert operation on an array of named objects. This operation +is typically useful only in the context of filters or routes, +where the order of elements matter. Routes should be ordered +based on most to least specific matching criteria since the +first matching element is selected. For clusters and virtual hosts, +order of the element in the array does not matter. Insert +first in the list based on the presence of selected filter or not. +This is specifically useful when you want your filter first in the list based on a match condition specified in Match clause.

          REPLACE -

          Replace contents of a named filter with new contents.
          -REPLACE operation is only valid for HTTP_FILTER and
          -NETWORK_FILTER. If the named filter is not found, this operation
          +

          Replace contents of a named filter with new contents. +REPLACE operation is only valid for HTTP_FILTER and +NETWORK_FILTER. If the named filter is not found, this operation has no effect.
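Review bot: the FilterClass description in this hunk still reads "It is used in conjuction with the ADD operation" and "functioning of a another filter in the filter chain"; both typos survive the Goldmark regeneration because the text is lifted from the proto comment, so fix them at the source in istio/api ("in conjunction with", "functioning of another filter") instead of editing the generated file. While there, the ADD and REMOVE entries carry a stray comma in "set to ROUTE_CONFIGURATION, or HTTP_ROUTE".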

          @@ -1320,7 +1320,7 @@

          EnvoyFilter.Patch.FilterClass

          @@ -1383,7 +1383,7 @@

          EnvoyFilter.ApplyTo

          @@ -1391,8 +1391,8 @@

          EnvoyFilter.ApplyTo

          @@ -1400,9 +1400,9 @@

          EnvoyFilter.ApplyTo

          @@ -1417,7 +1417,7 @@

          EnvoyFilter.ApplyTo

          @@ -1432,7 +1432,7 @@

          EnvoyFilter.ApplyTo

          @@ -1449,7 +1449,7 @@

          EnvoyFilter.ApplyTo

          EnvoyFilter.PatchContext

          -

          PatchContext selects a class of configurations based on the
          +

          PatchContext selects a class of configurations based on the traffic flow direction and workload type.

          UNSPECIFIED -

          Control plane decides where to insert the filter.
          +

          Control plane decides where to insert the filter. Do not specify FilterClass if the filter is independent of others.

          NETWORK_FILTER -

          Applies the patch to the network filter chain, to modify an
          +

          Applies the patch to the network filter chain, to modify an existing filter or add a new filter.

          HTTP_FILTER -

          Applies the patch to the HTTP filter chain in the http
          -connection manager, to modify an existing filter or add a new
          +

          Applies the patch to the HTTP filter chain in the http +connection manager, to modify an existing filter or add a new filter.

          ROUTE_CONFIGURATION -

          Applies the patch to the Route configuration (rds output)
          -inside a HTTP connection manager. This does not apply to the
          -virtual host. Currently, only MERGE operation is allowed on the
          +

          Applies the patch to the Route configuration (rds output) +inside a HTTP connection manager. This does not apply to the +virtual host. Currently, only MERGE operation is allowed on the route configuration objects.

          HTTP_ROUTE -

          Applies the patch to a route object inside the matched virtual
          +

          Applies the patch to a route object inside the matched virtual host in a route configuration.

          EXTENSION_CONFIG -

          Applies the patch to or adds an extension config in ECDS output. Note that ECDS
          +

          Applies the patch to or adds an extension config in ECDS output. Note that ECDS is only supported by HTTP filters.

          diff --git a/content/zh/docs/reference/config/networking/gateway/index.html b/content/zh/docs/reference/config/networking/gateway/index.html index 5695edea2fee5..fffb4ef2504dc 100644 --- a/content/zh/docs/reference/config/networking/gateway/index.html +++ b/content/zh/docs/reference/config/networking/gateway/index.html @@ -10,18 +10,18 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/gateway] number_of_entries: 6 --- -

          Gateway describes a load balancer operating at the edge of the mesh
          -receiving incoming or outgoing HTTP/TCP connections. The specification
          -describes a set of ports that should be exposed, the type of protocol to
          +

          Gateway describes a load balancer operating at the edge of the mesh +receiving incoming or outgoing HTTP/TCP connections. The specification +describes a set of ports that should be exposed, the type of protocol to use, SNI configuration for the load balancer, etc.

          -

          For example, the following Gateway configuration sets up a proxy to act
          -as a load balancer exposing port 80 and 9080 (http), 443 (https),
          -9443(https) and port 2379 (TCP) for ingress. The gateway will be
          -applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen
          -on these ports, it is the responsibility of the user to ensure that
          +

          For example, the following Gateway configuration sets up a proxy to act +as a load balancer exposing port 80 and 9080 (http), 443 (https), +9443(https) and port 2379 (TCP) for ingress. The gateway will be +applied to the proxy running on a pod with labels app: my-gateway-controller. While Istio will configure the proxy to listen +on these ports, it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Gateway
           metadata:
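Review bot: subject-verb agreement in the Gateway introduction of this hunk: "it is the responsibility of the user to ensure that external traffic to these ports are allowed into the mesh" should read "is allowed". Keep the sentence itself, since it spells out that a Gateway only configures the proxy's listeners and does not by itself admit outside traffic to those ports. As with the rest of this generated HTML, the wording fix belongs in the istio/api proto comment.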
          @@ -73,8 +73,8 @@
               hosts:
               - "*"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Gateway
           metadata:
          @@ -126,23 +126,23 @@
               hosts:
               - "*"
           
          -

          {{}}
          -{{}}

          -

          The Gateway specification above describes the L4-L6 properties of a load
          -balancer. A VirtualService can then be bound to a gateway to control
          +

          {{}} +{{}}

          +

          The Gateway specification above describes the L4-L6 properties of a load +balancer. A VirtualService can then be bound to a gateway to control the forwarding of traffic arriving at a particular host or gateway port.

          -

          For example, the following VirtualService splits traffic for
          -https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews,
          -http://uk.bookinfo.com:9080/reviews,
          -http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of
          -an internal reviews service on port 9080. In addition, requests
          -containing the cookie "user: dev-123" will be sent to special port 7777
          -in the qa version. The same rule is also applicable inside the mesh for
          -requests to the "reviews.prod.svc.cluster.local" service. This rule is
          -applicable across ports 443, 9080. Note that http://uk.bookinfo.com
          +

          For example, the following VirtualService splits traffic for +https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews, +http://uk.bookinfo.com:9080/reviews, +http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of +an internal reviews service on port 9080. In addition, requests +containing the cookie "user: dev-123" will be sent to special port 7777 +in the qa version. The same rule is also applicable inside the mesh for +requests to the "reviews.prod.svc.cluster.local" service. This rule is +applicable across ports 443, 9080. Note that http://uk.bookinfo.com gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -179,8 +179,8 @@
                   host: reviews.qa.svc.cluster.local
                 weight: 20
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -217,14 +217,14 @@
                   host: reviews.qa.svc.cluster.local
                 weight: 20
           
          -

          {{}}
          -{{}}

          -

          The following VirtualService forwards traffic arriving at (external)
          -port 27017 to internal Mongo server on port 5555. This rule is not
          -applicable internally in the mesh as the gateway list omits the
          +

          {{}} +{{}}

          +

          The following VirtualService forwards traffic arriving at (external) +port 27017 to internal Mongo server on port 5555. This rule is not +applicable internally in the mesh as the gateway list omits the reserved name mesh.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -244,8 +244,8 @@
                   port:
                     number: 5555
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -265,15 +265,15 @@
                   port:
                     number: 5555
           
          -

          {{}}
          -{{}}

          -

          It is possible to restrict the set of virtual services that can bind to
          -a gateway server using the namespace/hostname syntax in the hosts field.
          -For example, the following Gateway allows any virtual service in the ns1
          -namespace to bind to it, while restricting only the virtual service with
          +

          {{}} +{{}}

          +

          It is possible to restrict the set of virtual services that can bind to +a gateway server using the namespace/hostname syntax in the hosts field. +For example, the following Gateway allows any virtual service in the ns1 +namespace to bind to it, while restricting only the virtual service with foo.bar.com host in the ns2 namespace to bind to it.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Gateway
           metadata:
          @@ -291,8 +291,8 @@
               - "ns1/*"
               - "ns2/foo.bar.com"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Gateway
           metadata:
          @@ -310,12 +310,12 @@
               - "ns1/*"
               - "ns2/foo.bar.com"
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          Gateway

          -

          Gateway describes a load balancer operating at the edge of the mesh
          +

          Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.

          @@ -343,17 +343,17 @@

          Gateway

          @@ -366,10 +366,10 @@

          Gateway

          Server

          -

          Server describes the properties of the proxy on a given load balancer
          +

          Server describes the properties of the proxy on a given load balancer port. For example,

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Gateway
           metadata:
          @@ -385,8 +385,8 @@ 

          Server

          hosts: - "*"
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Gateway
           metadata:
          @@ -402,11 +402,11 @@ 

          Server

          hosts: - "*"
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          Another example

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Gateway
           metadata:
          @@ -422,8 +422,8 @@ 

          Server

          hosts: - "*"
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Gateway
           metadata:
          @@ -439,11 +439,11 @@ 

          Server

          hosts: - "*"
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          The following is an example of TLS configuration for port 443

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Gateway
           metadata:
          @@ -462,8 +462,8 @@ 

          Server

          mode: SIMPLE credentialName: tls-cert
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Gateway
           metadata:
          @@ -482,8 +482,8 @@ 

          Server

          mode: SIMPLE credentialName: tls-cert
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          selector map<string, string> -

          One or more labels that indicate a specific set of pods/VMs
          -on which this gateway configuration should be applied.
          -By default workloads are searched across all namespaces based on label selectors.
          -This implies that a gateway resource in the namespace "foo" can select pods in
          -the namespace "bar" based on labels.
          -This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE
          -environment variable in istiod. If this variable is set
          -to true, the scope of label search is restricted to the configuration
          -namespace in which the the resource is present. In other words, the Gateway
          -resource must reside in the same namespace as the gateway workload
          -instance.
          +

          One or more labels that indicate a specific set of pods/VMs +on which this gateway configuration should be applied. +By default workloads are searched across all namespaces based on label selectors. +This implies that a gateway resource in the namespace "foo" can select pods in +the namespace "bar" based on labels. +This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE +environment variable in istiod. If this variable is set +to true, the scope of label search is restricted to the configuration +namespace in which the the resource is present. In other words, the Gateway +resource must reside in the same namespace as the gateway workload +instance. If selector is nil, the Gateway will be applied to all workloads.
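Review bot: duplicated word in the selector description of this hunk: "the configuration namespace in which the the resource is present". Fix it in the upstream proto comment. The surrounding sentences (label matching across all namespaces by default, PILOT_SCOPE_GATEWAY_TO_NAMESPACE to restrict the search to the resource's own namespace, and "If selector is nil, the Gateway will be applied to all workloads") are exactly what an operator needs when judging which workloads a Gateway in one namespace can attach to, so confirm they render intact after the Goldmark conversion.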

          @@ -499,7 +499,7 @@

          Server

          @@ -511,13 +511,13 @@

          Server

          @@ -529,31 +529,31 @@

          Server

          @@ -565,8 +565,8 @@

          Server

          @@ -578,8 +578,8 @@

          Server

          @@ -619,9 +619,9 @@

          Port

          @@ -644,7 +644,7 @@

          Port

          @@ -671,7 +671,7 @@

          ServerTLSSettings

          @@ -683,8 +683,8 @@

          ServerTLSSettings

          @@ -696,7 +696,7 @@

          ServerTLSSettings

          @@ -708,7 +708,7 @@

          ServerTLSSettings

          @@ -720,8 +720,8 @@

          ServerTLSSettings

          @@ -733,15 +733,15 @@

          ServerTLSSettings

          @@ -753,7 +753,7 @@

          ServerTLSSettings

          @@ -765,10 +765,10 @@

          ServerTLSSettings

          @@ -780,11 +780,11 @@

          ServerTLSSettings

          @@ -818,7 +818,7 @@

          ServerTLSSettings

          @@ -844,8 +844,8 @@

          ServerTLSSettings.TLSmode

          @@ -860,7 +860,7 @@

          ServerTLSSettings.TLSmode

          @@ -868,16 +868,16 @@

          ServerTLSSettings.TLSmode

          @@ -885,11 +885,11 @@

          ServerTLSSettings.TLSmode

          diff --git a/content/zh/docs/reference/config/networking/proxy-config/index.html b/content/zh/docs/reference/config/networking/proxy-config/index.html index 188fcd931a3f8..c4460dfbf28ed 100644 --- a/content/zh/docs/reference/config/networking/proxy-config/index.html +++ b/content/zh/docs/reference/config/networking/proxy-config/index.html @@ -10,15 +10,15 @@ aliases: [/zh/docs/reference/config/networking/v1beta1/proxy-config] number_of_entries: 2 --- -

          ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis,
          -a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented
          +

          ProxyConfig exposes proxy level configuration options. ProxyConfig can be configured on a per-workload basis, +a per-namespace basis, or mesh-wide. ProxyConfig is not a required resource; there are default values in place, which are documented inline with each field.

          NOTE: fields in ProxyConfig are not dynamically configured - changes will require restart of workloads to take effect.

          -

          For any namespace, including the root configuration namespace, it is only valid
          +

          For any namespace, including the root configuration namespace, it is only valid to have a single workload selector-less ProxyConfig resource.

          -

          For resources with a workload selector, it is only valid to have one resource selecting
          +

          For resources with a workload selector, it is only valid to have one resource selecting any given workload.

          -

          For mesh level configuration, put the resource in the root configuration namespace for
          +

          For mesh level configuration, put the resource in the root configuration namespace for your Istio installation without a workload selector:

          apiVersion: networking.istio.io/v1beta1
           kind: ProxyConfig
          @@ -53,8 +53,8 @@
             image:
               imageType: debug
           
          -

          If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present,
          -with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and
          +

          If a ProxyConfig CR is defined that matches a workload it will merge with its proxy.istio.io/config annotation if present, +with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide ProxyConfig CR is defined and meshConfig.DefaultConfig is set, the two resources will be merged with the CR taking precedence for overlapping fields.

          ProxyConfig
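Review bot: the merge paragraph in this hunk only states precedence for a matching CR over the proxy.istio.io/config annotation and for a mesh-wide CR over meshConfig.DefaultConfig; it does not say how a workload-selected ProxyConfig, the namespace's selector-less ProxyConfig and the root-namespace resource combine when all three match the same workload, even though the earlier paragraphs allow all three to exist at once. Because these settings carry the proxy image and environment variables, the reader needs the full ordering; please add one sentence giving it rather than leaving the reader to infer it from the two pairwise rules.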

          @@ -75,7 +75,7 @@

          ProxyConfig

          @@ -87,8 +87,8 @@

          ProxyConfig

          @@ -100,7 +100,7 @@

          ProxyConfig

          @@ -124,9 +124,9 @@

          ProxyConfig

          ProxyImage

          -

          The following values are used to construct proxy image url.
          -format: ${hub}/${image_name}/${tag}-${image_type},
          -example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless.
          +

          The following values are used to construct proxy image url. +format: ${hub}/${image_name}/${tag}-${image_type}, +example: docker.io/istio/proxyv2:1.11.1 or docker.io/istio/proxyv2:1.11.1-distroless. This information was previously part of the Values API.

          port Port -

          The Port on which the proxy should listen for incoming
          +

          The Port on which the proxy should listen for incoming connections.

          bind string -

          The ip or the Unix domain socket to which the listener should be bound
          -to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar
          -(Linux abstract namespace). When using Unix domain sockets, the port
          -number should be 0.
          -This can be used to restrict the reachability of this server to be gateway internal only.
          -This is typically used when a gateway needs to communicate to another mesh service
          -e.g. publishing metrics. In such case, the server created with the
          +

          The ip or the Unix domain socket to which the listener should be bound +to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar +(Linux abstract namespace). When using Unix domain sockets, the port +number should be 0. +This can be used to restrict the reachability of this server to be gateway internal only. +This is typically used when a gateway needs to communicate to another mesh service +e.g. publishing metrics. In such case, the server created with the specified bind will not be available to external gateway clients.

          hosts string[] -

          One or more hosts exposed by this gateway.
          -While typically applicable to
          -HTTP services, it can also be used for TCP services using TLS with SNI.
          -A host is specified as a dnsName with an optional namespace/ prefix.
          -The dnsName should be specified using FQDN format, optionally including
          -a wildcard character in the left-most component (e.g., prod/*.example.com).
          -Set the dnsName to * to select all VirtualService hosts from the
          +

          One or more hosts exposed by this gateway. +While typically applicable to +HTTP services, it can also be used for TCP services using TLS with SNI. +A host is specified as a dnsName with an optional namespace/ prefix. +The dnsName should be specified using FQDN format, optionally including +a wildcard character in the left-most component (e.g., prod/*.example.com). +Set the dnsName to * to select all VirtualService hosts from the specified namespace (e.g.,prod/*).

          -

          The namespace can be set to * or ., representing any or the current
          -namespace, respectively. For example, */foo.example.com selects the
          -service from any available namespace while ./foo.example.com only selects
          -the service from the namespace of the sidecar. The default, if no namespace/
          -is specified, is */, that is, select services from any namespace.
          +

          The namespace can be set to * or ., representing any or the current +namespace, respectively. For example, */foo.example.com selects the +service from any available namespace while ./foo.example.com only selects +the service from the namespace of the sidecar. The default, if no namespace/ +is specified, is */, that is, select services from any namespace. Any associated DestinationRule in the selected namespace will also be used.

          -

          A VirtualService must be bound to the gateway and must have one or
          -more hosts that match the hosts specified in a server. The match
          -could be an exact match or a suffix match with the server's hosts. For
          -example, if the server's hosts specifies *.example.com, a
          -VirtualService with hosts dev.example.com or prod.example.com will
          -match. However, a VirtualService with host example.com or
          +

          A VirtualService must be bound to the gateway and must have one or +more hosts that match the hosts specified in a server. The match +could be an exact match or a suffix match with the server's hosts. For +example, if the server's hosts specifies *.example.com, a +VirtualService with hosts dev.example.com or prod.example.com will +match. However, a VirtualService with host example.com or newexample.com will not match.

          -

          NOTE: Only virtual services exported to the gateway's namespace
          -(e.g., exportTo value of *) can be referenced.
          -Private configurations (e.g., exportTo set to .) will not be
          -available. Refer to the exportTo setting in VirtualService,
          +

          NOTE: Only virtual services exported to the gateway's namespace +(e.g., exportTo value of *) can be referenced. +Private configurations (e.g., exportTo set to .) will not be +available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

          tls ServerTLSSettings -

          Set of TLS related options that govern the server's behavior. Use
          -these options to control if all http requests should be redirected to
          +

          Set of TLS related options that govern the server's behavior. Use +these options to control if all http requests should be redirected to https, and the TLS modes to use.

          name string -

          An optional name of the server, when set must be unique across all servers.
          -This will be used for variety of purposes like prefixing stats generated with
          +

          An optional name of the server, when set must be unique across all servers. +This will be used for variety of purposes like prefixing stats generated with this name etc.

          protocol string -

          The protocol exposed on the port.
          -MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
          -TLS implies the connection will be routed based on the SNI header to
          +

          The protocol exposed on the port. +MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. +TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection.

          targetPort uint32 -

          The port number on the endpoint where the traffic will be
          +

          The port number on the endpoint where the traffic will be received. Applicable only when used with ServiceEntries.

          httpsRedirect bool -

          If set to true, the load balancer will send a 301 redirect for
          +

          If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.

          mode TLSmode -

          Optional: Indicates whether connections to this port should be
          -secured using TLS. The value of this field determines how TLS is
          +

          Optional: Indicates whether connections to this port should be +secured using TLS. The value of this field determines how TLS is enforced.

          serverCertificate string -

          REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
          +

          REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server-side TLS certificate to use.

          privateKey string -

          REQUIRED if mode is SIMPLE or MUTUAL. The path to the file
          +

          REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server's private key.

          caCertificates string -

          REQUIRED if mode is MUTUAL. The path to a file containing
          -certificate authority certificates to use in verifying a presented
          +

          REQUIRED if mode is MUTUAL. The path to a file containing +certificate authority certificates to use in verifying a presented client side certificate.

          credentialName string -

          For gateways running on Kubernetes, the name of the secret that
          -holds the TLS certs including the CA certificates. Applicable
          -only on Kubernetes. The secret (of type generic) should
          -contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS,
          -cacert: <CACertificate> can be provided in the same secret or
          -a separate secret named <secret>-cacert.
          -Secret of type tls for server certificates along with
          -ca.crt key for CA certificates is also supported.
          -Only one of server certificates and CA certificate
          +

          For gateways running on Kubernetes, the name of the secret that +holds the TLS certs including the CA certificates. Applicable +only on Kubernetes. The secret (of type generic) should +contain the following keys and values: key: <privateKey> and cert: <serverCert>. For mutual TLS, +cacert: <CACertificate> can be provided in the same secret or +a separate secret named <secret>-cacert. +Secret of type tls for server certificates along with +ca.crt key for CA certificates is also supported. +Only one of server certificates and CA certificate or credentialName can be specified.

          subjectAltNames string[] -

          A list of alternate names to verify the subject identity in the
          +

          A list of alternate names to verify the subject identity in the certificate presented by the client.

          verifyCertificateSpki string[] -

          An optional list of base64-encoded SHA-256 hashes of the SPKIs of
          -authorized client certificates.
          -Note: When both verify_certificate_hash and verify_certificate_spki
          -are specified, a hash matching either value will result in the
          +

          An optional list of base64-encoded SHA-256 hashes of the SPKIs of +authorized client certificates. +Note: When both verify_certificate_hash and verify_certificate_spki +are specified, a hash matching either value will result in the certificate being accepted.

          verifyCertificateHash string[] -

          An optional list of hex-encoded SHA-256 hashes of the
          -authorized client certificates. Both simple and colon separated
          -formats are acceptable.
          -Note: When both verify_certificate_hash and verify_certificate_spki
          -are specified, a hash matching either value will result in the
          +

          An optional list of hex-encoded SHA-256 hashes of the +authorized client certificates. Both simple and colon separated +formats are acceptable. +Note: When both verify_certificate_hash and verify_certificate_spki +are specified, a hash matching either value will result in the certificate being accepted.

          cipherSuites string[] -

          Optional: If specified, only support the specified cipher list.
          +

          Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy.

          PASSTHROUGH -

          The SNI string presented by the client will be used as the
          -match criterion in a VirtualService TLS route to determine
          +

          The SNI string presented by the client will be used as the +match criterion in a VirtualService TLS route to determine the destination service from the service registry.

          MUTUAL -

          Secure connections to the downstream using mutual TLS by
          +

          Secure connections to the downstream using mutual TLS by presenting server certificates for authentication.

          AUTO_PASSTHROUGH -

          Similar to the passthrough mode, except servers with this TLS
          -mode do not require an associated VirtualService to map from
          -the SNI value to service in the registry. The destination
          -details such as the service/subset/port are encoded in the
          -SNI value. The proxy will forward to the upstream (Envoy)
          -cluster (a group of endpoints) specified by the SNI
          -value. This server is typically used to provide connectivity
          -between services in disparate L3 networks that otherwise do
          -not have direct connectivity between their respective
          -endpoints. Use of this mode assumes that both the source and
          +

          Similar to the passthrough mode, except servers with this TLS +mode do not require an associated VirtualService to map from +the SNI value to service in the registry. The destination +details such as the service/subset/port are encoded in the +SNI value. The proxy will forward to the upstream (Envoy) +cluster (a group of endpoints) specified by the SNI +value. This server is typically used to provide connectivity +between services in disparate L3 networks that otherwise do +not have direct connectivity between their respective +endpoints. Use of this mode assumes that both the source and the destination are using Istio mTLS to secure traffic.

          ISTIO_MUTUAL -

          Secure connections from the downstream using mutual TLS by
          -presenting server certificates for authentication. Compared
          -to Mutual mode, this mode uses certificates, representing
          -gateway workload identity, generated automatically by Istio
          -for mTLS authentication. When this mode is used, all other
          +

          Secure connections from the downstream using mutual TLS by +presenting server certificates for authentication. Compared +to Mutual mode, this mode uses certificates, representing +gateway workload identity, generated automatically by Istio +for mTLS authentication. When this mode is used, all other fields in TLSOptions should be empty.

          selector WorkloadSelector -

          Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied.
          +

          Optional. Selectors specify the set of pods/VMs on which this ProxyConfig resource should be applied. If not set, the ProxyConfig resource will be applied to all workloads in the namespace where this resource is defined.

          concurrency Int32Value -

          The number of worker threads to run.
          -If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using
          +

          The number of worker threads to run. +If unset, defaults to 2. If set to 0, this will be configured to use all cores on the machine using CPU requests and limits to choose a value, with limits taking precedence over requests.

          environmentVariables map<string, string> -

          Additional environment variables for the proxy.
          +

          Additional environment variables for the proxy. Names starting with ISTIO_META_ will be included in the generated bootstrap configuration and sent to the XDS server.
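Review bot: in the credentialName description in this hunk the secret layout is given with angle-bracketed placeholders (`key: <privateKey> and cert: <serverCert>`, `cacert: <CACertificate>`, `<secret>-cacert`); in the generated index.html these must arrive as escaped text (`&lt;privateKey&gt;`), otherwise the browser treats `<privateKey>` as an unknown element and the key names vanish from the rendered page, which is exactly the part an operator copies when building the TLS secret. Please confirm the Goldmark output escapes them by checking the rendered page, not only this source diff. The same check applies to the wildcard examples in the hosts description (`*`, `prod/*`, `*/foo.example.com`), which must render as literal asterisks rather than being consumed as emphasis markers.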

          @@ -143,9 +143,9 @@

          ProxyImage

          diff --git a/content/zh/docs/reference/config/networking/service-entry/index.html b/content/zh/docs/reference/config/networking/service-entry/index.html index 7429905302050..911964ffb94bb 100644 --- a/content/zh/docs/reference/config/networking/service-entry/index.html +++ b/content/zh/docs/reference/config/networking/service-entry/index.html @@ -10,26 +10,26 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/service-entry] number_of_entries: 3 --- -

          ServiceEntry enables adding additional entries into Istio's
          -internal service registry, so that auto-discovered services in the
          -mesh can access/route to these manually specified services. A
          -service entry describes the properties of a service (DNS name,
          -VIPs, ports, protocols, endpoints). These services could be
          -external to the mesh (e.g., web APIs) or mesh-internal services
          -that are not part of the platform's service registry (e.g., a set
          -of VMs talking to services in Kubernetes). In addition, the
          -endpoints of a service entry can also be dynamically selected by
          -using the workloadSelector field. These endpoints can be VM
          -workloads declared using the WorkloadEntry object or Kubernetes
          -pods. The ability to select both pods and VMs under a single
          -service allows for migration of services from VMs to Kubernetes
          -without having to change the existing DNS names associated with the
          +

          ServiceEntry enables adding additional entries into Istio's +internal service registry, so that auto-discovered services in the +mesh can access/route to these manually specified services. A +service entry describes the properties of a service (DNS name, +VIPs, ports, protocols, endpoints). These services could be +external to the mesh (e.g., web APIs) or mesh-internal services +that are not part of the platform's service registry (e.g., a set +of VMs talking to services in Kubernetes). In addition, the +endpoints of a service entry can also be dynamically selected by +using the workloadSelector field. These endpoints can be VM +workloads declared using the WorkloadEntry object or Kubernetes +pods. The ability to select both pods and VMs under a single +service allows for migration of services from VMs to Kubernetes +without having to change the existing DNS names associated with the services.

          -

          The following example declares a few external APIs accessed by internal
          -applications over HTTPS. The sidecar inspects the SNI value in the
          +

          The following example declares a few external APIs accessed by internal +applications over HTTPS. The sidecar inspects the SNI value in the ClientHello message to route to the appropriate external service.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -46,8 +46,8 @@
               protocol: TLS
             resolution: DNS
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -64,14 +64,14 @@
               protocol: TLS
             resolution: DNS
           
          -

          {{}}
          -{{}}

          -

          The following configuration adds a set of MongoDB instances running on
          -unmanaged VMs to Istio's registry, so that these services can be treated
          -as any other service in the mesh. The associated DestinationRule is used
          +

          {{}} +{{}}

          +

          The following configuration adds a set of MongoDB instances running on +unmanaged VMs to Istio's registry, so that these services can be treated +as any other service in the mesh. The associated DestinationRule is used to initiate mTLS connections to the database instances.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -91,8 +91,8 @@
             - address: 2.2.2.2
             - address: 3.3.3.3
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -112,11 +112,11 @@
             - address: 2.2.2.2
             - address: 3.3.3.3
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          and the associated DestinationRule

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -130,8 +130,8 @@
                 privateKey: /etc/certs/client_private_key.pem
                 caCertificates: /etc/certs/rootcacerts.pem
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -145,13 +145,13 @@
                 privateKey: /etc/certs/client_private_key.pem
                 caCertificates: /etc/certs/rootcacerts.pem
           
          -

          {{}}
          -{{}}

          -

          The following example uses a combination of service entry and TLS
          -routing in a virtual service to steer traffic based on the SNI value to
          +

          {{}} +{{}}

          +

          The following example uses a combination of service entry and TLS +routing in a virtual service to steer traffic based on the SNI value to an internal egress firewall.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -167,8 +167,8 @@
               protocol: TLS
             resolution: NONE
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -184,11 +184,11 @@
               protocol: TLS
             resolution: NONE
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          And the associated VirtualService to route based on the SNI value.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -206,8 +206,8 @@
               - destination:
                   host: internal-egress-firewall.ns1.svc.cluster.local
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -225,20 +225,20 @@
               - destination:
                   host: internal-egress-firewall.ns1.svc.cluster.local
           
          -

          {{}}
          -{{}}

          -

          The virtual service with TLS match serves to override the default SNI
          -match. In the absence of a virtual service, traffic will be forwarded to
          +

          {{}} +{{}}

          +

          The virtual service with TLS match serves to override the default SNI +match. In the absence of a virtual service, traffic will be forwarded to the wikipedia domains.

          -

          The following example demonstrates the use of a dedicated egress gateway
          -through which all external service traffic is forwarded.
          -The 'exportTo' field allows for control over the visibility of a service
          -declaration to other namespaces in the mesh. By default, a service is exported
          -to all namespaces. The following example restricts the visibility to the
          -current namespace, represented by ".", so that it cannot be used by other
          +

          The following example demonstrates the use of a dedicated egress gateway +through which all external service traffic is forwarded. +The 'exportTo' field allows for control over the visibility of a service +declaration to other namespaces in the mesh. By default, a service is exported +to all namespaces. The following example restricts the visibility to the +current namespace, represented by ".", so that it cannot be used by other namespaces.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -256,8 +256,8 @@
               protocol: HTTP
             resolution: DNS
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -275,11 +275,11 @@
               protocol: HTTP
             resolution: DNS
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          Define a gateway to handle all egress traffic.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Gateway
           metadata:
          @@ -296,8 +296,8 @@
              hosts:
              - "*"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Gateway
           metadata:
          @@ -314,16 +314,16 @@
              hosts:
              - "*"
           
          -

          {{}}
          -{{}}

          -

          And the associated VirtualService to route from the sidecar to the
          -gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
          -well as route from the gateway to the external service. Note that the
          -virtual service is exported to all namespaces enabling them to route traffic
          -through the gateway to the external service. Forcing traffic to go through
          +

          {{}} +{{}}

          +

          And the associated VirtualService to route from the sidecar to the +gateway service (istio-egressgateway.istio-system.svc.cluster.local), as +well as route from the gateway to the external service. Note that the +virtual service is exported to all namespaces enabling them to route traffic +through the gateway to the external service. Forcing traffic to go through a managed middle proxy like this is a common practice.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -353,8 +353,8 @@
               - destination:
                   host: example.com
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -384,14 +384,14 @@
               - destination:
                   host: example.com
           
          -

          {{}}
          -{{}}

          -

          The following example demonstrates the use of wildcards in the hosts for
          -external services. If the connection has to be routed to the IP address
          -requested by the application (i.e. application resolves DNS and attempts
          +

          {{}} +{{}}

          +

          The following example demonstrates the use of wildcards in the hosts for +external services. If the connection has to be routed to the IP address +requested by the application (i.e. application resolves DNS and attempts to connect to a specific IP), the discovery mode must be set to NONE.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -406,8 +406,8 @@
               protocol: HTTP
             resolution: NONE
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -422,13 +422,13 @@
               protocol: HTTP
             resolution: NONE
           
          -

          {{}}
          -{{}}

          -

          The following example demonstrates a service that is available via a
          -Unix Domain Socket on the host of the client. The resolution must be
          +

          {{}} +{{}}

          +

          The following example demonstrates a service that is available via a +Unix Domain Socket on the host of the client. The resolution must be set to STATIC to use Unix address endpoints.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -445,8 +445,8 @@
             endpoints:
             - address: unix:///var/run/example/socket
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -463,17 +463,17 @@
             endpoints:
             - address: unix:///var/run/example/socket
           
          -

          {{}}
          -{{}}

          -

          For HTTP-based services, it is possible to create a VirtualService
          -backed by multiple DNS addressable endpoints. In such a scenario, the
          -application can use the HTTP_PROXY environment variable to transparently
          -reroute API calls for the VirtualService to a chosen backend. For
          -example, the following configuration creates a non-existent external
          -service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
          +

          {{}} +{{}}

          +

          For HTTP-based services, it is possible to create a VirtualService +backed by multiple DNS addressable endpoints. In such a scenario, the +application can use the HTTP_PROXY environment variable to transparently +reroute API calls for the VirtualService to a chosen backend. For +example, the following configuration creates a non-existent external +service called foo.bar.com backed by three domains: us.foo.bar.com:8080, uk.foo.bar.com:9080, and in.foo.bar.com:7080

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
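Review bot: the lead-in says "it is possible to create a VirtualService backed by multiple DNS addressable endpoints", but the resource shown directly under it is `kind: ServiceEntry`, and the later sentence "reroute API calls for the VirtualService to a chosen backend" repeats the mismatch; both the - and + lines carry it, so the Goldmark re-render did not introduce it, but since this HTML is generated from the istio/api proto comments the wording should be corrected there to say ServiceEntry (or to explain where a VirtualService comes in). The reflowed + line otherwise matches the removed lines word for word.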
          @@ -498,8 +498,8 @@
               ports:
                 http: 7080
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -524,17 +524,17 @@
               ports:
                 http: 7080
           
          -

          {{}}
          -{{}}

          -

          With HTTP_PROXY=http://localhost/, calls from the application to
          -http://foo.bar.com will be load balanced across the three domains
          -specified above. In other words, a call to http://foo.bar.com/baz would
          +

          {{}} +{{}}

          +

          With HTTP_PROXY=http://localhost/, calls from the application to +http://foo.bar.com will be load balanced across the three domains +specified above. In other words, a call to http://foo.bar.com/baz would be translated to http://uk.foo.bar.com/baz.

          -

          The following example illustrates the usage of a ServiceEntry
          -containing a subject alternate name
          +

          The following example illustrates the usage of a ServiceEntry +containing a subject alternate name whose format conforms to the SPIFFE standard:

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -555,8 +555,8 @@
             subjectAltNames:
             - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -577,21 +577,21 @@
             subjectAltNames:
             - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account"
           
          -

          {{}}
          -{{}}

          -

          The following example demonstrates the use of ServiceEntry with a
          -workloadSelector to handle the migration of a service
          -details.bookinfo.com from VMs to Kubernetes. The service has two
          -VM-based instances with sidecars as well as a set of Kubernetes
          -pods managed by a standard deployment object. Consumers of this
          -service in the mesh will be automatically load balanced across the
          -VMs and Kubernetes. VM for the details.bookinfo.com
          -service. This VM has sidecar installed and bootstrapped using the
          -details-legacy service account. The sidecar receives HTTP traffic
          -on port 80 (wrapped in istio mutual TLS) and forwards it to the
          +

          {{}} +{{}}

          +

          The following example demonstrates the use of ServiceEntry with a +workloadSelector to handle the migration of a service +details.bookinfo.com from VMs to Kubernetes. The service has two +VM-based instances with sidecars as well as a set of Kubernetes +pods managed by a standard deployment object. Consumers of this +service in the mesh will be automatically load balanced across the +VMs and Kubernetes. VM for the details.bookinfo.com +service. This VM has sidecar installed and bootstrapped using the +details-legacy service account. The sidecar receives HTTP traffic +on port 80 (wrapped in istio mutual TLS) and forwards it to the application on the localhost on the same port.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: WorkloadEntry
           metadata:
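Review bot: "Consumers of this service in the mesh will be automatically load balanced across the VMs and Kubernetes. VM for the details.bookinfo.com service." leaves the second sentence as a fragment in both the removed and the added lines, so the reflow carries the defect through unchanged; the fix belongs in the istio/api source comment, turning the fragment into a lead-in for the WorkloadEntry that follows (for example "The following WorkloadEntry declares a VM for the details.bookinfo.com service."). In the same paragraph "wrapped in istio mutual TLS" should read "Istio mutual TLS" to match the rest of the page.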
          @@ -614,8 +614,8 @@
               app: details
               instance-id: vm2
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: WorkloadEntry
           metadata:
          @@ -638,14 +638,14 @@
               app: details
               instance-id: vm2
           
          -

          {{}}
          -{{}}

          -

          Assuming there is also a Kubernetes deployment with pod labels
          -app: details using the same service account details, the
          -following service entry declares a service spanning both VMs and
          +

          {{}} +{{}}

          +

          Assuming there is also a Kubernetes deployment with pod labels +app: details using the same service account details, the +following service entry declares a service spanning both VMs and Kubernetes:

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -663,8 +663,8 @@
               labels:
                 app: details
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -682,12 +682,12 @@
               labels:
                 app: details
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          ServiceEntry

          -

          ServiceEntry enables adding additional entries into Istio's internal
          +

          ServiceEntry enables adding additional entries into Istio's internal service registry.

          imageType string -

          The image type of the image.
          -Istio publishes default, debug, and distroless images.
          -Other values are allowed if those image types (example: centos) are published to the specified hub.
          +

          The image type of the image. +Istio publishes default, debug, and distroless images. +Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.
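Review bot: the added line ends with "supported values: default, debug, distroless." as a lowercase fragment attached to the preceding sentence, and it restates "Istio publishes default, debug, and distroless images." from two sentences earlier; either drop it or make it a proper sentence ("Supported values: default, debug, distroless.") in the source comment. This imageType field text also sits between ServiceEntry hunks in the diff as shown here, so it is worth confirming the hunk landed in the intended file.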

          @@ -704,27 +704,27 @@

          ServiceEntry

          @@ -761,8 +761,8 @@

          ServiceEntry

          @@ -774,7 +774,7 @@

          ServiceEntry

          @@ -786,9 +786,9 @@

          ServiceEntry

          @@ -800,7 +800,7 @@

          ServiceEntry

          @@ -812,11 +812,11 @@

          ServiceEntry

          @@ -828,18 +828,18 @@

          ServiceEntry

          @@ -851,11 +851,11 @@

          ServiceEntry

          @@ -868,11 +868,11 @@

          ServiceEntry

          ServiceEntry.Location

          -

          Location specifies whether the service is part of Istio mesh or
          -outside the mesh. Location determines the behavior of several
          -features, such as service-to-service mTLS authentication, policy
          -enforcement, etc. When communicating with services outside the mesh,
          -Istio's mTLS authentication is disabled, and policy enforcement is
          +

          Location specifies whether the service is part of Istio mesh or +outside the mesh. Location determines the behavior of several +features, such as service-to-service mTLS authentication, policy +enforcement, etc. When communicating with services outside the mesh, +Istio's mTLS authentication is disabled, and policy enforcement is performed on the client-side as opposed to server-side.

          hosts string[] -

          The hosts associated with the ServiceEntry. Could be a DNS
          +

          The hosts associated with the ServiceEntry. Could be a DNS name with wildcard prefix.

          1. The hosts field is used to select matching hosts in VirtualServices and DestinationRules.
          2. For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field.
          3. -
          4. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
            +
          5. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value will be matched against the hosts field.
          -

          NOTE 1: When resolution is set to type DNS and no endpoints
          -are specified, the host field will be used as the DNS name of the
          +

          NOTE 1: When resolution is set to type DNS and no endpoints +are specified, the host field will be used as the DNS name of the endpoint to route traffic to.

          -

          NOTE 2: If the hostname matches with the name of a service
          -from another service registry such as Kubernetes that also
          -supplies its own set of endpoints, the ServiceEntry will be
          -treated as a decorator of the existing Kubernetes
          -service. Properties in the service entry will be added to the
          -Kubernetes service if applicable. Currently, the only the
          +

          NOTE 2: If the hostname matches with the name of a service +from another service registry such as Kubernetes that also +supplies its own set of endpoints, the ServiceEntry will be +treated as a decorator of the existing Kubernetes +service. Properties in the service entry will be added to the +Kubernetes service if applicable. Currently, the only the following additional properties will be considered by istiod:

            -
          1. subjectAltNames: In addition to verifying the SANs of the
            -service accounts associated with the pods of the service, the
            +
          2. subjectAltNames: In addition to verifying the SANs of the +service accounts associated with the pods of the service, the SANs specified here will also be verified.
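Review bot: "Currently, the only the following additional properties will be considered by istiod" keeps a stray "the" in both the - and + versions; it should read "Currently, only the following additional properties will be considered by istiod", and because this HTML is generated the fix goes into the istio/api comment rather than into this file. In the same hunk, "For HTTPs or TLS traffic containing Server Name Indication (SNI)" should be "For HTTPS or TLS traffic", and "Could be a DNS name with wildcard prefix" reads better as "Can be a DNS name with a wildcard prefix".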
          @@ -737,19 +737,19 @@

          ServiceEntry

          addresses string[] -

          The virtual IP addresses associated with the service. Could be CIDR
          -prefix. For HTTP traffic, generated route configurations will include http route
          -domains for both the addresses and hosts field values and the destination will
          -be identified based on the HTTP Host/Authority header.
          -If one or more IP addresses are specified,
          -the incoming traffic will be identified as belonging to this service
          -if the destination IP matches the IP/CIDRs specified in the addresses
          -field. If the Addresses field is empty, traffic will be identified
          -solely based on the destination port. In such scenarios, the port on
          -which the service is being accessed must not be shared by any other
          -service in the mesh. In other words, the sidecar will behave as a
          -simple TCP proxy, forwarding incoming traffic on a specified port to
          -the specified destination endpoint IP/host. Unix domain socket
          +

          The virtual IP addresses associated with the service. Could be CIDR +prefix. For HTTP traffic, generated route configurations will include http route +domains for both the addresses and hosts field values and the destination will +be identified based on the HTTP Host/Authority header. +If one or more IP addresses are specified, +the incoming traffic will be identified as belonging to this service +if the destination IP matches the IP/CIDRs specified in the addresses +field. If the Addresses field is empty, traffic will be identified +solely based on the destination port. In such scenarios, the port on +which the service is being accessed must not be shared by any other +service in the mesh. In other words, the sidecar will behave as a +simple TCP proxy, forwarding incoming traffic on a specified port to +the specified destination endpoint IP/host. Unix domain socket addresses are not supported in this field.

          ports Port[] -

          The ports associated with the external service. If the
          -Endpoints are Unix domain socket addresses, there must be exactly one
          +

          The ports associated with the external service. If the +Endpoints are Unix domain socket addresses, there must be exactly one port.

          location Location -

          Specify whether the service should be considered external to the mesh
          +

          Specify whether the service should be considered external to the mesh or part of the mesh.

          resolution Resolution -

          Service discovery mode for the hosts. Care must be taken
          -when setting the resolution mode to NONE for a TCP port without
          -accompanying IP addresses. In such cases, traffic to any IP on
          +

          Service discovery mode for the hosts. Care must be taken +when setting the resolution mode to NONE for a TCP port without +accompanying IP addresses. In such cases, traffic to any IP on said port will be allowed (i.e. 0.0.0.0:<port>).

          endpoints WorkloadEntry[] -

          One or more endpoints associated with the service. Only one of
          +

          One or more endpoints associated with the service. Only one of endpoints or workloadSelector can be specified.

          workloadSelector WorkloadSelector -

          Applicable only for MESH_INTERNAL services. Only one of
          -endpoints or workloadSelector can be specified. Selects one
          -or more Kubernetes pods or VM workloads (specified using
          -WorkloadEntry) based on their labels. The WorkloadEntry object
          -representing the VMs should be defined in the same namespace as
          +

          Applicable only for MESH_INTERNAL services. Only one of +endpoints or workloadSelector can be specified. Selects one +or more Kubernetes pods or VM workloads (specified using +WorkloadEntry) based on their labels. The WorkloadEntry object +representing the VMs should be defined in the same namespace as the ServiceEntry.

          exportTo string[] -

          A list of namespaces to which this service is exported. Exporting a service
          -allows it to be used by sidecars, gateways and virtual services defined in
          -other namespaces. This feature provides a mechanism for service owners
          -and mesh administrators to control the visibility of services across
          +

          A list of namespaces to which this service is exported. Exporting a service +allows it to be used by sidecars, gateways and virtual services defined in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of services across namespace boundaries.

          -

          If no namespaces are specified then the service is exported to all
          +

          If no namespaces are specified then the service is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that
          -the service is declared in. Similarly the value "*" is reserved and
          +

          The value "." is reserved and defines an export to the same namespace that +the service is declared in. Similarly the value "*" is reserved and defines an export to all namespaces.

          -

          For a Kubernetes Service, the equivalent effect can be achieved by setting
          -the annotation "networking.istio.io/exportTo" to a comma-separated list
          +

          For a Kubernetes Service, the equivalent effect can be achieved by setting +the annotation "networking.istio.io/exportTo" to a comma-separated list of namespace names.

          subjectAltNames string[] -

          If specified, the proxy will verify that the server certificate's
          +

          If specified, the proxy will verify that the server certificate's subject alternate name matches one of the specified values.

          -

          NOTE: When using the workloadEntry with workloadSelectors, the
          -service account specified in the workloadEntry will also be used
          -to derive the additional subject alternate names that should be
          +

          NOTE: When using the workloadEntry with workloadSelectors, the +service account specified in the workloadEntry will also be used +to derive the additional subject alternate names that should be verified.
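Review bot: the resolution text "traffic to any IP on said port will be allowed (i.e. 0.0.0.0:<port>)" carries a literal <port>; after the switch to Goldmark it is worth a spot check in the rendered page that this still shows as text rather than being treated as an inline HTML tag (the + line here does show it intact, which is the expected result). Minor wording in the same hunk, present in both - and + lines: "Could be CIDR prefix" should be "Can be a CIDR prefix", and "If the Addresses field is empty" should use the lowercase field name "addresses" as the rest of the paragraph does.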

          @@ -886,7 +886,7 @@

          ServiceEntry.Location

          @@ -894,9 +894,9 @@

          ServiceEntry.Location

          @@ -906,14 +906,14 @@

          ServiceEntry.Location

          ServiceEntry.Resolution

          -

          Resolution determines how the proxy will resolve the IP addresses of
          -the network endpoints associated with the service, so that it can
          -route to one of them. The resolution mode specified here has no impact
          -on how the application resolves the IP address associated with the
          -service. The application may still have to use DNS to resolve the
          -service to an IP so that the outbound traffic can be captured by the
          -Proxy. Alternatively, for HTTP services, the application could
          -directly communicate with the proxy (e.g., by setting HTTP_PROXY) to
          +

          Resolution determines how the proxy will resolve the IP addresses of +the network endpoints associated with the service, so that it can +route to one of them. The resolution mode specified here has no impact +on how the application resolves the IP address associated with the +service. The application may still have to use DNS to resolve the +service to an IP so that the outbound traffic can be captured by the +Proxy. Alternatively, for HTTP services, the application could +directly communicate with the proxy (e.g., by setting HTTP_PROXY) to talk to these services.

          MESH_EXTERNAL -

          Signifies that the service is external to the mesh. Typically used
          +

          Signifies that the service is external to the mesh. Typically used to indicate external services consumed through APIs.

          MESH_INTERNAL -

          Signifies that the service is part of the mesh. Typically used to
          -indicate services added explicitly as part of expanding the service
          -mesh to include unmanaged infrastructure (e.g., VMs added to a
          +

          Signifies that the service is part of the mesh. Typically used to +indicate services added explicitly as part of expanding the service +mesh to include unmanaged infrastructure (e.g., VMs added to a Kubernetes based service mesh).

          @@ -927,11 +927,11 @@

          ServiceEntry.Resolution

          @@ -939,7 +939,7 @@

          ServiceEntry.Resolution

          @@ -947,12 +947,12 @@

          ServiceEntry.Resolution

          @@ -960,15 +960,15 @@

          ServiceEntry.Resolution

          diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html index 6db0dc95de84d..d99f4f33e37bd 100644 --- a/content/zh/docs/reference/config/networking/sidecar/index.html +++ b/content/zh/docs/reference/config/networking/sidecar/index.html @@ -10,45 +10,45 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/sidecar] number_of_entries: 7 --- -

          Sidecar describes the configuration of the sidecar proxy that mediates
          -inbound and outbound communication to the workload instance it is attached to. By
          -default, Istio will program all sidecar proxies in the mesh with the
          -necessary configuration required to reach every workload instance in the mesh, as
          -well as accept traffic on all the ports associated with the
          -workload. The Sidecar configuration provides a way to fine tune the set of
          -ports, protocols that the proxy will accept when forwarding traffic to
          -and from the workload. In addition, it is possible to restrict the set
          -of services that the proxy can reach when forwarding outbound traffic
          +

          Sidecar describes the configuration of the sidecar proxy that mediates +inbound and outbound communication to the workload instance it is attached to. By +default, Istio will program all sidecar proxies in the mesh with the +necessary configuration required to reach every workload instance in the mesh, as +well as accept traffic on all the ports associated with the +workload. The Sidecar configuration provides a way to fine tune the set of +ports, protocols that the proxy will accept when forwarding traffic to +and from the workload. In addition, it is possible to restrict the set +of services that the proxy can reach when forwarding outbound traffic from workload instances.

          -

          Services and configuration in a mesh are organized into one or more
          -namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar
          -configuration in a namespace will apply to one or more workload instances in the same
          -namespace, selected using the workloadSelector field. In the absence of a
          -workloadSelector, it will apply to all workload instances in the same
          -namespace. When determining the Sidecar configuration to be applied to a
          -workload instance, preference will be given to the resource with a
          -workloadSelector that selects this workload instance, over a Sidecar configuration
          +

          Services and configuration in a mesh are organized into one or more +namespaces (e.g., a Kubernetes namespace or a CF org/space). A Sidecar +configuration in a namespace will apply to one or more workload instances in the same +namespace, selected using the workloadSelector field. In the absence of a +workloadSelector, it will apply to all workload instances in the same +namespace. When determining the Sidecar configuration to be applied to a +workload instance, preference will be given to the resource with a +workloadSelector that selects this workload instance, over a Sidecar configuration without any workloadSelector.

          -

          NOTE 1: Each namespace can have only one Sidecar
          -configuration without any workloadSelector
          that specifies the
          -default for all pods in that namespace
          . It is recommended to use
          -the name default for the namespace-wide sidecar. The behavior of
          -the system is undefined if more than one selector-less Sidecar
          -configurations exist in a given namespace. The behavior of the
          -system is undefined if two or more Sidecar configurations with a
          +

          NOTE 1: Each namespace can have only one Sidecar +configuration without any workloadSelector that specifies the +default for all pods in that namespace. It is recommended to use +the name default for the namespace-wide sidecar. The behavior of +the system is undefined if more than one selector-less Sidecar +configurations exist in a given namespace. The behavior of the +system is undefined if two or more Sidecar configurations with a workloadSelector select the same workload instance.

          -

          NOTE 2: A Sidecar configuration in the MeshConfig
          -root namespace
          -will be applied by default to all namespaces without a Sidecar
          -configuration
          . This global default Sidecar configuration should not have
          +

          NOTE 2: A Sidecar configuration in the MeshConfig +root namespace +will be applied by default to all namespaces without a Sidecar +configuration. This global default Sidecar configuration should not have any workloadSelector.

          -

          The example below declares a global default Sidecar configuration
          -in the root namespace called istio-config, that configures
          -sidecars in all namespaces to allow egress traffic only to other
          -workloads in the same namespace as well as to services in the
          +

          The example below declares a global default Sidecar configuration +in the root namespace called istio-config, that configures +sidecars in all namespaces to allow egress traffic only to other +workloads in the same namespace as well as to services in the istio-system namespace.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Sidecar
           metadata:
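Review bot: "fine tune the set of ports, protocols that the proxy will accept" should read "fine-tune the set of ports and protocols that the proxy will accept"; the text is identical in the - and + lines, so correct it in the istio/api comment. The reflow does join the previously split NOTE 1 sentence into "configuration without any workloadSelector that specifies the default for all pods in that namespace", which is the intended outcome of the Goldmark change, so no further edit is needed there.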
          @@ -60,8 +60,8 @@
               - "./*"
               - "istio-system/*"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Sidecar
           metadata:
          @@ -73,15 +73,15 @@
               - "./*"
               - "istio-system/*"
           
          -

          {{}}
          -{{}}

          -

          The example below declares a Sidecar configuration in the
          -prod-us1 namespace that overrides the global default defined
          -above, and configures the sidecars in the namespace to allow egress
          -traffic to public services in the prod-us1, prod-apis, and the
          +

          {{}} +{{}}

          +

          The example below declares a Sidecar configuration in the +prod-us1 namespace that overrides the global default defined +above, and configures the sidecars in the namespace to allow egress +traffic to public services in the prod-us1, prod-apis, and the istio-system namespaces.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Sidecar
           metadata:
          @@ -94,8 +94,8 @@
               - "prod-apis/*"
               - "istio-system/*"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Sidecar
           metadata:
          @@ -108,18 +108,18 @@
               - "prod-apis/*"
               - "istio-system/*"
           
          -

          {{}}
          -{{}}

          -

          The following example declares a Sidecar configuration in the
          -prod-us1 namespace for all pods with labels app: ratings
          -belonging to the ratings.prod-us1 service. The workload accepts
          -inbound HTTP traffic on port 9080. The traffic is then forwarded to
          -the attached workload instance listening on a Unix domain
          -socket. In the egress direction, in addition to the istio-system
          -namespace, the sidecar proxies only HTTP traffic bound for port
          +

          {{}} +{{}}

          +

          The following example declares a Sidecar configuration in the +prod-us1 namespace for all pods with labels app: ratings +belonging to the ratings.prod-us1 service. The workload accepts +inbound HTTP traffic on port 9080. The traffic is then forwarded to +the attached workload instance listening on a Unix domain +socket. In the egress direction, in addition to the istio-system +namespace, the sidecar proxies only HTTP traffic bound for port 9080 for services in the prod-us1 namespace.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Sidecar
           metadata:
          @@ -145,8 +145,8 @@
             - hosts:
               - "istio-system/*"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Sidecar
           metadata:
          @@ -172,24 +172,24 @@
             - hosts:
               - "istio-system/*"
           
          -

          {{}}
          -{{}}

          -

          If the workload is deployed without IPTables-based traffic capture,
          -the Sidecar configuration is the only way to configure the ports
          -on the proxy attached to the workload instance. The following
          -example declares a Sidecar configuration in the prod-us1
          -namespace for all pods with labels app: productpage belonging to
          -the productpage.prod-us1 service. Assuming that these pods are
          -deployed without IPtable rules (i.e. the istio-init container)
          -and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to
          -NONE, the specification, below, allows such pods to receive HTTP
          -traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
          -it to the application listening on 127.0.0.1:8080. It also allows
          -the application to communicate with a backing MySQL database on
          -127.0.0.1:3306, that then gets proxied to the externally hosted
          +

          {{}} +{{}}

          +

          If the workload is deployed without IPTables-based traffic capture, +the Sidecar configuration is the only way to configure the ports +on the proxy attached to the workload instance. The following +example declares a Sidecar configuration in the prod-us1 +namespace for all pods with labels app: productpage belonging to +the productpage.prod-us1 service. Assuming that these pods are +deployed without IPtable rules (i.e. the istio-init container) +and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to +NONE, the specification, below, allows such pods to receive HTTP +traffic on port 9080 (wrapped inside Istio mutual TLS) and forward +it to the application listening on 127.0.0.1:8080. It also allows +the application to communicate with a backing MySQL database on +127.0.0.1:3306, that then gets proxied to the externally hosted MySQL service at mysql.foo.com:3306.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Sidecar
           metadata:
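Review bot: "IPTables-based traffic capture" and "IPtable rules" in the same paragraph use two different spellings; "iptables" is the tool's name and should be used for both in the source comment. "the specification, below, allows such pods to receive HTTP traffic" drops its commas more naturally as "the specification below allows such pods to receive HTTP traffic". Both strings are unchanged between the - and + lines, so this is an istio/api fix rather than a change to this generated file.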
          @@ -216,8 +216,8 @@
               hosts:
               - "*/mysql.foo.com"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Sidecar
           metadata:
          @@ -244,11 +244,11 @@
               hosts:
               - "*/mysql.foo.com"
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          And the associated service entry for routing to mysql.foo.com:3306

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -264,8 +264,8 @@
             location: MESH_EXTERNAL
             resolution: DNS
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -281,21 +281,21 @@
             location: MESH_EXTERNAL
             resolution: DNS
           
          -

          {{}}
          -{{}}

          -

          It is also possible to mix and match traffic capture modes in a single
          -proxy. For example, consider a setup where internal services are on the
          -192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all
          -outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an
          -additional network interface on 172.16.0.0/16 subnet for inbound
          -traffic. The following Sidecar configuration allows the VM to expose a
          -listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the
          +

          {{}} +{{}}

          +

          It is also possible to mix and match traffic capture modes in a single +proxy. For example, consider a setup where internal services are on the +192.168.0.0/16 subnet. So, IP tables are setup on the VM to capture all +outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an +additional network interface on 172.16.0.0/16 subnet for inbound +traffic. The following Sidecar configuration allows the VM to expose a +listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the 172.16.0.0/16 subnet.

          -

          NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the
          -proxy in the VM should contain REDIRECT or TPROXY as its value,
          +

          NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the +proxy in the VM should contain REDIRECT or TPROXY as its value, implying that IP tables based traffic capture is active.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Sidecar
           metadata:
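Review bot: the regenerated paragraph for the mixed capture-mode VM example still says "IP tables are setup on the VM to capture all outbound traffic"; as a verb this should be "set up" (and the tool is normally written "iptables"). Because this HTML is generated from the istio/api proto comments, the wording needs to be fixed upstream in the Sidecar comment rather than in this rendered file, otherwise the next regeneration reintroduces it.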
          @@ -322,8 +322,8 @@
               hosts:
               - "*/*"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: Sidecar
           metadata:
          @@ -350,22 +350,22 @@
               hosts:
               - "*/*"
           
          -

          {{}}
          -{{}}

          -

          The following example declares a Sidecar configuration in the
          -prod-us1 namespace for all pods with labels app: ratings
          -belonging to the ratings.prod-us1 service. The service accepts
          -inbound HTTPS traffic on port 8443 and the sidecar proxy terminates
          -one way TLS using the given server certificates.
          -The traffic is then forwarded to the attached workload instance
          -listening on a Unix domain socket.
          -It is expected that PeerAuthentication policy would be configured
          -in order to set mTLS mode to "DISABLE" on specific
          -ports.
          -In this example, the mTLS mode is disabled on PORT 80.
          +

          {{}} +{{}}

          +

          The following example declares a Sidecar configuration in the +prod-us1 namespace for all pods with labels app: ratings +belonging to the ratings.prod-us1 service. The service accepts +inbound HTTPS traffic on port 8443 and the sidecar proxy terminates +one way TLS using the given server certificates. +The traffic is then forwarded to the attached workload instance +listening on a Unix domain socket. +It is expected that PeerAuthentication policy would be configured +in order to set mTLS mode to "DISABLE" on specific +ports. +In this example, the mTLS mode is disabled on PORT 80. This feature is currently experimental.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: Sidecar
           metadata:
          @@ -386,8 +386,8 @@
                 privateKey: "/etc/certs/privatekey.pem"
                 serverCertificate: "/etc/certs/servercert.pem"
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: v1
           kind: Service
           metadata:
          @@ -403,8 +403,8 @@
             selector:
               app: ratings
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: security.istio.io/v1beta1
           kind: PeerAuthentication
           metadata:
          @@ -420,13 +420,13 @@
               80:
                 mode: DISABLE
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          Sidecar

          -

          Sidecar describes the configuration of the sidecar proxy that mediates
          -inbound and outbound communication of the workload instance to which it is
          +

          Sidecar describes the configuration of the sidecar proxy that mediates +inbound and outbound communication of the workload instance to which it is attached.

          NONE -

          Assume that incoming connections have already been resolved (to a
          -specific destination IP address). Such connections are typically
          -routed via the proxy using mechanisms such as IP table REDIRECT/
          -eBPF. After performing any routing related transformations, the
          -proxy will forward the connection to the IP address to which the
          +

          Assume that incoming connections have already been resolved (to a +specific destination IP address). Such connections are typically +routed via the proxy using mechanisms such as IP table REDIRECT/ +eBPF. After performing any routing related transformations, the +proxy will forward the connection to the IP address to which the connection was bound.

          STATIC -

          Use the static IP addresses specified in endpoints (see below) as the
          +

          Use the static IP addresses specified in endpoints (see below) as the backing instances associated with the service.

          DNS -

          Attempt to resolve the IP address by querying the ambient DNS,
          -asynchronously. If no endpoints are specified, the proxy
          -will resolve the DNS address specified in the hosts field, if
          -wildcards are not used. If endpoints are specified, the DNS
          -addresses specified in the endpoints will be resolved to determine
          -the destination IP address. DNS resolution cannot be used with Unix
          +

          Attempt to resolve the IP address by querying the ambient DNS, +asynchronously. If no endpoints are specified, the proxy +will resolve the DNS address specified in the hosts field, if +wildcards are not used. If endpoints are specified, the DNS +addresses specified in the endpoints will be resolved to determine +the destination IP address. DNS resolution cannot be used with Unix domain socket endpoints.

          DNS_ROUND_ROBIN -

          Attempt to resolve the IP address by querying the ambient DNS,
          -asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the
          -first IP address returned when a new connection needs to be initiated
          -without relying on complete results of DNS resolution, and connections
          -made to hosts will be retained even if DNS records change frequently
          -eliminating draining connection pools and connection cycling.
          -This is best suited for large web scale services that
          -must be accessed via DNS. The proxy will resolve the DNS address
          -specified in the hosts field, if wildcards are not used. DNS resolution
          +

          Attempt to resolve the IP address by querying the ambient DNS, +asynchronously. Unlike DNS, DNS_ROUND_ROBIN only uses the +first IP address returned when a new connection needs to be initiated +without relying on complete results of DNS resolution, and connections +made to hosts will be retained even if DNS records change frequently +eliminating draining connection pools and connection cycling. +This is best suited for large web scale services that +must be accessed via DNS. The proxy will resolve the DNS address +specified in the hosts field, if wildcards are not used. DNS resolution cannot be used with Unix domain socket endpoints.

          @@ -443,8 +443,8 @@

          Sidecar

          @@ -456,11 +456,11 @@

          Sidecar

          @@ -472,9 +472,9 @@

          Sidecar

          @@ -486,12 +486,12 @@

          Sidecar

          @@ -504,7 +504,7 @@

          Sidecar

          IstioIngressListener

          -

          IstioIngressListener specifies the properties of an inbound
          +

          IstioIngressListener specifies the properties of an inbound traffic listener on the sidecar proxy attached to a workload instance.

          workloadSelector WorkloadSelector -

          Criteria used to select the specific set of pods/VMs on which this
          -Sidecar configuration should be applied. If omitted, the Sidecar
          +

          Criteria used to select the specific set of pods/VMs on which this +Sidecar configuration should be applied. If omitted, the Sidecar configuration will be applied to all workload instances in the same namespace.

          ingress IstioIngressListener[] -

          Ingress specifies the configuration of the sidecar for processing
          -inbound traffic to the attached workload instance. If omitted, Istio will
          -automatically configure the sidecar based on the information about the workload
          -obtained from the orchestration platform (e.g., exposed ports, services,
          -etc.). If specified, inbound ports are configured if and only if the
          +

          Ingress specifies the configuration of the sidecar for processing +inbound traffic to the attached workload instance. If omitted, Istio will +automatically configure the sidecar based on the information about the workload +obtained from the orchestration platform (e.g., exposed ports, services, +etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.

          egress IstioEgressListener[] -

          Egress specifies the configuration of the sidecar for processing
          -outbound traffic from the attached workload instance to other
          -services in the mesh. If not specified, inherits the system
          +

          Egress specifies the configuration of the sidecar for processing +outbound traffic from the attached workload instance to other +services in the mesh. If not specified, inherits the system detected defaults from the namespace-wide or the global default Sidecar.

          outboundTrafficPolicy OutboundTrafficPolicy -

          Configuration for the outbound traffic policy. If your
          -application uses one or more external services that are not known
          -apriori, setting the policy to ALLOW_ANY will cause the
          -sidecars to route any unknown traffic originating from the
          -application to its requested destination. If not specified,
          -inherits the system detected defaults from the namespace-wide or
          +

          Configuration for the outbound traffic policy. If your +application uses one or more external services that are not known +apriori, setting the policy to ALLOW_ANY will cause the +sidecars to route any unknown traffic originating from the +application to its requested destination. If not specified, +inherits the system detected defaults from the namespace-wide or the global default Sidecar.
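Review bot: the outboundTrafficPolicy field description keeps "external services that are not known apriori"; the Latin phrase is two words, "a priori". Since the text comes from the field comment in istio/api, the correction belongs there so that this generated file picks it up on the next run.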

          @@ -532,11 +532,11 @@

          IstioIngressListener

          @@ -548,7 +548,7 @@

          IstioIngressListener

          @@ -560,13 +560,13 @@

          IstioIngressListener

          @@ -578,8 +578,8 @@

          IstioIngressListener

          @@ -592,7 +592,7 @@

          IstioIngressListener

          IstioEgressListener

          -

          IstioEgressListener specifies the properties of an outbound traffic
          +

          IstioEgressListener specifies the properties of an outbound traffic listener on the sidecar proxy attached to a workload instance.

          bind string -

          The IP(IPv4 or IPv6) to which the listener should be bound.
          -Unix domain socket addresses are not allowed in
          -the bind field for ingress listeners. If omitted, Istio will
          -automatically configure the defaults based on imported services
          -and the workload instances to which this configuration is applied
          +

          The IP(IPv4 or IPv6) to which the listener should be bound. +Unix domain socket addresses are not allowed in +the bind field for ingress listeners. If omitted, Istio will +automatically configure the defaults based on imported services +and the workload instances to which this configuration is applied to.

          captureMode CaptureMode -

          The captureMode option dictates how traffic to the listener is
          +

          The captureMode option dictates how traffic to the listener is expected to be captured (or not).

          defaultEndpoint string -

          The IP endpoint or Unix domain socket to which
          -traffic should be forwarded to. This configuration can be used to
          -redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port
          -or Unix domain socket where the application workload instance is listening for
          -connections. Arbitrary IPs are not supported. Format should be one of
          -127.0.0.1:PORT, [::1]:PORT (forward to localhost),
          -0.0.0.0:PORT, [::]:PORT (forward to the instance IP),
          +

          The IP endpoint or Unix domain socket to which +traffic should be forwarded to. This configuration can be used to +redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port +or Unix domain socket where the application workload instance is listening for +connections. Arbitrary IPs are not supported. Format should be one of +127.0.0.1:PORT, [::1]:PORT (forward to localhost), +0.0.0.0:PORT, [::]:PORT (forward to the instance IP), or unix:///path/to/socket (forward to Unix domain socket).

          tls ServerTLSSettings -

          Set of TLS related options that will enable TLS termination on the
          -sidecar for requests originating from outside the mesh.
          +

          Set of TLS related options that will enable TLS termination on the +sidecar for requests originating from outside the mesh. Currently supports only SIMPLE and MUTUAL TLS modes.
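Review bot: the bind field description in this hunk ends with "the workload instances to which this configuration is applied to." The trailing "to" is redundant with "to which"; suggest "the workload instances to which this configuration is applied." This is generated text, so the fix goes in the istio/api comment for the ingress listener bind field.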

          @@ -609,14 +609,14 @@

          IstioEgressListener

          @@ -628,12 +628,12 @@

          IstioEgressListener

          @@ -645,8 +645,8 @@

          IstioEgressListener

          @@ -658,29 +658,29 @@

          IstioEgressListener

          @@ -693,14 +693,14 @@

          IstioEgressListener

          WorkloadSelector

          -

          WorkloadSelector specifies the criteria used to determine if the
          -Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule
          -configuration can be applied to a proxy. The matching criteria
          -includes the metadata associated with a proxy, workload instance
          -info such as labels attached to the pod/VM, or any other info that
          -the proxy provides to Istio during the initial handshake. If
          -multiple conditions are specified, all conditions need to match in
          -order for the workload instance to be selected. Currently, only
          +

          WorkloadSelector specifies the criteria used to determine if the +Gateway, Sidecar, EnvoyFilter, ServiceEntry, or DestinationRule +configuration can be applied to a proxy. The matching criteria +includes the metadata associated with a proxy, workload instance +info such as labels attached to the pod/VM, or any other info that +the proxy provides to Istio during the initial handshake. If +multiple conditions are specified, all conditions need to match in +order for the workload instance to be selected. Currently, only label based selection mechanism is supported.

          port Port -

          The port associated with the listener. If using Unix domain socket,
          -use 0 as the port number, with a valid protocol. The port if
          -specified, will be used as the default destination port associated
          -with the imported hosts. If the port is omitted, Istio will infer the
          -listener ports based on the imported hosts. Note that when multiple
          -egress listeners are specified, where one or more listeners have
          -specific ports while others have no port, the hosts exposed on a
          -listener port will be based on the listener with the most specific
          +

          The port associated with the listener. If using Unix domain socket, +use 0 as the port number, with a valid protocol. The port if +specified, will be used as the default destination port associated +with the imported hosts. If the port is omitted, Istio will infer the +listener ports based on the imported hosts. Note that when multiple +egress listeners are specified, where one or more listeners have +specific ports while others have no port, the hosts exposed on a +listener port will be based on the listener with the most specific port.

          bind string -

          The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound
          -to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or
          -unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If
          -omitted, Istio will automatically configure the defaults based on imported
          -services, the workload instances to which this configuration is applied to and
          -the captureMode. If captureMode is NONE, bind will default to
          +

          The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound +to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or +unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If +omitted, Istio will automatically configure the defaults based on imported +services, the workload instances to which this configuration is applied to and +the captureMode. If captureMode is NONE, bind will default to 127.0.0.1.

          captureMode CaptureMode -

          When the bind address is an IP, the captureMode option dictates
          -how traffic to the listener is expected to be captured (or not).
          +

          When the bind address is an IP, the captureMode option dictates +how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds.

          hosts string[] -

          One or more service hosts exposed by the listener
          -in namespace/dnsName format. Services in the specified namespace
          -matching dnsName will be exposed.
          -The corresponding service can be a service in the service registry
          -(e.g., a Kubernetes or cloud foundry service) or a service specified
          -using a ServiceEntry or VirtualService configuration. Any
          +

          One or more service hosts exposed by the listener +in namespace/dnsName format. Services in the specified namespace +matching dnsName will be exposed. +The corresponding service can be a service in the service registry +(e.g., a Kubernetes or cloud foundry service) or a service specified +using a ServiceEntry or VirtualService configuration. Any associated DestinationRule in the same namespace will also be used.

          -

          The dnsName should be specified using FQDN format, optionally including
          -a wildcard character in the left-most component (e.g., prod/*.example.com).
          -Set the dnsName to * to select all services from the specified namespace
          +

          The dnsName should be specified using FQDN format, optionally including +a wildcard character in the left-most component (e.g., prod/*.example.com). +Set the dnsName to * to select all services from the specified namespace (e.g., prod/*).

          -

          The namespace can be set to *, ., or ~, representing any, the current,
          -or no namespace, respectively. For example, */foo.example.com selects the
          -service from any available namespace while ./foo.example.com only selects
          -the service from the namespace of the sidecar. If a host is set to */*,
          -Istio will configure the sidecar to be able to reach every service in the
          -mesh that is exported to the sidecar's namespace. The value ~/* can be used
          -to completely trim the configuration for sidecars that simply receive traffic
          +

          The namespace can be set to *, ., or ~, representing any, the current, +or no namespace, respectively. For example, */foo.example.com selects the +service from any available namespace while ./foo.example.com only selects +the service from the namespace of the sidecar. If a host is set to */*, +Istio will configure the sidecar to be able to reach every service in the +mesh that is exported to the sidecar's namespace. The value ~/* can be used +to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.

          -

          NOTE: Only services and configuration artifacts exported to the sidecar's
          -namespace (e.g., exportTo value of *) can be referenced.
          -Private configurations (e.g., exportTo set to .) will
          -not be available. Refer to the exportTo setting in VirtualService,
          +

          NOTE: Only services and configuration artifacts exported to the sidecar's +namespace (e.g., exportTo value of *) can be referenced. +Private configurations (e.g., exportTo set to .) will +not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.
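Review bot: two small wording issues survive the regeneration in this hunk. The egress bind field description has the same doubled preposition as the ingress one, "the workload instances to which this configuration is applied to and the captureMode" (drop the second "to"), and the hosts description writes "a Kubernetes or cloud foundry service", where the product name is "Cloud Foundry". Both should be corrected in the istio/api proto comments rather than here.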

          @@ -717,9 +717,9 @@

          WorkloadSelector

          @@ -732,14 +732,14 @@

          WorkloadSelector

          OutboundTrafficPolicy

          -

          OutboundTrafficPolicy sets the default behavior of the sidecar for
          -handling outbound traffic from the application.
          -If your application uses one or more external
          -services that are not known apriori, setting the policy to ALLOW_ANY
          -will cause the sidecars to route any unknown traffic originating from
          -the application to its requested destination. Users are strongly
          -encouraged to use ServiceEntry configurations to explicitly declare any external
          -dependencies, instead of using ALLOW_ANY, so that traffic to these
          +

          OutboundTrafficPolicy sets the default behavior of the sidecar for +handling outbound traffic from the application. +If your application uses one or more external +services that are not known apriori, setting the policy to ALLOW_ANY +will cause the sidecars to route any unknown traffic originating from +the application to its requested destination. Users are strongly +encouraged to use ServiceEntry configurations to explicitly declare any external +dependencies, instead of using ALLOW_ANY, so that traffic to these services can be monitored.

          labels map<string, string> -

          One or more labels that indicate a specific set of pods/VMs
          -on which the configuration should be applied. The scope of
          -label search is restricted to the configuration namespace in which the
          +

          One or more labels that indicate a specific set of pods/VMs +on which the configuration should be applied. The scope of +label search is restricted to the configuration namespace in which the the resource is present.
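Review bot: the labels field description now reads "restricted to the configuration namespace in which the the resource is present"; the doubled "the" comes through unchanged from the source comment. The OutboundTrafficPolicy paragraph in the same hunk also has "not known apriori" (should be "a priori"). Both are worth fixing in istio/api so this generated page stops carrying them.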

          @@ -777,7 +777,7 @@

          OutboundTrafficPolicy.Mode

          @@ -785,7 +785,7 @@

          OutboundTrafficPolicy.Mode

          @@ -795,7 +795,7 @@

          OutboundTrafficPolicy.Mode

          CaptureMode

          -

          CaptureMode describes how traffic to a listener is expected to be
          +

          CaptureMode describes how traffic to a listener is expected to be captured. Applicable only when the listener is bound to an IP.

          REGISTRY_ONLY -

          Outbound traffic will be restricted to services defined in the
          +

          Outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntry configurations.

          ALLOW_ANY -

          Outbound traffic to unknown destinations will be allowed, in case
          +

          Outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntry configurations for the destination port.

          @@ -823,10 +823,10 @@

          CaptureMode

          diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html index 3db09b79210fc..f83a8def9b936 100644 --- a/content/zh/docs/reference/config/networking/virtual-service/index.html +++ b/content/zh/docs/reference/config/networking/virtual-service/index.html @@ -10,41 +10,41 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/virtual-service] number_of_entries: 27 --- -

          Configuration affecting traffic routing. Here are a few terms useful to define
          +

          Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

          -

          Service a unit of application behavior bound to a unique name in a
          -service registry. Services consist of multiple network endpoints
          +

          Service a unit of application behavior bound to a unique name in a +service registry. Services consist of multiple network endpoints implemented by workload instances running on pods, containers, VMs etc.

          -

          Service versions (a.k.a. subsets) - In a continuous deployment
          -scenario, for a given service, there can be distinct subsets of
          -instances running different variants of the application binary. These
          -variants are not necessarily different API versions. They could be
          -iterative changes to the same service, deployed in different
          -environments (prod, staging, dev, etc.). Common scenarios where this
          -occurs include A/B testing, canary rollouts, etc. The choice of a
          -particular version can be decided based on various criterion (headers,
          -url, etc.) and/or by weights assigned to each version. Each service has
          +

          Service versions (a.k.a. subsets) - In a continuous deployment +scenario, for a given service, there can be distinct subsets of +instances running different variants of the application binary. These +variants are not necessarily different API versions. They could be +iterative changes to the same service, deployed in different +environments (prod, staging, dev, etc.). Common scenarios where this +occurs include A/B testing, canary rollouts, etc. The choice of a +particular version can be decided based on various criterion (headers, +url, etc.) and/or by weights assigned to each version. Each service has a default version consisting of all its instances.

          Source - A downstream client calling a service.

          -

          Host - The address used by a client when attempting to connect to a
          +

          Host - The address used by a client when attempting to connect to a service.

          -

          Access model - Applications address only the destination service
          -(Host) without knowledge of individual service versions (subsets). The
          -actual choice of the version is determined by the proxy/sidecar, enabling the
          -application code to decouple itself from the evolution of dependent
          +

          Access model - Applications address only the destination service +(Host) without knowledge of individual service versions (subsets). The +actual choice of the version is determined by the proxy/sidecar, enabling the +application code to decouple itself from the evolution of dependent services.

          -

          A VirtualService defines a set of traffic routing rules to apply when a host is
          -addressed. Each routing rule defines matching criteria for traffic of a specific
          -protocol. If the traffic is matched, then it is sent to a named destination service
          +

          A VirtualService defines a set of traffic routing rules to apply when a host is +addressed. Each routing rule defines matching criteria for traffic of a specific +protocol. If the traffic is matched, then it is sent to a named destination service (or subset/version of it) defined in the registry.

          -

          The source of traffic can also be matched in a routing rule. This allows routing
          +

          The source of traffic can also be matched in a routing rule. This allows routing to be customized for specific client contexts.

          -

          The following example on Kubernetes, routes all HTTP traffic by default to
          -pods of the reviews service with label "version: v1". In addition,
          -HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will
          +

          The following example on Kubernetes, routes all HTTP traffic by default to +pods of the reviews service with label "version: v1". In addition, +HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will be rewritten to /newcatalog and sent to pods with label "version: v2".

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -71,8 +71,8 @@
                   host: reviews.prod.svc.cluster.local
                   subset: v1
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -99,13 +99,13 @@
                   host: reviews.prod.svc.cluster.local
                   subset: v1
           
          -

          {{}}
          -{{}}

          -

          A subset/version of a route destination is identified with a reference
          -to a named service subset which must be declared in a corresponding
          +

          {{}} +{{}}

          +

          A subset/version of a route destination is identified with a reference +to a named service subset which must be declared in a corresponding DestinationRule.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -120,8 +120,8 @@
               labels:
                 version: v2
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -136,8 +136,8 @@
               labels:
                 version: v2
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          VirtualService

          @@ -157,29 +157,29 @@

          VirtualService

          @@ -215,10 +215,10 @@

          VirtualService

          @@ -230,14 +230,14 @@

          VirtualService

          @@ -249,8 +249,8 @@

          VirtualService

          @@ -262,15 +262,15 @@

          VirtualService

          @@ -283,26 +283,26 @@

          VirtualService

          Destination

          -

          Destination indicates the network addressable service to which the
          -request/connection will be sent after processing a routing rule. The
          -destination.host should unambiguously refer to a service in the service
          -registry. Istio's service registry is composed of all the services found
          -in the platform's service registry (e.g., Kubernetes services, Consul
          -services), as well as services declared through the
          +

          Destination indicates the network addressable service to which the +request/connection will be sent after processing a routing rule. The +destination.host should unambiguously refer to a service in the service +registry. Istio's service registry is composed of all the services found +in the platform's service registry (e.g., Kubernetes services, Consul +services), as well as services declared through the ServiceEntry resource.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews"
          -instead of "reviews.default.svc.cluster.local"), Istio will interpret
          -the short name based on the namespace of the rule, not the service. A
          -rule in the "default" namespace containing a host "reviews will be
          -interpreted as "reviews.default.svc.cluster.local", irrespective of the
          -actual namespace associated with the reviews service. To avoid potential
          -misconfigurations, it is recommended to always use fully qualified
          +

          Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews will be +interpreted as "reviews.default.svc.cluster.local", irrespective of the +actual namespace associated with the reviews service. To avoid potential +misconfigurations, it is recommended to always use fully qualified domain names over short names.

          -

          The following Kubernetes example routes all traffic by default to pods
          -of the reviews service with label "version: v1" (i.e., subset v1), and
          +

          The following Kubernetes example routes all traffic by default to pods +of the reviews service with label "version: v1" (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
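Review bot: the Kubernetes note in this hunk has an unbalanced quote in both the removed and the added text: `A +rule in the "default" namespace containing a host "reviews will be` needs a closing quote after reviews, as the same sentence already has in the VirtualService hosts description lower on this page (`a host "reviews" will be`). This HTML is generated from the istio/api comments, so the fix belongs in the Destination host comment upstream; patching the rendered file here would be undone by the next regeneration.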
          @@ -328,8 +328,8 @@ 

          Destination

          host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -355,11 +355,11 @@ 

          Destination

          host: reviews # interpreted as reviews.foo.svc.cluster.local subset: v1
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          And the associated DestinationRule

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -375,8 +375,8 @@ 

          Destination

          labels: version: v2
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -392,19 +392,19 @@ 

          Destination

          labels: version: v2
          -

          {{}}
          -{{}}

          -

          The following VirtualService sets a timeout of 5s for all calls to
          -productpage.prod.svc.cluster.local service in Kubernetes. Notice that
          -there are no subsets defined in this rule. Istio will fetch all
          -instances of productpage.prod.svc.cluster.local service from the service
          -registry and populate the sidecar's load balancing pool. Also, notice
          -that this rule is set in the istio-system namespace but uses the fully
          -qualified domain name of the productpage service,
          -productpage.prod.svc.cluster.local. Therefore the rule's namespace does
          +

          {{}} +{{}}

          +

          The following VirtualService sets a timeout of 5s for all calls to +productpage.prod.svc.cluster.local service in Kubernetes. Notice that +there are no subsets defined in this rule. Istio will fetch all +instances of productpage.prod.svc.cluster.local service from the service +registry and populate the sidecar's load balancing pool. Also, notice +that this rule is set in the istio-system namespace but uses the fully +qualified domain name of the productpage service, +productpage.prod.svc.cluster.local. Therefore the rule's namespace does not have an impact in resolving the name of the productpage service.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
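Review bot: the istio-system example in this hunk is missing the scope caveat that goes with it. The text says `the rule's namespace does not have an impact in resolving the name of the productpage service`, which is about name resolution only; with the exportTo default described later on this page (no namespaces listed means the virtual service is exported to all namespaces), a rule placed in istio-system with a fully qualified host is applied by every sidecar in the mesh that calls productpage.prod.svc.cluster.local. One sentence saying so, or an explicit exportTo in the example, would stop readers from treating the rule's namespace as a boundary. Minor: `does not have an impact in resolving` reads better as `has no impact on resolving`.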
          @@ -419,8 +419,8 @@ 

          Destination

          - destination: host: productpage.prod.svc.cluster.local
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -435,15 +435,15 @@ 

          Destination

          - destination: host: productpage.prod.svc.cluster.local
          -

          {{}}
          -{{}}

          -

          To control routing for traffic bound to services outside the mesh, external
          -services must first be added to Istio's internal service registry using the
          -ServiceEntry resource. VirtualServices can then be defined to control traffic
          -bound to these external services. For example, the following rules define a
          +

          {{}} +{{}}

          +

          To control routing for traffic bound to services outside the mesh, external +services must first be added to Istio's internal service registry using the +ServiceEntry resource. VirtualServices can then be defined to control traffic +bound to these external services. For example, the following rules define a Service for wikipedia.org and set a timeout of 5s for HTTP requests.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
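Review bot: `the following rules define a Service for wikipedia.org` names the wrong resource in the added paragraph. The example that follows is `kind: ServiceEntry`, and the same paragraph says external services `must first be added to Istio's internal service registry using the +ServiceEntry resource`, so this should read `define a ServiceEntry for wikipedia.org`.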
          @@ -471,8 +471,8 @@ 

          Destination

          - destination: host: wikipedia.org
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -500,8 +500,8 @@ 

          Destination

          - destination: host: wikipedia.org
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          NONE -

          No traffic capture. When used in an egress listener, the application is
          -expected to explicitly communicate with the listener port or Unix
          -domain socket. When used in an ingress listener, care needs to be taken
          -to ensure that the listener port is not in use by other processes on
          +

          No traffic capture. When used in an egress listener, the application is +expected to explicitly communicate with the listener port or Unix +domain socket. When used in an ingress listener, care needs to be taken +to ensure that the listener port is not in use by other processes on the host.

          hosts string[] -

          The destination hosts to which traffic is being sent. Could
          -be a DNS name with wildcard prefix or an IP address. Depending on the
          -platform, short-names can also be used instead of a FQDN (i.e. has no
          -dots in the name). In such a scenario, the FQDN of the host would be
          +

          The destination hosts to which traffic is being sent. Could +be a DNS name with wildcard prefix or an IP address. Depending on the +platform, short-names can also be used instead of a FQDN (i.e. has no +dots in the name). In such a scenario, the FQDN of the host would be derived based on the underlying platform.

          -

          A single VirtualService can be used to describe all the traffic
          -properties of the corresponding hosts, including those for multiple
          -HTTP and TCP ports. Alternatively, the traffic properties of a host
          -can be defined using more than one VirtualService, with certain
          -caveats. Refer to the
          -Operations Guide
          +

          A single VirtualService can be used to describe all the traffic +properties of the corresponding hosts, including those for multiple +HTTP and TCP ports. Alternatively, the traffic properties of a host +can be defined using more than one VirtualService, with certain +caveats. Refer to the +Operations Guide for details.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews"
          -instead of "reviews.default.svc.cluster.local"), Istio will interpret
          -the short name based on the namespace of the rule, not the service. A
          -rule in the "default" namespace containing a host "reviews" will be
          -interpreted as "reviews.default.svc.cluster.local", irrespective of
          -the actual namespace associated with the reviews service. To avoid
          -potential misconfigurations, it is recommended to always use fully
          +

          Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews" will be +interpreted as "reviews.default.svc.cluster.local", irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          -

          The hosts field applies to both HTTP and TCP services. Service inside
          -the mesh, i.e., those found in the service registry, must always be
          -referred to using their alphanumeric names. IP addresses are allowed
          +

          The hosts field applies to both HTTP and TCP services. Service inside +the mesh, i.e., those found in the service registry, must always be +referred to using their alphanumeric names. IP addresses are allowed only for services defined via the Gateway.

          Note: It must be empty for a delegate VirtualService.
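Review bot: the NONE capture-mode text (`care needs to be taken +to ensure that the listener port is not in use by other processes on the host`) warns without saying what the failure looks like when the port is already taken or how to check for it; since NONE means no traffic capture and the application `is +expected to explicitly communicate with the listener port or Unix +domain socket`, a sentence on verifying the port is free before applying the config would make the warning actionable. In the hosts description that follows, `Service inside +the mesh, i.e., those found in the service registry, must always be +referred to using their alphanumeric names` needs `Services` to agree with `those` and `their`. Also, `Note: It must be empty for a delegate VirtualService.` is tucked after the IP-address rule at the very end of the hosts text; the Delegate section and the delegate field docs later on this page do not restate it, so moving it up next to the field name would make the constraint harder to miss.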

          @@ -192,18 +192,18 @@

          VirtualService

          gateways string[] -

          The names of gateways and sidecars that should apply these routes.
          -Gateways in other namespaces may be referred to by
          -<gateway namespace>/<gateway name>; specifying a gateway with no
          -namespace qualifier is the same as specifying the VirtualService's
          -namespace. A single VirtualService is used for sidecars inside the mesh as
          -well as for one or more gateways. The selection condition imposed by this
          -field can be overridden using the source field in the match conditions
          -of protocol-specific routes. The reserved word mesh is used to imply
          -all the sidecars in the mesh. When this field is omitted, the default
          -gateway (mesh) will be used, which would apply the rule to all
          -sidecars in the mesh. If a list of gateway names is provided, the
          -rules will apply only to the gateways. To apply the rules to both
          +

          The names of gateways and sidecars that should apply these routes. +Gateways in other namespaces may be referred to by +<gateway namespace>/<gateway name>; specifying a gateway with no +namespace qualifier is the same as specifying the VirtualService's +namespace. A single VirtualService is used for sidecars inside the mesh as +well as for one or more gateways. The selection condition imposed by this +field can be overridden using the source field in the match conditions +of protocol-specific routes. The reserved word mesh is used to imply +all the sidecars in the mesh. When this field is omitted, the default +gateway (mesh) will be used, which would apply the rule to all +sidecars in the mesh. If a list of gateway names is provided, the +rules will apply only to the gateways. To apply the rules to both gateways and sidecars, specify mesh as one of the gateway names.

          http HTTPRoute[] -

          An ordered list of route rules for HTTP traffic. HTTP routes will be
          -applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway
          -ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service
          -entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching
          +

          An ordered list of route rules for HTTP traffic. HTTP routes will be +applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway +ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service +entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching an incoming request is used.

          tls TLSRoute[] -

          An ordered list of route rule for non-terminated TLS & HTTPS
          -traffic. Routing is typically performed using the SNI value presented
          -by the ClientHello message. TLS routes will be applied to platform
          -service ports named 'https-', 'tls-', unterminated gateway ports using
          -HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service
          -entry ports using HTTPS/TLS protocols. The first rule matching an
          -incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports
          -without associated virtual service will be treated as opaque TCP
          +

          An ordered list of route rule for non-terminated TLS & HTTPS +traffic. Routing is typically performed using the SNI value presented +by the ClientHello message. TLS routes will be applied to platform +service ports named 'https-', 'tls-', unterminated gateway ports using +HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service +entry ports using HTTPS/TLS protocols. The first rule matching an +incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports +without associated virtual service will be treated as opaque TCP traffic.

          tcp TCPRoute[] -

          An ordered list of route rules for opaque TCP traffic. TCP routes will
          -be applied to any port that is not a HTTP or TLS port. The first rule
          +

          An ordered list of route rules for opaque TCP traffic. TCP routes will +be applied to any port that is not a HTTP or TLS port. The first rule matching an incoming request is used.

          exportTo string[] -

          A list of namespaces to which this virtual service is exported. Exporting a
          -virtual service allows it to be used by sidecars and gateways defined in
          -other namespaces. This feature provides a mechanism for service owners
          -and mesh administrators to control the visibility of virtual services
          +

          A list of namespaces to which this virtual service is exported. Exporting a +virtual service allows it to be used by sidecars and gateways defined in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of virtual services across namespace boundaries.

          -

          If no namespaces are specified then the virtual service is exported to all
          +

          If no namespaces are specified then the virtual service is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that
          -the virtual service is declared in. Similarly the value "*" is reserved and
          +

          The value "." is reserved and defines an export to the same namespace that +the virtual service is declared in. Similarly the value "*" is reserved and defines an export to all namespaces.
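Review bot: three wording slips in this hunk, then one gap. `An ordered list of route rule for non-terminated TLS & HTTPS +traffic` should be `route rules`; `NOTE: Traffic 'https-' or 'tls-' ports +without associated virtual service` is missing `on` (`Traffic on 'https-' or 'tls-' ports`); `any port that is not a HTTP or TLS port` should be `an HTTP`. The gap: the exportTo text says `If no namespaces are specified then the virtual service is exported to all +namespaces by default`, and the gateways text says an omitted gateways field means `mesh`, that is `all the sidecars in the mesh`. Put together, a VirtualService with neither field set is picked up by every sidecar in every namespace, and nothing in either paragraph says so. A sentence pointing at the reserved value "." (`an export to the same namespace that +the virtual service is declared in`) as the way to keep a rule inside its own namespace would help service owners who read exportTo as opt-in rather than opt-out.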

          @@ -517,18 +517,18 @@

          Destination

          @@ -540,8 +540,8 @@

          Destination

          @@ -553,8 +553,8 @@

          Destination

          @@ -567,7 +567,7 @@

          Destination

          HTTPRoute

          -

          Describes match conditions and actions for routing HTTP/1.1, HTTP2, and
          +

          Describes match conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic. See VirtualService for usage examples.

          host string -

          The name of a service from the service registry. Service
          -names are looked up from the platform's service registry (e.g.,
          -Kubernetes services, Consul services, etc.) and from the hosts
          -declared by ServiceEntry. Traffic forwarded to
          +

          The name of a service from the service registry. Service +names are looked up from the platform's service registry (e.g., +Kubernetes services, Consul services, etc.) and from the hosts +declared by ServiceEntry. Traffic forwarded to destinations that are not found in either of the two, will be dropped.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews"
          -instead of "reviews.default.svc.cluster.local"), Istio will interpret
          -the short name based on the namespace of the rule, not the service. A
          -rule in the "default" namespace containing a host "reviews will be
          -interpreted as "reviews.default.svc.cluster.local", irrespective of
          -the actual namespace associated with the reviews service. To avoid
          -potential misconfiguration, it is recommended to always use fully
          +

          Note for Kubernetes users: When short names are used (e.g. "reviews" +instead of "reviews.default.svc.cluster.local"), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the "default" namespace containing a host "reviews will be +interpreted as "reviews.default.svc.cluster.local", irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfiguration, it is recommended to always use fully qualified domain names over short names.

          subset string -

          The name of a subset within the service. Applicable only to services
          -within the mesh. The subset must be defined in a corresponding
          +

          The name of a subset within the service. Applicable only to services +within the mesh. The subset must be defined in a corresponding DestinationRule.

          port PortSelector -

          Specifies the port on the host that is being addressed. If a service
          -exposes only a single port it is not required to explicitly select the
          +

          Specifies the port on the host that is being addressed. If a service +exposes only a single port it is not required to explicitly select the port.
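Review bot: the same unbalanced quote as in the earlier Destination section recurs here: `A +rule in the "default" namespace containing a host "reviews will be` needs the closing quote after reviews, and `potential misconfiguration` here versus `potential misconfigurations` above shows the two copies of this note have drifted; one upstream source for the note would be better than two. `Traffic forwarded to destinations that are not found in either of the two, will be dropped.` has a stray comma before `will`. On the port field, `If a service +exposes only a single port it is not required to explicitly select the port.` covers only the single-port case; what happens for a multi-port service with no port selected (required, or a default) is what a reader of this field needs to know.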

          @@ -584,9 +584,9 @@

          HTTPRoute

          @@ -598,9 +598,9 @@

          HTTPRoute

          @@ -612,9 +612,9 @@

          HTTPRoute

          @@ -626,9 +626,9 @@

          HTTPRoute

          @@ -640,8 +640,8 @@

          HTTPRoute

          @@ -709,8 +709,8 @@

          HTTPRoute

          @@ -722,11 +722,11 @@

          HTTPRoute

          @@ -738,8 +738,8 @@

          HTTPRoute

          @@ -751,8 +751,8 @@

          HTTPRoute

          @@ -776,8 +776,8 @@

          HTTPRoute

          Delegate

          -

          Describes the delegate VirtualService.
          -The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage,
          +

          Describes the delegate VirtualService. +The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, forward the traffic to /reviews by a delegate VirtualService named reviews.

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
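Review bot: the added sentence is a comma splice: `The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, forward the traffic to /reviews by a delegate VirtualService named reviews.` Suggest `The following routing rules forward traffic for /productpage to a delegate VirtualService named productpage, and traffic for /reviews to a delegate VirtualService named reviews.`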
          @@ -856,7 +856,7 @@ 

          Delegate

          @@ -869,15 +869,15 @@

          Delegate

          Headers

          -

          Message headers can be manipulated when Envoy forwards requests to,
          -or responses from, a destination service. Header manipulation rules can
          -be specified for a specific route destination or for all destinations.
          -The following VirtualService adds a test header with the value true
          -to requests that are routed to any reviews service destination.
          -It also removes the foo response header, but only from responses
          +

          Message headers can be manipulated when Envoy forwards requests to, +or responses from, a destination service. Header manipulation rules can +be specified for a specific route destination or for all destinations. +The following VirtualService adds a test header with the value true +to requests that are routed to any reviews service destination. +It also removes the foo response header, but only from responses coming from the v1 subset (version) of the reviews service.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -904,8 +904,8 @@ 

          Headers

          - foo weight: 75
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -932,8 +932,8 @@ 

          Headers

          - foo weight: 75
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          name string -

          The name assigned to the route for debugging purposes. The
          -route's name will be concatenated with the match's name and will
          -be logged in the access logs for requests matching this
          +

          The name assigned to the route for debugging purposes. The +route's name will be concatenated with the match's name and will +be logged in the access logs for requests matching this route/match.

          match HTTPMatchRequest[] -

          Match conditions to be satisfied for the rule to be
          -activated. All conditions inside a single match block have AND
          -semantics, while the list of match blocks have OR semantics. The rule
          +

          Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

          route HTTPRouteDestination[] -

          A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
          -The forwarding target can be one of several versions of a service (see
          -glossary in beginning of document). Weights associated with the
          +

          A HTTP rule can either return a direct_response, redirect or forward (default) traffic. +The forwarding target can be one of several versions of a service (see +glossary in beginning of document). Weights associated with the service version determine the proportion of traffic it receives.

          redirect HTTPRedirect -

          A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
          -If traffic passthrough option is specified in the rule,
          -route/redirect will be ignored. The redirect primitive can be used to
          +

          A HTTP rule can either return a direct_response, redirect or forward (default) traffic. +If traffic passthrough option is specified in the rule, +route/redirect will be ignored. The redirect primitive can be used to send a HTTP 301 redirect to a different URI or Authority.

          directResponse HTTPDirectResponse -

          A HTTP rule can either return a direct_response, redirect or forward (default) traffic.
          -Direct Response is used to specify a fixed response that should
          +

          A HTTP rule can either return a direct_response, redirect or forward (default) traffic. +Direct Response is used to specify a fixed response that should be sent to clients.

          It can be set only when Route and Redirect are empty.
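Review bot: `A HTTP rule can either return a direct_response, redirect or forward (default) traffic.` opens the route, redirect and directResponse descriptions verbatim, and each copy needs `An HTTP rule`; `send a HTTP 301 redirect` likewise wants `an HTTP 301`, and `The rule is matched if any one of the match blocks succeed` wants `succeeds` (the same sentence is reused for the TLS and TCP match fields later on this page). More substantively, the redirect text says `If traffic passthrough option is specified in the rule, +route/redirect will be ignored`, but no passthrough option appears among the HTTPRoute fields documented on this page, so either name the field that sentence refers to or drop it.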

          @@ -654,15 +654,15 @@

          HTTPRoute

          delegate Delegate -

          Delegate is used to specify the particular VirtualService which
          +

          Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute.

          -

          It can be set only when Route and Redirect are empty, and the route
          -rules of the delegate VirtualService will be merged with that in the
          +

          It can be set only when Route and Redirect are empty, and the route +rules of the delegate VirtualService will be merged with that in the current one.

          NOTE:

          1. Only one level delegation is supported.
          2. -
          3. The delegate's HTTPMatchRequest must be a strict subset of the root's,
            +
          4. The delegate's HTTPMatchRequest must be a strict subset of the root's, otherwise there is a conflict and the HTTPRoute will not take effect.
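Review bot: the delegate constraint `It can be set only when Route and Redirect are empty` does not mention DirectResponse, while the directResponse field just above carries the identical wording; as written a reader cannot tell whether delegate and directResponse may be combined, and the answer should be stated in both places. In the NOTE list, `Only one level delegation is supported.` should be `Only one level of delegation is supported.`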
          @@ -675,7 +675,7 @@

          HTTPRoute

          rewrite HTTPRewrite -

          Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with
          +

          Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with Redirect primitive. Rewrite will be performed before forwarding.

          fault HTTPFaultInjection -

          Fault injection policy to apply on HTTP traffic at the client side.
          -Note that timeouts or retries will not be enabled when faults are
          +

          Fault injection policy to apply on HTTP traffic at the client side. +Note that timeouts or retries will not be enabled when faults are enabled on the client side.

          mirror Destination -

          Mirror HTTP traffic to a another destination in addition to forwarding
          -the requests to the intended destination. Mirrored traffic is on a
          -best effort basis where the sidecar/gateway will not wait for the
          -mirrored cluster to respond before returning the response from the
          -original destination. Statistics will be generated for the mirrored
          +

          Mirror HTTP traffic to a another destination in addition to forwarding +the requests to the intended destination. Mirrored traffic is on a +best effort basis where the sidecar/gateway will not wait for the +mirrored cluster to respond before returning the response from the +original destination. Statistics will be generated for the mirrored destination.

          mirrorPercentage Percent -

          Percentage of the traffic to be mirrored by the mirror field.
          -If this field is absent, all the traffic (100%) will be mirrored.
          +

          Percentage of the traffic to be mirrored by the mirror field. +If this field is absent, all the traffic (100%) will be mirrored. Max value is 100.

          corsPolicy CorsPolicy -

          Cross-Origin Resource Sharing policy (CORS). Refer to
          -CORS
          +

          Cross-Origin Resource Sharing policy (CORS). Refer to +CORS for further details about cross origin resource sharing.

          namespace string -

          Namespace specifies the namespace where the delegate VirtualService resides.
          +

          Namespace specifies the namespace where the delegate VirtualService resides. By default, it is same to the root's.
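Review bot: `Mirror HTTP traffic to a another destination` has a doubled article, and `By default, it is same to the root's.` should read `By default, it is the same as the root's.` On the mirror paragraph, what the mirrored request contains and how the mirror target can tell a mirrored request from a real one is not said anywhere in it; `Mirrored traffic is on a +best effort basis` and `Statistics will be generated for the mirrored +destination` describe delivery and metrics only, and someone choosing a mirror target for a service that handles credentials needs that stated rather than inferred.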

          @@ -949,7 +949,7 @@

          Headers

          @@ -961,7 +961,7 @@

          Headers

          @@ -974,12 +974,12 @@

          Headers

          TLSRoute

          -

          Describes match conditions and actions for routing unterminated TLS
          -traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS
          -traffic arriving at port 443 of gateway called "mygateway" to internal
          +

          Describes match conditions and actions for routing unterminated TLS +traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS +traffic arriving at port 443 of gateway called "mygateway" to internal services in the mesh based on the SNI value.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
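Review bot: missing sentence break in the added paragraph: `routing unterminated TLS +traffic (TLS/HTTPS) The following routing rule` needs a period after `(TLS/HTTPS)`. The description would also be stronger if it repeated what the tls field text above says about the match key, namely that routing uses `the SNI value presented +by the ClientHello message`: the example forwards unterminated traffic `to internal services in the mesh based on the SNI value`, and a reader should see that the value being routed on is supplied by the client in the ClientHello of a session the gateway does not terminate.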
          @@ -1005,8 +1005,8 @@ 

          TLSRoute

          - destination: host: reviews.prod.svc.cluster.local
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -1032,8 +1032,8 @@ 

          TLSRoute

          - destination: host: reviews.prod.svc.cluster.local
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          request HeaderOperations -

          Header manipulation rules to apply before forwarding a request
          +

          Header manipulation rules to apply before forwarding a request to the destination service

          response HeaderOperations -

          Header manipulation rules to apply before returning a response
          +

          Header manipulation rules to apply before returning a response to the caller
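Review bot: both field descriptions in this hunk end without a period (`to the destination service`, `to the caller`); every other field description on this page closes with one.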

          @@ -1049,9 +1049,9 @@

          TLSRoute

          @@ -1075,11 +1075,11 @@

          TLSRoute

          TCPRoute

          -

          Describes match conditions and actions for routing TCP traffic. The
          -following routing rule forwards traffic arriving at port 27017 for
          +

          Describes match conditions and actions for routing TCP traffic. The +following routing rule forwards traffic arriving at port 27017 for mongo.prod.svc.cluster.local to another Mongo server on port 5555.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -1096,8 +1096,8 @@ 

          TCPRoute

          port: number: 5555
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -1114,8 +1114,8 @@ 

          TCPRoute

          port: number: 5555
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          match TLSMatchAttributes[] -

          Match conditions to be satisfied for the rule to be
          -activated. All conditions inside a single match block have AND
          -semantics, while the list of match blocks have OR semantics. The rule
          +

          Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

          @@ -1131,9 +1131,9 @@

          TCPRoute

          @@ -1157,13 +1157,13 @@

          TCPRoute

          HTTPMatchRequest

          -

          HttpMatchRequest specifies a set of criterion to be met in order for the
          -rule to be applied to the HTTP request. For example, the following
          -restricts the rule to match only requests where the URL path
          -starts with /ratings/v2/ and the request contains a custom end-user header
          +

          HttpMatchRequest specifies a set of criterion to be met in order for the +rule to be applied to the HTTP request. For example, the following +restricts the rule to match only requests where the URL path +starts with /ratings/v2/ and the request contains a custom end-user header with value jason.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
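Review bot: `HttpMatchRequest specifies a set of criterion` should be `a set of criteria`, and the type is named HTTPMatchRequest everywhere else on this page, so the prose should use that casing. The example matches `the request contains a custom end-user header +with value jason`; since the text presents it as a routing example, a clause noting that the match is on a header value the caller sends would keep the pattern from being copied into an access-control decision.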
          @@ -1183,8 +1183,8 @@ 

          HTTPMatchRequest

          - destination: host: ratings.prod.svc.cluster.local
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -1204,9 +1204,9 @@ 

          HTTPMatchRequest

          - destination: host: ratings.prod.svc.cluster.local
          -

          {{}}
          -{{}}

          -

          HTTPMatchRequest CANNOT be empty.
          +

          {{}} +{{}}

          +

          HTTPMatchRequest CANNOT be empty. Note: No regex string match can be set when delegate VirtualService is specified.

          match L4MatchAttributes[] -

          Match conditions to be satisfied for the rule to be
          -activated. All conditions inside a single match block have AND
          -semantics, while the list of match blocks have OR semantics. The rule
          +

          Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.

          @@ -1223,8 +1223,8 @@

          HTTPMatchRequest

          @@ -1236,7 +1236,7 @@

          HTTPMatchRequest

          @@ -1261,7 +1261,7 @@

          HTTPMatchRequest

          @@ -1356,8 +1356,8 @@

          HTTPMatchRequest

          @@ -1369,9 +1369,9 @@

          HTTPMatchRequest

          @@ -1383,8 +1383,8 @@

          HTTPMatchRequest

          @@ -1400,16 +1400,16 @@

          HTTPMatchRequest

          Ex:

          • -

            For a query parameter like "?key=true", the map key would be "key" and
            +

            For a query parameter like "?key=true", the map key would be "key" and the string match could be defined as exact: "true".

          • -

            For a query parameter like "?key", the map key would be "key" and the
            +

            For a query parameter like "?key", the map key would be "key" and the string match could be defined as exact: "".

          • -

            For a query parameter like "?key=123", the map key would be "key" and the
            -string match could be defined as regex: "\d+$". Note that this
            +

            For a query parameter like "?key=123", the map key would be "key" and the +string match could be defined as regex: "\d+$". Note that this configuration will only match values like "123" but not "a123" or "123a".

          @@ -1425,7 +1425,7 @@

          HTTPMatchRequest

          @@ -1437,7 +1437,7 @@

          HTTPMatchRequest

          @@ -1449,8 +1449,8 @@

          HTTPMatchRequest

          @@ -1462,11 +1462,11 @@

          HTTPMatchRequest

          @@ -1479,14 +1479,14 @@

          HTTPMatchRequest

          HTTPRouteDestination

          -

          Each routing rule is associated with one or more service versions (see
          -glossary in beginning of document). Weights associated with the version
          -determine the proportion of traffic it receives. For example, the
          -following rule will route 25% of traffic for the "reviews" service to
          -instances with the "v2" tag and the remaining traffic (i.e., 75%) to
          +

          Each routing rule is associated with one or more service versions (see +glossary in beginning of document). Weights associated with the version +determine the proportion of traffic it receives. For example, the +following rule will route 25% of traffic for the "reviews" service to +instances with the "v2" tag and the remaining traffic (i.e., 75%) to "v1".

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -1505,8 +1505,8 @@ 

          HTTPRouteDestination

          subset: v1 weight: 75
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -1525,11 +1525,11 @@ 

          HTTPRouteDestination

          subset: v1 weight: 75
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          And the associated DestinationRule

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: DestinationRule
           metadata:
          @@ -1544,8 +1544,8 @@ 

          HTTPRouteDestination

          labels: version: v2
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: DestinationRule
           metadata:
          @@ -1560,13 +1560,13 @@ 

          HTTPRouteDestination

          labels: version: v2
          -

          {{}}
          -{{}}

          -

          Traffic can also be split across two entirely different services without
          -having to define new subsets. For example, the following rule forwards 25% of
          +

          {{}} +{{}}

          +

          Traffic can also be split across two entirely different services without +having to define new subsets. For example, the following rule forwards 25% of traffic to reviews.com to dev.reviews.com

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -1583,8 +1583,8 @@ 

          HTTPRouteDestination

          host: reviews.com weight: 75
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -1601,8 +1601,8 @@ 

          HTTPRouteDestination

          host: reviews.com weight: 75
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          name string -

          The name assigned to a match. The match's name will be
          -concatenated with the parent route's name and will be logged in
          +

          The name assigned to a match. The match's name will be +concatenated with the parent route's name and will be logged in the access logs for requests matching this route.

          uri StringMatch -

          URI to match
          +

          URI to match values are case-sensitive and formatted as follows:

          -

          Note: Case-insensitive matching could be enabled via the
          +

          Note: Case-insensitive matching could be enabled via the ignore_uri_case flag.

          scheme StringMatch -

          URI Scheme
          +

          URI Scheme values are case-sensitive and formatted as follows:

          • @@ -1284,7 +1284,7 @@

            HTTPMatchRequest

          method StringMatch -

          HTTP Method
          +

          HTTP Method values are case-sensitive and formatted as follows:

          • @@ -1307,7 +1307,7 @@

            HTTPMatchRequest

          authority StringMatch -

          HTTP Authority
          +

          HTTP Authority values are case-sensitive and formatted as follows:

          • @@ -1330,7 +1330,7 @@

            HTTPMatchRequest

          headers map<string, StringMatch> -

          The header keys must be lowercase and use hyphen as the separator,
          +

          The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id.

          Header values are case-sensitive and formatted as follows:

          -

          If the value is empty and only the name of header is specfied, presence of the header is checked.
          +

          If the value is empty and only the name of header is specfied, presence of the header is checked. Note: The keys uri, scheme, method, and authority will be ignored.

          port uint32 -

          Specifies the ports on the host that is being addressed. Many services
          -only expose a single port or label ports with the protocols they support,
          +

          Specifies the ports on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

          sourceLabels map<string, string> -

          One or more labels that constrain the applicability of a rule to source (client) workloads
          -with the given labels. If the VirtualService has a list of gateways specified
          -in the top-level gateways field, it must include the reserved gateway
          +

          One or more labels that constrain the applicability of a rule to source (client) workloads +with the given labels. If the VirtualService has a list of gateways specified +in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

          gateways string[] -

          Names of gateways where the rule should be applied. Gateway names
          -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
          +

          Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

          bool

          Flag to specify whether the URI matching should be case-insensitive.

          -

          Note: The case will be ignored only in the case of exact and prefix
          +

          Note: The case will be ignored only in the case of exact and prefix URI matches.

          withoutHeaders map<string, StringMatch> -

          withoutHeader has the same syntax with the header, but has opposite meaning.
          +

          withoutHeader has the same syntax with the header, but has opposite meaning. If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

          sourceNamespace string -

          Source namespace constraining the applicability of a rule to workloads in that namespace.
          -If the VirtualService has a list of gateways specified in the top-level gateways field,
          +

          Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

          statPrefix string -

          The human readable prefix to use when emitting statistics for this route.
          -The statistics are generated with prefix route.<stat_prefix>.
          -This should be set for highly critical routes that one wishes to get "per-route" statistics on.
          -This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics.
          -Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix
          +

          The human readable prefix to use when emitting statistics for this route. +The statistics are generated with prefix route.<stat_prefix>. +This should be set for highly critical routes that one wishes to get "per-route" statistics on. +This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics. +Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix for statistics that are generated when this is configured.
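Review bot: The row rendered as just `bool` in this hunk has lost its field name; every other row follows the `name type -` pattern (e.g. `withoutHeaders map<string, StringMatch> -`), and the preceding `uri` note refers to this flag as `ignore_uri_case`, so check that the ignoreUriCase name was not dropped by the new rendering and use the camelCase name in the `uri` note to match the table. Two smaller nits in the same hunk: "specfied" in the `headers` description should be "specified", and the `withoutHeaders` sentence "If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one" reads better as "If a header matches any rule in withoutHeaders, the request does not match the route".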

          @@ -1618,7 +1618,7 @@

          HTTPRouteDestination

          @@ -1630,8 +1630,8 @@

          HTTPRouteDestination

          @@ -1671,7 +1671,7 @@

          RouteDestination

          @@ -1683,8 +1683,8 @@

          RouteDestination

          @@ -1697,7 +1697,7 @@

          RouteDestination

          L4MatchAttributes

          -

          L4 connection match attributes. Note that L4 connection matching support
          +

          L4 connection match attributes. Note that L4 connection matching support is incomplete.

          destination Destination -

          Destination uniquely identifies the instances of a service
          +

          Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

          weight int32 -

          Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
          -If there is only one destination in a rule, it will receive all traffic.
          +

          Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. +If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.

          destination Destination -

          Destination uniquely identifies the instances of a service
          +

          Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.

          weight int32 -

          Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests.
          -If there is only one destination in a rule, it will receive all traffic.
          +

          Weight specifies the relative proportion of traffic to be forwarded to the destination. A destination will receive weight/(sum of all weights) requests. +If there is only one destination in a rule, it will receive all traffic. Otherwise, if weight is 0, the destination will not receive any traffic.

          @@ -1714,7 +1714,7 @@

          L4MatchAttributes

          @@ -1726,8 +1726,8 @@

          L4MatchAttributes

          @@ -1739,9 +1739,9 @@

          L4MatchAttributes

          @@ -1753,8 +1753,8 @@

          L4MatchAttributes

          @@ -1766,8 +1766,8 @@

          L4MatchAttributes

          @@ -1796,9 +1796,9 @@

          TLSMatchAttributes

          @@ -1810,7 +1810,7 @@

          TLSMatchAttributes

          @@ -1822,9 +1822,9 @@

          TLSMatchAttributes

          @@ -1836,9 +1836,9 @@

          TLSMatchAttributes

          @@ -1850,8 +1850,8 @@

          TLSMatchAttributes

          @@ -1863,8 +1863,8 @@

          TLSMatchAttributes

          @@ -1877,13 +1877,13 @@

          TLSMatchAttributes

          HTTPRedirect

          -

          HTTPRedirect can be used to send a 301 redirect response to the caller,
          -where the Authority/Host and the URI in the response can be swapped with
          -the specified values. For example, the following rule redirects
          -requests for /v1/getProductRatings API on the ratings service to
          +

          HTTPRedirect can be used to send a 301 redirect response to the caller, +where the Authority/Host and the URI in the response can be swapped with +the specified values. For example, the following rule redirects +requests for /v1/getProductRatings API on the ratings service to /v1/bookRatings provided by the bookratings service.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -1900,8 +1900,8 @@ 

          HTTPRedirect

          authority: newratings.default.svc.cluster.local ...
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -1918,8 +1918,8 @@ 

          HTTPRedirect

          authority: newratings.default.svc.cluster.local ...
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          destinationSubnets string[] -

          IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
          +

          IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

          port uint32 -

          Specifies the port on the host that is being addressed. Many services
          -only expose a single port or label ports with the protocols they support,
          +

          Specifies the port on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.

          sourceLabels map<string, string> -

          One or more labels that constrain the applicability of a rule to
          -workloads with the given labels. If the VirtualService has a list of
          -gateways specified in the top-level gateways field, it should include the reserved gateway
          +

          One or more labels that constrain the applicability of a rule to +workloads with the given labels. If the VirtualService has a list of +gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

          gateways string[] -

          Names of gateways where the rule should be applied. Gateway names
          -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
          +

          Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

          sourceNamespace string -

          Source namespace constraining the applicability of a rule to workloads in that namespace.
          -If the VirtualService has a list of gateways specified in the top-level gateways field,
          +

          Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

          sniHosts string[] -

          SNI (server name indicator) to match on. Wildcard prefixes
          -can be used in the SNI value, e.g., *.com will match foo.example.com
          -as well as example.com. An SNI value must be a subset (i.e., fall
          +

          SNI (server name indicator) to match on. Wildcard prefixes +can be used in the SNI value, e.g., *.com will match foo.example.com +as well as example.com. An SNI value must be a subset (i.e., fall within the domain) of the corresponding virtual serivce's hosts.

          destinationSubnets string[] -

          IPv4 or IPv6 ip addresses of destination with optional subnet. E.g.,
          +

          IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.

          port uint32 -

          Specifies the port on the host that is being addressed. Many services
          -only expose a single port or label ports with the protocols they
          -support, in these cases it is not required to explicitly select the
          +

          Specifies the port on the host that is being addressed. Many services +only expose a single port or label ports with the protocols they +support, in these cases it is not required to explicitly select the port.

          sourceLabels map<string, string> -

          One or more labels that constrain the applicability of a rule to
          -workloads with the given labels. If the VirtualService has a list of
          -gateways specified in the top-level gateways field, it should include the reserved gateway
          +

          One or more labels that constrain the applicability of a rule to +workloads with the given labels. If the VirtualService has a list of +gateways specified in the top-level gateways field, it should include the reserved gateway mesh in order for this field to be applicable.

          gateways string[] -

          Names of gateways where the rule should be applied. Gateway names
          -in the top-level gateways field of the VirtualService (if any) are overridden. The gateway
          +

          Names of gateways where the rule should be applied. Gateway names +in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

          sourceNamespace string -

          Source namespace constraining the applicability of a rule to workloads in that namespace.
          -If the VirtualService has a list of gateways specified in the top-level gateways field,
          +

          Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.
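Review bot: Two consistency issues in the reflowed L4/TLS match fields. "virtual serivce's hosts" in the `sniHosts` description should be "virtual service's hosts". The `sourceLabels` text here says the top-level gateways list "should include the reserved gateway mesh", whereas the HTTPMatchRequest `sourceLabels` row and every `sourceNamespace` row in this patch say it "must include" it; the behaviour is the same in all three places, so use one wording (must) throughout.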

          @@ -1935,8 +1935,8 @@

          HTTPRedirect

          @@ -1948,7 +1948,7 @@

          HTTPRedirect

          @@ -1986,9 +1986,9 @@

          HTTPRedirect

          @@ -2000,7 +2000,7 @@

          HTTPRedirect

          @@ -2013,11 +2013,11 @@

          HTTPRedirect

          HTTPDirectResponse

          -

          HTTPDirectResponse can be used to send a fixed response to clients.
          -For example, the following rule returns a fixed 503 status with a body
          +

          HTTPDirectResponse can be used to send a fixed response to clients. +For example, the following rule returns a fixed 503 status with a body to requests for /v1/getProductRatings API.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2035,8 +2035,8 @@ 

          HTTPDirectResponse

          string: "unknown error" ...
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -2054,12 +2054,12 @@ 

          HTTPDirectResponse

          string: "unknown error" ...
          -

          {{}}
          -{{}}

          -

          It is also possible to specify a binary response body.
          +

          {{}} +{{}}

          +

          It is also possible to specify a binary response body. This is mostly useful for non text-based protocols such as gRPC.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2077,8 +2077,8 @@ 

          HTTPDirectResponse

          bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -2096,13 +2096,13 @@ 

          HTTPDirectResponse

          bytes: "dW5rbm93biBlcnJvcg==" # "unknown error" in base64 ...
          -

          {{}}
          -{{}}

          -

          It is good practice to add headers in the HTTPRoute
          -as well as the direct_response, for example to specify
          +

          {{}} +{{}}

          +

          It is good practice to add headers in the HTTPRoute +as well as the direct_response, for example to specify the returned Content-Type.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2124,8 +2124,8 @@ 

          HTTPDirectResponse

          content-type: "appliation/json" ...
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
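Review bot: The `content-type: "appliation/json"` value in the HTTPDirectResponse headers example misspells the media type; it should be `application/json`. The paragraph introducing this example tells readers to set the returned Content-Type this way, so the typo is exactly what they will copy; fix it in the source comment so both the v1alpha3 and v1beta1 tabs pick up the correction.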
          @@ -2147,8 +2147,8 @@ 

          HTTPDirectResponse

          content-type: "text/plain" ...
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          uri string -

          On a redirect, overwrite the Path portion of the URL with this
          -value. Note that the entire path will be replaced, irrespective of the
          +

          On a redirect, overwrite the Path portion of the URL with this +value. Note that the entire path will be replaced, irrespective of the request URI being matched as an exact path or prefix.

          authority string -

          On a redirect, overwrite the Authority/Host portion of the URL with
          +

          On a redirect, overwrite the Authority/Host portion of the URL with this value.

          scheme string -

          On a redirect, overwrite the scheme portion of the URL with this value.
          -For example, http or https.
          -If unset, the original scheme will be used.
          +

          On a redirect, overwrite the scheme portion of the URL with this value. +For example, http or https. +If unset, the original scheme will be used. If derivePort is set to FROM_PROTOCOL_DEFAULT, this will impact the port used as well

          redirectCode uint32 -

          On a redirect, Specifies the HTTP status code to use in the redirect
          +

          On a redirect, Specifies the HTTP status code to use in the redirect response. The default response code is MOVED_PERMANENTLY (301).
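Review bot: The `+` line for `scheme` ends without a full stop after "this will impact the port used as well", and the `redirectCode` description has a mid-sentence capital ("On a redirect, Specifies the HTTP status code"). Since this hunk rewrites both sentences anyway, add the period and lowercase "specifies".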

          @@ -2175,7 +2175,7 @@

          HTTPDirectResponse

          @@ -2225,13 +2225,13 @@

          HTTPBody

          HTTPRewrite

          -

          HTTPRewrite can be used to rewrite specific parts of a HTTP request
          -before forwarding the request to the destination. Rewrite primitive can
          -be used only with HTTPRouteDestination. The following example
          -demonstrates how to rewrite the URL prefix for api call (/ratings) to
          +

          HTTPRewrite can be used to rewrite specific parts of a HTTP request +before forwarding the request to the destination. Rewrite primitive can +be used only with HTTPRouteDestination. The following example +demonstrates how to rewrite the URL prefix for api call (/ratings) to ratings service before making the actual API call.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2250,8 +2250,8 @@ 

          HTTPRewrite

          host: ratings.prod.svc.cluster.local subset: v1
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -2270,8 +2270,8 @@ 

          HTTPRewrite

          host: ratings.prod.svc.cluster.local subset: v1
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          body HTTPBody -

          Specifies the content of the response body. If this setting is omitted,
          +

          Specifies the content of the response body. If this setting is omitted, no body is included in the generated response.

          @@ -2287,8 +2287,8 @@

          HTTPRewrite

          @@ -2312,7 +2312,7 @@

          HTTPRewrite

          StringMatch

          -

          Describes how to match a given string in HTTP headers. Match is
          +

          Describes how to match a given string in HTTP headers. Match is case-sensitive.

          uri string -

          rewrite the path (or the prefix) portion of the URI with this
          -value. If the original URI was matched based on prefix, the value
          +

          rewrite the path (or the prefix) portion of the URI with this +value. If the original URI was matched based on prefix, the value provided in this field will replace the corresponding matched prefix.

          @@ -2363,13 +2363,13 @@

          StringMatch

          HTTPRetry

          -

          Describes the retry policy to use when a HTTP request fails. For
          -example, the following rule sets the maximum number of retries to 3 when
          -calling ratings:v1 service, with a 2s timeout per retry attempt.
          -A retry will be attempted if there is a connect-failure, refused_stream
          +

          Describes the retry policy to use when a HTTP request fails. For +example, the following rule sets the maximum number of retries to 3 when +calling ratings:v1 service, with a 2s timeout per retry attempt. +A retry will be attempted if there is a connect-failure, refused_stream or when the upstream server responds with Service Unavailable(503).

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2387,8 +2387,8 @@ 

          HTTPRetry

          perTryTimeout: 2s retryOn: connect-failure,refused-stream,503
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -2406,8 +2406,8 @@ 

          HTTPRetry

          perTryTimeout: 2s retryOn: gateway-error,connect-failure,refused-stream
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          @@ -2423,10 +2423,10 @@

          HTTPRetry

          @@ -2438,9 +2438,9 @@

          HTTPRetry

          @@ -2452,10 +2452,10 @@

          HTTPRetry

          @@ -2467,7 +2467,7 @@

          HTTPRetry

          @@ -2480,15 +2480,15 @@

          HTTPRetry

          CorsPolicy

          -

          Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
          -service. Refer to CORS
          -for further details about cross origin resource sharing. For example,
          -the following rule restricts cross origin requests to those originating
          -from example.com domain using HTTP POST/GET, and sets the
          -Access-Control-Allow-Credentials header to false. In addition, it only
          +

          Describes the Cross-Origin Resource Sharing (CORS) policy, for a given +service. Refer to CORS +for further details about cross origin resource sharing. For example, +the following rule restricts cross origin requests to those originating +from example.com domain using HTTP POST/GET, and sets the +Access-Control-Allow-Credentials header to false. In addition, it only exposes X-Foo-bar header and sets an expiry period of 1 day.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2512,8 +2512,8 @@ 

          CorsPolicy

          - X-Foo-Bar maxAge: "24h"
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -2537,8 +2537,8 @@ 

          CorsPolicy

          - X-Foo-Bar maxAge: "24h"
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          attempts int32 -

          Number of retries to be allowed for a given request. The interval
          -between retries will be determined automatically (25ms+). When request
          -timeout of the HTTP route
          -or per_try_timeout is configured, the actual number of retries attempted also depends on
          +

          Number of retries to be allowed for a given request. The interval +between retries will be determined automatically (25ms+). When request +timeout of the HTTP route +or per_try_timeout is configured, the actual number of retries attempted also depends on the specified request timeout and per_try_timeout values.

          perTryTimeout Duration -

          Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms.
          -Default is same value as request
          -timeout of the HTTP route,
          +

          Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms. +Default is same value as request +timeout of the HTTP route, which means no timeout.

          retryOn string -

          Specifies the conditions under which retry takes place.
          -One or more policies can be specified using a ‘,’ delimited list.
          -If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy.
          -See the retry policies
          +

          Specifies the conditions under which retry takes place. +One or more policies can be specified using a ‘,’ delimited list. +If retry_on specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. +See the retry policies and gRPC retry policies for more details.

          retryRemoteLocalities BoolValue -

          Flag to specify whether the retries should retry to other localities.
          +

          Flag to specify whether the retries should retry to other localities. See the retry plugin configuration for more details.

          @@ -2554,8 +2554,8 @@

          CorsPolicy

          @@ -2567,7 +2567,7 @@

          CorsPolicy

          @@ -2579,7 +2579,7 @@

          CorsPolicy

          @@ -2591,7 +2591,7 @@

          CorsPolicy

          @@ -2603,7 +2603,7 @@

          CorsPolicy

          @@ -2615,8 +2615,8 @@

          CorsPolicy

          @@ -2629,12 +2629,12 @@

          CorsPolicy

          HTTPFaultInjection

          -

          HTTPFaultInjection can be used to specify one or more faults to inject
          -while forwarding HTTP requests to the destination specified in a route.
          -Fault specification is part of a VirtualService rule. Faults include
          -aborting the Http request from downstream service, and/or delaying
          +

          HTTPFaultInjection can be used to specify one or more faults to inject +while forwarding HTTP requests to the destination specified in a route. +Fault specification is part of a VirtualService rule. Faults include +aborting the Http request from downstream service, and/or delaying proxying of requests. A fault rule MUST HAVE delay or abort or both.

          -

          Note: Delay and abort faults are independent of one another, even if
          +

          Note: Delay and abort faults are independent of one another, even if both are specified simultaneously.

          allowOrigins StringMatch[] -

          String patterns that match allowed origins.
          -An origin is allowed if any of the string matchers match.
          +

          String patterns that match allowed origins. +An origin is allowed if any of the string matchers match. If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

          allowMethods string[] -

          List of HTTP methods allowed to access the resource. The content will
          +

          List of HTTP methods allowed to access the resource. The content will be serialized into the Access-Control-Allow-Methods header.

          allowHeaders string[] -

          List of HTTP headers that can be used when requesting the
          +

          List of HTTP headers that can be used when requesting the resource. Serialized to Access-Control-Allow-Headers header.

          exposeHeaders string[] -

          A list of HTTP headers that the browsers are allowed to
          +

          A list of HTTP headers that the browsers are allowed to access. Serialized into Access-Control-Expose-Headers header.

          maxAge Duration -

          Specifies how long the results of a preflight request can be
          +

          Specifies how long the results of a preflight request can be cached. Translates to the Access-Control-Max-Age header.

          allowCredentials BoolValue -

          Indicates whether the caller is allowed to send the actual request
          -(not the preflight) using credentials. Translates to
          +

          Indicates whether the caller is allowed to send the actual request +(not the preflight) using credentials. Translates to Access-Control-Allow-Credentials header.

          @@ -2651,7 +2651,7 @@

          HTTPFaultInjection

          @@ -2663,7 +2663,7 @@

          HTTPFaultInjection

          @@ -2676,7 +2676,7 @@

          HTTPFaultInjection

          PortSelector

          -

          PortSelector specifies the number of a port to be used for
          +

          PortSelector specifies the number of a port to be used for matching or selection for final routing.

          delay Delay -

          Delay requests before forwarding, emulating various failures such as
          +

          Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc.

          abort Abort -

          Abort Http request attempts and return error codes back to downstream
          +

          Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty.

          @@ -2758,7 +2758,7 @@

          Headers.HeaderOperations

          @@ -2782,12 +2782,12 @@

          Headers.HeaderOperations

          HTTPFaultInjection.Delay

          -

          Delay specification is used to inject latency into the request
          -forwarding path. The following example will introduce a 5 second delay
          -in 1 out of every 1000 requests to the "v1" version of the "reviews"
          +

          Delay specification is used to inject latency into the request +forwarding path. The following example will introduce a 5 second delay +in 1 out of every 1000 requests to the "v1" version of the "reviews" service from all pods with label env: prod

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2809,8 +2809,8 @@ 

          HTTPFaultInjection.Delay

          value: 0.1 fixedDelay: 5s
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -2832,10 +2832,10 @@ 

          HTTPFaultInjection.Delay

          value: 0.1 fixedDelay: 5s
          -

          {{}}
          -{{}}

          -

          The fixedDelay field is used to indicate the amount of delay in seconds.
          -The optional percentage field can be used to only delay a certain
          +

          {{}} +{{}}

          +

          The fixedDelay field is used to indicate the amount of delay in seconds. +The optional percentage field can be used to only delay a certain percentage of requests. If left unspecified, all request will be delayed.

          add map<string, string> -

          Append the given values to the headers specified by keys
          +

          Append the given values to the headers specified by keys (will create a comma-separated list of values)

          @@ -2852,7 +2852,7 @@

          HTTPFaultInjection.Delay

          @@ -2875,8 +2875,8 @@

          HTTPFaultInjection.Delay

          @@ -2889,11 +2889,11 @@

          HTTPFaultInjection.Delay

          HTTPFaultInjection.Abort

          -

          Abort specification is used to prematurely abort a request with a
          -pre-specified error code. The following example will return an HTTP 400
          +

          Abort specification is used to prematurely abort a request with a +pre-specified error code. The following example will return an HTTP 400 error code for 1 out of every 1000 requests to the "ratings" service "v1".

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: VirtualService
           metadata:
          @@ -2912,8 +2912,8 @@ 

          HTTPFaultInjection.Abort

          value: 0.1 httpStatus: 400
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: VirtualService
           metadata:
          @@ -2932,11 +2932,11 @@ 

          HTTPFaultInjection.Abort

          value: 0.1 httpStatus: 400
          -

          {{}}
          -{{}}

          -

          The httpStatus field is used to indicate the HTTP status code to
          -return to the caller. The optional percentage field can be used to only
          -abort a certain percentage of requests. If not specified, all requests are
          +

          {{}} +{{}}

          +

          The httpStatus field is used to indicate the HTTP status code to +return to the caller. The optional percentage field can be used to only +abort a certain percentage of requests. If not specified, all requests are aborted.

          fixedDelay Duration (oneof) -

          Add a fixed delay before forwarding the request. Format:
          +

          Add a fixed delay before forwarding the request. Format: 1h/1m/1s/1ms. MUST be >=1ms.

          percent int32 -

          Percentage of requests on which the delay will be injected (0-100).
          -Use of integer percent value is deprecated. Use the double percentage
          +

          Percentage of requests on which the delay will be injected (0-100). +Use of integer percent value is deprecated. Use the double percentage field instead.

          @@ -2964,9 +2964,9 @@

          HTTPFaultInjection.Abort

          diff --git a/content/zh/docs/reference/config/networking/workload-entry/index.html b/content/zh/docs/reference/config/networking/workload-entry/index.html index 05d9e5dc4316d..019e509c51d89 100644 --- a/content/zh/docs/reference/config/networking/workload-entry/index.html +++ b/content/zh/docs/reference/config/networking/workload-entry/index.html @@ -10,28 +10,28 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/workload-entry] number_of_entries: 1 --- -

          WorkloadEntry enables operators to describe the properties of a
          -single non-Kubernetes workload such as a VM or a bare metal server
          -as it is onboarded into the mesh. A WorkloadEntry must be
          -accompanied by an Istio ServiceEntry that selects the workload
          -through the appropriate labels and provides the service definition
          -for a MESH_INTERNAL service (hostnames, port properties, etc.). A
          -ServiceEntry object can select multiple workload entries as well
          -as Kubernetes pods based on the label selector specified in the
          +

          WorkloadEntry enables operators to describe the properties of a +single non-Kubernetes workload such as a VM or a bare metal server +as it is onboarded into the mesh. A WorkloadEntry must be +accompanied by an Istio ServiceEntry that selects the workload +through the appropriate labels and provides the service definition +for a MESH_INTERNAL service (hostnames, port properties, etc.). A +ServiceEntry object can select multiple workload entries as well +as Kubernetes pods based on the label selector specified in the service entry.

          -

          When a workload connects to istiod, the status field in the
          -custom resource will be updated to indicate the health of the
          -workload along with other details, similar to how Kubernetes
          +

          When a workload connects to istiod, the status field in the +custom resource will be updated to indicate the health of the +workload along with other details, similar to how Kubernetes updates the status of a pod.

          -

          The following example declares a workload entry representing a VM
          -for the details.bookinfo.com service. This VM has sidecar
          -installed and bootstrapped using the details-legacy service
          -account. The service is exposed on port 80 to applications in the
          -mesh. The HTTP traffic to this service is wrapped in Istio mutual
          -TLS and sent to sidecars on VMs on target port 8080, that in turn
          +

          The following example declares a workload entry representing a VM +for the details.bookinfo.com service. This VM has sidecar +installed and bootstrapped using the details-legacy service +account. The service is exposed on port 80 to applications in the +mesh. The HTTP traffic to this service is wrapped in Istio mutual +TLS and sent to sidecars on VMs on target port 8080, that in turn forward it to the application on localhost on the same port.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: WorkloadEntry
           metadata:
          @@ -47,8 +47,8 @@
               app: details-legacy
               instance-id: vm1
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: WorkloadEntry
           metadata:
          @@ -64,11 +64,11 @@
               app: details-legacy
               instance-id: vm1
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          and the associated service entry

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -87,8 +87,8 @@
               labels:
                 app: details-legacy
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -107,15 +107,15 @@
               labels:
                 app: details-legacy
           
          -

          {{}}
          -{{}}

          -

          The following example declares the same VM workload using
          -its fully qualified DNS name. The service entry's resolution
          -mode should be changed to DNS to indicate that the client-side
          -sidecars should dynamically resolve the DNS name at runtime before
          +

          {{}} +{{}}

          +

          The following example declares the same VM workload using +its fully qualified DNS name. The service entry's resolution +mode should be changed to DNS to indicate that the client-side +sidecars should dynamically resolve the DNS name at runtime before forwarding the request.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: WorkloadEntry
           metadata:
          @@ -131,8 +131,8 @@
               app: details-legacy
               instance-id: vm1
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: WorkloadEntry
           metadata:
          @@ -148,11 +148,11 @@
               app: details-legacy
               instance-id: vm1
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          and the associated service entry

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: ServiceEntry
           metadata:
          @@ -171,8 +171,8 @@
               labels:
                 app: details-legacy
           
          -

          {{}}

          -

          {{}}

          +

          {{}}

          +

          {{}}

          apiVersion: networking.istio.io/v1beta1
           kind: ServiceEntry
           metadata:
          @@ -191,8 +191,8 @@
               labels:
                 app: details-legacy
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          WorkloadEntry

          @@ -212,9 +212,9 @@

          WorkloadEntry

          @@ -226,15 +226,15 @@

          WorkloadEntry

          @@ -277,22 +277,22 @@

          WorkloadEntry

          @@ -304,7 +304,7 @@

          WorkloadEntry

          @@ -316,9 +316,9 @@

          WorkloadEntry

          diff --git a/content/zh/docs/reference/config/networking/workload-group/index.html b/content/zh/docs/reference/config/networking/workload-group/index.html index de8b6aed9ca4a..91f14e4132324 100644 --- a/content/zh/docs/reference/config/networking/workload-group/index.html +++ b/content/zh/docs/reference/config/networking/workload-group/index.html @@ -10,20 +10,20 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/workload-group] number_of_entries: 7 --- -

          WorkloadGroup describes a collection of workload instances.
          -It provides a specification that the workload instances can use to bootstrap
          -their proxies, including the metadata and identity. It is only intended to
          -be used with non-k8s workloads like Virtual Machines, and is meant to mimic
          -the existing sidecar injection and deployment specification model used for
          +

          WorkloadGroup describes a collection of workload instances. +It provides a specification that the workload instances can use to bootstrap +their proxies, including the metadata and identity. It is only intended to +be used with non-k8s workloads like Virtual Machines, and is meant to mimic +the existing sidecar injection and deployment specification model used for Kubernetes workloads to bootstrap Istio proxies.

          -

          The following example declares a workload group representing a collection
          -of workloads that will be registered under reviews in namespace
          -bookinfo. The set of labels will be associated with each workload
          -instance during the bootstrap process, and the ports 3550 and 8080
          -will be associated with the workload group and use service account default.
          +

          The following example declares a workload group representing a collection +of workloads that will be registered under reviews in namespace +bookinfo. The set of labels will be associated with each workload +instance during the bootstrap process, and the ports 3550 and 8080 +will be associated with the workload group and use service account default. app.kubernetes.io/version is just an arbitrary example of a label.

          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          apiVersion: networking.istio.io/v1alpha3
           kind: WorkloadGroup
           metadata:
          @@ -54,15 +54,15 @@
                - name: Lit-Header
                  value: Im-The-Best
           
          -

          {{}}
          -{{}}

          +

          {{}} +{{}}

          WorkloadGroup

          -

          WorkloadGroup enables specifying the properties of a single workload for bootstrap and
          -provides a template for WorkloadEntry, similar to how Deployment specifies properties
          -of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry.
          -WorkloadGroup has no relationship to resources which control service registry like ServiceEntry
          +

          WorkloadGroup enables specifying the properties of a single workload for bootstrap and +provides a template for WorkloadEntry, similar to how Deployment specifies properties +of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry. +WorkloadGroup has no relationship to resources which control service registry like ServiceEntry and as such doesn't configure host name for these workloads.

          grpcStatus string (oneof) -

          GRPC status code to use to abort the request. The supported
          -codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md
          -Note: If you want to return the status "Unavailable", then you should
          +

          GRPC status code to use to abort the request. The supported +codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md +Note: If you want to return the status "Unavailable", then you should specify the code as UNAVAILABLE(all caps), but not 14.

          address string -

          Address associated with the network endpoint without the
          -port. Domain names can be used if and only if the resolution is set
          -to DNS, and must be fully-qualified without wildcards. Use the form
          +

          Address associated with the network endpoint without the +port. Domain names can be used if and only if the resolution is set +to DNS, and must be fully-qualified without wildcards. Use the form unix:///absolute/path/to/socket for Unix domain socket endpoints.

          ports map<string, uint32> -

          Set of ports associated with the endpoint. If the port map is
          -specified, it must be a map of servicePortName to this endpoint's
          -port, such that traffic to the service port will be forwarded to
          -the endpoint port that maps to the service's portName. If
          -omitted, and the targetPort is specified as part of the service's
          -port specification, traffic to the service port will be forwarded
          -to one of the endpoints on the specified targetPort. If both
          -the targetPort and endpoint's port map are not specified, traffic
          -to a service port will be forwarded to one of the endpoints on
          +

          Set of ports associated with the endpoint. If the port map is +specified, it must be a map of servicePortName to this endpoint's +port, such that traffic to the service port will be forwarded to +the endpoint port that maps to the service's portName. If +omitted, and the targetPort is specified as part of the service's +port specification, traffic to the service port will be forwarded +to one of the endpoints on the specified targetPort. If both +the targetPort and endpoint's port map are not specified, traffic +to a service port will be forwarded to one of the endpoints on the same port.

          NOTE 1: Do not use for unix:// addresses.

          NOTE 2: endpoint port map takes precedence over targetPort.

          @@ -259,13 +259,13 @@

          WorkloadEntry

          network string -

          Network enables Istio to group endpoints resident in the same L3
          -domain/network. All endpoints in the same network are assumed to be
          -directly reachable from one another. When endpoints in different
          -networks cannot reach each other directly, an Istio Gateway can be
          -used to establish connectivity (usually using the
          -AUTO_PASSTHROUGH mode in a Gateway Server). This is
          -an advanced configuration used typically for spanning an Istio mesh
          +

          Network enables Istio to group endpoints resident in the same L3 +domain/network. All endpoints in the same network are assumed to be +directly reachable from one another. When endpoints in different +networks cannot reach each other directly, an Istio Gateway can be +used to establish connectivity (usually using the +AUTO_PASSTHROUGH mode in a Gateway Server). This is +an advanced configuration used typically for spanning an Istio mesh over multiple clusters.

          locality string -

          The locality associated with the endpoint. A locality corresponds
          -to a failure domain (e.g., country/region/zone). Arbitrary failure
          -domain hierarchies can be represented by separating each
          -encapsulating failure domain by /. For example, the locality of an
          -an endpoint in US, in US-East-1 region, within availability zone
          -az-1, in data center rack r11 can be represented as
          -us/us-east-1/az-1/r11. Istio will configure the sidecar to route to
          -endpoints within the same locality as the sidecar. If none of the
          -endpoints in the locality are available, endpoints parent locality
          -(but within the same network ID) will be chosen. For example, if
          -there are two endpoints in same network (networkID "n1"), say e1
          -with locality us/us-east-1/az-1/r11 and e2 with locality
          -us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality
          -will prefer e1 from the same locality over e2 from a different
          -locality. Endpoint e2 could be the IP associated with a gateway
          -(that bridges networks n1 and n2), or the IP associated with a
          +

          The locality associated with the endpoint. A locality corresponds +to a failure domain (e.g., country/region/zone). Arbitrary failure +domain hierarchies can be represented by separating each +encapsulating failure domain by /. For example, the locality of an +an endpoint in US, in US-East-1 region, within availability zone +az-1, in data center rack r11 can be represented as +us/us-east-1/az-1/r11. Istio will configure the sidecar to route to +endpoints within the same locality as the sidecar. If none of the +endpoints in the locality are available, endpoints parent locality +(but within the same network ID) will be chosen. For example, if +there are two endpoints in same network (networkID "n1"), say e1 +with locality us/us-east-1/az-1/r11 and e2 with locality +us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality +will prefer e1 from the same locality over e2 from a different +locality. Endpoint e2 could be the IP associated with a gateway +(that bridges networks n1 and n2), or the IP associated with a standard service endpoint.

          weight uint32 -

          The load balancing weight associated with the endpoint. Endpoints
          +

          The load balancing weight associated with the endpoint. Endpoints with higher weights will receive proportionally higher traffic.

          serviceAccount string -

          The service account associated with the workload if a sidecar
          -is present in the workload. The service account must be present
          -in the same namespace as the configuration ( WorkloadEntry or a
          +

          The service account associated with the workload if a sidecar +is present in the workload. The service account must be present +in the same namespace as the configuration ( WorkloadEntry or a ServiceEntry)
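Review bot: the locality description in this hunk (the rewrapped "+The locality associated with the endpoint..." paragraph) carries a doubled article, "the locality of an an endpoint in US", in both the removed and added text; since these reference pages are generated from istio/api, the typo should be fixed in the upstream proto comment rather than patched here, otherwise the next regeneration will bring it back.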

          @@ -79,7 +79,7 @@

          WorkloadGroup

          @@ -91,10 +91,10 @@

          WorkloadGroup

          @@ -106,7 +106,7 @@

          WorkloadGroup

          @@ -144,7 +144,7 @@

          ReadinessProbe

          @@ -156,7 +156,7 @@

          ReadinessProbe

          @@ -168,7 +168,7 @@

          ReadinessProbe

          @@ -180,7 +180,7 @@

          ReadinessProbe

          @@ -192,7 +192,7 @@

          ReadinessProbe

          @@ -263,7 +263,7 @@

          HTTPHealthCheckConfig

          @@ -286,7 +286,7 @@

          HTTPHealthCheckConfig

          @@ -399,7 +399,7 @@

          ExecHealthCheckConfig

          WorkloadGroup.ObjectMeta

          -

          ObjectMeta describes metadata that will be attached to a WorkloadEntry.
          +

          ObjectMeta describes metadata that will be attached to a WorkloadEntry. It is a subset of the supported Kubernetes metadata.

          metadata ObjectMeta -

          Metadata that will be used for all corresponding WorkloadEntries.
          +

          Metadata that will be used for all corresponding WorkloadEntries. User labels for a workload group should be set here in metadata rather than in template.

          template WorkloadEntry -

          Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup.
          -Please note that address and labels fields should not be set in the template, and an empty serviceAccount
          -should default to default. The workload identities (mTLS certificates) will be bootstrapped using the
          -specified service account's token. Workload entries in this group will be in the same namespace as the
          +

          Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. +Please note that address and labels fields should not be set in the template, and an empty serviceAccount +should default to default. The workload identities (mTLS certificates) will be bootstrapped using the +specified service account's token. Workload entries in this group will be in the same namespace as the workload group, and inherit the labels and annotations from the above metadata field.

          probe ReadinessProbe -

          ReadinessProbe describes the configuration the user must provide for healthchecking on their workload.
          +

          ReadinessProbe describes the configuration the user must provide for healthchecking on their workload. This configuration mirrors K8S in both syntax and logic for the most part.

          timeoutSeconds int32 -

          Number of seconds after which the probe times out.
          +

          Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.

          periodSeconds int32 -

          How often (in seconds) to perform the probe.
          +

          How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1 second.

          successThreshold int32 -

          Minimum consecutive successes for the probe to be considered successful after having failed.
          +

          Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1 second.

          failureThreshold int32 -

          Minimum consecutive failures for the probe to be considered failed after having succeeded.
          +

          Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3 seconds.

          httpGet HTTPHealthCheckConfig (oneof) -

          httpGet is performed to a given endpoint
          +

          httpGet is performed to a given endpoint and the status/able to connect determines health.

          host string -

          Host name to connect to, defaults to the pod IP. You probably want to set
          +

          Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

          httpHeaders HTTPHeader[] -

          Headers the proxy will pass on to make the request.
          +

          Headers the proxy will pass on to make the request. Allows repeated headers.
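Review bot: the successThreshold and failureThreshold descriptions in the ReadinessProbe hunk read "Defaults to 1 second." and "Defaults to 3 seconds.", but both fields are counts of consecutive probe results (as their own first sentences say), not durations; only timeoutSeconds and periodSeconds are measured in seconds. The Goldmark rewrap carries the wording through unchanged, so this is an upstream istio/api comment problem, but it is worth filing there so the generated page stops stating a unit the field does not have.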

          diff --git a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html index 86c457f44ba80..0bee21e37c9f8 100644 --- a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -10,15 +10,15 @@ aliases: [/zh/docs/reference/config/extensions/v1alpha1/wasm-plugin] number_of_entries: 6 --- -

          WasmPlugins provides a mechanism to extend the functionality provided by
          +

          WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.

          -

          Order of execution (as part of Envoy's filter chain) is determined by
          -phase and priority settings, allowing the configuration of complex
          -interactions between user-supplied WasmPlugins and Istio's internal
          +

          Order of execution (as part of Envoy's filter chain) is determined by +phase and priority settings, allowing the configuration of complex +interactions between user-supplied WasmPlugins and Istio's internal filters.

          Examples:

          -

          AuthN Filter deployed to ingress-gateway that implements an OpenID flow
          -and populates the Authorization header with a JWT to be consumed by
          +

          AuthN Filter deployed to ingress-gateway that implements an OpenID flow +and populates the Authorization header with a JWT to be consumed by Istio AuthN.

          apiVersion: extensions.istio.io/v1alpha1
           kind: WasmPlugin
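Review bot: the joined paragraphs on the `+` side carry literal "+" characters where the previously hard-wrapped lines were concatenated ("... is determined by +phase and priority settings, ..." and "... OpenID flow +and populates the Authorization header ..."). If that is the generated HTML rather than an artifact of this diff view, the Goldmark conversion is keeping the diff marker of each old line inside the paragraph text; please check the rendered wasm-plugin page before merging.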
          @@ -101,18 +101,18 @@
               - name: TRUST_DOMAIN
                 value: "cluster.local"
           
          -

          And a more complex example that deploys three WasmPlugins and orders them
          -using phase and priority. The (hypothetical) setup is that the
          -openid-connect filter performs an OpenID Connect flow to authenticate the
          -user, writing a signed JWT into the Authorization header of the request,
          -which can be verified by the Istio authn plugin. Then, the acl-check plugin
          -kicks in, passing the JWT to a policy server, which in turn responds with a
          -signed token that contains information about which files and functions of the
          -system are available to the user that was previously authenticated. The
          -acl-check filter writes this token to a header. Finally, the check-header
          -filter verifies the token in that header and makes sure that the token's
          +

          And a more complex example that deploys three WasmPlugins and orders them +using phase and priority. The (hypothetical) setup is that the +openid-connect filter performs an OpenID Connect flow to authenticate the +user, writing a signed JWT into the Authorization header of the request, +which can be verified by the Istio authn plugin. Then, the acl-check plugin +kicks in, passing the JWT to a policy server, which in turn responds with a +signed token that contains information about which files and functions of the +system are available to the user that was previously authenticated. The +acl-check filter writes this token to a header. Finally, the check-header +filter verifies the token in that header and makes sure that the token's contents (the permitted 'function') matches its plugin configuration.

          -

          The resulting filter chain looks like this:
          +

          The resulting filter chain looks like this: -> openid-connect -> istio.authn -> acl-check -> check-header -> router

          apiVersion: extensions.istio.io/v1alpha1
           kind: WasmPlugin
          @@ -171,7 +171,7 @@
           
           

          WasmPlugin

          -

          WasmPlugins provides a mechanism to extend the functionality provided by
          +

          WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.

          @@ -188,11 +188,11 @@

          WasmPlugin

          @@ -204,10 +204,10 @@

          WasmPlugin

          @@ -219,10 +219,10 @@

          WasmPlugin

          @@ -234,11 +234,11 @@

          WasmPlugin

          @@ -250,9 +250,9 @@

          WasmPlugin

          @@ -275,8 +275,8 @@

          WasmPlugin

          @@ -299,11 +299,11 @@

          WasmPlugin

          @@ -315,7 +315,7 @@

          WasmPlugin

          @@ -328,7 +328,7 @@

          WasmPlugin

          VmConfig

          -

          Configuration for a Wasm VM.
          +

          Configuration for a Wasm VM. more details can be found here.

          selector WorkloadSelector -

          Criteria used to select the specific set of pods/VMs on which
          -this plugin configuration should be applied. If omitted, this
          -configuration will be applied to all workload instances in the same
          -namespace. If the WasmPlugin is present in the config root
          -namespace, it will be applied to all applicable workloads in any
          +

          Criteria used to select the specific set of pods/VMs on which +this plugin configuration should be applied. If omitted, this +configuration will be applied to all workload instances in the same +namespace. If the WasmPlugin is present in the config root +namespace, it will be applied to all applicable workloads in any namespace.

          url string -

          URL of a Wasm module or OCI container. If no scheme is present,
          -defaults to oci://, referencing an OCI image. Other valid schemes
          -are file:// for referencing .wasm module files present locally
          -within the proxy container, and http[s]:// for .wasm module files
          +

          URL of a Wasm module or OCI container. If no scheme is present, +defaults to oci://, referencing an OCI image. Other valid schemes +are file:// for referencing .wasm module files present locally +within the proxy container, and http[s]:// for .wasm module files hosted remotely.

          sha256 string -

          SHA256 checksum that will be used to verify Wasm module or OCI container.
          -If the url field already references a SHA256 (using the @sha256:
          -notation), it must match the value of this field. If an OCI image is
          -referenced by tag and this field is set, its checksum will be verified
          +

          SHA256 checksum that will be used to verify Wasm module or OCI container. +If the url field already references a SHA256 (using the @sha256: +notation), it must match the value of this field. If an OCI image is +referenced by tag and this field is set, its checksum will be verified against the contents of this field after pulling.

          imagePullPolicy PullPolicy -

          The pull behaviour to be applied when fetching Wasm module by either
          -OCI image or http/https. Only relevant when referencing Wasm module without
          -any digest, including the digest in OCI image URL or sha256 field in vm_config.
          -Defaults to IfNotPresent, except when an OCI image is referenced in the url
          -and the latest tag is used, in which case Always is the default,
          +

          The pull behaviour to be applied when fetching Wasm module by either +OCI image or http/https. Only relevant when referencing Wasm module without +any digest, including the digest in OCI image URL or sha256 field in vm_config. +Defaults to IfNotPresent, except when an OCI image is referenced in the url +and the latest tag is used, in which case Always is the default, mirroring K8s behaviour.

          imagePullSecret string -

          Credentials to use for OCI image pulling.
          -Name of a K8s Secret in the same namespace as the WasmPlugin that
          -contains a docker pull secret which is to be used to authenticate
          +

          Credentials to use for OCI image pulling. +Name of a K8s Secret in the same namespace as the WasmPlugin that +contains a docker pull secret which is to be used to authenticate against the registry when pulling the image.

          pluginName string -

          The plugin name to be used in the Envoy configuration (used to be called
          -rootID). Some .wasm modules might require this value to select the Wasm
          +

          The plugin name to be used in the Envoy configuration (used to be called +rootID). Some .wasm modules might require this value to select the Wasm plugin to execute.

          priority Int64Value -

          Determines ordering of WasmPlugins in the same phase.
          -When multiple WasmPlugins are applied to the same workload in the
          -same phase, they will be applied by priority, in descending order.
          -If priority is not set, or two WasmPlugins exist with the same
          -value, the ordering will be deterministically derived from name and
          +

          Determines ordering of WasmPlugins in the same phase. +When multiple WasmPlugins are applied to the same workload in the +same phase, they will be applied by priority, in descending order. +If priority is not set, or two WasmPlugins exist with the same +value, the ordering will be deterministically derived from name and namespace of the WasmPlugins. Defaults to 0.

          vmConfig VmConfig -

          Configuration for a Wasm VM.
          +

          Configuration for a Wasm VM. more details can be found here.
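Review bot: "Configuration for a Wasm VM. more details can be found here." starts its second sentence in lower case, and the target of the "here" link is not visible in this view; suggest "More details can be found here." and a check that the anchor survived the rendering in both places this sentence appears (the VmConfig heading and the vmConfig field row).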

          @@ -345,7 +345,7 @@

          VmConfig

          @@ -372,7 +372,7 @@

          EnvVar

          @@ -384,7 +384,7 @@

          EnvVar

          @@ -396,8 +396,8 @@

          EnvVar

          @@ -423,8 +423,8 @@

          PluginPhase

          @@ -455,7 +455,7 @@

          PluginPhase

          PullPolicy

          -

          The pull behaviour to be applied when fetching a Wam module,
          +

          The pull behaviour to be applied when fetching a Wam module, mirroring K8s behaviour.

          env EnvVar[] -

          Specifies environment variables to be injected to this VM.
          +

          Specifies environment variables to be injected to this VM. Note that if a key does not exist, it will be ignored.

          name string -

          Required
          +

          Required Name of the environment variable. Must be a C_IDENTIFIER.

          valueFrom EnvValueSource -

          Required
          +

          Required Source for the environment variable's value.

          value string -

          Value for the environment variable.
          -Note that if value_from is HOST, it will be ignored.
          +

          Value for the environment variable. +Note that if value_from is HOST, it will be ignored. Defaults to "".

          UNSPECIFIED_PHASE -

          Control plane decides where to insert the plugin. This will generally
          -be at the end of the filter chain, right before the Router.
          +

          Control plane decides where to insert the plugin. This will generally +be at the end of the filter chain, right before the Router. Do not specify PluginPhase if the plugin is independent of others.
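Review bot: "The pull behaviour to be applied when fetching a Wam module" should read "Wasm module". In the same region the "Required" marker on the name and valueFrom fields is now run into the description ("Required Name of the environment variable. Must be a C_IDENTIFIER."), so it needs either its own element or a separating period in the rendered text.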

          @@ -469,7 +469,7 @@

          PullPolicy

          @@ -477,8 +477,8 @@

          PullPolicy

          @@ -486,7 +486,7 @@

          PullPolicy

          diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html index d1d642337387c..c77d41699f404 100644 --- a/content/zh/docs/reference/config/security/authorization-policy/index.html +++ b/content/zh/docs/reference/config/security/authorization-policy/index.html @@ -12,8 +12,8 @@ number_of_entries: 9 ---

          Istio Authorization Policy enables access control on workloads in the mesh.

          -

          Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions
          -are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action.
          +

          Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions +are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. The evaluation is determined by the following rules:

          1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
          2. @@ -22,15 +22,15 @@
          3. If any of the ALLOW policies match the request, allow the request.
          4. Deny the request.
          -

          Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
          -AUDIT policies do not affect whether requests are allowed or denied to the workload.
          +

          Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. +AUDIT policies do not affect whether requests are allowed or denied to the workload. Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions.

          -

          A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
          -A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
          -The request will not be audited if there are no such supporting plugins enabled.
          +

          A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. +A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. +The request will not be audited if there are no such supporting plugins enabled. Currently, the only supported plugin is the Stackdriver plugin.

          Here is an example of Istio Authorization Policy:

          -

          It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW"
          +

          It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW" but it is useful to be explicit in the policy.

          It allows requests from:
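Review bot: item 2 of the evaluation rule list reads "@@ -22,15 +22,15 @@" in this view, so the DENY-evaluation step between the CUSTOM rule (item 1) and the ALLOW rule (item 3) is not visible; please confirm the generated HTML keeps all four steps, since this list is the normative description of the CUSTOM, then DENY, then ALLOW order that the paragraph above introduces.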

            @@ -68,8 +68,8 @@ - key: request.auth.claims[iss] values: ["https://accounts.google.com"] -

            The following is another example that sets action to "DENY" to create a deny policy.
            -It denies requests from the "dev" namespace to the "POST" method on all workloads
            +

            The following is another example that sets action to "DENY" to create a deny policy. +It denies requests from the "dev" namespace to the "POST" method on all workloads in the "foo" namespace.

            apiVersion: security.istio.io/v1beta1
             kind: AuthorizationPolicy
            @@ -86,7 +86,7 @@
                 - operation:
                     methods: ["POST"]
             
            -

            The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the
            +

            The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the prefix "/user/profile".

            apiVersion: security.istio.io/v1beta1
             kind: AuthorizationPolicy
            @@ -104,15 +104,15 @@
                     methods: ["GET"]
                     paths: ["/user/profile/*"]
             
            -

            Authorization Policy scope (target) is determined by "metadata/namespace" and
            +

            Authorization Policy scope (target) is determined by "metadata/namespace" and an optional "selector".

              -
            • "metadata/namespace" tells which namespace the policy applies. If set to root
              +
            • "metadata/namespace" tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
            • workload "selector" can be used to further restrict where a policy applies.

            For example,

            -

            The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
            +

            The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies all requests to workloads in namespace foo.

            apiVersion: security.istio.io/v1beta1
             kind: AuthorizationPolicy
            @@ -132,7 +132,7 @@
              rules:
              - {}
             
            -

            The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
            +

            The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows nothing and effectively denies all requests to the selected workloads.

            apiVersion: security.istio.io/v1beta1
             kind: AuthorizationPolicy
            @@ -144,7 +144,7 @@
                 matchLabels:
                   app: httpbin
             
            -

            The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
            +

            The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh. (Assuming the root namespace is configured to "istio-system").

            apiVersion: security.istio.io/v1beta1
             kind: AuthorizationPolicy
            @@ -175,8 +175,8 @@ 

            AuthorizationPolicy

          @@ -225,8 +225,8 @@

          AuthorizationPolicy

          Rule

          -

          Rule matches requests from a list of sources that perform a list of operations subject to a
          -list of conditions. A match occurs when at least one source, one operation and all conditions
          +

          Rule matches requests from a list of sources that perform a list of operations subject to a +list of conditions. A match occurs when at least one source, one operation and all conditions matches the request. An empty rule is always matched.

          Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
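Review bot: "A match occurs when at least one source, one operation and all conditions matches the request." should be "match the request" (compound subject). Since this sentence defines when a Rule applies, it is worth fixing while the paragraph is being reflowed.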

            @@ -287,9 +287,9 @@

            Rule

          Source

          -

          Source specifies the source identities of a request. Fields in the source are
          +

          Source specifies the source identities of a request. Fields in the source are ANDed together.

          -

          For example, the following source matches if the principal is "admin" or "dev"
          +

          For example, the following source matches if the principal is "admin" or "dev" and the namespace is "prod" or "test" and the ip is not "1.2.3.4".

          principals: ["admin", "dev"]
           namespaces: ["prod", "test"]
          @@ -310,8 +310,8 @@ 

          Source

          @@ -586,7 +586,7 @@

          Condition

          @@ -598,7 +598,7 @@

          Condition

          @@ -625,7 +625,7 @@

          AuthorizationPolicy.ExtensionProv

          @@ -728,16 +728,16 @@

          AuthorizationPolicy.Action

          @@ -63,9 +63,9 @@

          JWTRule

          @@ -133,12 +133,12 @@

          JWTRule

          @@ -150,8 +150,8 @@

          JWTRule

          @@ -202,8 +202,8 @@

          JWTHeader

          diff --git a/content/zh/docs/reference/config/security/peer_authentication/index.html b/content/zh/docs/reference/config/security/peer_authentication/index.html index ead59c3749b8f..e8552ebce6701 100644 --- a/content/zh/docs/reference/config/security/peer_authentication/index.html +++ b/content/zh/docs/reference/config/security/peer_authentication/index.html @@ -25,7 +25,7 @@

          PeerAuthentication

          mode: STRICT

          For mesh level, put the policy in root-namespace according to your Istio installation.

          -

          Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but
          +

          Policies to allow both mTLS & plaintext traffic for all workloads under namespace foo, but require mTLS for workload finance.

          apiVersion: security.istio.io/v1beta1
           kind: PeerAuthentication
          @@ -48,7 +48,7 @@ 

          PeerAuthentication

          mtls: mode: STRICT
          -

          Policy to allow mTLS strict for all workloads, but leave port 8080 to
          +

          Policy to allow mTLS strict for all workloads, but leave port 8080 to plaintext:

          apiVersion: security.istio.io/v1beta1
           kind: PeerAuthentication
          @@ -65,7 +65,7 @@ 

          PeerAuthentication

          8080: mode: DISABLE
          -

          Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
          +

          Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080

          apiVersion: security.istio.io/v1beta1
           kind: PeerAuthentication
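Review bot: the reflowed caption "Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite settings for port 8080" has no closing punctuation, unlike the sibling caption "... leave port 8080 to plaintext:" in the previous hunk; suggest ending it with a colon so the captions introducing the YAML examples are consistent.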
          @@ -97,7 +97,7 @@ 

          PeerAuthentication

          @@ -120,7 +120,7 @@

          PeerAuthentication

          diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html index 226b060334cf5..3b2dea6151476 100644 --- a/content/zh/docs/reference/config/security/request_authentication/index.html +++ b/content/zh/docs/reference/config/security/request_authentication/index.html @@ -12,11 +12,11 @@ ---

          RequestAuthentication

          -

          RequestAuthentication defines what request authentication methods are supported by a workload.
          -It will reject a request if the request contains invalid authentication information, based on the
          -configured authentication rules. A request that does not contain any authentication credentials
          -will be accepted but will not have any authenticated identity. To restrict access to authenticated
          -requests only, this should be accompanied by an authorization rule.
          +

          RequestAuthentication defines what request authentication methods are supported by a workload. +It will reject a request if the request contains invalid authentication information, based on the +configured authentication rules. A request that does not contain any authentication credentials +will be accepted but will not have any authenticated identity. To restrict access to authenticated +requests only, this should be accompanied by an authorization rule. Examples:

          • Require JWT for all request for workloads that have label app:httpbin
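Review bot: "Require JWT for all request for workloads that have label app:httpbin" should read "all requests". The bullet that follows it shows only a hunk header ("@@ -49,8 +49,8 @@") in this view, so verify that the remaining example bullets of the RequestAuthentication list are intact in the rendered page.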
          • @@ -49,8 +49,8 @@

            RequestAuthentication

            requestPrincipals: ["*"]
              -
            • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
              -in a mesh. The following policy makes all workloads only accept requests that contain a
              +
            • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces +in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
            apiVersion: security.istio.io/v1beta1
            @@ -75,8 +75,8 @@ 

            RequestAuthentication

            requestPrincipals: ["*"]
              -
            • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication
              -declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly
              +
            • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication +declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly set from the OpenID Connect spec).
            apiVersion: security.istio.io/v1beta1
            @@ -116,8 +116,8 @@ 

            RequestAuthentication

            hosts: ["another-host.com"]
              -
            • You can fine tune the authorization policy to set different requirement per path. For example,
              -to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the
              +
            • You can fine tune the authorization policy to set different requirement per path. For example, +to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the authorization policy could be:
            apiVersion: security.istio.io/v1beta1
            @@ -137,11 +137,11 @@ 

            RequestAuthentication

            - operation: paths: ["/healthz"]
            -

            [Experimental] Routing based on derived metadata
            -is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request.
            +

            [Experimental] Routing based on derived metadata +is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:

              -
            • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name
              +
            • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name currently does not support the . character. Examples: request.auth.claims.sub and request.auth.claims.name.givenName.

            The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:

            @@ -217,8 +217,8 @@

            RequestAuthentication

          diff --git a/content/zh/docs/reference/config/telemetry/index.html b/content/zh/docs/reference/config/telemetry/index.html index 56fdaf78717f5..68d226baf35c1 100644 --- a/content/zh/docs/reference/config/telemetry/index.html +++ b/content/zh/docs/reference/config/telemetry/index.html @@ -11,11 +11,11 @@ number_of_entries: 18 ---

          Telemetry defines how the telemetry is generated for workloads within a mesh.

          -

          For mesh level configuration, put the resource in root configuration
          +

          For mesh level configuration, put the resource in root configuration namespace for your Istio installation without a workload selector.

          -

          For any namespace, including the root configuration namespace, it is only
          +

          For any namespace, including the root configuration namespace, it is only valid to have a single workload selector-less Telemetry resource.

          -

          For resources with a workload selector, it is only valid to have one resource
          +

          For resources with a workload selector, it is only valid to have one resource selecting any given workload.

          The hierarchy of Telemetry configuration is as follows:

            @@ -35,7 +35,7 @@ tracing: - randomSamplingPercentage: 10.00 -

            Policy to disable trace reporting for the "foo" workload (note: tracing
            +

            Policy to disable trace reporting for the "foo" workload (note: tracing context will still be propagated):

            apiVersion: telemetry.istio.io/v1alpha1
             kind: Telemetry
            @@ -115,7 +115,7 @@
                     request_host:
                       value: "request.host"
             
            -

            Policy to remove the response_code dimension on some Prometheus metrics for
            +

            Policy to remove the response_code dimension on some Prometheus metrics for the bar.foo workload:

            apiVersion: telemetry.istio.io/v1alpha1
             kind: Telemetry
            @@ -196,8 +196,8 @@ 

            Telemetry

          @@ -209,7 +209,7 @@

          Telemetry

          @@ -221,7 +221,7 @@

          Telemetry

          @@ -233,7 +233,7 @@

          Telemetry

          @@ -246,13 +246,13 @@

          Telemetry

          Tracing

          -

          Tracing configures tracing behavior for workloads within a mesh.
          -It can be used to enable/disable tracing, as well as to set sampling
          +

          Tracing configures tracing behavior for workloads within a mesh. +It can be used to enable/disable tracing, as well as to set sampling rates and custom tag extraction.

          -

          Tracing configuration support overrides of the fields providers,
          -random_sampling_percentage, disable_span_reporting, and custom_tags at
          -each level in the configuration hierarchy, with missing values filled in
          -from parent resources. However, when specified, custom_tags will
          +

          Tracing configuration support overrides of the fields providers, +random_sampling_percentage, disable_span_reporting, and custom_tags at +each level in the configuration hierarchy, with missing values filled in +from parent resources. However, when specified, custom_tags will fully replace any values provided by parent configuration.
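Review bot: "Tracing configuration support overrides of the fields ..." needs "supports". While the sentence is being touched, the point that custom_tags "will fully replace any values provided by parent configuration" is the one non-merging field in the hierarchy and would read more clearly as its own sentence, for example "Note that custom_tags is not merged: when specified, it fully replaces the parent's values."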

          UNSPECIFIED_POLICY -

          Defaults to IfNotPresent, except for OCI images with tag latest, for which
          +

          Defaults to IfNotPresent, except for OCI images with tag latest, for which the default will be Always.

          IfNotPresent -

          If an existing version of the image has been pulled before, that
          -will be used. If no version of the image is present locally, we
          +

          If an existing version of the image has been pulled before, that +will be used. If no version of the image is present locally, we will pull the latest version.

          Always -

          We will always pull the latest version of an image when changing
          +

          We will always pull the latest version of an image when changing this plugin. Note that the change includes metadata field as well.

          selector WorkloadSelector -

          Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
          -in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
          +

          Optional. The selector decides where to apply the authorization policy. The selector will match with workloads +in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

          If not set, the selector will match all workloads.

          @@ -190,7 +190,7 @@

          AuthorizationPolicy

          Rule[]

          Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

          -

          If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if
          +

          If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW.

          principals string[] -

          Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
          -"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage".
          +

          Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of +"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". This field requires mTLS enabled and is the same as the source.principal attribute.

          If not set, any principal is allowed.

          @@ -335,8 +335,8 @@

          Source

          requestPrincipals string[] -

          Optional. A list of request identities derived from the JWT. The request identity is in the format of
          -"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the
          +

          Optional. A list of request identities derived from the JWT. The request identity is in the format of +"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the same as the request.auth.principal attribute.

          If not set, any request principal is allowed.

          @@ -360,7 +360,7 @@

          Source

          namespaces string[] -

          Optional. A list of namespaces derived from the peer certificate.
          +

          Optional. A list of namespaces derived from the peer certificate. This field requires mTLS enabled and is the same as the source.namespace attribute.

          If not set, any namespace is allowed.

          @@ -384,7 +384,7 @@

          Source

          ipBlocks string[] -

          Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and
          +

          Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the source.ip attribute.

          If not set, any IP is allowed.

          @@ -408,11 +408,11 @@

          Source

          remoteIpBlocks string[] -

          Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol.
          -To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig
          -when you install Istio or using an annotation on the ingress gateway. See the documentation here:
          -Configuring Gateway Network Topology.
          -Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
          +

          Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. +To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig +when you install Istio or using an annotation on the ingress gateway. See the documentation here: +Configuring Gateway Network Topology. +Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the remote.ip attribute.

          If not set, any IP is allowed.
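Review bot: the only wording in this hunk that depends on a link is "Configuring Gateway Network Topology", whose target this view cannot show; verify the href still resolves after the renderer switch, because that page is where the numTrustedProxies requirement is explained, and remoteIpBlocks is only meaningful once X-Forwarded-For or proxy protocol handling has been configured that way.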

          @@ -437,9 +437,9 @@

          Source

          Operation

          -

          Operation specifies the operations of a request. Fields in the operation are
          +

          Operation specifies the operations of a request. Fields in the operation are ANDed together.

          -

          For example, the following operation matches if the host has suffix ".example.com"
          +

          For example, the following operation matches if the host has suffix ".example.com" and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".

          hosts: ["*.example.com"]
           methods: ["GET", "HEAD"]
          @@ -460,8 +460,8 @@ 

          Operation

          hosts string[] -

          Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive.
          -See the security best practices for
          +

          Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. +See the security best practices for recommended usage of this field.

          If not set, any host is allowed. Must be used only with HTTP.

          @@ -508,7 +508,7 @@

          Operation

          methods string[] -

          Optional. A list of methods as specified in the HTTP request.
          +

          Optional. A list of methods as specified in the HTTP request. For gRPC service, this will always be "POST".

          If not set, any method is allowed. Must be used only with HTTP.

          @@ -532,8 +532,8 @@

          Operation

          paths string[] -

          Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization
          -for details of the path normalization.
          +

          Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization +for details of the path normalization. For gRPC service, this will be the fully-qualified name in the form of "/package.service/method".

          If not set, any path is allowed. Must be used only with HTTP.

          @@ -574,7 +574,7 @@

          Condition

          key string -

          The name of an Istio attribute.
          +

          The name of an Istio attribute. See the full list of supported attributes.

          values string[] -

          Optional. A list of allowed values for the attribute.
          +

          Optional. A list of allowed values for the attribute. Note: at least one of values or not_values must be set.

          notValues string[] -

          Optional. A list of negative match of values for the attribute.
          +

          Optional. A list of negative match of values for the attribute. Note: at least one of values or not_values must be set.

          name string -

          Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig.
          +

          Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

          CUSTOM -

          The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true.
          -The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request
          -is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the
          -authorization decision made by ALLOW and DENY action.
          -Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to
          -the extension by specifying the name of the provider.
          -One example use case of the extension is to integrate with a custom external authorization system to delegate
          +

          The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. +The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request +is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the +authorization decision made by ALLOW and DENY action. +Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to +the extension by specifying the name of the provider. +One example use case of the extension is to integrate with a custom external authorization system to delegate the authorization decision to it.

          Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

          -

          The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension
          +

          The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension "my-custom-authz" if the request path has prefix "/admin/".

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
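Review bot: the CUSTOM action paragraph keeps two grammar slips through the renderer switch: "When used together, A request is allowed" has a capitalized "A" mid-sentence, and "Different workloads can use different extension provider" needs the plural "providers". Both live in the upstream istio/api proto comment rather than in this repo, so they are best fixed there before the next regeneration; the substance (the extension cannot bypass the ALLOW and DENY decision) is unchanged.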
          diff --git a/content/zh/docs/reference/config/security/jwt/index.html b/content/zh/docs/reference/config/security/jwt/index.html
          index c2503f7ba1aa0..b8a08bcf6f5f6 100644
          --- a/content/zh/docs/reference/config/security/jwt/index.html
          +++ b/content/zh/docs/reference/config/security/jwt/index.html
          @@ -12,21 +12,21 @@
           ---
           

          JWTRule

          -

          JSON Web Token (JWT) token format for authentication as defined by
          -RFC 7519. See OAuth 2.0 and
          -OIDC 1.0 for how this is used in the whole
          +

          JSON Web Token (JWT) token format for authentication as defined by +RFC 7519. See OAuth 2.0 and +OIDC 1.0 for how this is used in the whole authentication flow.

          Examples:

          -

          Spec for a JWT that is issued by https://example.com, with the audience claims must be either
          -bookstore_android.apps.example.com or bookstore_web.apps.example.com.
          -The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS)
          +

          Spec for a JWT that is issued by https://example.com, with the audience claims must be either +bookstore_android.apps.example.com or bookstore_web.apps.example.com. +The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) will be discovered following OpenID Connect protocol.

          issuer: https://example.com
           audiences:
           - bookstore_android.apps.example.com
             bookstore_web.apps.example.com
           
          -

          This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also
          +

          This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also defines the URI to fetch JWKS explicitly.

          issuer: https://example.com
           jwksUri: https://example.com/.secret/jwks.json
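Review bot: in the unchanged context of the first JWTRule example the second audience entry appears as "bookstore_web.apps.example.com" with no leading "- ", so as YAML it would fold into the previous scalar and the example would declare a single audience, "bookstore_android.apps.example.com bookstore_web.apps.example.com", instead of two. If only this view lost the dash it is harmless, but please confirm the rendered example still lists both audiences as separate items, since the audience check is what ties a token to this service.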
          @@ -48,10 +48,10 @@ 

          JWTRule

          issuer string -

          Identifies the issuer that issued the JWT. See
          -issuer
          +

          Identifies the issuer that issued the JWT. See +issuer A JWT with different iss claim will be rejected.

          -

          Example: https://foobar.auth0.com
          +

          Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com

          audiences string[] -

          The list of JWT
          -audiences.
          -that are allowed to access. A JWT containing any of these
          +

          The list of JWT +audiences. +that are allowed to access. A JWT containing any of these audiences will be accepted.

          The service name will be accepted if audiences is empty.

          Example:
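Review bot: two punctuation slips survive in the added issuer and audiences text: "See issuer A JWT with different iss claim will be rejected" is missing a sentence break after the issuer link, and "The list of JWT audiences. that are allowed to access" has a stray period after the audiences link that splits the sentence. Both come from the upstream proto comments and need an istio/api fix; suggested readings are "See issuer. A JWT with a different iss claim will be rejected." and "The list of JWT audiences that are allowed to access."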

          @@ -83,12 +83,12 @@

          JWTRule

          jwksUri string -

          URL of the provider's public key set to validate signature of the
          +

          URL of the provider's public key set to validate signature of the JWT. See OpenID Discovery.

          -

          Optional if the key set document can either (a) be retrieved from
          -OpenID
          -Discovery
          of
          -the issuer or (b) inferred from the email domain of the issuer (e.g. a
          +

          Optional if the key set document can either (a) be retrieved from +OpenID +Discovery of +the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account).

          Example: https://www.googleapis.com/oauth2/v1/certs

          Note: Only one of jwksUri and jwks should be used.
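Review bot: the unchanged context line "of" sitting between the removed "OpenID" / "Discovery" lines and their added counterparts shows that only the lines carrying link text were rewritten, so this hunk is an anchor-markup change rather than a wording change; spot-check the rendered jwksUri description to confirm the OpenID Discovery link still points where it did, as this is the field that decides where signing keys are fetched from.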

          @@ -102,7 +102,7 @@

          JWTRule

          jwks string -

          JSON Web Key Set of public keys to validate signature of the JWT.
          +

          JSON Web Key Set of public keys to validate signature of the JWT. See https://auth0.com/docs/jwks.

          Note: Only one of jwksUri and jwks should be used.

          @@ -115,13 +115,13 @@

          JWTRule

          fromHeaders JWTHeader[] -

          List of header locations from which JWT is expected. For example, below is the location spec
          +

          List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in x-jwt-assertion header, and have "Bearer " prefix:

            fromHeaders:
             - name: x-jwt-assertion
               prefix: "Bearer "
           
          -

          Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
          +

          Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

          fromParams string[] -

          List of query parameters from which JWT is expected. For example, if JWT is provided via query
          -parameter my_token (e.g /path?my_token=), the config is:

          +

          List of query parameters from which JWT is expected. For example, if JWT is provided via query +parameter my_token (e.g /path?my_token=), the config is:

            fromParams:
             - "my_token"
           
          -

          Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
          +

          Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.
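Review bot: the fromParams example "(e.g /path?my_token=)" ends with an empty value on both the removed and the added line; if the source comment uses an angle-bracket placeholder after the "=", the renderer is swallowing it as raw HTML and it should be escaped so the example shows where the token goes. "e.g" is also missing its final period.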

          outputPayloadToHeader string -

          This field specifies the header name to output a successfully verified JWT payload to the
          -backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified,
          +

          This field specifies the header name to output a successfully verified JWT payload to the +backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted.

          prefix string -

          The prefix that should be stripped before decoding the token.
          -For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end.
          +

          The prefix that should be stripped before decoding the token. +For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end. If the header doesn't have this exact prefix, it is considered invalid.

          selector WorkloadSelector -

          The selector determines the workloads to apply the ChannelAuthentication on.
          +

          The selector determines the workloads to apply the ChannelAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.
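Review bot: the added selector text refers to "the ChannelAuthentication", a name that appears nowhere else in this diff; confirm it is the resource this page documents, and if it is a stale name the fix belongs in the upstream proto comment rather than in the generated HTML.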

          portLevelMtls map<uint32, MutualTLS> -

          Port specific mutual TLS settings. These only apply when a workload selector
          +

          Port specific mutual TLS settings. These only apply when a workload selector is specified.

          selector WorkloadSelector -

          Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
          -in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
          +

          Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads +in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

          If not set, the selector will match all workloads.

          @@ -231,12 +231,12 @@

          RequestAuthentication

          jwtRules JWTRule[] -

          Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token
          -will be used to extract the authenticated identity.
          -Each rule will be activated only when a token is presented at the location recognized by the
          -rule. The token will be validated based on the JWT rule config. If validation fails, the request will
          -be rejected.
          -Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
          +

          Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token +will be used to extract the authenticated identity. +Each rule will be activated only when a token is presented at the location recognized by the +rule. The token will be validated based on the JWT rule config. If validation fails, the request will +be rejected. +Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

          selector WorkloadSelector -

          Optional. The selector decides where to apply the Telemetry policy.
          -If not set, the Telemetry policy will be applied to all workloads in the
          +

          Optional. The selector decides where to apply the Telemetry policy. +If not set, the Telemetry policy will be applied to all workloads in the same namespace as the Telemetry policy.

          tracing Tracing[] -

          Optional. Tracing configures the tracing behavior for all
          +

          Optional. Tracing configures the tracing behavior for all selected workloads.

          metrics Metrics[] -

          Optional. Metrics configure the metrics behavior for all
          +

          Optional. Metrics configure the metrics behavior for all selected workloads.

          accessLogging AccessLogging[] -

          Optional. AccessLogging configures the access logging behavior for all
          +

          Optional. AccessLogging configures the access logging behavior for all selected workloads.

          @@ -280,10 +280,10 @@

          Tracing

          @@ -295,13 +295,13 @@

          Tracing

          @@ -313,8 +313,8 @@

          Tracing

          @@ -338,7 +338,7 @@

          Tracing

          ProviderRef

          -

          Used to bind Telemetry configuration to specific providers for
          +

          Used to bind Telemetry configuration to specific providers for targeted customization.

          providers ProviderRef[] -

          Optional. Name of provider(s) to use for span reporting. If a provider is
          -not specified, the default tracing
          -provider
          will be
          -used. NOTE: At the moment, only a single provider can be specified in a
          +

          Optional. Name of provider(s) to use for span reporting. If a provider is +not specified, the default tracing +provider will be +used. NOTE: At the moment, only a single provider can be specified in a given Tracing rule.

          randomSamplingPercentage DoubleValue -

          Controls the rate at which traffic will be selected for tracing if no
          -prior sampling decision has been made. If a prior sampling decision has
          -been made, that decision will be respected. However, if no sampling
          -decision has been made (example: no x-b3-sampled tracing header was
          -present in the requests), the traffic will be selected for telemetry
          +

          Controls the rate at which traffic will be selected for tracing if no +prior sampling decision has been made. If a prior sampling decision has +been made, that decision will be respected. However, if no sampling +decision has been made (example: no x-b3-sampled tracing header was +present in the requests), the traffic will be selected for telemetry generation at the percentage specified.

          -

          Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01%
          +

          Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% increments.

          disableSpanReporting BoolValue -

          Controls span reporting. If set to true, no spans will be reported for
          -impacted workloads. This does NOT impact context propagation or trace
          +

          Controls span reporting. If set to true, no spans will be reported for +impacted workloads. This does NOT impact context propagation or trace sampling behavior.

          @@ -367,8 +367,8 @@

          ProviderRef

          Metrics

          -

          Metrics defines the workload-level overrides for metrics generation behavior
          -within a mesh. It can be used to enable/disable metrics generation, as well
          +

          Metrics defines the workload-level overrides for metrics generation behavior +within a mesh. It can be used to enable/disable metrics generation, as well as to customize the dimensions of the generated metrics.

          @@ -385,9 +385,9 @@

          Metrics

          @@ -400,17 +400,17 @@

          Metrics

          @@ -423,7 +423,7 @@

          Metrics

          MetricSelector

          -

          Provides a mechanism for matching metrics for the application of override
          +

          Provides a mechanism for matching metrics for the application of override behaviors.

          providers ProviderRef[] -

          Optional. Name of providers to which this configuration should apply.
          -If a provider is not specified, the default metrics
          -provider
          will be
          +

          Optional. Name of providers to which this configuration should apply. +If a provider is not specified, the default metrics +provider will be used.

          MetricsOverrides[]

          Optional. Ordered list of overrides to metrics generation behavior.

          -

          Specified overrides will be applied in order. They will be applied on
          -top of inherited overrides from other resources in the hierarchy in the
          +

          Specified overrides will be applied in order. They will be applied on +top of inherited overrides from other resources in the hierarchy in the following order:

          1. Mesh-scoped overrides
          2. Namespace-scoped overrides
          3. Workload-scoped overrides
          -

          Because overrides are applied in order, users are advised to order their
          -overrides from least specific to most specific matches. That is, it is
          -a best practice to list any universal overrides first, with tailored
          +

          Because overrides are applied in order, users are advised to order their +overrides from least specific to most specific matches. That is, it is +a best practice to list any universal overrides first, with tailored overrides following them.

          @@ -451,7 +451,7 @@

          MetricSelector

          @@ -463,7 +463,7 @@

          MetricSelector

          @@ -476,7 +476,7 @@

          MetricSelector

          MetricsOverrides

          -

          MetricsOverrides defines custom metric generation behavior for an individual
          +

          MetricsOverrides defines custom metric generation behavior for an individual metric or the set of all standard metrics.

          customMetric string (oneof) -

          Allows free-form specification of a metric. No validation of custom
          +

          Allows free-form specification of a metric. No validation of custom metrics is provided.

          mode WorkloadMode -

          Controls which mode of metrics generation is selected: CLIENT and/or
          +

          Controls which mode of metrics generation is selected: CLIENT and/or SERVER.

          @@ -493,10 +493,10 @@

          MetricsOverrides

          @@ -508,9 +508,9 @@

          MetricsOverrides

          @@ -522,11 +522,11 @@

          MetricsOverrides

          @@ -539,8 +539,8 @@

          MetricsOverrides

          AccessLogging

          -

          Access logging defines the workload-level overrides for access log
          -generation. It can be used to select provider or enable/disable access log
          +

          Access logging defines the workload-level overrides for access log +generation. It can be used to select provider or enable/disable access log generation for a workload.

          match MetricSelector -

          Match allows provides the scope of the override. It can be used to select
          -individual metrics, as well as the workload modes (server and/or client)
          +

          Match allows provides the scope of the override. It can be used to select +individual metrics, as well as the workload modes (server and/or client) in which the metrics will be generated.

          -

          If match is not specified, the overrides will apply to all metrics for
          +

          If match is not specified, the overrides will apply to all metrics for both modes of operation (client and server).

          disabled BoolValue -

          Optional. Must explicitly set this to "true" to turn off metrics reporting
          -for the listed metrics. If disabled has been set to "true" in a parent
          -configuration, it must explicitly be set to "false" to turn metrics
          +

          Optional. Must explicitly set this to "true" to turn off metrics reporting +for the listed metrics. If disabled has been set to "true" in a parent +configuration, it must explicitly be set to "false" to turn metrics reporting on in the workloads selected by the Telemetry resource.

          tagOverrides map<string, TagOverride> -

          Optional. Collection of tag names and tag expressions to override in the
          -selected metric(s).
          -The key in the map is the name of the tag.
          -The value in the map is the operation to perform on the the tag.
          -WARNING: some providers may not support adding/removing tags.
          +

          Optional. Collection of tag names and tag expressions to override in the +selected metric(s). +The key in the map is the name of the tag. +The value in the map is the operation to perform on the the tag. +WARNING: some providers may not support adding/removing tags. See also: https://istio.io/latest/docs/reference/config/metrics/#labels
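Review bot: the added match and tagOverrides text keeps two typos from the upstream comments: "Match allows provides the scope of the override" (drop either "allows" or "provides") and "the operation to perform on the the tag" (doubled "the"). Worth fixing in istio/api before regenerating. The added tagOverrides line also ends with the raw URL https://istio.io/latest/docs/reference/config/metrics/#labels; confirm it still renders as a link.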

          @@ -568,8 +568,8 @@

          AccessLogging

          @@ -581,10 +581,10 @@

          AccessLogging

          @@ -596,7 +596,7 @@

          AccessLogging

          @@ -609,7 +609,7 @@

          AccessLogging

          Tracing.TracingSelector

          -

          TracingSelector provides a coarse-grained ability to configure tracing
          +

          TracingSelector provides a coarse-grained ability to configure tracing behavior based on certain traffic metadata (such as traffic direction).

          providers ProviderRef[] -

          Optional. Name of providers to which this configuration should apply.
          -If a provider is not specified, the default logging
          +

          Optional. Name of providers to which this configuration should apply. +If a provider is not specified, the default logging provider will be used.

          disabled BoolValue -

          Controls logging. If set to true, no access logs will be generated for
          -impacted workloads (for the specified providers).
          -NOTE: currently default behavior will be controlled by the provider(s)
          -selected above. Customization controls will be added to this API in
          +

          Controls logging. If set to true, no access logs will be generated for +impacted workloads (for the specified providers). +NOTE: currently default behavior will be controlled by the provider(s) +selected above. Customization controls will be added to this API in future releases.

          filter Filter -

          Optional. If specified, this filter will be used to select specific
          +

          Optional. If specified, this filter will be used to select specific requests/connections for logging.

          @@ -626,7 +626,7 @@

          Tracing.TracingSelector

          @@ -639,11 +639,11 @@

          Tracing.TracingSelector

          Tracing.CustomTag

          -

          CustomTag defines a tag to be added to a trace span that is based on
          -an operator-supplied value. This value can either be a hard-coded value,
          -a value taken from an environment variable known to the sidecar proxy, or
          +

          CustomTag defines a tag to be added to a trace span that is based on +an operator-supplied value. This value can either be a hard-coded value, +a value taken from an environment variable known to the sidecar proxy, or from a request header.

          -

          NOTE: when specified, custom_tags will fully replace any values provided
          +

          NOTE: when specified, custom_tags will fully replace any values provided by parent configuration.

          mode WorkloadMode -

          This determines whether or not to apply the tracing configuration
          +

          This determines whether or not to apply the tracing configuration based on the direction of traffic relative to the proxied workload.

          @@ -682,7 +682,7 @@

          Tracing.CustomTag

          @@ -746,7 +746,7 @@

          Tracing.Environment

          @@ -784,7 +784,7 @@

          Tracing.RequestHeader

          @@ -797,8 +797,8 @@

          Tracing.RequestHeader

          MetricsOverrides.TagOverride

          -

          TagOverride specifies an operation to perform on a metric dimension (also
          -known as a label). Tags may be added, removed, or have their default
          +

          TagOverride specifies an operation to perform on a metric dimension (also +known as a label). Tags may be added, removed, or have their default values overridden.

          header RequestHeader (oneof) -

          RequestHeader adds the value of an header from the request to each
          +

          RequestHeader adds the value of an header from the request to each span.

          defaultValue string -

          Optional. If the environment variable is not found, this value will be
          +

          Optional. If the environment variable is not found, this value will be used instead.

          defaultValue string -

          Optional. If the header is not found, this value will be
          +

          Optional. If the header is not found, this value will be used instead.

          @@ -826,13 +826,13 @@

          MetricsOverrides.TagOverride

          @@ -845,11 +845,11 @@

          MetricsOverrides.TagOverride

          AccessLogging.LogSelector

          -

          LogSelector provides a coarse-grained ability to configure logging behavior
          -based on certain traffic metadata (such as traffic direction). LogSelector
          -applies to traffic metadata which is not represented in the attribute set
          -currently supported by Filters. It allows control planes to limit the
          -configuration sent to individual workloads. Finer-grained logging behavior
          +

          LogSelector provides a coarse-grained ability to configure logging behavior +based on certain traffic metadata (such as traffic direction). LogSelector +applies to traffic metadata which is not represented in the attribute set +currently supported by Filters. It allows control planes to limit the +configuration sent to individual workloads. Finer-grained logging behavior can be further configured via filter.

          value string -

          Value is only considered if the operation is UPSERT.
          -Values are CEL expressions over
          -attributes. Examples include: "string(destination.port)" and
          -"request.host". Istio exposes all standard Envoy
          -attributes
          .
          -Additionally, Istio exposes node metadata as attributes.
          -More information is provided in the customization
          +

          Value is only considered if the operation is UPSERT. +Values are CEL expressions over +attributes. Examples include: "string(destination.port)" and +"request.host". Istio exposes all standard Envoy +attributes. +Additionally, Istio exposes node metadata as attributes. +More information is provided in the customization docs.

          @@ -866,7 +866,7 @@

          AccessLogging.LogSelector

          @@ -912,8 +912,8 @@

          AccessLogging.Filter

          MetricSelector.IstioMetric

          -

          Curated list of known metric types that is supported by Istio metric
          -providers. See also:
          +

          Curated list of known metric types that is supported by Istio metric +providers. See also: https://istio.io/latest/docs/reference/config/metrics/#metrics

          mode WorkloadMode -

          This determines whether or not to apply the access logging configuration
          +

          This determines whether or not to apply the access logging configuration based on the direction of traffic relative to the proxied workload.

          @@ -927,7 +927,7 @@

          MetricSelector.IstioMetric

          @@ -935,7 +935,7 @@

          MetricSelector.IstioMetric

          @@ -1058,7 +1058,7 @@

          MetricSelector.IstioMetric

          @@ -1079,7 +1079,7 @@

          MetricsOverrides.TagOverride.Ope

          @@ -1087,7 +1087,7 @@

          MetricsOverrides.TagOverride.Ope

          @@ -1097,11 +1097,11 @@

          MetricsOverrides.TagOverride.Ope

          WorkloadMode

          -

          WorkloadMode allows selection of the role of the underlying workload in
          -network traffic. A workload is considered as acting as a SERVER if it is
          -the destination of the traffic (that is, traffic direction, from the
          -perspective of the workload is inbound). If the workload is the source of
          -the network traffic, it is considered to be in CLIENT mode (traffic is
          +

          WorkloadMode allows selection of the role of the underlying workload in +network traffic. A workload is considered as acting as a SERVER if it is +the destination of the traffic (that is, traffic direction, from the +perspective of the workload is inbound). If the workload is the source of +the network traffic, it is considered to be in CLIENT mode (traffic is outbound from the workload).

          ALL_METRICS -

          Use of this enum indicates that the override should apply to all Istio
          +

          Use of this enum indicates that the override should apply to all Istio default metrics.

          REQUEST_COUNT -

          Counter of requests to/from an application, generated for HTTP, HTTP/2,
          +

          Counter of requests to/from an application, generated for HTTP, HTTP/2, and GRPC traffic.

          The Prometheus provider exports this metric as: istio_requests_total.

          The Stackdriver provider exports this metric as:
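Review bot: every IstioMetric entry in this diff ends its Stackdriver line at the colon ("The Stackdriver provider exports this metric as:") on both the `-` and `+` side, with only the Prometheus names (istio_requests_total and so on) visible; confirm the Stackdriver metric identifiers are present in the generated HTML and were not dropped by the new renderer, since an operator moving alerting rules between providers relies on that mapping.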

          @@ -949,9 +949,9 @@

          MetricSelector.IstioMetric

          REQUEST_DURATION -

          Histogram of request durations, generated for HTTP, HTTP/2, and GRPC
          +

          Histogram of request durations, generated for HTTP, HTTP/2, and GRPC traffic.

          -

          The Prometheus provider exports this metric as:
          +

          The Prometheus provider exports this metric as: istio_request_duration_milliseconds.

          The Stackdriver provider exports this metric as:

            @@ -964,7 +964,7 @@

            MetricSelector.IstioMetric

          REQUEST_SIZE -

          Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC
          +

          Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC traffic.

          The Prometheus provider exports this metric as: istio_request_bytes.

          The Stackdriver provider exports this metric as:

          @@ -978,7 +978,7 @@

          MetricSelector.IstioMetric

          RESPONSE_SIZE -

          Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC
          +

          Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC traffic.

          The Prometheus provider exports this metric as: istio_response_bytes.

          The Stackdriver provider exports this metric as:

          @@ -993,7 +993,7 @@

          MetricSelector.IstioMetric

          TCP_OPENED_CONNECTIONS

          Counter of TCP connections opened over lifetime of workload.

          -

          The Prometheus provider exports this metric as:
          +

          The Prometheus provider exports this metric as: istio_tcp_connections_opened_total.

          The Stackdriver provider exports this metric as:

            @@ -1007,7 +1007,7 @@

            MetricSelector.IstioMetric

          TCP_CLOSED_CONNECTIONS

          Counter of TCP connections closed over lifetime of workload.

          -

          The Prometheus provider exports this metric as:
          +

          The Prometheus provider exports this metric as: istio_tcp_connections_closed_total.

          The Stackdriver provider exports this metric as:

            @@ -1021,7 +1021,7 @@

            MetricSelector.IstioMetric

          TCP_SENT_BYTES

          Counter of bytes sent during a response over a TCP connection.

          -

          The Prometheus provider exports this metric as:
          +

          The Prometheus provider exports this metric as: istio_tcp_sent_bytes_total.

          The Stackdriver provider exports this metric as:

            @@ -1035,7 +1035,7 @@

            MetricSelector.IstioMetric

          TCP_RECEIVED_BYTES

          Counter of bytes received during a request over a TCP connection.

          -

          The Prometheus provider exports this metric as:
          +

          The Prometheus provider exports this metric as: istio_tcp_received_bytes_total.

          The Stackdriver provider exports this metric as:

            @@ -1049,7 +1049,7 @@

            MetricSelector.IstioMetric

          GRPC_REQUEST_MESSAGES

          Counter incremented for every gRPC messages sent from a client.

          -

          The Prometheus provider exports this metric as:
          +

          The Prometheus provider exports this metric as: istio_request_messages_total

          GRPC_RESPONSE_MESSAGES

          Counter incremented for every gRPC messages sent from a server.

          -

          The Prometheus provider exports this metric as:
          +

          The Prometheus provider exports this metric as: istio_response_messages_total
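Review bot: "Counter incremented for every gRPC messages sent from a client." and the matching server entry should read "every gRPC message"; as with the other proto-comment wording, fix it upstream in istio/api. Also, istio_request_messages_total and istio_response_messages_total are the only Prometheus names on this page without a terminating period, a style nit in the same source comment.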

          UPSERT -

          Insert or Update the tag with the provided value expression. The
          +

          Insert or Update the tag with the provided value expression. The value field MUST be specified if UPSERT is used as the operation.

          REMOVE -

          Specifies that the tag should not be included in the metric when
          +

          Specifies that the tag should not be included in the metric when generated.

          @@ -1115,7 +1115,7 @@

          WorkloadMode

          @@ -1123,7 +1123,7 @@

          WorkloadMode

          @@ -1131,7 +1131,7 @@

          WorkloadMode

          diff --git a/content/zh/docs/reference/config/type/workload-selector/index.html b/content/zh/docs/reference/config/type/workload-selector/index.html index b070f64ded174..3c494d39d60f0 100644 --- a/content/zh/docs/reference/config/type/workload-selector/index.html +++ b/content/zh/docs/reference/config/type/workload-selector/index.html @@ -10,11 +10,11 @@ ---

          WorkloadSelector

          -

          WorkloadSelector specifies the criteria used to determine if a policy can be applied
          -to a proxy. The matching criteria includes the metadata associated with a proxy,
          -workload instance info such as labels attached to the pod/VM, or any other info
          -that the proxy provides to Istio during the initial handshake. If multiple conditions are
          -specified, all conditions need to match in order for the workload instance to be
          +

          WorkloadSelector specifies the criteria used to determine if a policy can be applied +to a proxy. The matching criteria includes the metadata associated with a proxy, +workload instance info such as labels attached to the pod/VM, or any other info +that the proxy provides to Istio during the initial handshake. If multiple conditions are +specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.

          CLIENT_AND_SERVER -

          Selects for scenarios when the workload is either the
          +

          Selects for scenarios when the workload is either the source or destination of the network traffic.

          CLIENT -

          Selects for scenarios when the workload is the
          +

          Selects for scenarios when the workload is the source of the network traffic.

          SERVER -

          Selects for scenarios when the workload is the
          +

          Selects for scenarios when the workload is the destination of the network traffic.

          @@ -31,8 +31,8 @@

          WorkloadSelector

          @@ -45,7 +45,7 @@

          WorkloadSelector

          PortSelector

          -

          PortSelector is the criteria for specifying if a policy can be applied to
          +

          PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.

          matchLabels map<string, string> -

          One or more labels that indicate a specific set of pods/VMs
          -on which a policy should be applied. The scope of label search is restricted to
          +

          One or more labels that indicate a specific set of pods/VMs +on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.

          @@ -74,11 +74,11 @@

          PortSelector

          WorkloadMode

          -

          WorkloadMode allows selection of the role of the underlying workload in
          -network traffic. A workload is considered as acting as a SERVER if it is
          -the destination of the traffic (that is, traffic direction, from the
          -perspective of the workload is inbound). If the workload is the source of
          -the network traffic, it is considered to be in CLIENT mode (traffic is
          +

          WorkloadMode allows selection of the role of the underlying workload in +network traffic. A workload is considered as acting as a SERVER if it is +the destination of the traffic (that is, traffic direction, from the +perspective of the workload is inbound). If the workload is the source of +the network traffic, it is considered to be in CLIENT mode (traffic is outbound from the workload).

          @@ -99,8 +99,8 @@

          WorkloadMode

          @@ -108,7 +108,7 @@

          WorkloadMode

          @@ -116,7 +116,7 @@

          WorkloadMode

          From bda4007bcb3214ce160540295a17163ca530f330 Mon Sep 17 00:00:00 2001 
From: Eric Van Norman Date: Fri, 14 Oct 2022 12:05:37 -0500 Subject: [PATCH 3/3] Use the latest build tools image --- .../config/istio.analysis.v1alpha1/index.html | 16 +-- .../config/istio.mesh.v1alpha1/index.html | 130 +++++++++--------- .../config/istio.operator.v1alpha1/index.html | 18 +-- .../meta/v1beta1/istio-status/index.html | 6 +- .../networking/destination-rule/index.html | 60 ++++---- .../config/networking/envoy-filter/index.html | 24 ++-- .../config/networking/gateway/index.html | 18 +-- .../networking/service-entry/index.html | 22 +-- .../config/networking/sidecar/index.html | 8 +- .../networking/virtual-service/index.html | 92 ++++++------- .../networking/workload-entry/index.html | 12 +- .../networking/workload-group/index.html | 6 +- .../proxy_extensions/wasm-plugin/index.html | 14 +- .../security/authorization-policy/index.html | 64 ++++----- .../reference/config/security/jwt/index.html | 8 +- .../request_authentication/index.html | 8 +- .../reference/config/telemetry/index.html | 12 +- .../config/istio.analysis.v1alpha1/index.html | 16 +-- .../config/istio.mesh.v1alpha1/index.html | 130 +++++++++--------- .../config/istio.operator.v1alpha1/index.html | 18 +-- .../meta/v1beta1/istio-status/index.html | 6 +- .../networking/destination-rule/index.html | 60 ++++---- .../config/networking/envoy-filter/index.html | 24 ++-- .../config/networking/gateway/index.html | 18 +-- .../networking/service-entry/index.html | 22 +-- .../config/networking/sidecar/index.html | 8 +- .../networking/virtual-service/index.html | 92 ++++++------- .../networking/workload-entry/index.html | 12 +- .../networking/workload-group/index.html | 6 +- .../proxy_extensions/wasm-plugin/index.html | 14 +- .../security/authorization-policy/index.html | 64 ++++----- .../reference/config/security/jwt/index.html | 8 +- .../request_authentication/index.html | 8 +- .../reference/config/telemetry/index.html | 12 +- 34 files changed, 518 insertions(+), 518 deletions(-) 
diff --git a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html index be16cc59a07b1..6f24f5da011f4 100644 --- a/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -65,10 +65,10 @@

          AnalysisMessageBase

          AnalysisMessageWeakSchema

          -

          AnalysisMessageWeakSchema is the set of information that's needed to define a +

          AnalysisMessageWeakSchema is the set of information that’s needed to define a weakly-typed schema. The purpose of this proto is to provide a mechanism for validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make -sure that we don't allow committing underspecified types.

          +sure that we don’t allow committing underspecified types.

          CLIENT -

          Selects for scenarios when the workload is the
          -source of the network traffic. In addition,
          +

          Selects for scenarios when the workload is the +source of the network traffic. In addition, if the workload is a gateway, selects this.

          SERVER -

          Selects for scenarios when the workload is the
          +

          Selects for scenarios when the workload is the destination of the network traffic.

          CLIENT_AND_SERVER -

          Selects for scenarios when the workload is either the
          +

          Selects for scenarios when the workload is either the source or destination of the network traffic.
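Review bot: the en copy of WorkloadMode.CLIENT regenerated here reads "Selects for scenarios when the workload is the +source of the network traffic. In addition, if the workload is a gateway, selects this.", but the zh copy of WorkloadMode.CLIENT in content/zh/docs/reference/config/type/workload-selector/index.html earlier in this series stops at "source of the network traffic." Whether a gateway matches CLIENT decides which Telemetry and selector-based policies apply to ingress traffic, so regenerate the zh page from the same istio/api revision rather than shipping two language versions with different selector semantics.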

          @@ -175,8 +175,8 @@

          GenericAnalysisMessage

          @@ -264,7 +264,7 @@

          AnalysisMessageBase.Type

          @@ -304,7 +304,7 @@

          AnalysisMessageWeakSchema.ArgType

          Required. Should be a golang type, used in code generation. Ideally this will change to a less language-pinned type before this gets -out of alpha, but for compatibility with current istio/istio code it's +out of alpha, but for compatibility with current istio/istio code it’s go_type for now.

          diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html index 4158228a0a596..7d08859d3f7e9 100644 --- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -172,7 +172,7 @@

          MeshConfig

          @@ -211,7 +211,7 @@

          MeshConfig

          @@ -324,7 +324,7 @@

          MeshConfig

          @@ -384,7 +384,7 @@

          MeshConfig

          @@ -533,7 +533,7 @@

          MeshConfig

          @@ -557,7 +557,7 @@

          MeshConfig

          @@ -1265,7 +1265,7 @@

          Mesh

          @@ -1310,7 +1310,7 @@

          Mes The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

          +

          Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.
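Review bot: the ext-authz hostname examples now render as “my-ext-authz.foo.svc.cluster.local” and “bar/my-ext-authz.example.com” with typographic quotes, and the envoy-als examples in the -2121 and -2191 hunks change the same way; these are values meant to be pasted into a MeshConfig extension provider, and the curly quotes come from the Goldmark typographer. Mark them as code spans in the proto comment, or disable the typographer for the reference pages, so the rendered text keeps literal ASCII quotes.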

          @@ -1450,9 +1450,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
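Review bot: the match examples in this hunk and in the identical -1474 and -1495 hunks turn “abc*” and “*abc” into typographic quotes; these exact, prefix and suffix patterns are compared literally against the value and the paragraph ties them to the authorization-policy rule syntax, so the same code-span fix upstream applies here. Also confirm the bare https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule URL in the "except the presence match" aside renders as a link.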
          @@ -1474,9 +1474,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
          @@ -1495,9 +1495,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
          @@ -1528,7 +1528,7 @@

          Mes The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

          +

          Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

          @@ -2121,7 +2121,7 @@

          MeshConfig.Exten The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          +

          Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

          @@ -2191,7 +2191,7 @@

          MeshConfig.E The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          +

          Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

          @@ -2229,7 +2229,7 @@

          MeshConfig.E

          @@ -2396,8 +2396,8 @@

          k8s.io.apimachinery.

          @@ -2610,7 +2610,7 @@

          ProxyConfig

          source-based routing scenarios.

          Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the -source/caller's identity (e.g., IP address) is encoded in the +source/caller’s identity (e.g., IP address) is encoded in the --service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances @@ -2723,10 +2723,10 @@

          ProxyConfig

          @@ -2788,7 +2788,7 @@

          ProxyConfig

          Address of the service to which access logs from Envoys should be sent. (e.g. accesslog-service:15000). See Access Log Service -for details about Envoy's gRPC Access Log Service API.

          +for details about Envoy’s gRPC Access Log Service API.

          @@ -3106,7 +3106,7 @@

          Tracing.Datadog

          Tracing.Stackdriver

          Stackdriver defines configuration for a Stackdriver tracer. -See Envoy's OpenCensus trace configuration +See Envoy’s OpenCensus trace configuration and OpenCensus trace config for details.

          @@ -3127,7 +3127,7 @@

          Tracing.OpenCensusAgent

          OpenCensusAgent defines configuration for an OpenCensus tracer writing to an OpenCensus agent backend. See -Envoy's OpenCensus trace configuration +Envoy’s OpenCensus trace configuration and OpenCensus trace config for details.

          @@ -3361,8 +3361,8 @@

          Network.NetworkEndpoints

        • Explicitly:

          -

          a. By matching the registry name with one of the "fromRegistry" -in the mesh config. A "from_registry" can only be assigned to a +

          a. By matching the registry name with one of the “fromRegistry” +in the mesh config. A “from_registry” can only be assigned to a single network.

          b. By matching the IP against one of the CIDR ranges in a mesh config network. The CIDR ranges must not overlap and be assigned to diff --git a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html index 7578af3f61ccc..f1c5f2147174f 100644 --- a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html @@ -11,7 +11,7 @@ ---

          Configuration affecting Istio control plane installation version and shape. Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. -Without camelCase, the json tag on the Go struct will not match the user's JSON representation. +Without camelCase, the json tag on the Go struct will not match the user’s JSON representation. This leads to Kubernetes merge libraries, which rely on this tag, to fail. All other usages use jsonpb which does not use the json tag.

          @@ -3932,7 +3932,7 @@

          k8s.io.api.core.v1.VolumeMount

        • @@ -3971,9 +3971,9 @@

          k8s.io.api.core.v1.VolumeMount

          diff --git a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html index dd12e7e66e07d..26571416221c2 100644 --- a/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/en/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -39,7 +39,7 @@

          IstioStatus

          diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html index f9fd94989fda2..fbd76d8218180 100644 --- a/content/en/docs/reference/config/networking/destination-rule/index.html +++ b/content/en/docs/reference/config/networking/destination-rule/index.html @@ -201,15 +201,15 @@

          DestinationRule

          @@ -367,7 +367,7 @@

          TrafficPolicy

          @@ -899,7 +899,7 @@

          OutlierDetection

          ClientTLSSettings

          -

          SSL/TLS related settings for upstream connections. See Envoy's TLS +

          SSL/TLS related settings for upstream connections. See Envoy’s TLS context for more details. These settings are common to both HTTP and TCP upstreams.

          For example, the following rule configures a client to use mutual TLS @@ -1033,7 +1033,7 @@

          ClientTLSSettings

          @@ -1047,7 +1047,7 @@

          ClientTLSSettings

          @@ -1086,7 +1086,7 @@

          ClientTLSSettings

          @@ -1845,8 +1845,8 @@

          ConnectionPoolSettings.

          LocalityLoadBalancerSetting.Distribute

          -

          Describes how traffic originating in the 'from' zone or sub-zone is -distributed over a set of 'to' zones. Syntax for specifying a zone is +

          Describes how traffic originating in the ‘from’ zone or sub-zone is +distributed over a set of ’to’ zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples:

          * - matches all localities
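Review bot: in the LocalityLoadBalancerSetting.Distribute description the `+` side renders ‘from’ with an opening quote but ’to’ with a closing quote on both sides ("Describes how traffic originating in the ‘from’ zone or sub-zone is +distributed over a set of ’to’ zones"), an artifact of the typographer guessing quote direction; these are field names, so a code span in the proto comment fixes both the direction and the copy-paste problem. Also confirm "* - matches all localities" keeps its literal asterisk rather than being parsed as emphasis.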

          @@ -1867,7 +1867,7 @@

          LocalityLoadBalancerSetting.Dist

          @@ -947,7 +947,7 @@

          EnvoyFilter.RouteC

          @@ -1001,7 +1001,7 @@

          EnvoyFilter.ListenerMatch.Fi

          diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html index ce493547a31ce..658f0c5b6e271 100644 --- a/content/en/docs/reference/config/networking/gateway/index.html +++ b/content/en/docs/reference/config/networking/gateway/index.html @@ -136,9 +136,9 @@ http://uk.bookinfo.com:9080/reviews, http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of an internal reviews service on port 9080. In addition, requests -containing the cookie "user: dev-123" will be sent to special port 7777 +containing the cookie “user: dev-123” will be sent to special port 7777 in the qa version. The same rule is also applicable inside the mesh for -requests to the "reviews.prod.svc.cluster.local" service. This rule is +requests to the “reviews.prod.svc.cluster.local” service. This rule is applicable across ports 443, 9080. Note that http://uk.bookinfo.com gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

          {{}} @@ -346,8 +346,8 @@

          Gateway

          One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. By default workloads are searched across all namespaces based on label selectors. -This implies that a gateway resource in the namespace "foo" can select pods in -the namespace "bar" based on labels. +This implies that a gateway resource in the namespace “foo” can select pods in +the namespace “bar” based on labels. This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE environment variable in istiod. If this variable is set to true, the scope of label search is restricted to the configuration @@ -545,12 +545,12 @@

          Server

          Any associated DestinationRule in the selected namespace will also be used.

          A VirtualService must be bound to the gateway and must have one or more hosts that match the hosts specified in a server. The match -could be an exact match or a suffix match with the server's hosts. For -example, if the server's hosts specifies *.example.com, a +could be an exact match or a suffix match with the server’s hosts. For +example, if the server’s hosts specifies *.example.com, a VirtualService with hosts dev.example.com or prod.example.com will match. However, a VirtualService with host example.com or newexample.com will not match.

          -

          NOTE: Only virtual services exported to the gateway's namespace +

          NOTE: Only virtual services exported to the gateway’s namespace (e.g., exportTo value of *) can be referenced. Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, @@ -565,7 +565,7 @@

          Server

          string[]

          A list of strings specifying the resource identifiers that were the cause -of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME -tuple that uniquely identifies a particular resource. There doesn't seem to +of message generation. A “path” here is a (NAMESPACE/)?RESOURCETYPE/NAME +tuple that uniquely identifies a particular resource. There doesn’t seem to be a single concept for this, but this is intuitively taken from https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology At least one is required.

          @@ -250,8 +250,8 @@

          AnalysisMessageBase.Type

          name string -

          A human-readable name for the message type. e.g. "InternalError", -"PodMissingProxy". This should be the same for all messages of the same type. +

          A human-readable name for the message type. e.g. “InternalError”, +“PodMissingProxy”. This should be the same for all messages of the same type. Required.

          string

          A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify -the message type. (e.g. "IST0001" is mapped to the "InternalError" message +the message type. (e.g. “IST0001” is mapped to the “InternalError” message type.) 0000-0100 are reserved. Required.
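Review bot: the message type name and code examples now render as “InternalError”, “PodMissingProxy” and “IST0001”; these are the exact strings a user searches for when an analyzer message references a type, and the regex ^IST[0-9]{4}$ on the same line is the definition of the code. Put them in code spans so the typographer leaves them alone and the rendered example matches the regex character for character.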

          string

          Format for the proxy access log -Empty value results in proxy's default access log format

          +Empty value results in proxy’s default access log format

          @@ -195,9 +195,9 @@

          MeshConfig

          enableEnvoyAccessLogService bool -

          This flag enables Envoy's gRPC Access Log Service. +

          This flag enables Envoy’s gRPC Access Log Service. See Access Log Service -for details about Envoy's gRPC Access Log Service API. +for details about Envoy’s gRPC Access Log Service API. Default value is false.

          This flag disables Envoy Listener logs. See Listener Access Log -Istio Enables Envoy's listener access logs on "NoRoute" response flag. +Istio Enables Envoy’s listener access logs on “NoRoute” response flag. Default value is false.

          CertificateData[]

          The extra root certificates for workload-to-workload communication. -The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) +The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.
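Review bot: the Secret names in "The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret)" are now in curly single quotes; these are the names of the Kubernetes Secrets holding the mesh CA material, so a reader who pastes a name from the page into a kubectl command gets a non-existent secret. Use code spans in the proto comment so they render as cacerts and istio-ca-secret verbatim.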

          @@ -345,9 +345,9 @@

          MeshConfig

          . - Current Namespace ~ - No Namespace -

          If not set the system will use "*" as the default value which implies that +

          If not set the system will use “*” as the default value which implies that services are exported to all namespaces.

          -

          All namespaces is a reasonable default for implementations that don't +

          All namespaces is a reasonable default for implementations that don’t need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default Current namespace so that services are only visible @@ -370,7 +370,7 @@

          MeshConfig

          The default value for the VirtualService.export_to field. Has the same syntax as default_service_export_to.

          -

          If not set the system will use "*" as the default value which implies that +

          If not set the system will use “*” as the default value which implies that virtual services are exported to all namespaces

          The default value for the DestinationRule.export_to field. Has the same syntax as default_service_export_to.

          -

          If not set the system will use "*" as the default value which implies that +

          If not set the system will use “*” as the default value which implies that destination rules are exported to all namespaces
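Review bot: the exportTo defaults now read “*” in this hunk and in the service and VirtualService hunks above it, but "*", "." and "~" are the three exportTo syntax tokens the legend ". - Current Namespace ~ - No Namespace" just above defines; curly quotes around a scoping token that decides whether a service, virtual service or destination rule is visible mesh-wide or only in its own namespace invites misreading, so render them as code spans.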

          extensionProviders ExtensionProvider[] -

          Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy +

          Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.

          LabelSelector[]

          A list of Kubernetes selectors that specify the set of namespaces that Istio considers when -computing configuration updates for sidecars. This can be used to reduce Istio's computational load +computing configuration updates for sidecars. This can be used to reduce Istio’s computational load by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. If omitted, Istio will use the default behavior of processing all namespaces in the cluster. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. @@ -591,7 +591,7 @@

          MeshConfig

          ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. -The normalized paths will be used in all aspects through the requests' lifetime on the +The normalized paths will be used in all aspects through the requests’ lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. @@ -608,7 +608,7 @@

          MeshConfig

          Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: -"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes". +“connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”. Setting the number of attempts to 0 disables retry policy globally. This setting can be overriden on a per-host basis using the Virtual Service API. @@ -862,8 +862,8 @@
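Review bot: `“connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”` is the literal `retry_on` value list that a reader is expected to reproduce in a VirtualService retry policy, and it now carries curly quotes that are not valid in that value. Wrap the list in backticks in the source comment so it renders as inline code and the renderer does not touch it.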

          MeshConfig.CA

        • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing
        • TLS MUTUAL MODE be on by default. If the CA certificates -(cert bundle to verify the CA server's certificate) is omitted, Istiod will -use the system root certs to verify the CA server's certificate.
        • +(cert bundle to verify the CA server’s certificate) is omitted, Istiod will +use the system root certs to verify the CA server’s certificate.

          When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. -A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message +A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message indicating if the body data is partial.
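Review bot: `“x-envoy-auth-partial-body: false|true”` is a header name with its two possible values, the thing an operator would grep for in an ext_authz request; with typographic quotes it no longer matches what appears on the wire. Backtick the header name and the `false|true` alternatives in the source comment.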

          @@ -1346,8 +1346,8 @@

          Mes

          string

          Sets a prefix to the value of authorization request header Path. -For example, setting this to "/check" for an original user request at path "/admin" will cause the -authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".

          +For example, setting this to “/check” for an original user request at path “/admin” will cause the +authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.

          @@ -1360,7 +1360,7 @@

          Mes

          If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. -Default is false and the request will be rejected with "Forbidden" response.

          +Default is false and the request will be rejected with “Forbidden” response.

          @@ -1372,7 +1372,7 @@

          Mes

          string

          Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is "403" (HTTP Forbidden).

          +The default status is “403” (HTTP Forbidden).

          @@ -1405,9 +1405,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
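Review bot: the patterns `“abc”`, `“abc*”` and `“*abc”` are match-value syntax where `*` is significant, and the quotes are delimiters rather than part of the value; rendering them as curly quotes blurs that distinction. Inline code for each pattern (and for the matched values) is clearer and is immune to the typographer.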

          @@ -1577,7 +1577,7 @@

          Mes

          string

          Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is "403" (HTTP Forbidden).

          +The default status is “403” (HTTP Forbidden).

          @@ -1620,7 +1620,7 @@

          MeshConfig.Extension The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".

          +

          Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

          @@ -1677,7 +1677,7 @@

          MeshConfig.Extens The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

          +

          Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

          @@ -1743,7 +1743,7 @@

          MeshConfig.Extensio The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

          +

          Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

          @@ -1798,7 +1798,7 @@

          MeshConfig.Exten The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

          +

          Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

          @@ -1877,7 +1877,7 @@

          MeshConfig.

          Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

          WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of -OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation +OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider configuration MUST be accompanied by a restart of all proxies that will use that configuration.

          @@ -1902,7 +1902,7 @@

          MeshConfig. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

          +

          Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

          @@ -2017,7 +2017,7 @@

          MeshConfig.Exte The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          +

          Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

          @@ -2042,8 +2042,8 @@

          MeshConfig.Exte

          Optional. The friendly name of the access log. Defaults:

            -
          • "http_envoy_accesslog"
          • -
          • "listener_envoy_accesslog"
          • +
          • “http_envoy_accesslog”
          • +
          • “listener_envoy_accesslog”

          @@ -2146,8 +2146,8 @@

          MeshConfig.Exten

          Optional. The friendly name of the access log. Defaults:

            -
          • "tcp_envoy_accesslog"
          • -
          • "listener_envoy_accesslog"
          • +
          • “tcp_envoy_accesslog”
          • +
          • “listener_envoy_accesslog”

          @@ -2216,7 +2216,7 @@

          MeshConfig.E

          Optional. The friendly name of the access log. Defaults:

            -
          • "otel_envoy_accesslog"
          • +
          • “otel_envoy_accesslog”

          LogFormat

          Optional. Format for the proxy access log -Empty value results in proxy's default access log format, following Envoy access logging formatting.

          +Empty value results in proxy’s default access log format, following Envoy access logging formatting.

          @@ -2261,7 +2261,7 @@

          MeshConfig.Ext

          Example: labels: path: request.url_path -foo: request.headers['x-foo']

          +foo: request.headers[‘x-foo’]
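Review bot: `request.headers[‘x-foo’]` is an attribute expression inside a YAML `labels:` example, and converting `'x-foo'` to `‘x-foo’` makes it invalid if copied, since the expression needs ASCII quotes. The whole `labels:` example belongs in a fenced code block in the source comment; the `text:` example a little further down (`"%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`) kept its straight quotes, which is the treatment this one needs too.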

          @@ -2290,7 +2290,7 @@

          MeshC

          Textual format for the envoy access logs. Envoy command operators may be used in the format. The format string documentation provides more information.

          -

          NOTE: Istio will insert a newline ('\n') on all formats (if missing).

          +

          NOTE: Istio will insert a newline (’\n’) on all formats (if missing).

          Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"

          map<string, string>

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is "key", the -operator is "In", and the values array contains only "value". The requirements are ANDed. +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed. +optional

          statNameLength int32 -

          Maximum length of name field in Envoy's metrics. The length of the name field +

          Maximum length of name field in Envoy’s metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. -Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. +Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.
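Review bot: `(’\n’)` in this hunk region has both quotes rendered as closing quotes, so the escape sequence now reads wrong even as prose; the renderer has misjudged the quote direction around the backslash. Write it as inline code (`` `\n` ``) in the source comment so it is rendered verbatim.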

          @@ -2801,7 +2801,7 @@

          ProxyConfig

          Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). See Metric Service -for details about Envoy's Metrics Service API.

          +for details about Envoy’s Metrics Service API.

          @@ -2937,7 +2937,7 @@

          ProxyConfig

          Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. -Default value is 'false'.

          +Default value is ‘false’.

          @@ -2950,7 +2950,7 @@

          ProxyConfig

          The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. -The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) +The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) are added automatically by Istiod.

          string

          Path within the container at which the volume should be mounted. Must -not contain ':'.

          +not contain ‘:’.

          @@ -3943,8 +3943,8 @@

          k8s.io.api.core.v1.VolumeMount

          subPath string -

          Path within the volume from which the container's volume should be mounted. -Defaults to "" (volume's root). +

          Path within the volume from which the container’s volume should be mounted. +Defaults to "" (volume’s root). +optional

          subPathExpr string -

          Expanded path within the volume from which the container's volume should be mounted. -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. -Defaults to "" (volume's root). +

          Expanded path within the volume from which the container’s volume should be mounted. +Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. +Defaults to "" (volume’s root). SubPathExpr and SubPath are mutually exclusive. +optional
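Review bot: in both VolumeMount descriptions the apostrophes became `’` while the empty-string default `""` stayed as straight quotes, so `Defaults to "" (volume’s root)` mixes literal and typographic quotes in one sentence; that is the behaviour to expect from a typographer that only converts matched pairs around words, and another reason to keep quotes out of its reach with inline code. Separately, the trailing `+optional` (and `+optional +patchMergeKey=type +patchStrategy=merge` further down) reads as a Kubernetes codegen marker rather than documentation; since the generator is being replaced, this is the moment to strip marker lines that start with `+` before rendering.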

          @@ -4007,8 +4007,8 @@

          k8s.io.apimachinery.

          map<string, string>

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is "key", the -operator is "In", and the values array contains only "value". The requirements are ANDed. +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed. +optional

          validationMessages AnalysisMessageBase[] -

          Includes any errors or warnings detected by Istio's analyzers. +

          Includes any errors or warnings detected by Istio’s analyzers. +optional +patchMergeKey=type +patchStrategy=merge

          @@ -54,7 +54,7 @@

          IstioStatus

          int64

          Resource Generation to which the Reconciled Condition refers. -When this value is not equal to the object's metadata generation, reconciled condition calculation for the current +When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info. +optional

          @@ -129,7 +129,7 @@

          IstioCondition

          reason string -

          Unique, one-word, CamelCase reason for the condition's last transition. +

          Unique, one-word, CamelCase reason for the condition’s last transition. +optional

          string

          The name of a service from the service registry. Service -names are looked up from the platform's service registry (e.g., +names are looked up from the platform’s service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntries. Rules defined for services that do not exist in the service registry will be ignored.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews" will be -interpreted as "reviews.default.svc.cluster.local", irrespective of +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          @@ -257,8 +257,8 @@

          DestinationRule

          across namespace boundaries.

          If no namespaces are specified then the destination rule is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that -the destination rule is declared in. Similarly, the value "*" is reserved and +

          The value “.” is reserved and defines an export to the same namespace that +the destination rule is declared in. Similarly, the value “*” is reserved and defines an export to all namespaces.

          Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. -Tunnel settings can be applied to TCP or TLS routes and can't be applied to HTTP routes.

          +Tunnel settings can be applied to TCP or TLS routes and can’t be applied to HTTP routes.

          @@ -488,7 +488,7 @@

          Subset

          LoadBalancerSettings

          -

          Load balancing policies to apply for a specific destination. See Envoy's +

          Load balancing policies to apply for a specific destination. See Envoy’s load balancing documentation for more details.

          @@ -617,7 +617,7 @@

          LoadBalancerSettings

          ConnectionPoolSettings

          Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy's circuit +each individual host in the upstream service. See Envoy’s circuit breaker for more details. Connection pool settings can be applied at the TCP level as well as at HTTP level.

          @@ -703,11 +703,11 @@

          OutlierDetection

          errors for API calls are ejected from the pool for a pre-defined period of time. For TCP services, connection timeouts or connection failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy's outlier +consecutive errors metric. See Envoy’s outlier detection for more details.

          The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the "reviews" service. In addition, +with no more than 10 req/connection to the “reviews” service. In addition, it sets a limit of 1000 concurrent HTTP2 requests and configures upstream hosts to be scanned every 5 mins so that any host that fails 7 consecutive times with a 502, 503, or 504 error code will be ejected for 15 minutes.

          @@ -886,7 +886,7 @@

          OutlierDetection

          percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it's not typically +disabled by setting it to 0%. The default is 0% as it’s not typically applicable in k8s environments with few pods per service.

          string

          REQUIRED if mode is MUTUAL. The path to the file holding the -client's private key. +client’s private key. Should be empty if mode is ISTIO_MUTUAL.

          OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If -omitted, the proxy will not verify the server's certificate. +omitted, the proxy will not verify the server’s certificate. Should be empty if mode is ISTIO_MUTUAL.

          A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server -certificate's subject alt name matches one of the specified values. +certificate’s subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the @@ -1145,13 +1145,13 @@

          LocalityLoadBalancerSetting

          {region}/{zone}/{sub-zone} form. For additional detail refer to Locality Weight The following example shows how to setup locality weights mesh-wide.

          -

          Given a mesh with workloads and their service deployed to "us-west/zone1/" -and "us-west/zone2/". This example specifies that when traffic accessing a -service originates from workloads in "us-west/zone1/", 80% of the traffic -will be sent to endpoints in "us-west/zone1/", i.e the same zone, and the -remaining 20% will go to endpoints in "us-west/zone2/". This setup is +

          Given a mesh with workloads and their service deployed to “us-west/zone1/” +and “us-west/zone2/”. This example specifies that when traffic accessing a +service originates from workloads in “us-west/zone1/”, 80% of the traffic +will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the +remaining 20% will go to endpoints in “us-west/zone2/”. This setup is intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in "us-west/zone2/".

          +A similar setting is specified for traffic originating in “us-west/zone2/”.

            distribute:
               - from: us-west/zone1/*
                 to:
          @@ -1164,8 +1164,8 @@ 

          LocalityLoadBalancerSetting

          If the goal of the operator is not to distribute load across zones and regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a 'failover' policy instead of -a 'distribute' policy.

          +operational requirements an operator can set a ‘failover’ policy instead of +a ‘distribute’ policy.

          The following example sets up a locality failover policy for regions. Assume a service resides in zones within us-east, us-west & eu-west this example specifies that when endpoints within us-east become unhealthy @@ -1723,7 +1723,7 @@

          ConnectionPoolSettings.HTTPSettings

          int32

          Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning "unlimited", +parameter to 1 disables keep alive. Default 0, meaning “unlimited”, up to 2^29.

          from string -

          Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.

          +

          Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

          @@ -1926,7 +1926,7 @@

          LocalityLoadBalancerSetting.Failov

          string

          Destination region the traffic will fail over to when endpoints in -the 'from' region becomes unhealthy.

          +the ‘from’ region becomes unhealthy.

          diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html index f3b121e84d482..8702b50a32691 100644 --- a/content/en/docs/reference/config/networking/envoy-filter/index.html +++ b/content/en/docs/reference/config/networking/envoy-filter/index.html @@ -21,9 +21,9 @@ application of these EnvoyFilters is as follows: all EnvoyFilters in the config root namespace, -followed by all matching EnvoyFilters in the workload's namespace.

          +followed by all matching EnvoyFilters in the workload’s namespace.

          NOTE 1: Some aspects of this API are deeply tied to the internal -implementation in Istio networking subsystem as well as Envoy's XDS +implementation in Istio networking subsystem as well as Envoy’s XDS API. While the EnvoyFilter API by itself will maintain backward compatibility, any envoy configuration provided through this mechanism should be carefully monitored across Istio proxy version @@ -83,9 +83,9 @@ common_http_protocol_options: idle_timeout: 30s -

          The following example enables Envoy's Lua filter for all inbound +

          The following example enables Envoy’s Lua filter for all inbound HTTP calls arriving at service port 8080 of the reviews service pod -with labels "app: reviews", in the bookinfo namespace. The lua +with labels “app: reviews”, in the bookinfo namespace. The lua filter calls out to an external service internal.org.net:8888 that requires a special cluster definition in envoy. The cluster is also added to the sidecar as part of this configuration.

          @@ -471,7 +471,7 @@

          EnvoyFilter.ProxyMatch

          map<string, string>

          Match on the node metadata supplied by a proxy when connecting -to Istio Pilot. Note that while Envoy's node metadata is of +to Istio Pilot. Note that while Envoy’s node metadata is of type Struct, only string key-value pairs are processed by Pilot. All keys specified in the metadata must match with exact values. The match will fail if any of the specified keys are @@ -602,7 +602,7 @@

          EnvoyFilter.RouteConfigurationMatch

          gateway string -

          The Istio gateway config's namespace/name for which this route +

          The Istio gateway config’s namespace/name for which this route configuration was generated. Applies only if the context is GATEWAY. Should be in the namespace/name format. Use this field in conjunction with the portNumber and portName to accurately @@ -905,7 +905,7 @@

          EnvoyFilter.RouteConfigu

          The Route objects generated by default are named as default. Route objects generated using a virtual service -will carry the name used in the virtual service's HTTP +will carry the name used in the virtual service’s HTTP routes.

          The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the -VirtualService's host field or the hostname of a service in the +VirtualService’s host field or the hostname of a service in the registry.

          sni string -

          The SNI value used by a filter chain's match condition. This +

          The SNI value used by a filter chain’s match condition. This condition will evaluate to false if the filter chain has no sni match.

          @@ -1017,7 +1017,7 @@

          EnvoyFilter.ListenerMatch.Fi

          Applies only to SIDECAR_INBOUND context. If non-empty, a transport protocol to consider when determining a filter chain match. This value will be compared against the -transport protocol of a new connection, when it's detected by +transport protocol of a new connection, when it’s detected by the tls_inspector listener filter.

          Accepted values include:

            @@ -1037,7 +1037,7 @@

            EnvoyFilter.ListenerMatch.Fi

            Applies only to sidecars. If non-empty, a comma separated set of application protocols to consider when determining a filter chain match. This value will be compared against the -application protocols of a new connection, when it's detected +application protocols of a new connection, when it’s detected by one of the listener filters such as the http_inspector.

            Accepted values include: h2, http/1.1, http/1.0

            @@ -1063,7 +1063,7 @@

            EnvoyFilter.ListenerMatch.Fi

          destinationPort uint32 -

          The destination_port value used by a filter chain's match condition. +

          The destination_port value used by a filter chain’s match condition. This condition will evaluate to false if the filter chain has no destination_port match.

          tls ServerTLSSettings -

          Set of TLS related options that govern the server's behavior. Use +

          Set of TLS related options that govern the server’s behavior. Use these options to control if all http requests should be redirected to https, and the TLS modes to use.

          @@ -709,7 +709,7 @@

          ServerTLSSettings

          string

          REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server's private key.

          +holding the server’s private key.

          diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html index 6a2bb119e01da..47838f01e29a7 100644 --- a/content/en/docs/reference/config/networking/service-entry/index.html +++ b/content/en/docs/reference/config/networking/service-entry/index.html @@ -10,13 +10,13 @@ aliases: [/docs/reference/config/networking/v1alpha3/service-entry] number_of_entries: 3 --- -

          ServiceEntry enables adding additional entries into Istio's +

          ServiceEntry enables adding additional entries into Istio’s internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (e.g., web APIs) or mesh-internal services -that are not part of the platform's service registry (e.g., a set +that are not part of the platform’s service registry (e.g., a set of VMs talking to services in Kubernetes). In addition, the endpoints of a service entry can also be dynamically selected by using the workloadSelector field. These endpoints can be VM @@ -67,7 +67,7 @@

          {{}} {{}}

          The following configuration adds a set of MongoDB instances running on -unmanaged VMs to Istio's registry, so that these services can be treated +unmanaged VMs to Istio’s registry, so that these services can be treated as any other service in the mesh. The associated DestinationRule is used to initiate mTLS connections to the database instances.

          {{}} @@ -232,10 +232,10 @@ the wikipedia domains.

          The following example demonstrates the use of a dedicated egress gateway through which all external service traffic is forwarded. -The 'exportTo' field allows for control over the visibility of a service +The ’exportTo’ field allows for control over the visibility of a service declaration to other namespaces in the mesh. By default, a service is exported to all namespaces. The following example restricts the visibility to the -current namespace, represented by ".", so that it cannot be used by other +current namespace, represented by “.”, so that it cannot be used by other namespaces.

          {{}} {{}}
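Review bot: `’exportTo’` is rendered with two closing quotes, and `“.”` is a reserved value of that field; both are identifiers rather than prose and should be inline code in the source comment so the renderer leaves them alone and the quote direction stops mattering.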

          @@ -687,7 +687,7 @@

          ServiceEntry

          -

          ServiceEntry enables adding additional entries into Istio's internal +

          ServiceEntry enables adding additional entries into Istio’s internal service registry.

          @@ -835,11 +835,11 @@

          ServiceEntry

          namespace boundaries.

          If no namespaces are specified then the service is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that -the service is declared in. Similarly the value "*" is reserved and +

          The value “.” is reserved and defines an export to the same namespace that +the service is declared in. Similarly the value “*” is reserved and defines an export to all namespaces.

          For a Kubernetes Service, the equivalent effect can be achieved by setting -the annotation "networking.istio.io/exportTo" to a comma-separated list +the annotation “networking.istio.io/exportTo” to a comma-separated list of namespace names.
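Review bot: The reserved exportTo values "." and "*" and the annotation name "networking.istio.io/exportTo" are literal configuration values, so converting their quotes to “.” / “*” / “networking.istio.io/exportTo” is the wrong fix here; put them in backticks in the source comment so they render as code. An unescaped "*" in Markdown prose can also start emphasis, and a code span removes that risk.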

          @@ -851,7 +851,7 @@

          ServiceEntry

          subjectAltNames string[] -

          If specified, the proxy will verify that the server certificate's +

          If specified, the proxy will verify that the server certificate’s subject alternate name matches one of the specified values.

          NOTE: When using the workloadEntry with workloadSelectors, the service account specified in the workloadEntry will also be used @@ -872,7 +872,7 @@

          ServiceEntry.Location

          outside the mesh. Location determines the behavior of several features, such as service-to-service mTLS authentication, policy enforcement, etc. When communicating with services outside the mesh, -Istio's mTLS authentication is disabled, and policy enforcement is +Istio’s mTLS authentication is disabled, and policy enforcement is performed on the client-side as opposed to server-side.

          diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html index 7bf3b1bee4413..c7d665925616e 100644 --- a/content/en/docs/reference/config/networking/sidecar/index.html +++ b/content/en/docs/reference/config/networking/sidecar/index.html @@ -289,7 +289,7 @@ outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an additional network interface on 172.16.0.0/16 subnet for inbound traffic. The following Sidecar configuration allows the VM to expose a -listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the +listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the 172.16.0.0/16 subnet.

          NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should contain REDIRECT or TPROXY as its value, @@ -360,7 +360,7 @@ The traffic is then forwarded to the attached workload instance listening on a Unix domain socket. It is expected that PeerAuthentication policy would be configured -in order to set mTLS mode to "DISABLE" on specific +in order to set mTLS mode to “DISABLE” on specific ports. In this example, the mTLS mode is disabled on PORT 80. This feature is currently experimental.
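Review bot: In the Unix-domain-socket example the PeerAuthentication mode “DISABLE” is an enum value of the mtls mode field, not a word in running text; render it as `DISABLE` (backticks in the source comment) so it is not smart-quoted, matching how ISTIO_META_INTERCEPTION_MODE, REDIRECT and TPROXY appear unquoted in the preceding paragraph.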

          @@ -674,10 +674,10 @@

          IstioEgressListener

          service from any available namespace while ./foo.example.com only selects the service from the namespace of the sidecar. If a host is set to */*, Istio will configure the sidecar to be able to reach every service in the -mesh that is exported to the sidecar's namespace. The value ~/* can be used +mesh that is exported to the sidecar’s namespace. The value ~/* can be used to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.

          -

          NOTE: Only services and configuration artifacts exported to the sidecar's +

          NOTE: Only services and configuration artifacts exported to the sidecar’s namespace (e.g., exportTo value of *) can be referenced. Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html index f1e6743618a26..f6ce3a61a4b84 100644 --- a/content/en/docs/reference/config/networking/virtual-service/index.html +++ b/content/en/docs/reference/config/networking/virtual-service/index.html @@ -40,9 +40,9 @@

          The source of traffic can also be matched in a routing rule. This allows routing to be customized for specific client contexts.

          The following example on Kubernetes, routes all HTTP traffic by default to -pods of the reviews service with label "version: v1". In addition, +pods of the reviews service with label “version: v1”. In addition, HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will -be rewritten to /newcatalog and sent to pods with label "version: v2".

          +be rewritten to /newcatalog and sent to pods with label “version: v2”.

          {{}} {{}}

          apiVersion: networking.istio.io/v1alpha3
          @@ -169,11 +169,11 @@ 

          VirtualService

          caveats. Refer to the Operations Guide for details.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews" will be -interpreted as "reviews.default.svc.cluster.local", irrespective of +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          @@ -195,7 +195,7 @@

          VirtualService

          The names of gateways and sidecars that should apply these routes. Gateways in other namespaces may be referred to by <gateway namespace>/<gateway name>; specifying a gateway with no -namespace qualifier is the same as specifying the VirtualService's +namespace qualifier is the same as specifying the VirtualService’s namespace. A single VirtualService is used for sidecars inside the mesh as well as for one or more gateways. The selection condition imposed by this field can be overridden using the source field in the match conditions @@ -216,7 +216,7 @@

          VirtualService

          @@ -286,20 +286,20 @@

          Destination

          Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule. The destination.host should unambiguously refer to a service in the service -registry. Istio's service registry is composed of all the services found -in the platform's service registry (e.g., Kubernetes services, Consul +registry. Istio’s service registry is composed of all the services found +in the platform’s service registry (e.g., Kubernetes services, Consul services), as well as services declared through the ServiceEntry resource.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews will be -interpreted as "reviews.default.svc.cluster.local", irrespective of the +rule in the “default” namespace containing a host “reviews will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          The following Kubernetes example routes all traffic by default to pods -of the reviews service with label "version: v1" (i.e., subset v1), and +of the reviews service with label “version: v1” (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

          {{}} {{}}
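Review bot: The Destination paragraph carries over an unbalanced quote: the line now reads "a rule in the “default” namespace containing a host “reviews will be" with no closing quote after reviews, while the identical note a few hunks earlier in the same file reads “reviews” correctly. Since the line is being touched anyway, close the quote (or, better, put reviews and reviews.default.svc.cluster.local in backticks as host names).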

          @@ -398,10 +398,10 @@

          Destination

          productpage.prod.svc.cluster.local service in Kubernetes. Notice that there are no subsets defined in this rule. Istio will fetch all instances of productpage.prod.svc.cluster.local service from the service -registry and populate the sidecar's load balancing pool. Also, notice +registry and populate the sidecar’s load balancing pool. Also, notice that this rule is set in the istio-system namespace but uses the fully qualified domain name of the productpage service, -productpage.prod.svc.cluster.local. Therefore the rule's namespace does +productpage.prod.svc.cluster.local. Therefore the rule’s namespace does not have an impact in resolving the name of the productpage service.

          {{}} {{}}

          @@ -438,7 +438,7 @@

          Destination

          {{}} {{}}

          To control routing for traffic bound to services outside the mesh, external -services must first be added to Istio's internal service registry using the +services must first be added to Istio’s internal service registry using the ServiceEntry resource. VirtualServices can then be defined to control traffic bound to these external services. For example, the following rules define a Service for wikipedia.org and set a timeout of 5s for HTTP requests.

          @@ -518,15 +518,15 @@

          Destination

          @@ -1400,17 +1400,17 @@

          HTTPMatchRequest

          Ex:

          • -

            For a query parameter like "?key=true", the map key would be "key" and +

            For a query parameter like “?key=true”, the map key would be “key” and the string match could be defined as exact: "true".

          • -

            For a query parameter like "?key", the map key would be "key" and the +

            For a query parameter like “?key”, the map key would be “key” and the string match could be defined as exact: "".

          • -

            For a query parameter like "?key=123", the map key would be "key" and the +

            For a query parameter like “?key=123”, the map key would be “key” and the string match could be defined as regex: "\d+$". Note that this -configuration will only match values like "123" but not "a123" or "123a".

            +configuration will only match values like “123” but not “a123” or “123a”.

          Note: prefix matching is currently not supported.
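Review bot: The query-parameter examples now mix curly and straight quotes in one sentence: the parameter becomes “?key=true” while the match stays exact: "true" and regex: "\d+$". Both halves are literal syntax (a query string and a YAML value), so make them consistent by putting the query strings in backticks too (`?key=true`, `?key`, `?key=123`) rather than leaving them to the typographer.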

          @@ -1464,7 +1464,7 @@

          HTTPMatchRequest

          diff --git a/content/en/docs/reference/config/networking/workload-entry/index.html b/content/en/docs/reference/config/networking/workload-entry/index.html index a6156b31ad36a..2d3c4ca405267 100644 --- a/content/en/docs/reference/config/networking/workload-entry/index.html +++ b/content/en/docs/reference/config/networking/workload-entry/index.html @@ -110,7 +110,7 @@

          {{}} {{}}

          The following example declares the same VM workload using -its fully qualified DNS name. The service entry's resolution +its fully qualified DNS name. The service entry’s resolution mode should be changed to DNS to indicate that the client-side sidecars should dynamically resolve the DNS name at runtime before forwarding the request.

          @@ -227,13 +227,13 @@

          WorkloadEntry

          HTTPRoute[]

          An ordered list of route rules for HTTP traffic. HTTP routes will be -applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway +applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching an incoming request is used.
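Review bot: The port-name prefixes render as ‘http-’/‘http2-’/‘grpc-*’: only the last one keeps its wildcard, which strongly suggests the asterisks in the first two are being consumed as Markdown emphasis markers (http-*'/'http2-* is a valid italic span). Wrap each prefix in backticks in the source comment (`http-*`, `http2-*`, `grpc-*`) so the wildcards survive and no quoting is needed at all.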

          @@ -233,10 +233,10 @@

          VirtualService

          An ordered list of route rule for non-terminated TLS & HTTPS traffic. Routing is typically performed using the SNI value presented by the ClientHello message. TLS routes will be applied to platform -service ports named 'https-', 'tls-', unterminated gateway ports using -HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service +service ports named ‘https-’, ’tls-’, unterminated gateway ports using +HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service entry ports using HTTPS/TLS protocols. The first rule matching an -incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports +incoming request is used. NOTE: Traffic ‘https-’ or ’tls-’ ports without associated virtual service will be treated as opaque TCP traffic.
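Review bot: In the TLS-route description the prefixes are quoted inconsistently after conversion: ‘https-’ gets an opening quote but ’tls-’ gets a closing quote on both sides (the same apostrophe-before-word problem as elsewhere in this patch), and as with the HTTP ports the trailing wildcard is missing. Use backticks (`https-*`, `tls-*`) instead of single quotes. Two small grammar fixes in the same lines while they are touched: "An ordered list of route rule" should be "route rules", and "NOTE: Traffic 'https-' or 'tls-' ports" is missing "on" ("Traffic on ... ports").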

          @@ -269,8 +269,8 @@

          VirtualService

          across namespace boundaries.

          If no namespaces are specified then the virtual service is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that -the virtual service is declared in. Similarly the value "*" is reserved and +

          The value “.” is reserved and defines an export to the same namespace that +the virtual service is declared in. Similarly the value “*” is reserved and defines an export to all namespaces.
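Review bot: Same issue as the ServiceEntry exportTo text: "." and "*" are reserved literal values of the field, so smart-quoting them to “.” and “*” is the wrong rendering; use backticks in the source comment so they appear as code and an unescaped "*" cannot be read as emphasis.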

          string

          The name of a service from the service registry. Service -names are looked up from the platform's service registry (e.g., +names are looked up from the platform’s service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntry. Traffic forwarded to destinations that are not found in either of the two, will be dropped.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews will be -interpreted as "reviews.default.svc.cluster.local", irrespective of +rule in the “default” namespace containing a host “reviews will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names.
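Review bot: This Destination.host note has the same unbalanced quote as the Destination overview: "containing a host “reviews will be" never closes the quote around reviews, whereas the VirtualService-level copy of the note reads “reviews” correctly. Close it here as well, or switch the host names to backticks so no quoting is needed.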

          @@ -585,7 +585,7 @@

          HTTPRoute

          string

          The name assigned to the route for debugging purposes. The -route's name will be concatenated with the match's name and will +route’s name will be concatenated with the match’s name and will be logged in the access logs for requests matching this route/match.

          @@ -662,7 +662,7 @@

          HTTPRoute

          NOTE:

          1. Only one level delegation is supported.
          2. -
          3. The delegate's HTTPMatchRequest must be a strict subset of the root's, +
          4. The delegate’s HTTPMatchRequest must be a strict subset of the root’s, otherwise there is a conflict and the HTTPRoute will not take effect.
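Review bot: While the delegation NOTE is being edited, "Only one level delegation is supported." is missing a word; it should read "Only one level of delegation is supported." The curly-quote change itself is fine here.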
          @@ -857,7 +857,7 @@

          Delegate

          string

          Namespace specifies the namespace where the delegate VirtualService resides. -By default, it is same to the root's.

          +By default, it is same to the root’s.
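Review bot: "By default, it is same to the root’s." is ungrammatical and only the apostrophe is being changed; since the line is touched, reword it to "By default, it is the same as the root VirtualService's namespace." so the delegate namespace default is stated clearly.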

          @@ -976,7 +976,7 @@

          TLSRoute

          Describes match conditions and actions for routing unterminated TLS traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS -traffic arriving at port 443 of gateway called "mygateway" to internal +traffic arriving at port 443 of gateway called “mygateway” to internal services in the mesh based on the SNI value.

          {{}} {{}}

          @@ -1223,8 +1223,8 @@

          HTTPMatchRequest

          name string -

          The name assigned to a match. The match's name will be -concatenated with the parent route's name and will be logged in +

          The name assigned to a match. The match’s name will be +concatenated with the parent route’s name and will be logged in the access logs for requests matching this route.

          The human readable prefix to use when emitting statistics for this route. The statistics are generated with prefix route.<stat_prefix>. -This should be set for highly critical routes that one wishes to get "per-route" statistics on. +This should be set for highly critical routes that one wishes to get “per-route” statistics on. This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix for statistics that are generated when this is configured.

          @@ -1482,9 +1482,9 @@

          HTTPRouteDestination

          Each routing rule is associated with one or more service versions (see glossary in beginning of document). Weights associated with the version determine the proportion of traffic it receives. For example, the -following rule will route 25% of traffic for the "reviews" service to -instances with the "v2" tag and the remaining traffic (i.e., 75%) to -"v1".

          +following rule will route 25% of traffic for the “reviews” service to +instances with the “v2” tag and the remaining traffic (i.e., 75%) to +“v1”.

          {{}} {{}}

          apiVersion: networking.istio.io/v1alpha3
          @@ -1799,7 +1799,7 @@ 

          TLSMatchAttributes

          SNI (server name indicator) to match on. Wildcard prefixes can be used in the SNI value, e.g., *.com will match foo.example.com as well as example.com. An SNI value must be a subset (i.e., fall -within the domain) of the corresponding virtual serivce's hosts.

          +within the domain) of the corresponding virtual serivce’s hosts.
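Review bot: The spelling error survives the quote conversion: "virtual serivce’s hosts" should be "virtual service's hosts". Fix the typo in the same line rather than only swapping the apostrophe.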

          @@ -2784,7 +2784,7 @@

          HTTPFaultInjection.Delay

          Delay specification is used to inject latency into the request forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the "v1" version of the "reviews" +in 1 out of every 1000 requests to the “v1” version of the “reviews” service from all pods with label env: prod

          {{}} {{}}

          @@ -2891,7 +2891,7 @@

          HTTPFaultInjection.Abort

          Abort specification is used to prematurely abort a request with a pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the "ratings" service "v1".

          +error code for 1 out of every 1000 requests to the “ratings” service “v1”.

          {{}} {{}}

          apiVersion: networking.istio.io/v1alpha3
          @@ -2966,7 +2966,7 @@ 

          HTTPFaultInjection.Abort

          GRPC status code to use to abort the request. The supported codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md -Note: If you want to return the status "Unavailable", then you should +Note: If you want to return the status “Unavailable”, then you should specify the code as UNAVAILABLE(all caps), but not 14.

          map<string, uint32>

          Set of ports associated with the endpoint. If the port map is -specified, it must be a map of servicePortName to this endpoint's +specified, it must be a map of servicePortName to this endpoint’s port, such that traffic to the service port will be forwarded to -the endpoint port that maps to the service's portName. If -omitted, and the targetPort is specified as part of the service's +the endpoint port that maps to the service’s portName. If +omitted, and the targetPort is specified as part of the service’s port specification, traffic to the service port will be forwarded to one of the endpoints on the specified targetPort. If both -the targetPort and endpoint's port map are not specified, traffic +the targetPort and endpoint’s port map are not specified, traffic to a service port will be forwarded to one of the endpoints on the same port.

          NOTE 1: Do not use for unix:// addresses.

          @@ -287,7 +287,7 @@

          WorkloadEntry

          endpoints within the same locality as the sidecar. If none of the endpoints in the locality are available, endpoints parent locality (but within the same network ID) will be chosen. For example, if -there are two endpoints in same network (networkID "n1"), say e1 +there are two endpoints in same network (networkID “n1”), say e1 with locality us/us-east-1/az-1/r11 and e2 with locality us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality will prefer e1 from the same locality over e2 from a different diff --git a/content/en/docs/reference/config/networking/workload-group/index.html b/content/en/docs/reference/config/networking/workload-group/index.html index e0b073bfa4629..726587170d3e1 100644 --- a/content/en/docs/reference/config/networking/workload-group/index.html +++ b/content/en/docs/reference/config/networking/workload-group/index.html @@ -63,7 +63,7 @@

          WorkloadGroup

          provides a template for WorkloadEntry, similar to how Deployment specifies properties of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry. WorkloadGroup has no relationship to resources which control service registry like ServiceEntry -and as such doesn't configure host name for these workloads.

          +and as such doesn’t configure host name for these workloads.

          @@ -94,7 +94,7 @@

          WorkloadGroup

          Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. Please note that address and labels fields should not be set in the template, and an empty serviceAccount should default to default. The workload identities (mTLS certificates) will be bootstrapped using the -specified service account's token. Workload entries in this group will be in the same namespace as the +specified service account’s token. Workload entries in this group will be in the same namespace as the workload group, and inherit the labels and annotations from the above metadata field.

          @@ -264,7 +264,7 @@

          HTTPHealthCheckConfig

          diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html index 5587f17689834..536249a09fa01 100644 --- a/content/en/docs/reference/config/security/authorization-policy/index.html +++ b/content/en/docs/reference/config/security/authorization-policy/index.html @@ -30,19 +30,19 @@ The request will not be audited if there are no such supporting plugins enabled. Currently, the only supported plugin is the Stackdriver plugin.

          Here is an example of Istio Authorization Policy:

          -

          It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW" +

          It sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW” but it is useful to be explicit in the policy.

          It allows requests from:

            -
          • service account "cluster.local/ns/default/sa/sleep" or
          • -
          • namespace "test"
          • +
          • service account “cluster.local/ns/default/sa/sleep” or
          • +
          • namespace “test”

          to access the workload with:

            -
          • "GET" method at paths of prefix "/info" or,
          • -
          • "POST" method at path "/data".
          • +
          • “GET” method at paths of prefix “/info” or,
          • +
          • “POST” method at path “/data”.
          -

          when the request has a valid JWT token issued by "https://accounts.google.com".

          +

          when the request has a valid JWT token issued by “https://accounts.google.com”.

          Any other requests will be denied.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
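Review bot: In the ALLOW example prose, the principal “cluster.local/ns/default/sa/sleep”, the namespace “test”, the methods “GET”/“POST”, the path prefix “/info” and the issuer “https://accounts.google.com” are the exact literals that appear in the YAML below (values: ["https://accounts.google.com"]) and that readers copy into their own policies. Curly quotes around copyable values are a known source of paste errors; put these in backticks in the source comment so they render as code with no quotes at all, and keep smart quotes for ordinary prose only.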
          @@ -68,9 +68,9 @@
               - key: request.auth.claims[iss]
                 values: ["https://accounts.google.com"]
           
          -

          The following is another example that sets action to "DENY" to create a deny policy. -It denies requests from the "dev" namespace to the "POST" method on all workloads -in the "foo" namespace.

          +

          The following is another example that sets action to “DENY” to create a deny policy. +It denies requests from the “dev” namespace to the “POST” method on all workloads +in the “foo” namespace.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          @@ -86,8 +86,8 @@
               - operation:
                   methods: ["POST"]
           
          -

          The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the -prefix "/user/profile".

          +

          The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the +prefix “/user/profile”.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          @@ -104,12 +104,12 @@
                   methods: ["GET"]
                   paths: ["/user/profile/*"]
           
          -

          Authorization Policy scope (target) is determined by "metadata/namespace" and -an optional "selector".

          +

          Authorization Policy scope (target) is determined by “metadata/namespace” and +an optional “selector”.

            -
          • "metadata/namespace" tells which namespace the policy applies. If set to root +
          • “metadata/namespace” tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
          • -
          • workload "selector" can be used to further restrict where a policy applies.
          • +
          • workload “selector” can be used to further restrict where a policy applies.

          For example,

          The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies @@ -132,7 +132,7 @@ rules: - {} -

          The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows +

          The following authorization policy applies to workloads containing label “app: httpbin” in namespace bar. It allows nothing and effectively denies all requests to the selected workloads.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
          @@ -144,8 +144,8 @@
               matchLabels:
                 app: httpbin
           
          -

          The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh. -(Assuming the root namespace is configured to "istio-system").

          +

          The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh. +(Assuming the root namespace is configured to “istio-system”).

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          @@ -230,10 +230,10 @@ 

          Rule

          matches the request. An empty rule is always matched.

          Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • -
          • Presence match: "*" will match when value is not empty.
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
          • +
          • Presence match: “*” will match when value is not empty.
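Review bot: The match-syntax bullets (“abc*”, “*abc”, “*”) are pattern literals, and an unescaped "*" adjacent to a word in Markdown prose is exactly where emphasis parsing can eat a wildcard; all four examples should be backticked (`abc*`, `*abc`, `*`) rather than smart-quoted so the rendering is stable and the patterns are copyable.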
          string

          Host name to connect to, defaults to the pod IP. You probably want to set -"Host" in httpHeaders instead.

          +“Host” in httpHeaders instead.

          diff --git a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html index 5aed926a36e3d..5d855fe276649 100644 --- a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -12,9 +12,9 @@ ---

          WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.

          -

          Order of execution (as part of Envoy's filter chain) is determined by +

          Order of execution (as part of Envoy’s filter chain) is determined by phase and priority settings, allowing the configuration of complex -interactions between user-supplied WasmPlugins and Istio's internal +interactions between user-supplied WasmPlugins and Istio’s internal filters.

          Examples:

          AuthN Filter deployed to ingress-gateway that implements an OpenID flow @@ -110,8 +110,8 @@ signed token that contains information about which files and functions of the system are available to the user that was previously authenticated. The acl-check filter writes this token to a header. Finally, the check-header -filter verifies the token in that header and makes sure that the token's -contents (the permitted 'function') matches its plugin configuration.

          +filter verifies the token in that header and makes sure that the token’s +contents (the permitted ‘function’) matches its plugin configuration.

          The resulting filter chain looks like this: -> openid-connect -> istio.authn -> acl-check -> check-header -> router

          apiVersion: extensions.istio.io/v1alpha1
          @@ -385,7 +385,7 @@ 

          EnvVar

          EnvValueSource

          Required -Source for the environment variable's value.

          +Source for the environment variable’s value.

          @@ -398,7 +398,7 @@

          EnvVar

          Value for the environment variable. Note that if value_from is HOST, it will be ignored. -Defaults to "".

          +Defaults to “”.
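Review bot: Converting the empty-string default to “” makes "Defaults to “”." read like a typo rather than an empty value. Express it as a code span (`""`) in the source comment, which the typographer leaves alone, or spell it out as "Defaults to the empty string."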

          @@ -514,7 +514,7 @@

          EnvValueSource

          HOST -

          Istio-proxy's environment variables exposed to this VM.

          +

          Istio-proxy’s environment variables exposed to this VM.

          @@ -289,8 +289,8 @@

          Source

          Source specifies the source identities of a request. Fields in the source are ANDed together.

          -

          For example, the following source matches if the principal is "admin" or "dev" -and the namespace is "prod" or "test" and the ip is not "1.2.3.4".

          +

          For example, the following source matches if the principal is “admin” or “dev” +and the namespace is “prod” or “test” and the ip is not “1.2.3.4”.

          principals: ["admin", "dev"]
           namespaces: ["prod", "test"]
           notIpBlocks: ["1.2.3.4"]
          @@ -384,8 +384,8 @@ 

          Source

          @@ -412,7 +412,7 @@

          Source

          To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio or using an annotation on the ingress gateway. See the documentation here: Configuring Gateway Network Topology. -Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. +Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the remote.ip attribute.

          If not set, any IP is allowed.
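Review bot: The remoteIpBlocks example values “1.2.3.4” and “1.2.3.0/24” are literal IP/CIDR strings and belong in backticks rather than smart quotes, consistent with how remote.ip is rendered unquoted in the next sentence. The untouched context line in this hunk also has a grammar slip worth fixing while here: "when you install Istio or using an annotation on the ingress gateway" should be "or by using an annotation".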

          @@ -439,8 +439,8 @@

          Operation

          Operation specifies the operations of a request. Fields in the operation are ANDed together.

          -

          For example, the following operation matches if the host has suffix ".example.com" -and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".

          +

          For example, the following operation matches if the host has suffix “.example.com” +and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.

          hosts: ["*.example.com"]
           methods: ["GET", "HEAD"]
           notPaths: ["/admin*"]
          @@ -509,7 +509,7 @@ 

          Operation

          @@ -534,7 +534,7 @@

          Operation

          @@ -738,7 +738,7 @@

          AuthorizationPolicy.Action

          the authorization decision to it.

          Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

          The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension -"my-custom-authz" if the request path has prefix "/admin/".

          +“my-custom-authz” if the request path has prefix “/admin/”.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          diff --git a/content/en/docs/reference/config/security/jwt/index.html b/content/en/docs/reference/config/security/jwt/index.html
          index 35690218ff4be..ded4f6c0a2def 100644
          --- a/content/en/docs/reference/config/security/jwt/index.html
          +++ b/content/en/docs/reference/config/security/jwt/index.html
          @@ -83,7 +83,7 @@ 

          JWTRule

          @@ -828,8 +828,8 @@

          MetricsOverrides.TagOverride

          ipBlocks string[] -

          Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and -CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the source.ip attribute.

          +

          Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and +CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the source.ip attribute.

          If not set, any IP is allowed.

          string[]

          Optional. A list of methods as specified in the HTTP request. -For gRPC service, this will always be "POST".

          +For gRPC service, this will always be “POST”.

          If not set, any method is allowed. Must be used only with HTTP.

          Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization for details of the path normalization. -For gRPC service, this will be the fully-qualified name in the form of "/package.service/method".

          +For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.

          If not set, any path is allowed. Must be used only with HTTP.

          jwksUri string -

          URL of the provider's public key set to validate signature of the +

          URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

          Optional if the key set document can either (a) be retrieved from OpenID @@ -116,7 +116,7 @@

          JWTRule

          JWTHeader[]

          List of header locations from which JWT is expected. For example, below is the location spec -if JWT is expected to be found in x-jwt-assertion header, and have "Bearer " prefix:

          +if JWT is expected to be found in x-jwt-assertion header, and have “Bearer " prefix:

            fromHeaders:
             - name: x-jwt-assertion
               prefix: "Bearer "
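Review bot: the `+` line in this hunk now reads `“Bearer " prefix:` with a curly opening quote and a straight closing quote, so the rendered sentence has mismatched quotes around the one value where the exact characters (including the trailing space) matter. Wrap the literal in a code span in the proto comment, matching the `prefix: "Bearer "` YAML context three lines below, so both quotes stay straight and the trailing space is visible to the reader.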
          @@ -203,8 +203,8 @@ 

          JWTHeader

          string

          The prefix that should be stripped before decoding the token. -For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end. -If the header doesn't have this exact prefix, it is considered invalid.

          +For example, for “Authorization: Bearer ”, prefix=“Bearer " with a space at the end. +If the header doesn’t have this exact prefix, it is considered invalid.
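Review bot: within one sentence this hunk now renders `“Authorization: Bearer ”` with matched curly quotes but `prefix=“Bearer "` with a straight closing quote, so the example a user is meant to copy shows inconsistent and mismatched quoting. Both are exact header and prefix values rather than prose; put each in a code span in the source comment so neither is smartened and `prefix="Bearer "` reads as the literal it is, trailing space included.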

          diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html index 78df3bad23197..2e568fba5c633 100644 --- a/content/en/docs/reference/config/security/request_authentication/index.html +++ b/content/en/docs/reference/config/security/request_authentication/index.html @@ -49,7 +49,7 @@

          RequestAuthentication

          requestPrincipals: ["*"]
            -
          • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces +
          • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
          @@ -138,7 +138,7 @@

          RequestAuthentication

          paths: ["/healthz"]

          [Experimental] Routing based on derived metadata -is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. +is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:

          • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name @@ -148,7 +148,7 @@

            RequestAuthentication

            • RequestAuthentication to decode and validate a JWT. This also makes the @request.auth.claims available for use in the VirtualService.
            • AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
            • -
            • VirtualService to route the request based on the "sub" claim.
            • +
            • VirtualService to route the request based on the “sub” claim.
            apiVersion: security.istio.io/v1beta1
             kind: RequestAuthentication
            @@ -231,7 +231,7 @@ 

            RequestAuthentication

          jwtRules JWTRule[] -

          Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token +

          Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token will be used to extract the authenticated identity. Each rule will be activated only when a token is presented at the location recognized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will diff --git a/content/en/docs/reference/config/telemetry/index.html b/content/en/docs/reference/config/telemetry/index.html index fcd55d89239ed..6e94084fc21a2 100644 --- a/content/en/docs/reference/config/telemetry/index.html +++ b/content/en/docs/reference/config/telemetry/index.html @@ -35,7 +35,7 @@ tracing: - randomSamplingPercentage: 10.00 -

          Policy to disable trace reporting for the "foo" workload (note: tracing +

          Policy to disable trace reporting for the “foo” workload (note: tracing context will still be propagated):

          apiVersion: telemetry.istio.io/v1alpha1
           kind: Telemetry
          @@ -508,9 +508,9 @@ 

          MetricsOverrides

          disabled BoolValue -

          Optional. Must explicitly set this to "true" to turn off metrics reporting -for the listed metrics. If disabled has been set to "true" in a parent -configuration, it must explicitly be set to "false" to turn metrics +

          Optional. Must explicitly set this to “true” to turn off metrics reporting +for the listed metrics. If disabled has been set to “true” in a parent +configuration, it must explicitly be set to “false” to turn metrics reporting on in the workloads selected by the Telemetry resource.

          Value is only considered if the operation is UPSERT. Values are CEL expressions over -attributes. Examples include: "string(destination.port)" and -"request.host". Istio exposes all standard Envoy +attributes. Examples include: “string(destination.port)” and +“request.host”. Istio exposes all standard Envoy attributes. Additionally, Istio exposes node metadata as attributes. More information is provided in the customization diff --git a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html index be16cc59a07b1..6f24f5da011f4 100644 --- a/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.analysis.v1alpha1/index.html @@ -65,10 +65,10 @@

          AnalysisMessageBase

          AnalysisMessageWeakSchema

          -

          AnalysisMessageWeakSchema is the set of information that's needed to define a +

          AnalysisMessageWeakSchema is the set of information that’s needed to define a weakly-typed schema. The purpose of this proto is to provide a mechanism for validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make -sure that we don't allow committing underspecified types.

          +sure that we don’t allow committing underspecified types.

          @@ -175,8 +175,8 @@

          GenericAnalysisMessage

          @@ -264,7 +264,7 @@

          AnalysisMessageBase.Type

          @@ -304,7 +304,7 @@

          AnalysisMessageWeakSchema.ArgType

          Required. Should be a golang type, used in code generation. Ideally this will change to a less language-pinned type before this gets -out of alpha, but for compatibility with current istio/istio code it's +out of alpha, but for compatibility with current istio/istio code it’s go_type for now.

          diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html index 308ebb3a6b012..82eb892f2bf8f 100644 --- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -172,7 +172,7 @@

          MeshConfig

          @@ -211,7 +211,7 @@

          MeshConfig

          @@ -324,7 +324,7 @@

          MeshConfig

          @@ -384,7 +384,7 @@

          MeshConfig

          @@ -533,7 +533,7 @@

          MeshConfig

          @@ -557,7 +557,7 @@

          MeshConfig

          @@ -1265,7 +1265,7 @@

          Mesh

          @@ -1310,7 +1310,7 @@

          Mes The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

          +

          Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

          @@ -1450,9 +1450,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
          @@ -1474,9 +1474,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
          @@ -1495,9 +1495,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
          @@ -1528,7 +1528,7 @@

          Mes The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".

          +

          Example: “my-ext-authz.foo.svc.cluster.local” or “bar/my-ext-authz.example.com”.

          @@ -2121,7 +2121,7 @@

          MeshConfig.Exten The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          +

          Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

          @@ -2191,7 +2191,7 @@

          MeshConfig.E The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          +

          Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

          @@ -2229,7 +2229,7 @@

          MeshConfig.E

          @@ -2396,8 +2396,8 @@

          k8s.io.apimachinery.

          @@ -2610,7 +2610,7 @@

          ProxyConfig

          source-based routing scenarios.

          Since Istio does not assign a local service/service version to each Envoy instance, the name is same for all of them. However, the -source/caller's identity (e.g., IP address) is encoded in the +source/caller’s identity (e.g., IP address) is encoded in the --service-node flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the service-node flag to compute routes that are relative to the service instances @@ -2723,10 +2723,10 @@

          ProxyConfig

          @@ -2788,7 +2788,7 @@

          ProxyConfig

          Address of the service to which access logs from Envoys should be sent. (e.g. accesslog-service:15000). See Access Log Service -for details about Envoy's gRPC Access Log Service API.

          +for details about Envoy’s gRPC Access Log Service API.

          @@ -3106,7 +3106,7 @@

          Tracing.Datadog

          Tracing.Stackdriver

          Stackdriver defines configuration for a Stackdriver tracer. -See Envoy's OpenCensus trace configuration +See Envoy’s OpenCensus trace configuration and OpenCensus trace config for details.

          @@ -3127,7 +3127,7 @@

          Tracing.OpenCensusAgent

          OpenCensusAgent defines configuration for an OpenCensus tracer writing to an OpenCensus agent backend. See -Envoy's OpenCensus trace configuration +Envoy’s OpenCensus trace configuration and OpenCensus trace config for details.

          @@ -3361,8 +3361,8 @@

          Network.NetworkEndpoints

        • Explicitly:

          -

          a. By matching the registry name with one of the "fromRegistry" -in the mesh config. A "from_registry" can only be assigned to a +

          a. By matching the registry name with one of the “fromRegistry” +in the mesh config. A “from_registry” can only be assigned to a single network.

          b. By matching the IP against one of the CIDR ranges in a mesh config network. The CIDR ranges must not overlap and be assigned to diff --git a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html index 7578af3f61ccc..f1c5f2147174f 100644 --- a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html @@ -11,7 +11,7 @@ ---

          Configuration affecting Istio control plane installation version and shape. Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. -Without camelCase, the json tag on the Go struct will not match the user's JSON representation. +Without camelCase, the json tag on the Go struct will not match the user’s JSON representation. This leads to Kubernetes merge libraries, which rely on this tag, to fail. All other usages use jsonpb which does not use the json tag.

          @@ -3932,7 +3932,7 @@

          k8s.io.api.core.v1.VolumeMount

        • @@ -3971,9 +3971,9 @@

          k8s.io.api.core.v1.VolumeMount

          diff --git a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html index 2d3fc29cf4147..48be4f360d77c 100644 --- a/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html +++ b/content/zh/docs/reference/config/meta/v1beta1/istio-status/index.html @@ -39,7 +39,7 @@

          IstioStatus

          diff --git a/content/zh/docs/reference/config/networking/destination-rule/index.html b/content/zh/docs/reference/config/networking/destination-rule/index.html index 775ff6993cae5..83bd9dbb0c453 100644 --- a/content/zh/docs/reference/config/networking/destination-rule/index.html +++ b/content/zh/docs/reference/config/networking/destination-rule/index.html @@ -201,15 +201,15 @@

          DestinationRule

          @@ -367,7 +367,7 @@

          TrafficPolicy

          @@ -899,7 +899,7 @@

          OutlierDetection

          ClientTLSSettings

          -

          SSL/TLS related settings for upstream connections. See Envoy's TLS +

          SSL/TLS related settings for upstream connections. See Envoy’s TLS context for more details. These settings are common to both HTTP and TCP upstreams.

          For example, the following rule configures a client to use mutual TLS @@ -1033,7 +1033,7 @@

          ClientTLSSettings

          @@ -1047,7 +1047,7 @@

          ClientTLSSettings

          @@ -1086,7 +1086,7 @@

          ClientTLSSettings

          @@ -1845,8 +1845,8 @@

          ConnectionPoolSettings.

          LocalityLoadBalancerSetting.Distribute

          -

          Describes how traffic originating in the 'from' zone or sub-zone is -distributed over a set of 'to' zones. Syntax for specifying a zone is +

          Describes how traffic originating in the ‘from’ zone or sub-zone is +distributed over a set of ’to’ zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples:

          * - matches all localities
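Review bot: the `+` line in this hunk renders `’to’ zones` with a closing-style single quote on both sides, while `‘from’` on the same line came out with a proper opening quote, so the two field names are now typeset differently. Since `from` and `to` name the keys of the Distribute setting, suggest code spans for both in the source comment instead of single quotes; that removes the typographer from the equation entirely.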

          @@ -1867,7 +1867,7 @@

          LocalityLoadBalancerSetting.Dist

          @@ -947,7 +947,7 @@

          EnvoyFilter.RouteC

          @@ -1001,7 +1001,7 @@

          EnvoyFilter.ListenerMatch.Fi

          diff --git a/content/zh/docs/reference/config/networking/gateway/index.html b/content/zh/docs/reference/config/networking/gateway/index.html index fffb4ef2504dc..b26944779ea6a 100644 --- a/content/zh/docs/reference/config/networking/gateway/index.html +++ b/content/zh/docs/reference/config/networking/gateway/index.html @@ -136,9 +136,9 @@ http://uk.bookinfo.com:9080/reviews, http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of an internal reviews service on port 9080. In addition, requests -containing the cookie "user: dev-123" will be sent to special port 7777 +containing the cookie “user: dev-123” will be sent to special port 7777 in the qa version. The same rule is also applicable inside the mesh for -requests to the "reviews.prod.svc.cluster.local" service. This rule is +requests to the “reviews.prod.svc.cluster.local” service. This rule is applicable across ports 443, 9080. Note that http://uk.bookinfo.com gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

          {{}} @@ -346,8 +346,8 @@

          Gateway

          One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. By default workloads are searched across all namespaces based on label selectors. -This implies that a gateway resource in the namespace "foo" can select pods in -the namespace "bar" based on labels. +This implies that a gateway resource in the namespace “foo” can select pods in +the namespace “bar” based on labels. This behavior can be controlled via the PILOT_SCOPE_GATEWAY_TO_NAMESPACE environment variable in istiod. If this variable is set to true, the scope of label search is restricted to the configuration @@ -545,12 +545,12 @@

          Server

          Any associated DestinationRule in the selected namespace will also be used.

          A VirtualService must be bound to the gateway and must have one or more hosts that match the hosts specified in a server. The match -could be an exact match or a suffix match with the server's hosts. For -example, if the server's hosts specifies *.example.com, a +could be an exact match or a suffix match with the server’s hosts. For +example, if the server’s hosts specifies *.example.com, a VirtualService with hosts dev.example.com or prod.example.com will match. However, a VirtualService with host example.com or newexample.com will not match.

          -

          NOTE: Only virtual services exported to the gateway's namespace +

          NOTE: Only virtual services exported to the gateway’s namespace (e.g., exportTo value of *) can be referenced. Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, @@ -565,7 +565,7 @@

          Server

          string[]

          A list of strings specifying the resource identifiers that were the cause -of message generation. A "path" here is a (NAMESPACE/)?RESOURCETYPE/NAME -tuple that uniquely identifies a particular resource. There doesn't seem to +of message generation. A “path” here is a (NAMESPACE/)?RESOURCETYPE/NAME +tuple that uniquely identifies a particular resource. There doesn’t seem to be a single concept for this, but this is intuitively taken from https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology At least one is required.

          @@ -250,8 +250,8 @@

          AnalysisMessageBase.Type

          name string -

          A human-readable name for the message type. e.g. "InternalError", -"PodMissingProxy". This should be the same for all messages of the same type. +

          A human-readable name for the message type. e.g. “InternalError”, +“PodMissingProxy”. This should be the same for all messages of the same type. Required.

          string

          A 7 character code matching ^IST[0-9]{4}$ intended to uniquely identify -the message type. (e.g. "IST0001" is mapped to the "InternalError" message +the message type. (e.g. “IST0001” is mapped to the “InternalError” message type.) 0000-0100 are reserved. Required.

          string

          Format for the proxy access log -Empty value results in proxy's default access log format

          +Empty value results in proxy’s default access log format

          @@ -195,9 +195,9 @@

          MeshConfig

          enableEnvoyAccessLogService bool -

          This flag enables Envoy's gRPC Access Log Service. +

          This flag enables Envoy’s gRPC Access Log Service. See Access Log Service -for details about Envoy's gRPC Access Log Service API. +for details about Envoy’s gRPC Access Log Service API. Default value is false.

          This flag disables Envoy Listener logs. See Listener Access Log -Istio Enables Envoy's listener access logs on "NoRoute" response flag. +Istio Enables Envoy’s listener access logs on “NoRoute” response flag. Default value is false.

          CertificateData[]

          The extra root certificates for workload-to-workload communication. -The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) +The plugin certificates (the ‘cacerts’ secret) or self-signed certificates (the ‘istio-ca-secret’ secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.

          @@ -345,9 +345,9 @@

          MeshConfig

          . - Current Namespace ~ - No Namespace -

          If not set the system will use "*" as the default value which implies that +

          If not set the system will use “*” as the default value which implies that services are exported to all namespaces.

          -

          All namespaces is a reasonable default for implementations that don't +

          All namespaces is a reasonable default for implementations that don’t need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default Current namespace so that services are only visible @@ -370,7 +370,7 @@

          MeshConfig

          The default value for the VirtualService.export_to field. Has the same syntax as default_service_export_to.

          -

          If not set the system will use "*" as the default value which implies that +

          If not set the system will use “*” as the default value which implies that virtual services are exported to all namespaces

          The default value for the DestinationRule.export_to field. Has the same syntax as default_service_export_to.

          -

          If not set the system will use "*" as the default value which implies that +

          If not set the system will use “*” as the default value which implies that destination rules are exported to all namespaces

          extensionProviders ExtensionProvider[] -

          Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy +

          Defines a list of extension providers that extend Istio’s functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.

          LabelSelector[]

          A list of Kubernetes selectors that specify the set of namespaces that Istio considers when -computing configuration updates for sidecars. This can be used to reduce Istio's computational load +computing configuration updates for sidecars. This can be used to reduce Istio’s computational load by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. If omitted, Istio will use the default behavior of processing all namespaces in the cluster. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. @@ -591,7 +591,7 @@

          MeshConfig

          ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are normalized by the sidecars and gateways. -The normalized paths will be used in all aspects through the requests' lifetime on the +The normalized paths will be used in all aspects through the requests’ lifetime on the sidecars and gateways, which includes routing decisions in outbound direction (client proxy), authorization policy match and enforcement in inbound direction (server proxy), and the URL path proxied to the upstream service. @@ -608,7 +608,7 @@

          MeshConfig

          Configure the default HTTP retry policy. The default number of retry attempts is set at 2 for these errors: -"connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes". +“connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes”. Setting the number of attempts to 0 disables retry policy globally. This setting can be overriden on a per-host basis using the Virtual Service API. @@ -862,8 +862,8 @@

          MeshConfig.CA

        • DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar. DISABLE MODE can also be used for testing
        • TLS MUTUAL MODE be on by default. If the CA certificates -(cert bundle to verify the CA server's certificate) is omitted, Istiod will -use the system root certs to verify the CA server's certificate.
        • +(cert bundle to verify the CA server’s certificate) is omitted, Istiod will +use the system root certs to verify the CA server’s certificate.

          When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. -A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message +A “x-envoy-auth-partial-body: false|true” metadata header will be added to the authorization request message indicating if the body data is partial.
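Review bot: `“x-envoy-auth-partial-body: false|true”` in this hunk's `+` line is a literal header name and value set, and it now renders with curly quotes; anyone writing a header match or searching logs for it will not be looking for typographic quotes. Suggest a code span for the header literal in the source comment so it keeps straight quotes in the rendered page.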

          @@ -1346,8 +1346,8 @@

          Mes

          string

          Sets a prefix to the value of authorization request header Path. -For example, setting this to "/check" for an original user request at path "/admin" will cause the -authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".

          +For example, setting this to “/check” for an original user request at path “/admin” will cause the +authorization check request to be sent to the authorization service at the path “/check/admin” instead of “/admin”.
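Review bot: the `+` lines in this hunk wrap `/check`, `/admin` and `/check/admin` in curly quotes, yet these are literal path values a reader is likely to copy into their own configuration or a test request. Suggest code spans for path literals in the source comment so they keep straight quotes (or drop the quotes around code-formatted paths altogether), consistent with how the YAML examples elsewhere in this page render them.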

          @@ -1360,7 +1360,7 @@

          Mes

          If true, the user request will be allowed even if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error. -Default is false and the request will be rejected with "Forbidden" response.

          +Default is false and the request will be rejected with “Forbidden” response.

          @@ -1372,7 +1372,7 @@

          Mes

          string

          Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is "403" (HTTP Forbidden).

          +The default status is “403” (HTTP Forbidden).

          @@ -1405,9 +1405,9 @@

          Mes

          Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.

          @@ -1577,7 +1577,7 @@

          Mes

          string

          Sets the HTTP status that is returned to the client when there is a network error to the authorization service. -The default status is "403" (HTTP Forbidden).

          +The default status is “403” (HTTP Forbidden).

          @@ -1620,7 +1620,7 @@

          MeshConfig.Extension The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".

          +

          Example: “zipkin.default.svc.cluster.local” or “bar/zipkin.example.com”.

          @@ -1677,7 +1677,7 @@

          MeshConfig.Extens The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".

          +

          Example: “lightstep.default.svc.cluster.local” or “bar/lightstep.example.com”.

          @@ -1743,7 +1743,7 @@

          MeshConfig.Extensio The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".

          +

          Example: “datadog.default.svc.cluster.local” or “bar/datadog.example.com”.

          @@ -1798,7 +1798,7 @@

          MeshConfig.Exten The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".

          +

          Example: “skywalking.default.svc.cluster.local” or “bar/skywalking.example.com”.

          @@ -1877,7 +1877,7 @@

          MeshConfig.

          Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.

          WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of -OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation +OpenCensus providers CANNOT be changed during the course of proxy’s lifetime due to a limitation in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider configuration MUST be accompanied by a restart of all proxies that will use that configuration.

          @@ -1902,7 +1902,7 @@

          MeshConfig. The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".

          +

          Example: “ocagent.default.svc.cluster.local” or “bar/ocagent.example.com”.

          @@ -2017,7 +2017,7 @@

          MeshConfig.Exte The format is [<Namespace>/]<Hostname>. The specification of <Namespace> is required only when it is insufficient to unambiguously resolve a service in the service registry. The <Hostname> is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.

          -

          Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".

          +

          Example: “envoy-als.foo.svc.cluster.local” or “bar/envoy-als.example.com”.

          @@ -2042,8 +2042,8 @@

          MeshConfig.Exte

          Optional. The friendly name of the access log. Defaults:

            -
          • "http_envoy_accesslog"
          • -
          • "listener_envoy_accesslog"
          • +
          • “http_envoy_accesslog”
          • +
          • “listener_envoy_accesslog”

          @@ -2146,8 +2146,8 @@

          MeshConfig.Exten

          Optional. The friendly name of the access log. Defaults:

            -
          • "tcp_envoy_accesslog"
          • -
          • "listener_envoy_accesslog"
          • +
          • “tcp_envoy_accesslog”
          • +
          • “listener_envoy_accesslog”

          @@ -2216,7 +2216,7 @@

          MeshConfig.E

          Optional. The friendly name of the access log. Defaults:

            -
          • "otel_envoy_accesslog"
          • +
          • “otel_envoy_accesslog”

          LogFormat

          Optional. Format for the proxy access log -Empty value results in proxy's default access log format, following Envoy access logging formatting.

          +Empty value results in proxy’s default access log format, following Envoy access logging formatting.

          @@ -2261,7 +2261,7 @@

          MeshConfig.Ext

          Example: labels: path: request.url_path -foo: request.headers['x-foo']

          +foo: request.headers[‘x-foo’]
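Review bot: the `@@ -2261,7 +2261,7 @@` hunk curls the quotes inside an attribute expression: `foo: request.headers['x-foo']` becomes `foo: request.headers[‘x-foo’]`, and a curly quote is not a string delimiter, so the example no longer works when pasted into a Telemetry `labels:` block. The `Example: labels:` snippet should be a fenced code block (or at least inline code) in the upstream comment; the typographer only rewrites quotes in plain text, so that is the fix rather than disabling smart punctuation page-wide.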

          @@ -2290,7 +2290,7 @@

          MeshC

          Textual format for the envoy access logs. Envoy command operators may be used in the format. The format string documentation provides more information.

          -

          NOTE: Istio will insert a newline ('\n') on all formats (if missing).

          +

          NOTE: Istio will insert a newline (’\n’) on all formats (if missing).

          Example: text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"
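Review bot: in the `@@ -2290,7 +2290,7 @@` hunk the escape sequence gets the wrong glyph on the opening side: `NOTE: Istio will insert a newline (’\n’) on all formats` now shows a closing apostrophe (’) at both ends. The `text:` example on the very next line kept its straight quotes because it is already rendered as code, so wrapping `'\n'` in backticks in the source comment would make this line consistent with it and avoid a reader copying a curly quote.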

          map<string, string>

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is "key", the -operator is "In", and the values array contains only "value". The requirements are ANDed. +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed. +optional

          statNameLength int32 -

          Maximum length of name field in Envoy's metrics. The length of the name field +

          Maximum length of name field in Envoy’s metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. -Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. +Envoy’s internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.

          @@ -2801,7 +2801,7 @@

          ProxyConfig

          Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). See Metric Service -for details about Envoy's Metrics Service API.

          +for details about Envoy’s Metrics Service API.

          @@ -2937,7 +2937,7 @@

          ProxyConfig

          Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. -Default value is 'false'.

          +Default value is ‘false’.

          @@ -2950,7 +2950,7 @@

          ProxyConfig

          The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. -The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) +The plugin certificates (the ‘cacerts’ secret), self-signed certificates (the ‘istio-ca-secret’ secret) are added automatically by Istiod.

          string

          Path within the container at which the volume should be mounted. Must -not contain ':'.

          +not contain ‘:’.

          @@ -3943,8 +3943,8 @@

          k8s.io.api.core.v1.VolumeMount

          subPath string -

          Path within the volume from which the container's volume should be mounted. -Defaults to "" (volume's root). +

          Path within the volume from which the container’s volume should be mounted. +Defaults to "" (volume’s root). +optional

          subPathExpr string -

          Expanded path within the volume from which the container's volume should be mounted. -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. -Defaults to "" (volume's root). +

          Expanded path within the volume from which the container’s volume should be mounted. +Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. +Defaults to "" (volume’s root). SubPathExpr and SubPath are mutually exclusive. +optional

          @@ -4007,8 +4007,8 @@

          k8s.io.apimachinery.

          map<string, string>

          matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is "key", the -operator is "In", and the values array contains only "value". The requirements are ANDed. +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed. +optional

          validationMessages AnalysisMessageBase[] -

          Includes any errors or warnings detected by Istio's analyzers. +

          Includes any errors or warnings detected by Istio’s analyzers. +optional +patchMergeKey=type +patchStrategy=merge
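Review bot: the hunk for `validationMessages AnalysisMessageBase[]` still renders the Kubernetes codegen markers `+optional +patchMergeKey=type +patchStrategy=merge` as trailing prose after `Includes any errors or warnings detected by Istio’s analyzers.`; the same `+optional` tail shows up on the `matchLabels`, `subPath`, `subPathExpr`, `observedGeneration` and `reason` descriptions in this patch. These are not introduced by the Goldmark switch, but since the generator is being reworked here it would be the right moment to strip marker comment lines (lines beginning with `+`) from the rendered field descriptions.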

          @@ -54,7 +54,7 @@

          IstioStatus

          int64

          Resource Generation to which the Reconciled Condition refers. -When this value is not equal to the object's metadata generation, reconciled condition calculation for the current +When this value is not equal to the object’s metadata generation, reconciled condition calculation for the current generation is still in progress. See https://istio.io/latest/docs/reference/config/config-status/ for more info. +optional

          @@ -129,7 +129,7 @@

          IstioCondition

          reason string -

          Unique, one-word, CamelCase reason for the condition's last transition. +

          Unique, one-word, CamelCase reason for the condition’s last transition. +optional

          string

          The name of a service from the service registry. Service -names are looked up from the platform's service registry (e.g., +names are looked up from the platform’s service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntries. Rules defined for services that do not exist in the service registry will be ignored.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews" will be -interpreted as "reviews.default.svc.cluster.local", irrespective of +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          @@ -257,8 +257,8 @@

          DestinationRule

          across namespace boundaries.

          If no namespaces are specified then the destination rule is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that -the destination rule is declared in. Similarly, the value "*" is reserved and +

          The value “.” is reserved and defines an export to the same namespace that +the destination rule is declared in. Similarly, the value “*” is reserved and defines an export to all namespaces.

          Configuration of tunneling TCP over other transport or application layers for the host configured in the DestinationRule. -Tunnel settings can be applied to TCP or TLS routes and can't be applied to HTTP routes.

          +Tunnel settings can be applied to TCP or TLS routes and can’t be applied to HTTP routes.

          @@ -488,7 +488,7 @@

          Subset

          LoadBalancerSettings

          -

          Load balancing policies to apply for a specific destination. See Envoy's +

          Load balancing policies to apply for a specific destination. See Envoy’s load balancing documentation for more details.

          @@ -617,7 +617,7 @@

          LoadBalancerSettings

          ConnectionPoolSettings

          Connection pool settings for an upstream host. The settings apply to -each individual host in the upstream service. See Envoy's circuit +each individual host in the upstream service. See Envoy’s circuit breaker for more details. Connection pool settings can be applied at the TCP level as well as at HTTP level.

          @@ -703,11 +703,11 @@

          OutlierDetection

          errors for API calls are ejected from the pool for a pre-defined period of time. For TCP services, connection timeouts or connection failures to a given host counts as an error when measuring the -consecutive errors metric. See Envoy's outlier +consecutive errors metric. See Envoy’s outlier detection for more details.

          The following rule sets a connection pool size of 100 HTTP1 connections -with no more than 10 req/connection to the "reviews" service. In addition, +with no more than 10 req/connection to the “reviews” service. In addition, it sets a limit of 1000 concurrent HTTP2 requests and configures upstream hosts to be scanned every 5 mins so that any host that fails 7 consecutive times with a 502, 503, or 504 error code will be ejected for 15 minutes.

          @@ -886,7 +886,7 @@

          OutlierDetection

          percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be -disabled by setting it to 0%. The default is 0% as it's not typically +disabled by setting it to 0%. The default is 0% as it’s not typically applicable in k8s environments with few pods per service.

          string

          REQUIRED if mode is MUTUAL. The path to the file holding the -client's private key. +client’s private key. Should be empty if mode is ISTIO_MUTUAL.

          OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If -omitted, the proxy will not verify the server's certificate. +omitted, the proxy will not verify the server’s certificate. Should be empty if mode is ISTIO_MUTUAL.

          A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server -certificate's subject alt name matches one of the specified values. +certificate’s subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the @@ -1145,13 +1145,13 @@

          LocalityLoadBalancerSetting

          {region}/{zone}/{sub-zone} form. For additional detail refer to Locality Weight The following example shows how to setup locality weights mesh-wide.

          -

          Given a mesh with workloads and their service deployed to "us-west/zone1/" -and "us-west/zone2/". This example specifies that when traffic accessing a -service originates from workloads in "us-west/zone1/", 80% of the traffic -will be sent to endpoints in "us-west/zone1/", i.e the same zone, and the -remaining 20% will go to endpoints in "us-west/zone2/". This setup is +

          Given a mesh with workloads and their service deployed to “us-west/zone1/” +and “us-west/zone2/”. This example specifies that when traffic accessing a +service originates from workloads in “us-west/zone1/”, 80% of the traffic +will be sent to endpoints in “us-west/zone1/”, i.e the same zone, and the +remaining 20% will go to endpoints in “us-west/zone2/”. This setup is intended to favor routing traffic to endpoints in the same locality. -A similar setting is specified for traffic originating in "us-west/zone2/".

          +A similar setting is specified for traffic originating in “us-west/zone2/”.

            distribute:
               - from: us-west/zone1/*
                 to:
          @@ -1164,8 +1164,8 @@ 

          LocalityLoadBalancerSetting

          If the goal of the operator is not to distribute load across zones and regions but rather to restrict the regionality of failover to meet other -operational requirements an operator can set a 'failover' policy instead of -a 'distribute' policy.

          +operational requirements an operator can set a ‘failover’ policy instead of +a ‘distribute’ policy.

          The following example sets up a locality failover policy for regions. Assume a service resides in zones within us-east, us-west & eu-west this example specifies that when endpoints within us-east become unhealthy @@ -1723,7 +1723,7 @@

          ConnectionPoolSettings.HTTPSettings

          int32

          Maximum number of requests per connection to a backend. Setting this -parameter to 1 disables keep alive. Default 0, meaning "unlimited", +parameter to 1 disables keep alive. Default 0, meaning “unlimited”, up to 2^29.

          from string -

          Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.

          +

          Originating locality, ‘/’ separated, e.g. ‘region/zone/sub_zone’.

          @@ -1926,7 +1926,7 @@

          LocalityLoadBalancerSetting.Failov

          string

          Destination region the traffic will fail over to when endpoints in -the 'from' region becomes unhealthy.

          +the ‘from’ region becomes unhealthy.

          diff --git a/content/zh/docs/reference/config/networking/envoy-filter/index.html b/content/zh/docs/reference/config/networking/envoy-filter/index.html index 0040598f3e815..99a38866971cc 100644 --- a/content/zh/docs/reference/config/networking/envoy-filter/index.html +++ b/content/zh/docs/reference/config/networking/envoy-filter/index.html @@ -21,9 +21,9 @@ application of these EnvoyFilters is as follows: all EnvoyFilters in the config root namespace, -followed by all matching EnvoyFilters in the workload's namespace.

          +followed by all matching EnvoyFilters in the workload’s namespace.

          NOTE 1: Some aspects of this API are deeply tied to the internal -implementation in Istio networking subsystem as well as Envoy's XDS +implementation in Istio networking subsystem as well as Envoy’s XDS API. While the EnvoyFilter API by itself will maintain backward compatibility, any envoy configuration provided through this mechanism should be carefully monitored across Istio proxy version @@ -83,9 +83,9 @@ common_http_protocol_options: idle_timeout: 30s -

          The following example enables Envoy's Lua filter for all inbound +

          The following example enables Envoy’s Lua filter for all inbound HTTP calls arriving at service port 8080 of the reviews service pod -with labels "app: reviews", in the bookinfo namespace. The lua +with labels “app: reviews”, in the bookinfo namespace. The lua filter calls out to an external service internal.org.net:8888 that requires a special cluster definition in envoy. The cluster is also added to the sidecar as part of this configuration.

          @@ -471,7 +471,7 @@

          EnvoyFilter.ProxyMatch

          map<string, string>

          Match on the node metadata supplied by a proxy when connecting -to Istio Pilot. Note that while Envoy's node metadata is of +to Istio Pilot. Note that while Envoy’s node metadata is of type Struct, only string key-value pairs are processed by Pilot. All keys specified in the metadata must match with exact values. The match will fail if any of the specified keys are @@ -602,7 +602,7 @@

          EnvoyFilter.RouteConfigurationMatch

          gateway string -

          The Istio gateway config's namespace/name for which this route +

          The Istio gateway config’s namespace/name for which this route configuration was generated. Applies only if the context is GATEWAY. Should be in the namespace/name format. Use this field in conjunction with the portNumber and portName to accurately @@ -905,7 +905,7 @@

          EnvoyFilter.RouteConfigu

          The Route objects generated by default are named as default. Route objects generated using a virtual service -will carry the name used in the virtual service's HTTP +will carry the name used in the virtual service’s HTTP routes.

          The VirtualHosts objects generated by Istio are named as host:port, where the host typically corresponds to the -VirtualService's host field or the hostname of a service in the +VirtualService’s host field or the hostname of a service in the registry.

          sni string -

          The SNI value used by a filter chain's match condition. This +

          The SNI value used by a filter chain’s match condition. This condition will evaluate to false if the filter chain has no sni match.

          @@ -1017,7 +1017,7 @@

          EnvoyFilter.ListenerMatch.Fi

          Applies only to SIDECAR_INBOUND context. If non-empty, a transport protocol to consider when determining a filter chain match. This value will be compared against the -transport protocol of a new connection, when it's detected by +transport protocol of a new connection, when it’s detected by the tls_inspector listener filter.

          Accepted values include:

            @@ -1037,7 +1037,7 @@

            EnvoyFilter.ListenerMatch.Fi

            Applies only to sidecars. If non-empty, a comma separated set of application protocols to consider when determining a filter chain match. This value will be compared against the -application protocols of a new connection, when it's detected +application protocols of a new connection, when it’s detected by one of the listener filters such as the http_inspector.

            Accepted values include: h2, http/1.1, http/1.0

            @@ -1063,7 +1063,7 @@

            EnvoyFilter.ListenerMatch.Fi

          destinationPort uint32 -

          The destination_port value used by a filter chain's match condition. +

          The destination_port value used by a filter chain’s match condition. This condition will evaluate to false if the filter chain has no destination_port match.

          tls ServerTLSSettings -

          Set of TLS related options that govern the server's behavior. Use +

          Set of TLS related options that govern the server’s behavior. Use these options to control if all http requests should be redirected to https, and the TLS modes to use.

          @@ -709,7 +709,7 @@

          ServerTLSSettings

          string

          REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server's private key.

          +holding the server’s private key.

          diff --git a/content/zh/docs/reference/config/networking/service-entry/index.html b/content/zh/docs/reference/config/networking/service-entry/index.html index 911964ffb94bb..9fd6d7fcf46d1 100644 --- a/content/zh/docs/reference/config/networking/service-entry/index.html +++ b/content/zh/docs/reference/config/networking/service-entry/index.html @@ -10,13 +10,13 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/service-entry] number_of_entries: 3 --- -

          ServiceEntry enables adding additional entries into Istio's +

          ServiceEntry enables adding additional entries into Istio’s internal service registry, so that auto-discovered services in the mesh can access/route to these manually specified services. A service entry describes the properties of a service (DNS name, VIPs, ports, protocols, endpoints). These services could be external to the mesh (e.g., web APIs) or mesh-internal services -that are not part of the platform's service registry (e.g., a set +that are not part of the platform’s service registry (e.g., a set of VMs talking to services in Kubernetes). In addition, the endpoints of a service entry can also be dynamically selected by using the workloadSelector field. These endpoints can be VM @@ -67,7 +67,7 @@

          {{}} {{}}

          The following configuration adds a set of MongoDB instances running on -unmanaged VMs to Istio's registry, so that these services can be treated +unmanaged VMs to Istio’s registry, so that these services can be treated as any other service in the mesh. The associated DestinationRule is used to initiate mTLS connections to the database instances.

          {{}} @@ -232,10 +232,10 @@ the wikipedia domains.

          The following example demonstrates the use of a dedicated egress gateway through which all external service traffic is forwarded. -The 'exportTo' field allows for control over the visibility of a service +The ’exportTo’ field allows for control over the visibility of a service declaration to other namespaces in the mesh. By default, a service is exported to all namespaces. The following example restricts the visibility to the -current namespace, represented by ".", so that it cannot be used by other +current namespace, represented by “.”, so that it cannot be used by other namespaces.
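Review bot: in the `@@ -232,10 +232,10 @@` hunk of service-entry/index.html the single-quoted field name comes out with a mismatched pair: `The ’exportTo’ field allows for control` opens with a closing apostrophe (’) instead of an opening one, while `represented by “.”` two lines further down is paired correctly. `exportTo` is a field name, so the upstream comment should use backticks rather than single quotes; that sidesteps the typographer's quote-direction heuristics entirely.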

          {{}} {{}}

          @@ -687,7 +687,7 @@

          ServiceEntry

          -

          ServiceEntry enables adding additional entries into Istio's internal +

          ServiceEntry enables adding additional entries into Istio’s internal service registry.

          @@ -835,11 +835,11 @@

          ServiceEntry

          namespace boundaries.

          If no namespaces are specified then the service is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that -the service is declared in. Similarly the value "*" is reserved and +

          The value “.” is reserved and defines an export to the same namespace that +the service is declared in. Similarly the value “*” is reserved and defines an export to all namespaces.

          For a Kubernetes Service, the equivalent effect can be achieved by setting -the annotation "networking.istio.io/exportTo" to a comma-separated list +the annotation “networking.istio.io/exportTo” to a comma-separated list of namespace names.

          @@ -851,7 +851,7 @@

          ServiceEntry

          subjectAltNames string[] -

          If specified, the proxy will verify that the server certificate's +

          If specified, the proxy will verify that the server certificate’s subject alternate name matches one of the specified values.

          NOTE: When using the workloadEntry with workloadSelectors, the service account specified in the workloadEntry will also be used @@ -872,7 +872,7 @@

          ServiceEntry.Location

          outside the mesh. Location determines the behavior of several features, such as service-to-service mTLS authentication, policy enforcement, etc. When communicating with services outside the mesh, -Istio's mTLS authentication is disabled, and policy enforcement is +Istio’s mTLS authentication is disabled, and policy enforcement is performed on the client-side as opposed to server-side.

          diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html index d99f4f33e37bd..c4e1c50ddff57 100644 --- a/content/zh/docs/reference/config/networking/sidecar/index.html +++ b/content/zh/docs/reference/config/networking/sidecar/index.html @@ -289,7 +289,7 @@ outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has an additional network interface on 172.16.0.0/16 subnet for inbound traffic. The following Sidecar configuration allows the VM to expose a -listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the +listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the 172.16.0.0/16 subnet.

          NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should contain REDIRECT or TPROXY as its value, @@ -360,7 +360,7 @@ The traffic is then forwarded to the attached workload instance listening on a Unix domain socket. It is expected that PeerAuthentication policy would be configured -in order to set mTLS mode to "DISABLE" on specific +in order to set mTLS mode to “DISABLE” on specific ports. In this example, the mTLS mode is disabled on PORT 80. This feature is currently experimental.

          @@ -674,10 +674,10 @@

          IstioEgressListener

          service from any available namespace while ./foo.example.com only selects the service from the namespace of the sidecar. If a host is set to */*, Istio will configure the sidecar to be able to reach every service in the -mesh that is exported to the sidecar's namespace. The value ~/* can be used +mesh that is exported to the sidecar’s namespace. The value ~/* can be used to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.

          -

          NOTE: Only services and configuration artifacts exported to the sidecar's +

          NOTE: Only services and configuration artifacts exported to the sidecar’s namespace (e.g., exportTo value of *) can be referenced. Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, diff --git a/content/zh/docs/reference/config/networking/virtual-service/index.html b/content/zh/docs/reference/config/networking/virtual-service/index.html index f83a8def9b936..2c1b51dff3e73 100644 --- a/content/zh/docs/reference/config/networking/virtual-service/index.html +++ b/content/zh/docs/reference/config/networking/virtual-service/index.html @@ -40,9 +40,9 @@

          The source of traffic can also be matched in a routing rule. This allows routing to be customized for specific client contexts.

          The following example on Kubernetes, routes all HTTP traffic by default to -pods of the reviews service with label "version: v1". In addition, +pods of the reviews service with label “version: v1”. In addition, HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will -be rewritten to /newcatalog and sent to pods with label "version: v2".

          +be rewritten to /newcatalog and sent to pods with label “version: v2”.

          {{}} {{}}

          apiVersion: networking.istio.io/v1alpha3
          @@ -169,11 +169,11 @@ 

          VirtualService

          caveats. Refer to the Operations Guide for details.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews" will be -interpreted as "reviews.default.svc.cluster.local", irrespective of +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          @@ -195,7 +195,7 @@

          VirtualService

          The names of gateways and sidecars that should apply these routes. Gateways in other namespaces may be referred to by <gateway namespace>/<gateway name>; specifying a gateway with no -namespace qualifier is the same as specifying the VirtualService's +namespace qualifier is the same as specifying the VirtualService’s namespace. A single VirtualService is used for sidecars inside the mesh as well as for one or more gateways. The selection condition imposed by this field can be overridden using the source field in the match conditions @@ -216,7 +216,7 @@

          VirtualService

          @@ -286,20 +286,20 @@

          Destination

          Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule. The destination.host should unambiguously refer to a service in the service -registry. Istio's service registry is composed of all the services found -in the platform's service registry (e.g., Kubernetes services, Consul +registry. Istio’s service registry is composed of all the services found +in the platform’s service registry (e.g., Kubernetes services, Consul services), as well as services declared through the ServiceEntry resource.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews will be -interpreted as "reviews.default.svc.cluster.local", irrespective of the +rule in the “default” namespace containing a host “reviews will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names.

          The following Kubernetes example routes all traffic by default to pods -of the reviews service with label "version: v1" (i.e., subset v1), and +of the reviews service with label “version: v1” (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

          {{}} {{}}
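Review bot: the unclosed quote in `a host “reviews will be` is carried over from the source (`"reviews will be`); this hunk only restyles it. The same unclosed quote recurs in the `host` field description further down (`rule in the “default” namespace containing a host “reviews will be`). Both need `“reviews”` closed in the istio/api proto comment rather than in this generated HTML, otherwise the next regeneration brings the defect back.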

          @@ -398,10 +398,10 @@

          Destination

          productpage.prod.svc.cluster.local service in Kubernetes. Notice that there are no subsets defined in this rule. Istio will fetch all instances of productpage.prod.svc.cluster.local service from the service -registry and populate the sidecar's load balancing pool. Also, notice +registry and populate the sidecar’s load balancing pool. Also, notice that this rule is set in the istio-system namespace but uses the fully qualified domain name of the productpage service, -productpage.prod.svc.cluster.local. Therefore the rule's namespace does +productpage.prod.svc.cluster.local. Therefore the rule’s namespace does not have an impact in resolving the name of the productpage service.

          {{}} {{}}

          @@ -438,7 +438,7 @@

          Destination

          {{}} {{}}

          To control routing for traffic bound to services outside the mesh, external -services must first be added to Istio's internal service registry using the +services must first be added to Istio’s internal service registry using the ServiceEntry resource. VirtualServices can then be defined to control traffic bound to these external services. For example, the following rules define a Service for wikipedia.org and set a timeout of 5s for HTTP requests.

          @@ -518,15 +518,15 @@

          Destination

          @@ -1400,17 +1400,17 @@

          HTTPMatchRequest

          Ex:

          • -

            For a query parameter like "?key=true", the map key would be "key" and +

            For a query parameter like “?key=true”, the map key would be “key” and the string match could be defined as exact: "true".

          • -

            For a query parameter like "?key", the map key would be "key" and the +

            For a query parameter like “?key”, the map key would be “key” and the string match could be defined as exact: "".

          • -

            For a query parameter like "?key=123", the map key would be "key" and the +

            For a query parameter like “?key=123”, the map key would be “key” and the string match could be defined as regex: "\d+$". Note that this -configuration will only match values like "123" but not "a123" or "123a".

            +configuration will only match values like “123” but not “a123” or “123a”.

          Note: prefix matching is currently not supported.

          @@ -1464,7 +1464,7 @@

          HTTPMatchRequest

          diff --git a/content/zh/docs/reference/config/networking/workload-entry/index.html b/content/zh/docs/reference/config/networking/workload-entry/index.html index 019e509c51d89..62ce572ccb6b8 100644 --- a/content/zh/docs/reference/config/networking/workload-entry/index.html +++ b/content/zh/docs/reference/config/networking/workload-entry/index.html @@ -110,7 +110,7 @@

          {{}} {{}}

          The following example declares the same VM workload using -its fully qualified DNS name. The service entry's resolution +its fully qualified DNS name. The service entry’s resolution mode should be changed to DNS to indicate that the client-side sidecars should dynamically resolve the DNS name at runtime before forwarding the request.

          @@ -227,13 +227,13 @@

          WorkloadEntry

          HTTPRoute[]

          An ordered list of route rules for HTTP traffic. HTTP routes will be -applied to platform service ports named 'http-'/'http2-'/'grpc-*', gateway +applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching an incoming request is used.

          @@ -233,10 +233,10 @@

          VirtualService

          An ordered list of route rule for non-terminated TLS & HTTPS traffic. Routing is typically performed using the SNI value presented by the ClientHello message. TLS routes will be applied to platform -service ports named 'https-', 'tls-', unterminated gateway ports using -HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service +service ports named ‘https-’, ’tls-’, unterminated gateway ports using +HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service entry ports using HTTPS/TLS protocols. The first rule matching an -incoming request is used. NOTE: Traffic 'https-' or 'tls-' ports +incoming request is used. NOTE: Traffic ‘https-’ or ’tls-’ ports without associated virtual service will be treated as opaque TCP traffic.
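Review bot: the opener in `‘https-’, ’tls-’` (and again in `‘https-’ or ’tls-’`) was converted to a closing quote, so the rendered port-name pattern is mismatched; the same kind of pattern in the HTTP route hunk above (`‘http-’/‘http2-’/‘grpc-*’`) came out correctly. These are literal Service port-name prefixes that operators must spell exactly, so the upstream comment in istio/api should wrap them in backticks; the typographer then leaves them alone and they render as copyable code.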

          @@ -269,8 +269,8 @@

          VirtualService

          across namespace boundaries.

          If no namespaces are specified then the virtual service is exported to all namespaces by default.

          -

          The value "." is reserved and defines an export to the same namespace that -the virtual service is declared in. Similarly the value "*" is reserved and +

          The value “.” is reserved and defines an export to the same namespace that +the virtual service is declared in. Similarly the value “*” is reserved and defines an export to all namespaces.

          string

          The name of a service from the service registry. Service -names are looked up from the platform's service registry (e.g., +names are looked up from the platform’s service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntry. Traffic forwarded to destinations that are not found in either of the two, will be dropped.

          -

          Note for Kubernetes users: When short names are used (e.g. "reviews" -instead of "reviews.default.svc.cluster.local"), Istio will interpret +

          Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A -rule in the "default" namespace containing a host "reviews will be -interpreted as "reviews.default.svc.cluster.local", irrespective of +rule in the “default” namespace containing a host “reviews will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names.

          @@ -585,7 +585,7 @@

          HTTPRoute

          string

          The name assigned to the route for debugging purposes. The -route's name will be concatenated with the match's name and will +route’s name will be concatenated with the match’s name and will be logged in the access logs for requests matching this route/match.

          @@ -662,7 +662,7 @@

          HTTPRoute

          NOTE:

          1. Only one level delegation is supported.
          2. -
          3. The delegate's HTTPMatchRequest must be a strict subset of the root's, +
          4. The delegate’s HTTPMatchRequest must be a strict subset of the root’s, otherwise there is a conflict and the HTTPRoute will not take effect.
          @@ -857,7 +857,7 @@

          Delegate

          string

          Namespace specifies the namespace where the delegate VirtualService resides. -By default, it is same to the root's.

          +By default, it is same to the root’s.
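Review bot: `it is same to the root’s` is ungrammatical in both the old and the new line; suggest `By default, it is the same as the root's.` in the Delegate `namespace` comment upstream, since this file is regenerated from istio/api.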

          @@ -976,7 +976,7 @@

          TLSRoute

          Describes match conditions and actions for routing unterminated TLS traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS -traffic arriving at port 443 of gateway called "mygateway" to internal +traffic arriving at port 443 of gateway called “mygateway” to internal services in the mesh based on the SNI value.

          {{}} {{}}

          @@ -1223,8 +1223,8 @@

          HTTPMatchRequest

          name string -

          The name assigned to a match. The match's name will be -concatenated with the parent route's name and will be logged in +

          The name assigned to a match. The match’s name will be +concatenated with the parent route’s name and will be logged in the access logs for requests matching this route.

          The human readable prefix to use when emitting statistics for this route. The statistics are generated with prefix route.<stat_prefix>. -This should be set for highly critical routes that one wishes to get "per-route" statistics on. +This should be set for highly critical routes that one wishes to get “per-route” statistics on. This prefix is only for proxy-level statistics (envoy_) and not service-level (istio_) statistics. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-route-stat-prefix for statistics that are generated when this is configured.

          @@ -1482,9 +1482,9 @@

          HTTPRouteDestination

          Each routing rule is associated with one or more service versions (see glossary in beginning of document). Weights associated with the version determine the proportion of traffic it receives. For example, the -following rule will route 25% of traffic for the "reviews" service to -instances with the "v2" tag and the remaining traffic (i.e., 75%) to -"v1".

          +following rule will route 25% of traffic for the “reviews” service to +instances with the “v2” tag and the remaining traffic (i.e., 75%) to +“v1”.

          {{}} {{}}

          apiVersion: networking.istio.io/v1alpha3
          @@ -1799,7 +1799,7 @@ 

          TLSMatchAttributes

          SNI (server name indicator) to match on. Wildcard prefixes can be used in the SNI value, e.g., *.com will match foo.example.com as well as example.com. An SNI value must be a subset (i.e., fall -within the domain) of the corresponding virtual serivce's hosts.

          +within the domain) of the corresponding virtual serivce’s hosts.
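Review bot: `virtual serivce’s` keeps the pre-existing typo (`service`). Because this HTML is generated, the fix belongs in the TLSMatchAttributes `sniHosts` comment in istio/api, or it will be reintroduced on the next regeneration.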

          @@ -2784,7 +2784,7 @@

          HTTPFaultInjection.Delay

          Delay specification is used to inject latency into the request forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the "v1" version of the "reviews" +in 1 out of every 1000 requests to the “v1” version of the “reviews” service from all pods with label env: prod

          {{}} {{}}

          @@ -2891,7 +2891,7 @@

          HTTPFaultInjection.Abort

          Abort specification is used to prematurely abort a request with a pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the "ratings" service "v1".

          +error code for 1 out of every 1000 requests to the “ratings” service “v1”.

          {{}} {{}}

          apiVersion: networking.istio.io/v1alpha3
          @@ -2966,7 +2966,7 @@ 

          HTTPFaultInjection.Abort

          GRPC status code to use to abort the request. The supported codes are documented in https://github.com/grpc/grpc/blob/master/doc/statuscodes.md -Note: If you want to return the status "Unavailable", then you should +Note: If you want to return the status “Unavailable”, then you should specify the code as UNAVAILABLE(all caps), but not 14.

          map<string, uint32>

          Set of ports associated with the endpoint. If the port map is -specified, it must be a map of servicePortName to this endpoint's +specified, it must be a map of servicePortName to this endpoint’s port, such that traffic to the service port will be forwarded to -the endpoint port that maps to the service's portName. If -omitted, and the targetPort is specified as part of the service's +the endpoint port that maps to the service’s portName. If +omitted, and the targetPort is specified as part of the service’s port specification, traffic to the service port will be forwarded to one of the endpoints on the specified targetPort. If both -the targetPort and endpoint's port map are not specified, traffic +the targetPort and endpoint’s port map are not specified, traffic to a service port will be forwarded to one of the endpoints on the same port.

          NOTE 1: Do not use for unix:// addresses.

          @@ -287,7 +287,7 @@

          WorkloadEntry

          endpoints within the same locality as the sidecar. If none of the endpoints in the locality are available, endpoints parent locality (but within the same network ID) will be chosen. For example, if -there are two endpoints in same network (networkID "n1"), say e1 +there are two endpoints in same network (networkID “n1”), say e1 with locality us/us-east-1/az-1/r11 and e2 with locality us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality will prefer e1 from the same locality over e2 from a different diff --git a/content/zh/docs/reference/config/networking/workload-group/index.html b/content/zh/docs/reference/config/networking/workload-group/index.html index 91f14e4132324..ea466e3b9e46c 100644 --- a/content/zh/docs/reference/config/networking/workload-group/index.html +++ b/content/zh/docs/reference/config/networking/workload-group/index.html @@ -63,7 +63,7 @@

          WorkloadGroup

          provides a template for WorkloadEntry, similar to how Deployment specifies properties of workloads via Pod templates. A WorkloadGroup can have more than one WorkloadEntry. WorkloadGroup has no relationship to resources which control service registry like ServiceEntry -and as such doesn't configure host name for these workloads.

          +and as such doesn’t configure host name for these workloads.

          @@ -94,7 +94,7 @@

          WorkloadGroup

          Template to be used for the generation of WorkloadEntry resources that belong to this WorkloadGroup. Please note that address and labels fields should not be set in the template, and an empty serviceAccount should default to default. The workload identities (mTLS certificates) will be bootstrapped using the -specified service account's token. Workload entries in this group will be in the same namespace as the +specified service account’s token. Workload entries in this group will be in the same namespace as the workload group, and inherit the labels and annotations from the above metadata field.

          @@ -264,7 +264,7 @@

          HTTPHealthCheckConfig

          diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html index c77d41699f404..7562ce83f6d8c 100644 --- a/content/zh/docs/reference/config/security/authorization-policy/index.html +++ b/content/zh/docs/reference/config/security/authorization-policy/index.html @@ -30,19 +30,19 @@ The request will not be audited if there are no such supporting plugins enabled. Currently, the only supported plugin is the Stackdriver plugin.

          Here is an example of Istio Authorization Policy:

          -

          It sets the action to "ALLOW" to create an allow policy. The default action is "ALLOW" +

          It sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW” but it is useful to be explicit in the policy.

          It allows requests from:

            -
          • service account "cluster.local/ns/default/sa/sleep" or
          • -
          • namespace "test"
          • +
          • service account “cluster.local/ns/default/sa/sleep” or
          • +
          • namespace “test”

          to access the workload with:

            -
          • "GET" method at paths of prefix "/info" or,
          • -
          • "POST" method at path "/data".
          • +
          • “GET” method at paths of prefix “/info” or,
          • +
          • “POST” method at path “/data”.
          -

          when the request has a valid JWT token issued by "https://accounts.google.com".

          +

          when the request has a valid JWT token issued by “https://accounts.google.com”.

          Any other requests will be denied.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
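Review bot: in the `It allows requests from:` list the service account now renders as `“cluster.local/ns/default/sa/sleep”`, while the YAML in this hunk correctly keeps straight quotes (`values: ["https://accounts.google.com"]`). Principals and namespaces are values operators paste into `principals:` and `namespaces:`; a typographic-quoted value pasted into YAML is a plain scalar that contains the quote characters, so it silently never matches, which for an ALLOW rule denies more than intended and for a DENY rule denies nothing. Suggest wrapping such values in backticks in the istio/api comment so the typographer leaves them as code.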
          @@ -68,9 +68,9 @@
               - key: request.auth.claims[iss]
                 values: ["https://accounts.google.com"]
           
          -

          The following is another example that sets action to "DENY" to create a deny policy. -It denies requests from the "dev" namespace to the "POST" method on all workloads -in the "foo" namespace.

          +

          The following is another example that sets action to “DENY” to create a deny policy. +It denies requests from the “dev” namespace to the “POST” method on all workloads +in the “foo” namespace.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          @@ -86,8 +86,8 @@
               - operation:
                   methods: ["POST"]
           
          -

          The following authorization policy sets the action to "AUDIT". It will audit any GET requests to the path with the -prefix "/user/profile".

          +

          The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the +prefix “/user/profile”.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          @@ -104,12 +104,12 @@
                   methods: ["GET"]
                   paths: ["/user/profile/*"]
           
          -

          Authorization Policy scope (target) is determined by "metadata/namespace" and -an optional "selector".

          +

          Authorization Policy scope (target) is determined by “metadata/namespace” and +an optional “selector”.

            -
          • "metadata/namespace" tells which namespace the policy applies. If set to root +
          • “metadata/namespace” tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
          • -
          • workload "selector" can be used to further restrict where a policy applies.
          • +
          • workload “selector” can be used to further restrict where a policy applies.

          For example,

          The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies @@ -132,7 +132,7 @@ rules: - {} -

          The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows +

          The following authorization policy applies to workloads containing label “app: httpbin” in namespace bar. It allows nothing and effectively denies all requests to the selected workloads.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
          @@ -144,8 +144,8 @@
               matchLabels:
                 app: httpbin
           
          -

          The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh. -(Assuming the root namespace is configured to "istio-system").

          +

          The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh. +(Assuming the root namespace is configured to “istio-system”).

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          @@ -230,10 +230,10 @@ 

          Rule

          matches the request. An empty rule is always matched.

          Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

            -
          • Exact match: "abc" will match on value "abc".
          • -
          • Prefix match: "abc*" will match on value "abc" and "abcd".
          • -
          • Suffix match: "*abc" will match on value "abc" and "xabc".
          • -
          • Presence match: "*" will match when value is not empty.
          • +
          • Exact match: “abc” will match on value “abc”.
          • +
          • Prefix match: “abc*” will match on value “abc” and “abcd”.
          • +
          • Suffix match: “*abc” will match on value “abc” and “xabc”.
          • +
          • Presence match: “*” will match when value is not empty.
          string

          Host name to connect to, defaults to the pod IP. You probably want to set -"Host" in httpHeaders instead.

          +“Host” in httpHeaders instead.

          diff --git a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html index 0bee21e37c9f8..8983b86059951 100644 --- a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -12,9 +12,9 @@ ---

          WasmPlugins provides a mechanism to extend the functionality provided by the Istio proxy through WebAssembly filters.

          -

          Order of execution (as part of Envoy's filter chain) is determined by +

          Order of execution (as part of Envoy’s filter chain) is determined by phase and priority settings, allowing the configuration of complex -interactions between user-supplied WasmPlugins and Istio's internal +interactions between user-supplied WasmPlugins and Istio’s internal filters.

          Examples:

          AuthN Filter deployed to ingress-gateway that implements an OpenID flow @@ -110,8 +110,8 @@ signed token that contains information about which files and functions of the system are available to the user that was previously authenticated. The acl-check filter writes this token to a header. Finally, the check-header -filter verifies the token in that header and makes sure that the token's -contents (the permitted 'function') matches its plugin configuration.

          +filter verifies the token in that header and makes sure that the token’s +contents (the permitted ‘function’) matches its plugin configuration.

          The resulting filter chain looks like this: -> openid-connect -> istio.authn -> acl-check -> check-header -> router

          apiVersion: extensions.istio.io/v1alpha1
          @@ -385,7 +385,7 @@ 

          EnvVar

          EnvValueSource

          Required -Source for the environment variable's value.

          +Source for the environment variable’s value.

          @@ -398,7 +398,7 @@

          EnvVar

          Value for the environment variable. Note that if value_from is HOST, it will be ignored. -Defaults to "".

          +Defaults to “”.
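Review bot: `Defaults to “”.` now shows typographic quotes around what is a literal empty string, so a reader could take the default to be a two-character string. Suggest `""` in a code span in the istio/api EnvVar comment.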

          @@ -514,7 +514,7 @@

          EnvValueSource

          HOST -

          Istio-proxy's environment variables exposed to this VM.

          +

          Istio-proxy’s environment variables exposed to this VM.

          @@ -289,8 +289,8 @@

          Source

          Source specifies the source identities of a request. Fields in the source are ANDed together.

          -

          For example, the following source matches if the principal is "admin" or "dev" -and the namespace is "prod" or "test" and the ip is not "1.2.3.4".

          +

          For example, the following source matches if the principal is “admin” or “dev” +and the namespace is “prod” or “test” and the ip is not “1.2.3.4”.

          principals: ["admin", "dev"]
           namespaces: ["prod", "test"]
           notIpBlocks: ["1.2.3.4"]
          @@ -384,8 +384,8 @@ 

          Source

          @@ -412,7 +412,7 @@

          Source

          To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio or using an annotation on the ingress gateway. See the documentation here: Configuring Gateway Network Topology. -Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. +Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the remote.ip attribute.

          If not set, any IP is allowed.

          @@ -439,8 +439,8 @@

          Operation

          Operation specifies the operations of a request. Fields in the operation are ANDed together.

          -

          For example, the following operation matches if the host has suffix ".example.com" -and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".

          +

          For example, the following operation matches if the host has suffix “.example.com” +and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.

          hosts: ["*.example.com"]
           methods: ["GET", "HEAD"]
           notPaths: ["/admin*"]
          @@ -509,7 +509,7 @@ 

          Operation

          @@ -534,7 +534,7 @@

          Operation

          @@ -738,7 +738,7 @@

          AuthorizationPolicy.Action

          the authorization decision to it.

          Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

          The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension -"my-custom-authz" if the request path has prefix "/admin/".

          +“my-custom-authz” if the request path has prefix “/admin/”.

          apiVersion: security.istio.io/v1beta1
           kind: AuthorizationPolicy
           metadata:
          diff --git a/content/zh/docs/reference/config/security/jwt/index.html b/content/zh/docs/reference/config/security/jwt/index.html
          index b8a08bcf6f5f6..bdb53deeebccd 100644
          --- a/content/zh/docs/reference/config/security/jwt/index.html
          +++ b/content/zh/docs/reference/config/security/jwt/index.html
          @@ -83,7 +83,7 @@ 

          JWTRule

          @@ -828,8 +828,8 @@

          MetricsOverrides.TagOverride

          ipBlocks string[] -

          Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and -CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the source.ip attribute.

          +

          Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and +CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the source.ip attribute.

          If not set, any IP is allowed.

          string[]

          Optional. A list of methods as specified in the HTTP request. -For gRPC service, this will always be "POST".

          +For gRPC service, this will always be “POST”.

          If not set, any method is allowed. Must be used only with HTTP.

          Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization for details of the path normalization. -For gRPC service, this will be the fully-qualified name in the form of "/package.service/method".

          +For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.

          If not set, any path is allowed. Must be used only with HTTP.

          jwksUri string -

          URL of the provider's public key set to validate signature of the +

          URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

          Optional if the key set document can either (a) be retrieved from OpenID @@ -116,7 +116,7 @@

          JWTRule

          JWTHeader[]

          List of header locations from which JWT is expected. For example, below is the location spec -if JWT is expected to be found in x-jwt-assertion header, and have "Bearer " prefix:

          +if JWT is expected to be found in x-jwt-assertion header, and have “Bearer " prefix:

            fromHeaders:
             - name: x-jwt-assertion
               prefix: "Bearer "
          @@ -203,8 +203,8 @@ 

          JWTHeader

          string

          The prefix that should be stripped before decoding the token. -For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end. -If the header doesn't have this exact prefix, it is considered invalid.

          +For example, for “Authorization: Bearer ”, prefix=“Bearer " with a space at the end. +If the header doesn’t have this exact prefix, it is considered invalid.
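Review bot: `prefix=“Bearer "` mixes an opening typographic quote with a straight closing quote, and `“Authorization: Bearer ”` hides the trailing space entirely; the `fromHeaders` hunk above has the same `“Bearer "` mismatch. The text says the prefix must match exactly, space included, and that a header without this exact prefix is treated as invalid, so the rendering obscures the one detail that matters. Suggest the upstream comment use inline code, as the YAML snippet `prefix: "Bearer "` in the preceding hunk already does, so readers copy the exact bytes.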

          diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html index 3b2dea6151476..e881d57cb5fe7 100644 --- a/content/zh/docs/reference/config/security/request_authentication/index.html +++ b/content/zh/docs/reference/config/security/request_authentication/index.html @@ -49,7 +49,7 @@

          RequestAuthentication

          requestPrincipals: ["*"]
            -
          • A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces +
          • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
          @@ -138,7 +138,7 @@

          RequestAuthentication

          paths: ["/healthz"]

          [Experimental] Routing based on derived metadata -is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. +is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:

          • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name @@ -148,7 +148,7 @@

            RequestAuthentication

            • RequestAuthentication to decode and validate a JWT. This also makes the @request.auth.claims available for use in the VirtualService.
            • AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
            • -
            • VirtualService to route the request based on the "sub" claim.
            • +
            • VirtualService to route the request based on the “sub” claim.
            apiVersion: security.istio.io/v1beta1
             kind: RequestAuthentication
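Review bot: `"sub"` in `VirtualService to route the request based on the “sub” claim` is a literal JWT claim name that readers copy into a header match (`@request.auth.claims.sub`), and it now renders with typographic quotes. Mark it as code in the source rather than quoting it as prose so the typographer leaves it alone and it reads as the identifier it is.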
            @@ -231,7 +231,7 @@ 

            RequestAuthentication

          jwtRules JWTRule[] -

          Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token +

          Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token will be used to extract the authenticated identity. Each rule will be activated only when a token is presented at the location recognized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will diff --git a/content/zh/docs/reference/config/telemetry/index.html b/content/zh/docs/reference/config/telemetry/index.html index 68d226baf35c1..014cf8e80f3fc 100644 --- a/content/zh/docs/reference/config/telemetry/index.html +++ b/content/zh/docs/reference/config/telemetry/index.html @@ -35,7 +35,7 @@ tracing: - randomSamplingPercentage: 10.00 -

          Policy to disable trace reporting for the "foo" workload (note: tracing +

          Policy to disable trace reporting for the “foo” workload (note: tracing context will still be propagated):

          apiVersion: telemetry.istio.io/v1alpha1
           kind: Telemetry
          @@ -508,9 +508,9 @@ 

          MetricsOverrides

          disabled BoolValue -

          Optional. Must explicitly set this to "true" to turn off metrics reporting -for the listed metrics. If disabled has been set to "true" in a parent -configuration, it must explicitly be set to "false" to turn metrics +

          Optional. Must explicitly set this to “true” to turn off metrics reporting +for the listed metrics. If disabled has been set to “true” in a parent +configuration, it must explicitly be set to “false” to turn metrics reporting on in the workloads selected by the Telemetry resource.

          Value is only considered if the operation is UPSERT. Values are CEL expressions over -attributes. Examples include: "string(destination.port)" and -"request.host". Istio exposes all standard Envoy +attributes. Examples include: “string(destination.port)” and +“request.host”. Istio exposes all standard Envoy attributes. Additionally, Istio exposes node metadata as attributes. More information is provided in the customization
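Review bot: `“true”`, `“false”`, `“string(destination.port)”` and `“request.host”` are values the reader pastes into YAML (`disabled: true`, `value: "request.host"`), and typographic quotes around them are not YAML quoting; a copied `“true”` becomes a string rather than a BoolValue. Put these values in code spans in the source so the typographer does not convert them, which also distinguishes the CEL expressions from the surrounding prose.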