Automator: update common-files@master in istio/api@master (#3538 )

Automator: update common-files@master in istio/api@master (#3536 )
Automator: update common-files@master in istio/api@master (#3533 )
2025-07-10 07:06:33 -04:00 · 2025-07-08 05:37:30 -04:00 · 2025-06-30 16:45:23 -04:00 · 2025-06-26 08:13:19 -04:00 · 2025-06-25 12:53:18 -04:00 · 2025-06-25 11:14:18 -04:00
149 changed files with 14784 additions and 18495 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@ -1,6 +1,6 @@
 {
  "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90",
+  "image": "gcr.io/istio-testing/build-tools:master-8e6480403f5cf4c9a4cd9d65174d01850e632e1a",
  "privileged": true,
  "remoteEnv": {
    "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",
--- a/GUIDELINES.md
+++ b/GUIDELINES.md
@ -19,6 +19,7 @@ followed for Istio APIs.
 - [Proto Guidelines](#proto-guidelines)
    - [Style](#style)
    - [Basic Proto Versioning](#basic-proto-ersioning)
+- [Validation Guidelines](#validation-guidelines)
 - [CRD Guidelines](#crd-guidelines)
    - [Style](#crd-style)
    - [Basic CRD Versioning](#basic-crd-versioning)
@ -214,6 +215,75 @@ protos.

    - Loosening validation is permitted. As a result, it is recommended to err on the side of stricter validation.

+## Validation Guidelines
+
+All types should have as strict validation specified on it as possible to rule out invalid states.
+These are ultimately compiled to Kubernetes CustomResourceDefinitions, which use OpenAPI validation with some Kubernetes extras.
+This is handled by our own custom [protoc-gen-crd](https://github.com/istio/tools/tree/master/cmd/protoc-gen-crd) which compiles our
+protobuf definitions down to CRDs.
+
+There are a few types of validations:
+* Automatic ones, based on the protobuf type. For example, a UInt32Value automatically has a validation to check the number between `0` and `MaxUint32`
+* Protobuf `field_behavior`. Currently only `[(google.api.field_behavior) = REQUIRED]` is implemented.
+* Comment driven validations (see below).
+
+Most validation is driven by comments on fields and messages.
+All validations in [KubeBuilder](https://book.kubebuilder.io/reference/markers/crd-validation) are supported, as well as some extras:
+
+- `+protoc-gen-crd:map-value-validation`: apply the validation to each *value* in a map.
+  Note it's not possible to apply validations to each key. You can, however, validate the entire map together with a CEL rule.
+- `+protoc-gen-crd:list-value-validation`: apply the validation to each value in a list.
+- `+protoc-gen-crd:duration-validation:none`: exclude the default requirement that a duration field is non-zero.
+- `+protoc-gen-crd:validation:XIntOrString`: marks a field as accepting integers or strings.
+- `+protoc-gen-crd:validation:IgnoreSubValidation`: if referencing a message in a field, and that message has some validation on it already, exclude the listed validations.
+  This is uncommon, but can be used when referencing a message in a certain context has different rules than others.
+
+The most common validations are:
+- Sizes: `MaxLength` (strings), `MaxItems` (lists), `MaxProperties` (maps)
+- Regex: `Pattern`
+- CEL: `XValidation`
+
+### CEL
+
+[CEL](https://cel.dev/) is a small language that allows us to write expressions to represent validation logic.
+This comes with a lot of quirks!
+
+Useful tools and references:
+* [CEL playground](https://playcel.undistro.io/) allows an easy way to run CEL expressions against some types.
+* [Kubernetes CEL docs](https://kubernetes.io/docs/reference/using-api/cel/).
+* [CEL language definition](https://github.com/google/cel-spec/blob/master/doc/langdef.md).
+
+The biggest challenge with CEL is the complexity limit imposed by Kubernetes.
+This estimates the cost to run the function, and rejects it if it is too high.
+This takes into account the cost of a function and the cost of *potential* inputs.
+This makes it, typically, required to put maximum size bounds on items.
+
+Kubernetes changes version-to-version on how it estimates cost (usually getting more lenient) and what functions are available.
+We want to target the oldest version for compatibility purposes.
+Our tests do not currently cover this (a prototype of doing so can be found [here](https://github.com/istio/api/pull/3275)).
+A list of what features are in which versions can be found [here](https://kubernetes.io/docs/reference/using-api/cel/#cel-options-language-features-and-libraries).
+
+Istio has some custom macros that are expanded at compile time, driven by the [celpp](https://github.com/howardjohn/celpp) package.
+This extends CEL with these capabilities:
+* **default**. Usage: `default(self.x, 'DEF')`.
+* **oneof**. Usage: `oneof(self.x, self.y, self.z)`. This checks that 0 or 1 of these fields is set.
+* **index**. Usage: `self.index({}, x, z, b)`. This does `self.x.z.b` and returns `{}` if any of these is not set.
+
+Unlike typical Go usage, CEL does not have a concept of zero values for unset fields.
+As a result, an optional field needs special care.
+Do not write `self.fruit == 'apple'`, for instance, write `default(self.fruit, '') == 'apple'.
+
+### Testing
+
+As validation logic is really easy to get wrong, it's useful to write tests.
+This is done by adding YAML files under `tests/testdata`.
+Each type has a `valid` and `invalid` file to do positive and negative cases.
+
+Aside from explicitly testing these, these also form the seed corpus for fuzzing when these are pulled into `istio/istio`.
+This fuzz testing verifies the CRD validation has the same result as the webhook (Golang) validation code.
+Currently, this mostly serves to ensure we do not make something overly strict.
+In the future, it may show us that its safe to disable the webhook entirely, if CRD validation can cover the full validation surface.
+
 ## CRD Guidelines

 ### CRD Style
--- a/analysis/v1alpha1/message.pb.go
+++ b/analysis/v1alpha1/message.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: analysis/v1alpha1/message.proto

@ -33,6 +33,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -99,11 +100,8 @@ func (AnalysisMessageBase_Level) EnumDescriptor() ([]byte, []int) {
 // AnalysisMessageBase describes some common information that is needed for all
 // messages. All information should be static with respect to the error code.
 type AnalysisMessageBase struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Type *AnalysisMessageBase_Type `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
+	state protoimpl.MessageState    `protogen:"open.v1"`
+	Type  *AnalysisMessageBase_Type `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
 	// Represents how severe a message is. Required.
 	Level AnalysisMessageBase_Level `protobuf:"varint,2,opt,name=level,proto3,enum=istio.analysis.v1alpha1.AnalysisMessageBase_Level" json:"level,omitempty"`
 	// A url pointing to the Istio documentation for this specific error type.
@ -111,6 +109,8 @@ type AnalysisMessageBase struct {
 	// `^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/`
 	// Required.
 	DocumentationUrl string `protobuf:"bytes,3,opt,name=documentation_url,json=documentationUrl,proto3" json:"documentation_url,omitempty"`
+	unknownFields    protoimpl.UnknownFields
+	sizeCache        protoimpl.SizeCache
 }

 func (x *AnalysisMessageBase) Reset() {
@ -169,10 +169,7 @@ func (x *AnalysisMessageBase) GetDocumentationUrl() string {
 // validating istio/istio/galley/pkg/config/analysis/msg/messages.yaml to make
 // sure that we don't allow committing underspecified types.
 type AnalysisMessageWeakSchema struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	MessageBase *AnalysisMessageBase `protobuf:"bytes,1,opt,name=message_base,json=messageBase,proto3" json:"message_base,omitempty"`
 	// A human readable description of what the error means. Required.
@ -182,7 +179,9 @@ type AnalysisMessageWeakSchema struct {
 	// Required.
 	Template string `protobuf:"bytes,3,opt,name=template,proto3" json:"template,omitempty"`
 	// A description of the arguments for a particular message type
-	Args []*AnalysisMessageWeakSchema_ArgType `protobuf:"bytes,4,rep,name=args,proto3" json:"args,omitempty"`
+	Args          []*AnalysisMessageWeakSchema_ArgType `protobuf:"bytes,4,rep,name=args,proto3" json:"args,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *AnalysisMessageWeakSchema) Reset() {
@ -250,10 +249,7 @@ func (x *AnalysisMessageWeakSchema) GetArgs() []*AnalysisMessageWeakSchema_ArgTy
 // list of args at runtime. Developers can also create stronger-typed versions
 // of GenericAnalysisMessage for well-known and stable message types.
 type GenericAnalysisMessage struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	MessageBase *AnalysisMessageBase `protobuf:"bytes,1,opt,name=message_base,json=messageBase,proto3" json:"message_base,omitempty"`
 	// Any message-type specific arguments that need to get codified. Optional.
@ -265,6 +261,8 @@ type GenericAnalysisMessage struct {
 	// https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology
 	// At least one is required.
 	ResourcePaths []string `protobuf:"bytes,3,rep,name=resource_paths,json=resourcePaths,proto3" json:"resource_paths,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *GenericAnalysisMessage) Reset() {
@ -321,14 +319,13 @@ func (x *GenericAnalysisMessage) GetResourcePaths() []string {
 // InternalErrorAnalysisMessage is a strongly-typed message representing some
 // error in Istio code that prevented us from performing analysis at all.
 type InternalErrorAnalysisMessage struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	MessageBase *AnalysisMessageBase `protobuf:"bytes,1,opt,name=message_base,json=messageBase,proto3" json:"message_base,omitempty"`
 	// Any detail regarding specifics of the error. Should be human-readable.
-	Detail string `protobuf:"bytes,2,opt,name=detail,proto3" json:"detail,omitempty"`
+	Detail        string `protobuf:"bytes,2,opt,name=detail,proto3" json:"detail,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *InternalErrorAnalysisMessage) Reset() {
@ -380,10 +377,7 @@ func (x *InternalErrorAnalysisMessage) GetDetail() string {
 // one-to-one mapping between name and code. (i.e. do not re-use names or
 // codes between message types.)
 type AnalysisMessageBase_Type struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// A human-readable name for the message type. e.g. "InternalError",
 	// "PodMissingProxy". This should be the same for all messages of the same type.
 	// Required.
@ -391,7 +385,9 @@ type AnalysisMessageBase_Type struct {
 	// A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify
 	// the message type. (e.g. "IST0001" is mapped to the "InternalError" message
 	// type.) 0000-0100 are reserved. Required.
-	Code string `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"`
+	Code          string `protobuf:"bytes,2,opt,name=code,proto3" json:"code,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *AnalysisMessageBase_Type) Reset() {
@ -439,17 +435,16 @@ func (x *AnalysisMessageBase_Type) GetCode() string {
 }

 type AnalysisMessageWeakSchema_ArgType struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Required
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// Required. Should be a golang type, used in code generation.
 	// Ideally this will change to a less language-pinned type before this gets
 	// out of alpha, but for compatibility with current istio/istio code it's
 	// go_type for now.
-	GoType string `protobuf:"bytes,2,opt,name=go_type,json=goType,proto3" json:"go_type,omitempty"`
+	GoType        string `protobuf:"bytes,2,opt,name=go_type,json=goType,proto3" json:"go_type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *AnalysisMessageWeakSchema_ArgType) Reset() {
@ -498,85 +493,45 @@ func (x *AnalysisMessageWeakSchema_ArgType) GetGoType() string {

 var File_analysis_v1alpha1_message_proto protoreflect.FileDescriptor

-var file_analysis_v1alpha1_message_proto_rawDesc = []byte{
-	0x0a, 0x1f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x2f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x12, 0x17, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69,
-	0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75,
-	0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbb, 0x02, 0x0a, 0x13, 0x41, 0x6e, 0x61,
-	0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65,
-	0x12, 0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69,
-	0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x2e, 0x54, 0x79, 0x70,
-	0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x48, 0x0a, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61,
-	0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
-	0x42, 0x61, 0x73, 0x65, 0x2e, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x52, 0x05, 0x6c, 0x65, 0x76, 0x65,
-	0x6c, 0x12, 0x2b, 0x0a, 0x11, 0x64, 0x6f, 0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x10, 0x64, 0x6f,
-	0x63, 0x75, 0x6d, 0x65, 0x6e, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x72, 0x6c, 0x1a, 0x2e,
-	0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f,
-	0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x63, 0x6f, 0x64, 0x65, 0x22, 0x36,
-	0x0a, 0x05, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x0b, 0x0a, 0x07, 0x55, 0x4e, 0x4b, 0x4e, 0x4f,
-	0x57, 0x4e, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, 0x03, 0x12,
-	0x0b, 0x0a, 0x07, 0x57, 0x41, 0x52, 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x08, 0x12, 0x08, 0x0a, 0x04,
-	0x49, 0x4e, 0x46, 0x4f, 0x10, 0x0c, 0x22, 0xb2, 0x02, 0x0a, 0x19, 0x41, 0x6e, 0x61, 0x6c, 0x79,
-	0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x57, 0x65, 0x61, 0x6b, 0x53, 0x63,
-	0x68, 0x65, 0x6d, 0x61, 0x12, 0x4f, 0x0a, 0x0c, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f,
-	0x62, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c,
-	0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73,
-	0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x52, 0x0b, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x42, 0x61, 0x73, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70,
-	0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x65, 0x73, 0x63,
-	0x72, 0x69, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x74, 0x65, 0x6d, 0x70, 0x6c,
-	0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x65, 0x6d, 0x70, 0x6c,
-	0x61, 0x74, 0x65, 0x12, 0x4e, 0x0a, 0x04, 0x61, 0x72, 0x67, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x3a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73,
-	0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c,
-	0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x57, 0x65, 0x61, 0x6b, 0x53,
-	0x63, 0x68, 0x65, 0x6d, 0x61, 0x2e, 0x41, 0x72, 0x67, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x61,
-	0x72, 0x67, 0x73, 0x1a, 0x36, 0x0a, 0x07, 0x41, 0x72, 0x67, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12,
-	0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61,
-	0x6d, 0x65, 0x12, 0x17, 0x0a, 0x07, 0x67, 0x6f, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x06, 0x67, 0x6f, 0x54, 0x79, 0x70, 0x65, 0x22, 0xbd, 0x01, 0x0a, 0x16,
-	0x47, 0x65, 0x6e, 0x65, 0x72, 0x69, 0x63, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x4f, 0x0a, 0x0c, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x52, 0x0b, 0x6d, 0x65, 0x73, 0x73,
-	0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x12, 0x2b, 0x0a, 0x04, 0x61, 0x72, 0x67, 0x73, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x04,
-	0x61, 0x72, 0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65,
-	0x5f, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x72, 0x65,
-	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x50, 0x61, 0x74, 0x68, 0x73, 0x22, 0x87, 0x01, 0x0a, 0x1c,
-	0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x41, 0x6e, 0x61,
-	0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x4f, 0x0a, 0x0c,
-	0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x62, 0x61, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e, 0x61, 0x6c, 0x79,
-	0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x6e, 0x61,
-	0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65,
-	0x52, 0x0b, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x61, 0x73, 0x65, 0x12, 0x16, 0x0a,
-	0x06, 0x64, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x64,
-	0x65, 0x74, 0x61, 0x69, 0x6c, 0x42, 0x20, 0x5a, 0x1e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69,
-	0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2f, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_analysis_v1alpha1_message_proto_rawDesc = "" +
+	"\n" +
+	"\x1fanalysis/v1alpha1/message.proto\x12\x17istio.analysis.v1alpha1\x1a\x1cgoogle/protobuf/struct.proto\"\xbb\x02\n" +
+	"\x13AnalysisMessageBase\x12E\n" +
+	"\x04type\x18\x01 \x01(\v21.istio.analysis.v1alpha1.AnalysisMessageBase.TypeR\x04type\x12H\n" +
+	"\x05level\x18\x02 \x01(\x0e22.istio.analysis.v1alpha1.AnalysisMessageBase.LevelR\x05level\x12+\n" +
+	"\x11documentation_url\x18\x03 \x01(\tR\x10documentationUrl\x1a.\n" +
+	"\x04Type\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x12\n" +
+	"\x04code\x18\x02 \x01(\tR\x04code\"6\n" +
+	"\x05Level\x12\v\n" +
+	"\aUNKNOWN\x10\x00\x12\t\n" +
+	"\x05ERROR\x10\x03\x12\v\n" +
+	"\aWARNING\x10\b\x12\b\n" +
+	"\x04INFO\x10\f\"\xb2\x02\n" +
+	"\x19AnalysisMessageWeakSchema\x12O\n" +
+	"\fmessage_base\x18\x01 \x01(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\vmessageBase\x12 \n" +
+	"\vdescription\x18\x02 \x01(\tR\vdescription\x12\x1a\n" +
+	"\btemplate\x18\x03 \x01(\tR\btemplate\x12N\n" +
+	"\x04args\x18\x04 \x03(\v2:.istio.analysis.v1alpha1.AnalysisMessageWeakSchema.ArgTypeR\x04args\x1a6\n" +
+	"\aArgType\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x17\n" +
+	"\ago_type\x18\x02 \x01(\tR\x06goType\"\xbd\x01\n" +
+	"\x16GenericAnalysisMessage\x12O\n" +
+	"\fmessage_base\x18\x01 \x01(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\vmessageBase\x12+\n" +
+	"\x04args\x18\x02 \x01(\v2\x17.google.protobuf.StructR\x04args\x12%\n" +
+	"\x0eresource_paths\x18\x03 \x03(\tR\rresourcePaths\"\x87\x01\n" +
+	"\x1cInternalErrorAnalysisMessage\x12O\n" +
+	"\fmessage_base\x18\x01 \x01(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\vmessageBase\x12\x16\n" +
+	"\x06detail\x18\x02 \x01(\tR\x06detailB Z\x1eistio.io/api/analysis/v1alpha1b\x06proto3"

 var (
 	file_analysis_v1alpha1_message_proto_rawDescOnce sync.Once
-	file_analysis_v1alpha1_message_proto_rawDescData = file_analysis_v1alpha1_message_proto_rawDesc
+	file_analysis_v1alpha1_message_proto_rawDescData []byte
 )

 func file_analysis_v1alpha1_message_proto_rawDescGZIP() []byte {
 	file_analysis_v1alpha1_message_proto_rawDescOnce.Do(func() {
-		file_analysis_v1alpha1_message_proto_rawDescData = protoimpl.X.CompressGZIP(file_analysis_v1alpha1_message_proto_rawDescData)
+		file_analysis_v1alpha1_message_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_analysis_v1alpha1_message_proto_rawDesc), len(file_analysis_v1alpha1_message_proto_rawDesc)))
 	})
 	return file_analysis_v1alpha1_message_proto_rawDescData
 }
@ -617,7 +572,7 @@ func file_analysis_v1alpha1_message_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_analysis_v1alpha1_message_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_analysis_v1alpha1_message_proto_rawDesc), len(file_analysis_v1alpha1_message_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   6,
 			NumExtensions: 0,
@ -629,7 +584,6 @@ func file_analysis_v1alpha1_message_proto_init() {
 		MessageInfos:      file_analysis_v1alpha1_message_proto_msgTypes,
 	}.Build()
 	File_analysis_v1alpha1_message_proto = out.File
-	file_analysis_v1alpha1_message_proto_rawDesc = nil
 	file_analysis_v1alpha1_message_proto_goTypes = nil
 	file_analysis_v1alpha1_message_proto_depIdxs = nil
 }
--- a/analysis/v1alpha1/message.pb.html
+++ b/analysis/v1alpha1/message.pb.html
@ -18,35 +18,30 @@ messages. All information should be static with respect to the error code.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="AnalysisMessageBase-type">
-<td><code>type</code></td>
-<td><code><a href="#AnalysisMessageBase-Type">Type</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-type">type</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase-Type">Type</a></div>
+</div></td>
 <td>
 </td>
-<td>
-No
-</td>
 </tr>
 <tr id="AnalysisMessageBase-level">
-<td><code>level</code></td>
-<td><code><a href="#AnalysisMessageBase-Level">Level</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-level">level</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase-Level">Level</a></div>
+</div></td>
 <td>
 <p>Represents how severe a message is. Required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageBase-documentation_url">
-<td><code>documentationUrl</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-documentation_url">documentationUrl</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>A url pointing to the Istio documentation for this specific error type.
 Should be of the form
@ -54,8 +49,83 @@ Should be of the form
 Required.</p>

 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="AnalysisMessageBase-Type">Type</h3>
+<section>
+<p>A unique identifier for the type of message. Name is intended to be
+human-readable, code is intended to be machine readable. There should be a
+one-to-one mapping between name and code. (i.e. do not re-use names or
+codes between message types.)</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="AnalysisMessageBase-Type-name">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-name">name</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>A human-readable name for the message type. e.g. &ldquo;InternalError&rdquo;,
+&ldquo;PodMissingProxy&rdquo;. This should be the same for all messages of the same type.
+Required.</p>
+
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Type-code">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageBase-Type-code">code</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>A 7 character code matching <code>^IST[0-9]{4}$</code> intended to uniquely identify
+the message type. (e.g. &ldquo;IST0001&rdquo; is mapped to the &ldquo;InternalError&rdquo; message
+type.) 0000-0100 are reserved. Required.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="AnalysisMessageBase-Level">Level</h3>
+<section>
+<p>The values here are chosen so that more severe messages get sorted higher,
+as well as leaving space in between to add more later</p>
+
+<table class="enum-values">
+<thead>
+<tr>
+<th>Name</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="AnalysisMessageBase-Level-UNKNOWN">
+<td><code><a href="#AnalysisMessageBase-Level-UNKNOWN">UNKNOWN</a></code></td>
+<td>
+<p>invalid, but included for proto compatibility for 0 values</p>
+
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Level-ERROR">
+<td><code><a href="#AnalysisMessageBase-Level-ERROR">ERROR</a></code></td>
+<td>
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Level-WARNING">
+<td><code><a href="#AnalysisMessageBase-Level-WARNING">WARNING</a></code></td>
+<td>
+</td>
+</tr>
+<tr id="AnalysisMessageBase-Level-INFO">
+<td><code><a href="#AnalysisMessageBase-Level-INFO">INFO</a></code></td>
 <td>
-No
 </td>
 </tr>
 </tbody>
@ -72,56 +142,80 @@ sure that we don&rsquo;t allow committing underspecified types.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="AnalysisMessageWeakSchema-message_base">
-<td><code>messageBase</code></td>
-<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-message_base">messageBase</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
+</div></td>
 <td>
 <p>Required</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageWeakSchema-description">
-<td><code>description</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-description">description</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>A human readable description of what the error means. Required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageWeakSchema-template">
-<td><code>template</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-template">template</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>A go-style template string (<a href="https://golang.org/pkg/fmt/#hdr-Printing">https://golang.org/pkg/fmt/#hdr-Printing</a>)
 defining how to combine the args for a  particular message into a log line.
 Required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="AnalysisMessageWeakSchema-args">
-<td><code>args</code></td>
-<td><code><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-args">args</a></code></div>
+<div class="type"><a href="#AnalysisMessageWeakSchema-ArgType">ArgType[]</a></div>
+</div></td>
 <td>
 <p>A description of the arguments for a particular message type</p>

 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="AnalysisMessageWeakSchema-ArgType">ArgType</h3>
+<section>
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="AnalysisMessageWeakSchema-ArgType-name">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-name">name</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
-No
+<p>Required</p>
+
+</td>
+</tr>
+<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
+<td><div class="field"><div class="name"><code><a href="#AnalysisMessageWeakSchema-ArgType-go_type">goType</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>Should be a golang type, used in code generation.
+Ideally this will change to a less language-pinned type before this gets
+out of alpha, but for compatibility with current istio/istio code it&rsquo;s
+go_type for now.</p>
+
 </td>
 </tr>
 </tbody>
@ -140,37 +234,32 @@ of GenericAnalysisMessage for well-known and stable message types.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="GenericAnalysisMessage-message_base">
-<td><code>messageBase</code></td>
-<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-message_base">messageBase</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
+</div></td>
 <td>
 <p>Required</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="GenericAnalysisMessage-args">
-<td><code>args</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-args">args</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
+</div></td>
 <td>
 <p>Any message-type specific arguments that need to get codified. Optional.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="GenericAnalysisMessage-resource_paths">
-<td><code>resourcePaths</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#GenericAnalysisMessage-resource_paths">resourcePaths</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>A list of strings specifying the resource identifiers that were the cause
 of message generation. A &ldquo;path&rdquo; here is a (NAMESPACE/)?RESOURCETYPE/NAME
@ -179,9 +268,6 @@ be a single concept for this, but this is intuitively taken from
 <a href="https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology">https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology</a>
 At least one is required.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -196,156 +282,26 @@ error in Istio code that prevented us from performing analysis at all.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="InternalErrorAnalysisMessage-message_base">
-<td><code>messageBase</code></td>
-<td><code><a href="#AnalysisMessageBase">AnalysisMessageBase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-message_base">messageBase</a></code></div>
+<div class="type"><a href="#AnalysisMessageBase">AnalysisMessageBase</a></div>
+</div></td>
 <td>
 <p>Required</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="InternalErrorAnalysisMessage-detail">
-<td><code>detail</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#InternalErrorAnalysisMessage-detail">detail</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Any detail regarding specifics of the error. Should be human-readable.</p>

-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="AnalysisMessageBase-Type">AnalysisMessageBase.Type</h2>
-<section>
-<p>A unique identifier for the type of message. Name is intended to be
-human-readable, code is intended to be machine readable. There should be a
-one-to-one mapping between name and code. (i.e. do not re-use names or
-codes between message types.)</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="AnalysisMessageBase-Type-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>A human-readable name for the message type. e.g. &ldquo;InternalError&rdquo;,
-&ldquo;PodMissingProxy&rdquo;. This should be the same for all messages of the same type.
-Required.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Type-code">
-<td><code>code</code></td>
-<td><code>string</code></td>
-<td>
-<p>A 7 character code matching <code>^IST[0-9]{4}$</code> intended to uniquely identify
-the message type. (e.g. &ldquo;IST0001&rdquo; is mapped to the &ldquo;InternalError&rdquo; message
-type.) 0000-0100 are reserved. Required.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="AnalysisMessageWeakSchema-ArgType">AnalysisMessageWeakSchema.ArgType</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="AnalysisMessageWeakSchema-ArgType-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>Required</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="AnalysisMessageWeakSchema-ArgType-go_type">
-<td><code>goType</code></td>
-<td><code>string</code></td>
-<td>
-<p>Required. Should be a golang type, used in code generation.
-Ideally this will change to a less language-pinned type before this gets
-out of alpha, but for compatibility with current istio/istio code it&rsquo;s
-go_type for now.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="AnalysisMessageBase-Level">AnalysisMessageBase.Level</h2>
-<section>
-<p>The values here are chosen so that more severe messages get sorted higher,
-as well as leaving space in between to add more later</p>
-
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="AnalysisMessageBase-Level-UNKNOWN">
-<td><code>UNKNOWN</code></td>
-<td>
-<p>invalid, but included for proto compatibility for 0 values</p>
-
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Level-ERROR">
-<td><code>ERROR</code></td>
-<td>
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Level-WARNING">
-<td><code>WARNING</code></td>
-<td>
-</td>
-</tr>
-<tr id="AnalysisMessageBase-Level-INFO">
-<td><code>INFO</code></td>
-<td>
 </td>
 </tr>
 </tbody>
--- a/analysis/v1alpha1/message.proto
+++ b/analysis/v1alpha1/message.proto
@ -24,7 +24,7 @@ package istio.analysis.v1alpha1;

 import "google/protobuf/struct.proto";

-option go_package="istio.io/api/analysis/v1alpha1";
+option go_package = "istio.io/api/analysis/v1alpha1";

 // There are four messages described in this file. One of them is a struct
 // common to the other three: AnalysisMessageBase. Using this, we can construct
@ -78,7 +78,6 @@ message AnalysisMessageBase {
  // `^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/`
  // Required.
  string documentation_url = 3;
-
 }

 // AnalysisMessageWeakSchema is the set of information that's needed to define a
--- a/annotation/annotations.gen.go
+++ b/annotation/annotations.gen.go
@ -125,6 +125,19 @@ This is intended to be used when enrolling a workload that only receives traffic
 		},
 	}

+	AmbientDnsCapture = Instance {
+		Name:          "ambient.istio.io/dns-capture",
+		Description:   `When specified on a "Pod" enrolled in ambient mesh, controls whether DNS traffic (TCP and UDP on port 53) will be captured and proxied in ambient.
+Note that setting this to "false" will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies.
+`,
+		FeatureStatus: Alpha,
+		Hidden:        true,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
 	AmbientRedirection = Instance {
 		Name:          "ambient.istio.io/redirection",
 		Description:   `Automatically configured by Istio to indicate a Pod was successfully enrolled in ambient mode.
@ -272,6 +285,19 @@ This takes the format: "<protocol>" or "<protocol>/<port>".
 		},
 	}

+	IoIstioRerouteVirtualInterfaces = Instance {
+		Name:          "istio.io/reroute-virtual-interfaces",
+		Description:   `A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
+Note: When using docker-in-docker container, the default bridge interface name is typically "docker0". However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option "com.docker.network.bridge.name" with a fixed value and use that name in the annotation.
+`,
+		FeatureStatus: Alpha,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
 	IoIstioRev = Instance {
 		Name:          "istio.io/rev",
 		Description:   "Specifies a control plane revision to which a given proxy "+
@ -314,9 +340,11 @@ This takes the format: "<protocol>" or "<protocol>/<port>".
 	NetworkingExportTo = Instance {
 		Name:          "networking.istio.io/exportTo",
 		Description:   "Specifies the namespaces to which this service should be "+
-                        "exported to. A value of '*' indicates it is reachable "+
-                        "within the mesh '.' indicates it is reachable within its "+
-                        "namespace.",
+                        "exported to. A value of `*` indicates it is reachable "+
+                        "within the mesh. `.` indicates it is reachable within its "+
+                        "namespace. '~' indicates it is hidden and exported to no "+
+                        "namespaces. Additionally, a list of comma separated "+
+                        "namespace names can be specified.",
 		FeatureStatus: Alpha,
 		Hidden:        false,
 		Deprecated:    false,
@ -493,18 +521,6 @@ Accepted values:
 		},
 	}

-	SidecarEnableCoreDump = Instance {
-		Name:          "sidecar.istio.io/enableCoreDump",
-		Description:   "Specifies whether or not an Envoy sidecar should enable "+
-                        "core dump.",
-		FeatureStatus: Alpha,
-		Hidden:        false,
-		Deprecated:    false,
-		Resources: []ResourceTypes{
-			Pod,
-		},
-	}
-
 	SidecarExtraStatTags = Instance {
 		Name:          "sidecar.istio.io/extraStatTags",
 		Description:   "An additional list of tags to extract from the in-proxy "+
@ -521,8 +537,10 @@ Accepted values:
 	SidecarInject = Instance {
 		Name:          "sidecar.istio.io/inject",
 		Description:   "Specifies whether or not an Envoy sidecar should be "+
-                        "automatically injected into the workload. Deprecated in "+
-                        "favor of `sidecar.istio.io/inject` label.",
+                        "automatically injected into the workload. This annotation "+
+                        "has been deprecated in favor of the "+
+                        "`sidecar.istio.io/inject` label documented "+
+                        "[here](/docs/reference/config/labels/#SidecarInject).",
 		FeatureStatus: Beta,
 		Hidden:        false,
 		Deprecated:    true,
@ -650,6 +668,19 @@ Accepted values:
 		},
 	}

+	SidecarStatsCompression = Instance {
+		Name:          "sidecar.istio.io/statsCompression",
+		Description:   `Specifies the compression algorithm to use for stats emitted by the Envoy sidecar.
+Supported values are "brotli", "gzip", and "zstd".
+`,
+		FeatureStatus: Alpha,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+		},
+	}
+
 	SidecarStatsHistogramBuckets = Instance {
 		Name:          "sidecar.istio.io/statsHistogramBuckets",
 		Description:   "Specifies the custom histogram buckets with a prefix "+
@ -876,10 +907,12 @@ Accepted values:
 	SidecarTrafficKubevirtInterfaces = Instance {
 		Name:          "traffic.sidecar.istio.io/kubevirtInterfaces",
 		Description:   "A comma separated list of virtual interfaces whose "+
-                        "inbound traffic (from VM) will be treated as outbound.",
+                        "inbound traffic (from VM) will be treated as outbound. "+
+                        "Deprecated in favor of "+
+                        "`istio.io/redirect-virtual-interfaces`",
 		FeatureStatus: Alpha,
 		Hidden:        false,
-		Deprecated:    false,
+		Deprecated:    true,
 		Resources: []ResourceTypes{
 			Pod,
 		},
@ -892,6 +925,7 @@ func AllResourceAnnotations() []*Instance {
 		&AlphaCanonicalServiceAccounts,
 		&AlphaKubernetesServiceAccounts,
 		&AmbientBypassInboundCapture,
+		&AmbientDnsCapture,
 		&AmbientRedirection,
 		&AmbientWaypointInboundBinding,
 		&GalleyAnalyzeSuppress,
@ -903,6 +937,7 @@ func AllResourceAnnotations() []*Instance {
 		&IoIstioConnectedAt,
 		&IoIstioDisconnectedAt,
 		&IoIstioDryRun,
+		&IoIstioRerouteVirtualInterfaces,
 		&IoIstioRev,
 		&IoIstioWorkloadController,
 		&IoKubernetesIngressClass,
@ -920,7 +955,6 @@ func AllResourceAnnotations() []*Instance {
 		&SidecarBootstrapOverride,
 		&SidecarComponentLogLevel,
 		&SidecarDiscoveryAddress,
-		&SidecarEnableCoreDump,
 		&SidecarExtraStatTags,
 		&SidecarInject,
 		&SidecarInterceptionMode,
@ -933,6 +967,7 @@ func AllResourceAnnotations() []*Instance {
 		&SidecarProxyMemory,
 		&SidecarProxyMemoryLimit,
 		&SidecarRewriteAppHTTPProbers,
+		&SidecarStatsCompression,
 		&SidecarStatsHistogramBuckets,
 		&SidecarStatsInclusionPrefixes,
 		&SidecarStatsInclusionRegexps,
--- a/annotation/annotations.pb.html
+++ b/annotation/annotations.pb.html
@ -99,6 +99,29 @@ User should not manually modify this annotation.</p>
    </tr>
  </tbody>
 </table>
+<h2 id="IoIstioRerouteVirtualInterfaces">istio.io/reroute-virtual-interfaces</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>istio.io/reroute-virtual-interfaces</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
+Note: When using docker-in-docker container, the default bridge interface name is typically <code>docker0</code>. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option <code>com.docker.network.bridge.name</code> with a fixed value and use that name in the annotation.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="IoIstioRev">istio.io/rev</h2>
 <table class="annotations">
  <tbody>
@ -160,7 +183,7 @@ User should not manually modify this annotation.</p>
    </tr>
    <tr>
      <th>Description</th>
-      <td><p>Specifies the namespaces to which this service should be exported to. A value of &lsquo;*&rsquo; indicates it is reachable within the mesh &lsquo;.&rsquo; indicates it is reachable within its namespace.</p>
+      <td><p>Specifies the namespaces to which this service should be exported to. A value of <code>*</code> indicates it is reachable within the mesh. <code>.</code> indicates it is reachable within its namespace. &lsquo;~&rsquo; indicates it is hidden and exported to no namespaces. Additionally, a list of comma separated namespace names can be specified.</p>
 </td>
    </tr>
  </tbody>
@ -420,28 +443,6 @@ If that backend becomes unhealthy, traffic will sent to <code>us-east</code>.</l
    </tr>
  </tbody>
 </table>
-<h2 id="SidecarEnableCoreDump">sidecar.istio.io/enableCoreDump</h2>
-<table class="annotations">
-  <tbody>
-    <tr>
-      <th>Name</th>
-      <td><code>sidecar.istio.io/enableCoreDump</code></td>
-    </tr>
-    <tr>
-      <th>Feature Status</th>
-      <td>Alpha</td>
-    </tr>
-    <tr>
-      <th>Resource Types</th>
-      <td>[Pod]</td>
-    </tr>
-    <tr>
-      <th>Description</th>
-      <td><p>Specifies whether or not an Envoy sidecar should enable core dump.</p>
-</td>
-    </tr>
-  </tbody>
-</table>
 <h2 id="SidecarExtraStatTags">sidecar.istio.io/extraStatTags</h2>
 <table class="annotations">
  <tbody>
@ -481,7 +482,7 @@ If that backend becomes unhealthy, traffic will sent to <code>us-east</code>.</l
    </tr>
    <tr>
      <th>Description</th>
-      <td><p>Specifies whether or not an Envoy sidecar should be automatically injected into the workload. Deprecated in favor of <code>sidecar.istio.io/inject</code> label.</p>
+      <td><p>Specifies whether or not an Envoy sidecar should be automatically injected into the workload. This annotation has been deprecated in favor of the <code>sidecar.istio.io/inject</code> label documented <a href="/docs/reference/config/labels/#SidecarInject">here</a>.</p>
 </td>
    </tr>
  </tbody>
@ -706,6 +707,29 @@ If that backend becomes unhealthy, traffic will sent to <code>us-east</code>.</l
    </tr>
  </tbody>
 </table>
+<h2 id="SidecarStatsCompression">sidecar.istio.io/statsCompression</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>sidecar.istio.io/statsCompression</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>Specifies the compression algorithm to use for stats emitted by the Envoy sidecar.
+Supported values are <code>brotli</code>, <code>gzip</code>, and <code>zstd</code>.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="SidecarStatsHistogramBuckets">sidecar.istio.io/statsHistogramBuckets</h2>
 <table class="annotations">
  <tbody>
@ -1083,13 +1107,13 @@ If that backend becomes unhealthy, traffic will sent to <code>us-east</code>.</l
 <h2 id="SidecarTrafficKubevirtInterfaces">traffic.sidecar.istio.io/kubevirtInterfaces</h2>
 <table class="annotations">
  <tbody>
-    <tr>
+    <tr class="deprecated">
      <th>Name</th>
      <td><code>traffic.sidecar.istio.io/kubevirtInterfaces</code></td>
    </tr>
    <tr>
      <th>Feature Status</th>
-      <td>Alpha</td>
+      <td>Deprecated</td>
    </tr>
    <tr>
      <th>Resource Types</th>
@ -1097,7 +1121,7 @@ If that backend becomes unhealthy, traffic will sent to <code>us-east</code>.</l
    </tr>
    <tr>
      <th>Description</th>
-      <td><p>A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.</p>
+      <td><p>A comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound. Deprecated in favor of <code>istio.io/redirect-virtual-interfaces</code></p>
 </td>
    </tr>
  </tbody>
--- a/annotation/annotations.yaml
+++ b/annotation/annotations.yaml
@ -46,8 +46,8 @@ annotations:
  - name: networking.istio.io/exportTo
    featureStatus: Alpha
    description: Specifies the namespaces to which this service should be exported to.
-      A value of '*' indicates it is reachable within the mesh '.' indicates it is
-      reachable within its namespace.
+      A value of `*` indicates it is reachable within the mesh. `.` indicates it is
+      reachable within its namespace. '~' indicates it is hidden and exported to no namespaces. Additionally, a list of comma separated namespace names can be specified.
    deprecated: false
    hidden: false
    resources:
@ -56,7 +56,8 @@ annotations:
  - name: sidecar.istio.io/inject
    featureStatus: Beta
    description: Specifies whether or not an Envoy sidecar should be automatically
-      injected into the workload. Deprecated in favor of `sidecar.istio.io/inject` label.
+      injected into the workload. This annotation has been deprecated in favor of the
+      `sidecar.istio.io/inject` label documented [here](/docs/reference/config/labels/#SidecarInject).
    deprecated: true
    hidden: false
    resources:
@ -207,14 +208,6 @@ annotations:
    resources:
      - Pod

-  - name: sidecar.istio.io/enableCoreDump
-    featureStatus: Alpha
-    description: Specifies whether or not an Envoy sidecar should enable core dump.
-    deprecated: false
-    hidden: false
-    resources:
-      - Pod
-
  - name: status.sidecar.istio.io/port
    featureStatus: Alpha
    description: Specifies the HTTP status Port for the Envoy sidecar. If zero, the
@ -370,8 +363,8 @@ annotations:
  - name: traffic.sidecar.istio.io/kubevirtInterfaces
    featureStatus: Alpha
    description: A comma separated list of virtual interfaces whose inbound traffic
-      (from VM) will be treated as outbound.
-    deprecated: false
+      (from VM) will be treated as outbound. Deprecated in favor of `istio.io/redirect-virtual-interfaces`
+    deprecated: true
    hidden: false
    resources:
      - Pod
@ -580,3 +573,33 @@ annotations:
    hidden: true
    resources:
      - Pod
+
+  - name: istio.io/reroute-virtual-interfaces
+    featureStatus: Alpha
+    description: |
+      A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
+      Note: When using docker-in-docker container, the default bridge interface name is typically `docker0`. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option `com.docker.network.bridge.name` with a fixed value and use that name in the annotation.
+    deprecated: false
+    hidden: false
+    resources:
+      - Pod
+
+  - name: ambient.istio.io/dns-capture
+    featureStatus: Alpha
+    description: |
+      When specified on a `Pod` enrolled in ambient mesh, controls whether DNS traffic (TCP and UDP on port 53) will be captured and proxied in ambient.
+      Note that setting this to `false` will break some Istio features, such as ServiceEntries and egress waypoints, but may be desirable for workloads that interact poorly with DNS proxies.
+    deprecated: false
+    hidden: true
+    resources:
+      - Pod
+
+  - name: sidecar.istio.io/statsCompression
+    featureStatus: Alpha
+    description: |
+      Specifies the compression algorithm to use for stats emitted by the Envoy sidecar.
+      Supported values are `brotli`, `gzip`, and `zstd`.
+    deprecated: false
+    hidden: false
+    resources:
+      - Pod
--- a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
+++ b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
@ -1,9 +0,0 @@
---
-title: istio.authentication.v1alpha1
-layout: protoc-gen-docs
-generator: protoc-gen-docs
-schema: istio.authentication.v1alpha1.Policy
-number_of_entries: 0
---
-<p>This package defines user-facing authentication policy.</p>
-
--- a/authentication/v1alpha1/policy.pb.go
+++ b/authentication/v1alpha1/policy.pb.go
--- a/authentication/v1alpha1/policy.proto
+++ b/authentication/v1alpha1/policy.proto
@ -1,432 +0,0 @@
-// Copyright 2018 Istio Authors
-//
-//   Licensed under the Apache License, Version 2.0 (the "License");
-//   you may not use this file except in compliance with the License.
-//   You may obtain a copy of the License at
-//
-//       http://www.apache.org/licenses/LICENSE-2.0
-//
-//   Unless required by applicable law or agreed to in writing, software
-//   distributed under the License is distributed on an "AS IS" BASIS,
-//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//   See the License for the specific language governing permissions and
-//   limitations under the License.
-
-syntax = "proto3";
-
-// $schema: istio.authentication.v1alpha1.Policy
-// $mode: package
-
-// This package defines user-facing authentication policy.
-package istio.authentication.v1alpha1;
-
-import "google/api/field_behavior.proto";
-
-option go_package = "istio.io/api/authentication/v1alpha1";
-
-// $hide_from_docs
-// Describes how to match a given string. Match is case-sensitive.
-message StringMatch {
-  oneof match_type {
-    // exact string match.
-    string exact = 1;
-
-    // prefix-based match.
-    string prefix = 2;
-
-    // suffix-based match.
-    string suffix = 3;
-
-    // RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
-    string regex = 4;
-  }
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
-// TLS authentication params.
-message MutualTls {
-  // $hide_from_docs
-  // Defines the acceptable connection TLS mode.
-  enum Mode {
-    // Client cert must be presented, connection is in TLS.
-    STRICT = 0;
-
-    // Connection can be either plaintext or TLS with Client cert.
-    PERMISSIVE = 1;
-  };
-
-  // Deprecated. Please use mode = PERMISSIVE instead.
-  // If set, will translate to `TLS_PERMISSIVE` mode.
-  // Set this flag to true to allow regular TLS (i.e without client x509
-  // certificate). If request carries client certificate, identity will be
-  // extracted and used (set to peer identity). Otherwise, peer identity will
-  // be left unset.
-  // When the flag is false (default), request must have client certificate.
-  bool allow_tls = 1 [deprecated=true];
-
-  // Defines the mode of mTLS authentication.
-  Mode mode = 2;
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-// JSON Web Token (JWT) token format for authentication as defined by
-// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
-// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
-// authentication flow.
-//
-// For example:
-//
-// A JWT for any requests:
-//
-// ```yaml
-// issuer: https://example.com
-// audiences:
-// - bookstore_android.apps.googleusercontent.com
-//   bookstore_web.apps.googleusercontent.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// ```
-//
-// A JWT for all requests except request at path `/health_check` and path with
-// prefix `/status/`. This is useful to expose some paths for public access but
-// keep others JWT validated.
-//
-// ```yaml
-// issuer: https://example.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// triggerRules:
-// - excludedPaths:
-//   - exact: /health_check
-//   - prefix: /status/
-// ```
-//
-// A JWT only for requests at path `/admin`. This is useful to only require JWT
-// validation on a specific set of paths but keep others public accessible.
-//
-// ```yaml
-// issuer: https://example.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// triggerRules:
-// - includedPaths:
-//   - prefix: /admin
-// ```
-//
-// A JWT only for requests at path of prefix `/status/` but except the path of
-// `/status/version`. This means for any request path with prefix `/status/` except
-// `/status/version` will require a valid JWT to proceed.
-//
-// ```yaml
-// issuer: https://example.com
-// jwksUri: https://example.com/.well-known/jwks.json
-// triggerRules:
-// - excludedPaths:
-//   - exact: /status/version
-//   includedPaths:
-//   - prefix: /status/
-// ```
-message Jwt {
-  // Identifies the issuer that issued the JWT. See
-  // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
-  // Usually a URL or an email address.
-  //
-  // Example: https://securetoken.google.com
-  // Example: 1234567-compute@developer.gserviceaccount.com
-  string issuer = 1;
-
-  // The list of JWT
-  // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
-  // that are allowed to access. A JWT containing any of these
-  // audiences will be accepted.
-  //
-  // The service name will be accepted if audiences is empty.
-  //
-  // Example:
-  //
-  // ```yaml
-  // audiences:
-  // - bookstore_android.apps.googleusercontent.com
-  //   bookstore_web.apps.googleusercontent.com
-  // ```
-  repeated string audiences = 2;
-
-  // URL of the provider's public key set to validate signature of the
-  // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
-  //
-  // Optional if the key set document can either (a) be retrieved from
-  // [OpenID
-  // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
-  // the issuer or (b) inferred from the email domain of the issuer (e.g. a
-  // Google service account).
-  //
-  // Example: `https://www.googleapis.com/oauth2/v1/certs`
-  //
-  // Note: Only one of jwks_uri and jwks should be used.
-  string jwks_uri = 3;
-
-  // JSON Web Key Set of public keys to validate signature of the JWT.
-  // See https://auth0.com/docs/jwks.
-  //
-  // Note: Only one of jwks_uri and jwks should be used.
-  string jwks = 10;
-
-  // Two fields below define where to extract the JWT from an HTTP request.
-  //
-  // If no explicit location is specified the following default
-  // locations are tried in order:
-  //
-  //     1) The Authorization header using the Bearer schema,
-  //        e.g. Authorization: Bearer <token>. (see
-  //        [Authorization Request Header
-  //        Field](https://tools.ietf.org/html/rfc6750#section-2.1))
-  //
-  //     2) `access_token` query parameter (see
-  //     [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))
-
-  // JWT is sent in a request header. `header` represents the
-  // header name.
-  //
-  // For example, if `header=x-goog-iap-jwt-assertion`, the header
-  // format will be `x-goog-iap-jwt-assertion: <JWT>`.
-  repeated string jwt_headers = 6;
-
-  // JWT is sent in a query parameter. `query` represents the
-  // query parameter name.
-  //
-  // For example, `query=jwt_token`.
-  repeated string jwt_params = 7;
-
-  // $hide_from_docs
-  // Trigger rule to match against a request. The trigger rule is satisfied if
-  // and only if both rules, excluded_paths and include_paths are satisfied.
-  message TriggerRule {
-    // List of paths to be excluded from the request. The rule is satisfied if
-    // request path does not match to any of the path in this list.
-    repeated StringMatch excluded_paths = 1;
-
-    // List of paths that the request must include. If the list is not empty, the
-    // rule is satisfied if request path matches at least one of the path in the list.
-    // If the list is empty, the rule is ignored, in other words the rule is always satisfied.
-    repeated StringMatch included_paths = 2;
-  }
-
-  // List of trigger rules to decide if this JWT should be used to validate the
-  // request. The JWT validation happens if any one of the rules matched.
-  // If the list is not empty and none of the rules matched, authentication will
-  // skip the JWT validation.
-  // Leave this empty to always trigger the JWT validation.
-  repeated TriggerRule trigger_rules = 9;
-
-  // $hide_from_docs
-  // Next available field number: 11
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
-// PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported
-// at the moment.
-// The type can be progammatically determine by checking the type of the
-// "params" field.
-message PeerAuthenticationMethod {
-  // $hide_from_docs
-  oneof params {
-    // Set if mTLS is used.
-    MutualTls mtls = 1;
-
-    // $hide_from_docs
-    // Deprecated.
-    // Set if JWT is used. This option was never available.
-    Jwt jwt = 2 [deprecated=true];
-  }
-}
-
-// $hide_from_docs
-// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-// OriginAuthenticationMethod defines authentication method/params for origin
-// authentication. Origin could be end-user, device, delegate service etc.
-// Currently, only JWT is supported for origin authentication.
-message OriginAuthenticationMethod {
-  // Jwt params for the method.
-  Jwt jwt = 1;
-}
-
-// $hide_from_docs
-// Deprecated. When using security/v1beta1/RequestAuthentication, the request principal always
-// comes from request authentication (i.e JWT).
-// Associates authentication with request principal.
-enum PrincipalBinding {
-  // Principal will be set to the identity from peer authentication.
-  USE_PEER = 0;
-
-  // Principal will be set to the identity from origin authentication.
-  USE_ORIGIN = 1;
-}
-
-// $hide_from_docs
-// Policy defines what authentication methods can be accepted on workload(s),
-// and if authenticated, which method/certificate will set the request principal
-// (i.e request.auth.principal attribute).
-//
-// Authentication policy is composed of 2-part authentication:
-// - peer: verify caller service credentials. This part will set source.user
-// (peer identity).
-// - origin: verify the origin credentials. This part will set request.auth.user
-// (origin identity), as well as other attributes like request.auth.presenter,
-// request.auth.audiences and raw claims. Note that the identity could be
-// end-user, service account, device etc.
-//
-// Last but not least, the principal binding rule defines which identity (peer
-// or origin) should be used as principal. By default, it uses peer.
-//
-// Examples:
-//
-// Policy to enable mTLS for all services in namespace frod. The policy name must be
-// `default`, and it contains no rule for `targets`.
-//
-// ```yaml
-// apiVersion: authentication.istio.io/v1alpha1
-// kind: Policy
-// metadata:
-//   name: default
-//   namespace: frod
-// spec:
-//   peers:
-//   - mtls:
-// ```
-// Policy to disable mTLS for "productpage" service
-//
-// ```yaml
-// apiVersion: authentication.istio.io/v1alpha1
-// kind: Policy
-// metadata:
-//   name: productpage-mTLS-disable
-//   namespace: frod
-// spec:
-//   targets:
-//   - name: productpage
-// ```
-// Policy to require mTLS for peer authentication, and JWT for origin authentication
-// for productpage:9000 except the path '/health_check' . Principal is set from origin identity.
-//
-// ```yaml
-// apiVersion: authentication.istio.io/v1alpha1
-// kind: Policy
-// metadata:
-//   name: productpage-mTLS-with-JWT
-//   namespace: frod
-// spec:
-//   targets:
-//   - name: productpage
-//     ports:
-//     - number: 9000
-//   peers:
-//   - mtls:
-//   origins:
-//   - jwt:
-//       issuer: "https://securetoken.google.com"
-//       audiences:
-//       - "productpage"
-//       jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
-//       jwtHeaders:
-//       - "x-goog-iap-jwt-assertion"
-//       triggerRules:
-//       - excludedPaths:
-//         - exact: /health_check
-//   principalBinding: USE_ORIGIN
-// ```
-message Policy {
-  // Deprecated. Only mesh-level and namespace-level policies are supported.
-  // List rules to select workloads that the policy should be applied on.
-  // If empty, policy will be used on all workloads in the same namespace.
-  repeated TargetSelector targets = 1 [deprecated=true];
-
-  // $hide_from_docs
-  // Deprecated. Please use security/v1beta1/PeerAuthentication instead.
-  // List of authentication methods that can be used for peer authentication.
-  // They will be evaluated in order; the first validate one will be used to
-  // set peer identity (source.user) and other peer attributes. If none of
-  // these methods pass, request will be rejected with authentication failed error (401).
-  // Leave the list empty if peer authentication is not required
-  repeated PeerAuthenticationMethod peers = 2;
-
-  // Deprecated. Should set mTLS to PERMISSIVE instead.
-  // Set this flag to true to accept request (for peer authentication perspective),
-  // even when none of the peer authentication methods defined above satisfied.
-  // Typically, this is used to delay the rejection decision to next layer (e.g
-  // authorization).
-  // This flag is ignored if no authentication defined for peer (peers field is empty).
-  bool peer_is_optional = 3 [deprecated=true];
-
-  // Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-  // List of authentication methods that can be used for origin authentication.
-  // Similar to peers, these will be evaluated in order; the first validate one
-  // will be used to set origin identity and attributes (i.e request.auth.user,
-  // request.auth.issuer etc). If none of these methods pass, request will be
-  // rejected with authentication failed error (401).
-  // A method may be skipped, depends on its trigger rule. If all of these methods
-  // are skipped, origin authentication will be ignored, as if it is not defined.
-  // Leave the list empty if origin authentication is not required.
-  repeated OriginAuthenticationMethod origins = 4 [deprecated=true];
-
-  // Deprecated. Please use security/v1beta1/RequestAuthentication instead.
-  // Set this flag to true to accept request (for origin authentication perspective),
-  // even when none of the origin authentication methods defined above satisfied.
-  // Typically, this is used to delay the rejection decision to next layer (e.g
-  // authorization).
-  // This flag is ignored if no authentication defined for origin (origins field is empty).
-  bool origin_is_optional = 5 [deprecated=true];
-
-  // Deprecated. Source principal is always from peer, and request principal is always from
-  // RequestAuthentication.
-  // Define whether peer or origin identity should be use for principal. Default
-  // value is USE_PEER.
-  // If peer (or origin) identity is not available, either because of peer/origin
-  // authentication is not defined, or failed, principal will be left unset.
-  // In other words, binding rule does not affect the decision to accept or
-  // reject request.
-  PrincipalBinding principal_binding = 6 [deprecated=true];
-}
-
-// $hide_from_docs
-// Deprecated. Only support mesh and namespace level policy in the future.
-// TargetSelector defines a matching rule to a workload. A workload is selected
-// if it is associated with the service name and service port(s) specified in the selector rule.
-message TargetSelector {
-  // The name must be a short name from the service registry. The
-  // fully qualified domain name will be resolved in a platform specific manner.
-  string name = 1 [(google.api.field_behavior) = REQUIRED];
-
-  reserved 3;
-  reserved "labels";
-
-  // Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.
-  // For example, if a service is defined as below, then `8000` should be used, not `9000`.
-  // ```yaml
-  // kind: Service
-  // metadata:
-  //   ...
-  // spec:
-  //   ports:
-  //   - name: http
-  //     port: 8000
-  //     targetPort: 9000
-  //   selector:
-  //     app: backend
-  // ```
-  //Leave empty to match all ports that are exposed.
-  repeated PortSelector ports = 2;
-}
-
-// $hide_from_docs
-// Deprecated. Only support mesh and namespace level policy in the future.
-// PortSelector specifies the name or number of a port to be used for
-// matching targets for authentication policy. This is copied from
-// networking API to avoid dependency.
-message PortSelector {
-  oneof port {
-    // Valid port number
-    uint32 number = 1;
-    // Port name
-    string name = 2;
-  }
-}
--- a/authentication/v1alpha1/policy_deepcopy.gen.go
+++ b/authentication/v1alpha1/policy_deepcopy.gen.go
@ -1,195 +0,0 @@
-// Code generated by protoc-gen-deepcopy. DO NOT EDIT.
-package v1alpha1
-
-import (
-	proto "google.golang.org/protobuf/proto"
-)
-
-// DeepCopyInto supports using StringMatch within kubernetes types, where deepcopy-gen is used.
-func (in *StringMatch) DeepCopyInto(out *StringMatch) {
-	p := proto.Clone(in).(*StringMatch)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen.
-func (in *StringMatch) DeepCopy() *StringMatch {
-	if in == nil {
-		return nil
-	}
-	out := new(StringMatch)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen.
-func (in *StringMatch) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using MutualTls within kubernetes types, where deepcopy-gen is used.
-func (in *MutualTls) DeepCopyInto(out *MutualTls) {
-	p := proto.Clone(in).(*MutualTls)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen.
-func (in *MutualTls) DeepCopy() *MutualTls {
-	if in == nil {
-		return nil
-	}
-	out := new(MutualTls)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen.
-func (in *MutualTls) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using Jwt within kubernetes types, where deepcopy-gen is used.
-func (in *Jwt) DeepCopyInto(out *Jwt) {
-	p := proto.Clone(in).(*Jwt)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen.
-func (in *Jwt) DeepCopy() *Jwt {
-	if in == nil {
-		return nil
-	}
-	out := new(Jwt)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen.
-func (in *Jwt) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using Jwt_TriggerRule within kubernetes types, where deepcopy-gen is used.
-func (in *Jwt_TriggerRule) DeepCopyInto(out *Jwt_TriggerRule) {
-	p := proto.Clone(in).(*Jwt_TriggerRule)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen.
-func (in *Jwt_TriggerRule) DeepCopy() *Jwt_TriggerRule {
-	if in == nil {
-		return nil
-	}
-	out := new(Jwt_TriggerRule)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen.
-func (in *Jwt_TriggerRule) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using PeerAuthenticationMethod within kubernetes types, where deepcopy-gen is used.
-func (in *PeerAuthenticationMethod) DeepCopyInto(out *PeerAuthenticationMethod) {
-	p := proto.Clone(in).(*PeerAuthenticationMethod)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen.
-func (in *PeerAuthenticationMethod) DeepCopy() *PeerAuthenticationMethod {
-	if in == nil {
-		return nil
-	}
-	out := new(PeerAuthenticationMethod)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen.
-func (in *PeerAuthenticationMethod) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using OriginAuthenticationMethod within kubernetes types, where deepcopy-gen is used.
-func (in *OriginAuthenticationMethod) DeepCopyInto(out *OriginAuthenticationMethod) {
-	p := proto.Clone(in).(*OriginAuthenticationMethod)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen.
-func (in *OriginAuthenticationMethod) DeepCopy() *OriginAuthenticationMethod {
-	if in == nil {
-		return nil
-	}
-	out := new(OriginAuthenticationMethod)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen.
-func (in *OriginAuthenticationMethod) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using Policy within kubernetes types, where deepcopy-gen is used.
-func (in *Policy) DeepCopyInto(out *Policy) {
-	p := proto.Clone(in).(*Policy)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen.
-func (in *Policy) DeepCopy() *Policy {
-	if in == nil {
-		return nil
-	}
-	out := new(Policy)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen.
-func (in *Policy) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using TargetSelector within kubernetes types, where deepcopy-gen is used.
-func (in *TargetSelector) DeepCopyInto(out *TargetSelector) {
-	p := proto.Clone(in).(*TargetSelector)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen.
-func (in *TargetSelector) DeepCopy() *TargetSelector {
-	if in == nil {
-		return nil
-	}
-	out := new(TargetSelector)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen.
-func (in *TargetSelector) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
-
-// DeepCopyInto supports using PortSelector within kubernetes types, where deepcopy-gen is used.
-func (in *PortSelector) DeepCopyInto(out *PortSelector) {
-	p := proto.Clone(in).(*PortSelector)
-	*out = *p
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen.
-func (in *PortSelector) DeepCopy() *PortSelector {
-	if in == nil {
-		return nil
-	}
-	out := new(PortSelector)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen.
-func (in *PortSelector) DeepCopyInterface() interface{} {
-	return in.DeepCopy()
-}
--- a/authentication/v1alpha1/policy_json.gen.go
+++ b/authentication/v1alpha1/policy_json.gen.go
@ -1,111 +0,0 @@
-// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
-package v1alpha1
-
-import (
-	bytes "bytes"
-	jsonpb "github.com/golang/protobuf/jsonpb"
-)
-
-// MarshalJSON is a custom marshaler for StringMatch
-func (this *StringMatch) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for StringMatch
-func (this *StringMatch) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for MutualTls
-func (this *MutualTls) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for MutualTls
-func (this *MutualTls) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for Jwt
-func (this *Jwt) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for Jwt
-func (this *Jwt) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for Jwt_TriggerRule
-func (this *Jwt_TriggerRule) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for Jwt_TriggerRule
-func (this *Jwt_TriggerRule) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for PeerAuthenticationMethod
-func (this *PeerAuthenticationMethod) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for PeerAuthenticationMethod
-func (this *PeerAuthenticationMethod) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for OriginAuthenticationMethod
-func (this *OriginAuthenticationMethod) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for OriginAuthenticationMethod
-func (this *OriginAuthenticationMethod) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for Policy
-func (this *Policy) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for Policy
-func (this *Policy) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for TargetSelector
-func (this *TargetSelector) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for TargetSelector
-func (this *TargetSelector) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-// MarshalJSON is a custom marshaler for PortSelector
-func (this *PortSelector) MarshalJSON() ([]byte, error) {
-	str, err := PolicyMarshaler.MarshalToString(this)
-	return []byte(str), err
-}
-
-// UnmarshalJSON is a custom unmarshaler for PortSelector
-func (this *PortSelector) UnmarshalJSON(b []byte) error {
-	return PolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
-}
-
-var (
-	PolicyMarshaler   = &jsonpb.Marshaler{}
-	PolicyUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
-)
--- a/buf.gen-noncrd.yaml
+++ b/buf.gen-noncrd.yaml
@ -9,3 +9,6 @@ plugins:
 - name: docs
  out: .
  opt: warnings=false,dictionary=./dictionaries/en-US,custom_word_list=./dictionaries/custom.txt,per_file=true,mode=html_fragment_with_front_matter
+- name: golang-jsonshim
+  out: .
+  opt: paths=source_relative
--- a/common/.commonfiles.sha
+++ b/common/.commonfiles.sha
@ -1 +1 @@
-82dc68a737b72d394c344d4fd71ff9e9ebf01852
+d46067e1a8ba3db4abe2635af5807f00ba1981e6
--- a/common/Makefile.common.mk
+++ b/common/Makefile.common.mk
@ -106,13 +106,11 @@ update-common:
 	@if [ "$(CONTRIB_OVERRIDE)" != "CONTRIBUTING.md" ]; then\
 		rm $(TMP)/common-files/files/CONTRIBUTING.md;\
 	fi
-# istio/istio.io uses the  Creative Commons Attribution 4.0 license. Don't update LICENSE with the common Apache license.
-	@LICENSE_OVERRIDE=$(shell grep -l "Creative Commons Attribution 4.0 International Public License" LICENSE)
-	@if [ "$(LICENSE_OVERRIDE)" != "LICENSE" ]; then\
-		rm $(TMP)/common-files/files/LICENSE;\
-	fi
 	@cp -a $(TMP)/common-files/files/* $(TMP)/common-files/files/.devcontainer $(TMP)/common-files/files/.gitattributes $(shell pwd)
 	@rm -fr $(TMP)/common-files
+	@if [ "$(AUTOMATOR_REPO)" == "proxy" ]; then\
+		sed -i -e 's/build-tools:/build-tools-proxy:/g' .devcontainer/devcontainer.json;\
+	fi
 	@$(or $(COMMONFILES_POSTPROCESS), true)

 check-clean-repo:
--- a/common/config/.golangci-format.yml
+++ b/common/config/.golangci-format.yml
@ -1,56 +0,0 @@
-# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
-#
-# The original version of this file is located in the https://github.com/istio/common-files repo.
-# If you're looking at this file in a different repo and want to make a change, please go to the
-# common-files repo, make the change there and check it in. Then come back to this repo and run
-# "make update-common".
-
-run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 20m
-  build-tags:
-  - integ
-  - integfuzz
-linters:
-  disable-all: true
-  enable:
-  - goimports
-  - gofumpt
-  - gci
-  fast: false
-linters-settings:
-  gci:
-    sections:
-      - standard # Captures all standard packages if they do not match another section.
-      - default # Contains all imports that could not be matched to another section type.
-      - prefix(istio.io/) # Groups all imports with the specified Prefix.
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: istio.io/
-issues:
-  # Which dirs to exclude: issues from them won't be reported.
-  # Can use regexp here: `generated.*`, regexp is applied on full path,
-  # including the path prefix if one is set.
-  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-dirs:
-    - genfiles$
-    - vendor$
-  # Which files to exclude: they will be analyzed, but issues from them won't be reported.
-  # There is no need to include all autogenerated files,
-  # we confidently recognize autogenerated files.
-  # If it's not, please let us know.
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-files:
-    - ".*\\.pb\\.go"
-    - ".*\\.gen\\.go"
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
-  max-issues-per-linter: 0
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
-  max-same-issues: 0
--- a/common/config/.golangci.yml
+++ b/common/config/.golangci.yml
@ -1,262 +1,221 @@
-# WARNING: DO NOT EDIT, THIS FILE IS PROBABLY A COPY
-#
-# The original version of this file is located in the https://github.com/istio/common-files repo.
-# If you're looking at this file in a different repo and want to make a change, please go to the
-# common-files repo, make the change there and check it in. Then come back to this repo and run
-# "make update-common".
-
+version: "2"
 run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 20m
  build-tags:
    - integ
    - integfuzz
 linters:
-  disable-all: true
+  default: none
  enable:
-    - errcheck
-    - exportloopref
+    - copyloopvar
    - depguard
+    - errcheck
    - gocritic
-    - gofumpt
-    - goimports
-    - revive
-    - gosimple
+    - gosec
    - govet
    - ineffassign
    - lll
    - misspell
+    - revive
    - staticcheck
-    - stylecheck
-    - typecheck
    - unconvert
    - unparam
    - unused
-    - gci
-    - gosec
-  fast: false
-linters-settings:
-  errcheck:
-    # report about not checking of errors in type assertions: `a := b.(MyStruct)`;
-    # default is false: such cases aren't reported by default.
-    check-type-assertions: false
-    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
-    # default is false: such cases aren't reported by default.
-    check-blank: false
-  govet:
-    disable:
-      # report about shadowed variables
-      - shadow
-  goimports:
-    # put imports beginning with prefix after 3rd-party packages;
-    # it's a comma-separated list of prefixes
-    local-prefixes: istio.io/
-  misspell:
-    # Correct spellings using locale preferences for US or UK.
-    # Default is to use a neutral variety of English.
-    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
-    locale: US
-    ignore-words:
-      - cancelled
-  lll:
-    # max line length, lines longer will be reported. Default is 120.
-    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
-    line-length: 160
-    # tab width in spaces. Default to 1.
-    tab-width: 1
-  revive:
-    ignore-generated-header: false
-    severity: "warning"
-    confidence: 0.0
+  settings:
+    depguard:
+      rules:
+        DenyGogoProtobuf:
+          files:
+            - $all
+          deny:
+            - pkg: github.com/gogo/protobuf
+              desc: gogo/protobuf is deprecated, use golang/protobuf
+    errcheck:
+      check-type-assertions: false
+      check-blank: false
+    gocritic:
+      disable-all: true
+      enabled-checks:
+        - appendCombine
+        - argOrder
+        - assignOp
+        - badCond
+        - boolExprSimplify
+        - builtinShadow
+        - captLocal
+        - caseOrder
+        - codegenComment
+        - commentedOutCode
+        - commentedOutImport
+        - defaultCaseOrder
+        - deprecatedComment
+        - docStub
+        - dupArg
+        - dupBranchBody
+        - dupCase
+        - dupSubExpr
+        - elseif
+        - emptyFallthrough
+        - equalFold
+        - flagDeref
+        - flagName
+        - hexLiteral
+        - indexAlloc
+        - initClause
+        - methodExprCall
+        - nilValReturn
+        - octalLiteral
+        - offBy1
+        - rangeExprCopy
+        - regexpMust
+        - sloppyLen
+        - stringXbytes
+        - switchTrue
+        - typeAssertChain
+        - typeSwitchVar
+        - typeUnparen
+        - underef
+        - unlambda
+        - unnecessaryBlock
+        - unslice
+        - valSwap
+        - weakCond
+    gosec:
+      includes:
+        - G401
+        - G402
+        - G404
+    govet:
+      disable:
+        - shadow
+    lll:
+      line-length: 160
+      tab-width: 1
+    misspell:
+      locale: US
+      ignore-rules:
+        - cancelled
+    revive:
+      confidence: 0
+      severity: warning
+      rules:
+        - name: blank-imports
+        - name: context-keys-type
+        - name: time-naming
+        - name: var-declaration
+        - name: unexported-return
+        - name: errorf
+        - name: context-as-argument
+        - name: dot-imports
+        - name: error-return
+        - name: error-strings
+        - name: error-naming
+        - name: increment-decrement
+        - name: var-naming
+        - name: package-comments
+        - name: range
+        - name: receiver-naming
+        - name: indent-error-flow
+        - name: superfluous-else
+        - name: modifies-parameter
+        - name: unreachable-code
+        - name: struct-tag
+        - name: constant-logical-expr
+        - name: bool-literal-in-expr
+        - name: redefines-builtin-id
+        - name: imports-blocklist
+        - name: range-val-in-closure
+        - name: range-val-address
+        - name: waitgroup-by-value
+        - name: atomic
+        - name: call-to-gc
+        - name: duplicated-imports
+        - name: string-of-int
+        - name: defer
+          arguments:
+            - - call-chain
+        - name: unconditional-recursion
+        - name: identical-branches
+    unparam:
+      check-exported: false
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
    rules:
-      - name: blank-imports
-      - name: context-keys-type
-      - name: time-naming
-      - name: var-declaration
-      - name: unexported-return
-      - name: errorf
-      - name: context-as-argument
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: increment-decrement
-      - name: var-naming
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: indent-error-flow
-      - name: superfluous-else
-      - name: modifies-parameter
-      - name: unreachable-code
-      - name: struct-tag
-      - name: constant-logical-expr
-      - name: bool-literal-in-expr
-      - name: redefines-builtin-id
-      - name: imports-blacklist
-      - name: range-val-in-closure
-      - name: range-val-address
-      - name: waitgroup-by-value
-      - name: atomic
-      - name: call-to-gc
-      - name: duplicated-imports
-      - name: string-of-int
-      - name: defer
-        arguments:
-          - - "call-chain"
-      - name: unconditional-recursion
-      - name: identical-branches
-        # the following rules can be enabled in the future
-        # - name: empty-lines
-        # - name: confusing-results
-        # - name: empty-block
-        # - name: get-return
-        # - name: confusing-naming
-        # - name: unexported-naming
-        # - name: early-return
-        # - name: unused-parameter
-        # - name: unnecessary-stmt
-        # - name: deep-exit
-        # - name: import-shadowing
-        # - name: modifies-value-receiver
-        # - name: unused-receiver
-        # - name: bare-return
-        # - name: flag-parameter
-        # - name: unhandled-error
-        # - name: if-return
-  unparam:
-    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
-    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
-    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
-    # with golangci-lint call it on a directory with the changed file.
-    check-exported: false
-  gci:
-    sections:
-      - standard # Captures all standard packages if they do not match another section.
-      - default # Contains all imports that could not be matched to another section type.
-      - prefix(istio.io/) # Groups all imports with the specified Prefix.
-  gocritic:
-    # Disable all checks.
-    # Default: false
-    disable-all: true
-    # Which checks should be enabled in addition to default checks. Since we don't want
-    # all of the default checks, we do the disable-all first.
-    enabled-checks:
-      - appendCombine
-      - argOrder
-      - assignOp
-      - badCond
-      - boolExprSimplify
-      - builtinShadow
-      - captLocal
-      - caseOrder
-      - codegenComment
-      - commentedOutCode
-      - commentedOutImport
-      - defaultCaseOrder
-      - deprecatedComment
-      - docStub
-      - dupArg
-      - dupBranchBody
-      - dupCase
-      - dupSubExpr
-      - elseif
-      - emptyFallthrough
-      - equalFold
-      - flagDeref
-      - flagName
-      - hexLiteral
-      - indexAlloc
-      - initClause
-      - methodExprCall
-      - nilValReturn
-      - octalLiteral
-      - offBy1
-      - rangeExprCopy
-      - regexpMust
-      - sloppyLen
-      - stringXbytes
-      - switchTrue
-      - typeAssertChain
-      - typeSwitchVar
-      - typeUnparen
-      - underef
-      - unlambda
-      - unnecessaryBlock
-      - unslice
-      - valSwap
-      - weakCond
-  depguard:
-    rules:
-      DenyGogoProtobuf:
-        files:
-          - $all
-        deny:
-          - pkg: github.com/gogo/protobuf
-            desc: "gogo/protobuf is deprecated, use golang/protobuf"
-  gosec:
-    includes:
-      - G401
-      - G402
-      - G404
+      - linters:
+          - errcheck
+          - maligned
+        path: _test\.go$|tests/|samples/
+      - path: _test\.go$
+        text: 'dot-imports: should not use dot imports'
+      - linters:
+          - staticcheck
+        text: 'SA1019: package github.com/golang/protobuf/jsonpb'
+      - linters:
+          - staticcheck
+        text: 'SA1019: "github.com/golang/protobuf/jsonpb"'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.Dial is deprecated: use NewClient instead'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.DialContext is deprecated: use NewClient instead'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.WithBlock is deprecated'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.FailOnNonTempDialError'
+      - linters:
+          - staticcheck
+        text: 'SA1019: grpc.WithReturnConnectionError'
+      - path: (.+)\.go$
+        text: composite literal uses unkeyed fields
+      # TODO: remove following rule in the future
+      - linters:
+          - staticcheck
+        text: 'QF'
+      - linters:
+          - staticcheck
+        text: 'ST1005'
+      - linters:
+          - staticcheck
+        text: 'S1007'
+    paths:
+      - .*\.pb\.go
+      - .*\.gen\.go
+      - genfiles$
+      - vendor$
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # List of regexps of issue texts to exclude, empty list by default.
-  # But independently from this option we use default exclude patterns,
-  # it can be disabled by `exclude-use-default: false`. To list all
-  # excluded by default patterns execute `golangci-lint run --help`
-  exclude:
-    - composite literal uses unkeyed fields
-  # Which dirs to exclude: issues from them won't be reported.
-  # Can use regexp here: `generated.*`, regexp is applied on full path,
-  # including the path prefix if one is set.
-  # Default dirs are skipped independently of this option's value (see exclude-dirs-use-default).
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-dirs:
-    - genfiles$
-    - vendor$
-  # Which files to exclude: they will be analyzed, but issues from them won't be reported.
-  # There is no need to include all autogenerated files,
-  # we confidently recognize autogenerated files.
-  # If it's not, please let us know.
-  # "/" will be replaced by current OS file path separator to properly work on Windows.
-  # Default: []
-  exclude-files:
-    - ".*\\.pb\\.go"
-    - ".*\\.gen\\.go"
-  exclude-rules:
-    # Exclude some linters from running on test files.
-    - path: _test\.go$|^tests/|^samples/
-      linters:
-        - errcheck
-        - maligned
-    - path: _test\.go$
-      text: "dot-imports: should not use dot imports"
-    # We need to use the deprecated module since the jsonpb replacement is not backwards compatible.
-    - linters: [staticcheck]
-      text: "SA1019: package github.com/golang/protobuf/jsonpb"
-    - linters: [staticcheck]
-      text: 'SA1019: "github.com/golang/protobuf/jsonpb"'
-    # This is not helpful. The new function is not very usable and the current function will not be removed
-    - linters: [staticcheck]
-      text: 'SA1019: grpc.Dial is deprecated: use NewClient instead'
-    - linters: [staticcheck]
-      text: 'SA1019: grpc.DialContext is deprecated: use NewClient instead'
-    - linters: [staticcheck]
-      text: "SA1019: grpc.WithBlock is deprecated"
-    - linters: [staticcheck]
-      text: "SA1019: grpc.FailOnNonTempDialError"
-    - linters: [staticcheck]
-      text: "SA1019: grpc.WithReturnConnectionError"
-  # Independently from option `exclude` we use default exclude patterns,
-  # it can be disabled by this option. To list all
-  # excluded by default patterns execute `golangci-lint run --help`.
-  # Default value for this option is true.
-  exclude-use-default: true
-  # Maximum issues count per one linter.
-  # Set to 0 to disable.
-  # Default: 50
  max-issues-per-linter: 0
-  # Maximum count of issues with the same text. Set to 0 to disable. Default is 3.
  max-same-issues: 0
+formatters:
+  enable:
+    - gci
+    - gofumpt
+    - goimports
+  settings:
+    gci:
+      sections:
+        - standard
+        - default
+        - prefix(istio.io/)
+    goimports:
+      local-prefixes:
+        - istio.io/
+  exclusions:
+    generated: lax
+    paths:
+      - .*\.pb\.go
+      - .*\.gen\.go
+      - genfiles$
+      - vendor$
+      - third_party$
+      - builtin$
+      - examples$
--- a/common/config/license-lint.yml
+++ b/common/config/license-lint.yml
@ -125,4 +125,21 @@ allowlisted_modules:

 # Simplified BSD (BSD-2-Clause): https://github.com/russross/blackfriday/blob/master/LICENSE.txt
 - github.com/russross/blackfriday
- github.com/russross/blackfriday/v2
+- github.com/russross/blackfriday/v2
+
+# W3C Test Suite License, W3C 3-clause BSD License
+# gonum uses this for its some of its test files
+# gonum.org/v1/gonum/graph/formats/rdf/testdata/LICENSE.md
+- gonum.org/v1/gonum
+
+# BSD 3-clause: https://github.com/go-inf/inf/blob/v0.9.1/LICENSE
+- gopkg.in/inf.v0
+
+# BSD 3-clause: https://github.com/go-git/gcfg/blob/main/LICENSE
+- github.com/go-git/gcfg
+
+# Apache 2.0
+- github.com/aws/smithy-go
+
+# Simplified BSD License: https://github.com/gomarkdown/markdown/blob/master/LICENSE.txt
+- github.com/gomarkdown/markdown
--- a/common/scripts/format_go.sh
+++ b/common/scripts/format_go.sh
@ -21,4 +21,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-golangci-lint run --fix -c ./common/config/.golangci-format.yml
+golangci-lint run --fix -c ./common/config/.golangci.yml
--- a/common/scripts/kind_provisioner.sh
+++ b/common/scripts/kind_provisioner.sh
@ -32,10 +32,10 @@ set -x
 ####################################################################

 # DEFAULT_KIND_IMAGE is used to set the Kubernetes version for KinD unless overridden in params to setup_kind_cluster(s)
-DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.28.4"
+DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.33.1"

 # the default kind cluster should be ipv4 if not otherwise specified
-IP_FAMILY="${IP_FAMILY:-ipv4}"
+KIND_IP_FAMILY="${KIND_IP_FAMILY:-ipv4}"

 # COMMON_SCRIPTS contains the directory this file is in.
 COMMON_SCRIPTS=$(dirname "${BASH_SOURCE:-$0}")
@ -147,7 +147,7 @@ function setup_kind_cluster_retry() {
 # 1. NAME: Name of the Kind cluster (optional)
 # 2. IMAGE: Node image used by KinD (optional)
 # 3. CONFIG: KinD cluster configuration YAML file. If not specified then DEFAULT_CLUSTER_YAML is used
-# 4. NOMETALBINSTALL: Dont install matllb if set.
+# 4. NOMETALBINSTALL: Dont install metalb if set.
 # This function returns 0 when everything goes well, or 1 otherwise
 # If Kind cluster was already created then it would be cleaned up in case of errors
 function setup_kind_cluster() {
@ -186,16 +186,25 @@ function setup_kind_cluster() {

  # Create KinD cluster
  if ! (yq eval "${CONFIG}" --expression ".networking.disableDefaultCNI = ${KIND_DISABLE_CNI}" \
-    --expression ".networking.ipFamily = \"${IP_FAMILY}\"" | \
+    --expression ".networking.ipFamily = \"${KIND_IP_FAMILY}\"" | \
    kind create cluster --name="${NAME}" -v4 --retain --image "${IMAGE}" ${KIND_WAIT_FLAG:+"$KIND_WAIT_FLAG"} --config -); then
    echo "Could not setup KinD environment. Something wrong with KinD setup. Exporting logs."
    return 9
+    # kubectl config set clusters.kind-istio-testing.server https://istio-testing-control-plane:6443
  fi
+
+  if [[ -n "${DEVCONTAINER:-}" ]]; then
+    # identify our docker container id using proc and regex
+    containerid=$(grep 'resolv.conf' /proc/self/mountinfo | sed 's/.*\/docker\/containers\/\([0-9a-f]*\).*/\1/')
+    docker network connect kind "$containerid"
+    kind export kubeconfig --name="${NAME}" --internal
+  fi
+
  # Workaround kind issue causing taints to not be removed in 1.24
  kubectl taint nodes "${NAME}"-control-plane node-role.kubernetes.io/control-plane- 2>/dev/null || true

  # Determine what CNI to install
-  case "${KUBERNETES_CNI:-}" in 
+  case "${KUBERNETES_CNI:-}" in

    "calico")
      echo "Installing Calico CNI"
@ -230,7 +239,7 @@ function setup_kind_cluster() {
  # https://github.com/coredns/coredns/issues/2494#issuecomment-457215452
  # CoreDNS should handle those domains and answer with NXDOMAIN instead of SERVFAIL
  # otherwise pods stops trying to resolve the domain.
-  if [ "${IP_FAMILY}" = "ipv6" ] || [ "${IP_FAMILY}" = "dual" ]; then
+  if [ "${KIND_IP_FAMILY}" = "ipv6" ] || [ "${KIND_IP_FAMILY}" = "dual" ]; then
    # Get the current config
    original_coredns=$(kubectl get -oyaml -n=kube-system configmap/coredns)
    echo "Original CoreDNS config:"
@ -267,14 +276,14 @@ function cleanup_kind_clusters() {
 # setup_kind_clusters sets up a given number of kind clusters with given topology
 # as specified in cluster topology configuration file.
 # 1. IMAGE = docker image used as node by KinD
-# 2. IP_FAMILY = either ipv4 or ipv6
+# 2. KIND_IP_FAMILY = either ipv4 or ipv6 or dual
 #
 # NOTE: Please call load_cluster_topology before calling this method as it expects
 # cluster topology information to be loaded in advance
 function setup_kind_clusters() {
  IMAGE="${1:-"${DEFAULT_KIND_IMAGE}"}"
  KUBECONFIG_DIR="${ARTIFACTS:-$(mktemp -d)}/kubeconfig"
-  IP_FAMILY="${2:-ipv4}"
+  KIND_IP_FAMILY="${2:-ipv4}"

  check_default_cluster_yaml

--- a/common/scripts/lint_go.sh
+++ b/common/scripts/lint_go.sh
@ -21,8 +21,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+GOLANGCILINT_RUN_ARGS=(--output.text.path stdout --output.junit-xml.path "${ARTIFACTS}"/junit-lint.xml)
+
 if [[ "${ARTIFACTS}" != "" ]]; then
-  golangci-lint run -v -c ./common/config/.golangci.yml --out-format colored-line-number,junit-xml:"${ARTIFACTS}"/junit-lint.xml
+  golangci-lint run -v -c ./common/config/.golangci.yml "${GOLANGCILINT_RUN_ARGS[@]}"
 else
  golangci-lint run -v -c ./common/config/.golangci.yml
 fi
--- a/common/scripts/run.sh
+++ b/common/scripts/run.sh
@ -47,7 +47,9 @@ read -ra DOCKER_RUN_OPTIONS <<< "${DOCKER_RUN_OPTIONS:-}"
    "${DOCKER_RUN_OPTIONS[@]}" \
    --init \
    --sig-proxy=true \
+    --cap-add=SYS_ADMIN \
    ${DOCKER_SOCKET_MOUNT:--v /var/run/docker.sock:/var/run/docker.sock} \
+    -e DOCKER_HOST=${DOCKER_SOCKET_HOST:-unix:///var/run/docker.sock} \
    $CONTAINER_OPTIONS \
    --env-file <(env | grep -v ${ENV_BLOCKLIST}) \
    -e IN_BUILD_CONTAINER=1 \
--- a/common/scripts/setup_env.sh
+++ b/common/scripts/setup_env.sh
@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90
+  IMAGE_VERSION=master-8e6480403f5cf4c9a4cd9d65174d01850e632e1a
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
  IMAGE_NAME=build-tools
--- a/envoy/config/filter/http/alpn/v2alpha1/config.pb.go
+++ b/envoy/config/filter/http/alpn/v2alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/http/alpn/v2alpha1/config.proto

@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -88,12 +89,11 @@ func (FilterConfig_Protocol) EnumDescriptor() ([]byte, []int) {

 // FilterConfig is the config for Istio-specific filter.
 type FilterConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Map from upstream protocol to list of ALPN
-	AlpnOverride []*FilterConfig_AlpnOverride `protobuf:"bytes,1,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	AlpnOverride  []*FilterConfig_AlpnOverride `protobuf:"bytes,1,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *FilterConfig) Reset() {
@ -134,14 +134,13 @@ func (x *FilterConfig) GetAlpnOverride() []*FilterConfig_AlpnOverride {
 }

 type FilterConfig_AlpnOverride struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Upstream protocol
 	UpstreamProtocol FilterConfig_Protocol `protobuf:"varint,1,opt,name=upstream_protocol,json=upstreamProtocol,proto3,enum=istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig_Protocol" json:"upstream_protocol,omitempty"`
 	// A list of ALPN that will override the ALPN for upstream TLS connections.
-	AlpnOverride []string `protobuf:"bytes,2,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	AlpnOverride  []string `protobuf:"bytes,2,rep,name=alpn_override,json=alpnOverride,proto3" json:"alpn_override,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *FilterConfig_AlpnOverride) Reset() {
@ -190,49 +189,29 @@ func (x *FilterConfig_AlpnOverride) GetAlpnOverride() []string {

 var File_envoy_config_filter_http_alpn_v2alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x33, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x61, 0x6c, 0x70, 0x6e, 0x2f,
-	0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2c, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76,
-	0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72,
-	0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x6c, 0x70, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x22, 0xd3, 0x02, 0x0a, 0x0c, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x12, 0x6c, 0x0a, 0x0d, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x6f, 0x76, 0x65,
-	0x72, 0x72, 0x69, 0x64, 0x65, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x47, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x6c, 0x70,
-	0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x41, 0x6c, 0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72,
-	0x72, 0x69, 0x64, 0x65, 0x52, 0x0c, 0x61, 0x6c, 0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69,
-	0x64, 0x65, 0x1a, 0xa5, 0x01, 0x0a, 0x0c, 0x41, 0x6c, 0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72, 0x72,
-	0x69, 0x64, 0x65, 0x12, 0x70, 0x0a, 0x11, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x43,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e,
-	0x61, 0x6c, 0x70, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x46, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x52, 0x10, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x23, 0x0a, 0x0d, 0x61, 0x6c, 0x70, 0x6e, 0x5f, 0x6f, 0x76,
-	0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x61, 0x6c,
-	0x70, 0x6e, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x22, 0x2d, 0x0a, 0x08, 0x50, 0x72,
-	0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x54, 0x54, 0x50, 0x31, 0x30,
-	0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x54, 0x54, 0x50, 0x31, 0x31, 0x10, 0x01, 0x12, 0x09,
-	0x0a, 0x05, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x02, 0x42, 0x35, 0x5a, 0x33, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f,
-	0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74,
-	0x74, 0x70, 0x2f, 0x61, 0x6c, 0x70, 0x6e, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"3envoy/config/filter/http/alpn/v2alpha1/config.proto\x12,istio.envoy.config.filter.http.alpn.v2alpha1\"\xd3\x02\n" +
+	"\fFilterConfig\x12l\n" +
+	"\ralpn_override\x18\x01 \x03(\v2G.istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig.AlpnOverrideR\falpnOverride\x1a\xa5\x01\n" +
+	"\fAlpnOverride\x12p\n" +
+	"\x11upstream_protocol\x18\x01 \x01(\x0e2C.istio.envoy.config.filter.http.alpn.v2alpha1.FilterConfig.ProtocolR\x10upstreamProtocol\x12#\n" +
+	"\ralpn_override\x18\x02 \x03(\tR\falpnOverride\"-\n" +
+	"\bProtocol\x12\n" +
+	"\n" +
+	"\x06HTTP10\x10\x00\x12\n" +
+	"\n" +
+	"\x06HTTP11\x10\x01\x12\t\n" +
+	"\x05HTTP2\x10\x02B5Z3istio.io/api/envoy/config/filter/http/alpn/v2alpha1b\x06proto3"

 var (
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc
+	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData)
+		file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDescData
 }
@ -263,7 +242,7 @@ func file_envoy_config_filter_http_alpn_v2alpha1_config_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   2,
 			NumExtensions: 0,
@ -275,7 +254,6 @@ func file_envoy_config_filter_http_alpn_v2alpha1_config_proto_init() {
 		MessageInfos:      file_envoy_config_filter_http_alpn_v2alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_http_alpn_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_rawDesc = nil
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_goTypes = nil
 	file_envoy_config_filter_http_alpn_v2alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/config/filter/http/authn/v2alpha1/config.pb.go
+++ b/envoy/config/filter/http/authn/v2alpha1/config.pb.go
@ -1,242 +0,0 @@
-// Copyright 2018 Istio Authors
-//
-//   Licensed under the Apache License, Version 2.0 (the "License");
-//   you may not use this file except in compliance with the License.
-//   You may obtain a copy of the License at
-//
-//       http://www.apache.org/licenses/LICENSE-2.0
-//
-//   Unless required by applicable law or agreed to in writing, software
-//   distributed under the License is distributed on an "AS IS" BASIS,
-//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//   See the License for the specific language governing permissions and
-//   limitations under the License.
-
-// Code generated by protoc-gen-go. DO NOT EDIT.
-// versions:
-// 	protoc-gen-go v1.35.1
-// 	protoc        (unknown)
-// source: envoy/config/filter/http/authn/v2alpha1/config.proto
-
-// $title: Internal API for authentication implementation on Envoy.
-
-package v2alpha1
-
-import (
-	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
-	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	v1alpha1 "istio.io/api/authentication/v1alpha1"
-	reflect "reflect"
-	sync "sync"
-)
-
-const (
-	// Verify that this generated code is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
-	// Verify that runtime/protoimpl is sufficiently up-to-date.
-	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
-)
-
-// FilterConfig is the config for Istio-specific filter that is used to enforce
-// authentication policy on Envoy.
-type FilterConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Policy is the original copy of the policy.
-	Policy *v1alpha1.Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
-	// Map from issuer to location of the payload that is emitted by Jwt filter.
-	// This information is added by pilot when construct and add Jwt and
-	// authN filters.
-	JwtOutputPayloadLocations map[string]string `protobuf:"bytes,2,rep,name=jwt_output_payload_locations,json=jwtOutputPayloadLocations,proto3" json:"jwt_output_payload_locations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	// Skips validating the peer's trust domain.
-	// By default, the istio authn filter will reject the request if the peer and
-	// the local service is not in the same trust domain.
-	// Set this field to true to skip the validation and allows peers from any
-	// trust domains.
-	// Note, the istio authn filter only validates the trust domain when mTLS is
-	// used, In other words, this field has no effect for plaintext traffic.
-	// TODO(incfly): deprecate this after allowed_trust_domains is shipped.
-	SkipValidateTrustDomain bool `protobuf:"varint,3,opt,name=skip_validate_trust_domain,json=skipValidateTrustDomain,proto3" json:"skip_validate_trust_domain,omitempty"`
-	// allowed_trust_domains contains a list of trust domains the authn
-	// filter should validate against. When configured, only requests with a
-	// peer from one of the allowed trust domain will be admitted.
-	// An empty list means all trust domains are allowed.
-	// When this field is set, the skip_validate_trust_domain field is ignored.
-	// This field has no effect for plaintext traffic.
-	AllowedTrustDomains []string `protobuf:"bytes,4,rep,name=allowed_trust_domains,json=allowedTrustDomains,proto3" json:"allowed_trust_domains,omitempty"`
-	// By default the authn filter will clear the route cache so that the validated
-	// JWT token claims can be used in routing.
-	// Advanced users can set this to true to disable the behavior if they do not
-	// want the authn filter to clear the route cache for any reasons.
-	// Warning: setting this to true will break the JWT claim based routing.
-	DisableClearRouteCache bool `protobuf:"varint,5,opt,name=disable_clear_route_cache,json=disableClearRouteCache,proto3" json:"disable_clear_route_cache,omitempty"`
-}
-
-func (x *FilterConfig) Reset() {
-	*x = FilterConfig{}
-	mi := &file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes[0]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *FilterConfig) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*FilterConfig) ProtoMessage() {}
-
-func (x *FilterConfig) ProtoReflect() protoreflect.Message {
-	mi := &file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes[0]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use FilterConfig.ProtoReflect.Descriptor instead.
-func (*FilterConfig) Descriptor() ([]byte, []int) {
-	return file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescGZIP(), []int{0}
-}
-
-func (x *FilterConfig) GetPolicy() *v1alpha1.Policy {
-	if x != nil {
-		return x.Policy
-	}
-	return nil
-}
-
-func (x *FilterConfig) GetJwtOutputPayloadLocations() map[string]string {
-	if x != nil {
-		return x.JwtOutputPayloadLocations
-	}
-	return nil
-}
-
-func (x *FilterConfig) GetSkipValidateTrustDomain() bool {
-	if x != nil {
-		return x.SkipValidateTrustDomain
-	}
-	return false
-}
-
-func (x *FilterConfig) GetAllowedTrustDomains() []string {
-	if x != nil {
-		return x.AllowedTrustDomains
-	}
-	return nil
-}
-
-func (x *FilterConfig) GetDisableClearRouteCache() bool {
-	if x != nil {
-		return x.DisableClearRouteCache
-	}
-	return false
-}
-
-var File_envoy_config_filter_http_authn_v2alpha1_config_proto protoreflect.FileDescriptor
-
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x34, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x61, 0x75, 0x74, 0x68, 0x6e,
-	0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e,
-	0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x24, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70,
-	0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe5, 0x03, 0x0a, 0x0c,
-	0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3d, 0x0a, 0x06,
-	0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x6c,
-	0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x9b, 0x01, 0x0a, 0x1c,
-	0x6a, 0x77, 0x74, 0x5f, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x70, 0x61, 0x79, 0x6c, 0x6f,
-	0x61, 0x64, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x5a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79,
-	0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68,
-	0x74, 0x74, 0x70, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68,
-	0x61, 0x31, 0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x4a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
-	0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x19,
-	0x6a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64,
-	0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x3b, 0x0a, 0x1a, 0x73, 0x6b, 0x69,
-	0x70, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74,
-	0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x17, 0x73,
-	0x6b, 0x69, 0x70, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x72, 0x75, 0x73, 0x74,
-	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x15, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65,
-	0x64, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18,
-	0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x54, 0x72,
-	0x75, 0x73, 0x74, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x39, 0x0a, 0x19, 0x64, 0x69,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x63, 0x6c, 0x65, 0x61, 0x72, 0x5f, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x16, 0x64,
-	0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x6c, 0x65, 0x61, 0x72, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x43, 0x61, 0x63, 0x68, 0x65, 0x1a, 0x4c, 0x0a, 0x1e, 0x4a, 0x77, 0x74, 0x4f, 0x75, 0x74, 0x70,
-	0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
-	0x02, 0x38, 0x01, 0x42, 0x36, 0x5a, 0x34, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x61, 0x75, 0x74,
-	0x68, 0x6e, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x33,
-}
-
-var (
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc
-)
-
-func file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescGZIP() []byte {
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData)
-	})
-	return file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDescData
-}
-
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes = []any{
-	(*FilterConfig)(nil),    // 0: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig
-	nil,                     // 1: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.JwtOutputPayloadLocationsEntry
-	(*v1alpha1.Policy)(nil), // 2: istio.authentication.v1alpha1.Policy
-}
-var file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs = []int32{
-	2, // 0: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.policy:type_name -> istio.authentication.v1alpha1.Policy
-	1, // 1: istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.jwt_output_payload_locations:type_name -> istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig.JwtOutputPayloadLocationsEntry
-	2, // [2:2] is the sub-list for method output_type
-	2, // [2:2] is the sub-list for method input_type
-	2, // [2:2] is the sub-list for extension type_name
-	2, // [2:2] is the sub-list for extension extendee
-	0, // [0:2] is the sub-list for field type_name
-}
-
-func init() { file_envoy_config_filter_http_authn_v2alpha1_config_proto_init() }
-func file_envoy_config_filter_http_authn_v2alpha1_config_proto_init() {
-	if File_envoy_config_filter_http_authn_v2alpha1_config_proto != nil {
-		return
-	}
-	type x struct{}
-	out := protoimpl.TypeBuilder{
-		File: protoimpl.DescBuilder{
-			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc,
-			NumEnums:      0,
-			NumMessages:   2,
-			NumExtensions: 0,
-			NumServices:   0,
-		},
-		GoTypes:           file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes,
-		DependencyIndexes: file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs,
-		MessageInfos:      file_envoy_config_filter_http_authn_v2alpha1_config_proto_msgTypes,
-	}.Build()
-	File_envoy_config_filter_http_authn_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_rawDesc = nil
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_goTypes = nil
-	file_envoy_config_filter_http_authn_v2alpha1_config_proto_depIdxs = nil
-}
--- a/envoy/config/filter/http/authn/v2alpha1/config.proto
+++ b/envoy/config/filter/http/authn/v2alpha1/config.proto
@ -1,60 +0,0 @@
-// Copyright 2018 Istio Authors
-//
-//   Licensed under the Apache License, Version 2.0 (the "License");
-//   you may not use this file except in compliance with the License.
-//   You may obtain a copy of the License at
-//
-//       http://www.apache.org/licenses/LICENSE-2.0
-//
-//   Unless required by applicable law or agreed to in writing, software
-//   distributed under the License is distributed on an "AS IS" BASIS,
-//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-//   See the License for the specific language governing permissions and
-//   limitations under the License.
-
-syntax = "proto3";
-
-import "authentication/v1alpha1/policy.proto";
-
-// $title: Internal API for authentication implementation on Envoy.
-
-package istio.envoy.config.filter.http.authn.v2alpha1;
-
-option go_package = "istio.io/api/envoy/config/filter/http/authn/v2alpha1";
-
-// FilterConfig is the config for Istio-specific filter that is used to enforce
-// authentication policy on Envoy.
-message FilterConfig {
-  // Policy is the original copy of the policy.
-  istio.authentication.v1alpha1.Policy policy = 1;
-
-  // Map from issuer to location of the payload that is emitted by Jwt filter.
-  // This information is added by pilot when construct and add Jwt and
-  // authN filters.
-  map<string, string> jwt_output_payload_locations = 2;
-
-  // Skips validating the peer's trust domain.
-  // By default, the istio authn filter will reject the request if the peer and
-  // the local service is not in the same trust domain.
-  // Set this field to true to skip the validation and allows peers from any
-  // trust domains.
-  // Note, the istio authn filter only validates the trust domain when mTLS is
-  // used, In other words, this field has no effect for plaintext traffic.
-  // TODO(incfly): deprecate this after allowed_trust_domains is shipped.
-  bool skip_validate_trust_domain = 3;
-
-  // allowed_trust_domains contains a list of trust domains the authn
-  // filter should validate against. When configured, only requests with a
-  // peer from one of the allowed trust domain will be admitted.
-  // An empty list means all trust domains are allowed.
-  // When this field is set, the skip_validate_trust_domain field is ignored.
-  // This field has no effect for plaintext traffic.
-  repeated string allowed_trust_domains = 4;
-
-  // By default the authn filter will clear the route cache so that the validated
-  // JWT token claims can be used in routing.
-  // Advanced users can set this to true to disable the behavior if they do not
-  // want the authn filter to clear the route cache for any reasons.
-  // Warning: setting this to true will break the JWT claim based routing.
-  bool disable_clear_route_cache = 5;
-}
--- a/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go
+++ b/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/http/jwt_auth/v2alpha1/config.proto

@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -38,10 +39,7 @@ const (
 // Copied from @envoy/api/envoy/api/v2/core/http_uri.proto
 // Envoy external URI descriptor
 type HttpUri struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The HTTP server URI. It should be a full FQDN with protocol, host and path.
 	//
 	// Example:
@ -55,12 +53,14 @@ type HttpUri struct {
 	// inline DNS resolution. See `issue
 	// <https://github.com/envoyproxy/envoy/issues/1606>`_.
 	//
-	// Types that are assignable to HttpUpstreamType:
+	// Types that are valid to be assigned to HttpUpstreamType:
 	//
 	//	*HttpUri_Cluster
 	HttpUpstreamType isHttpUri_HttpUpstreamType `protobuf_oneof:"http_upstream_type"`
 	// Sets the maximum duration in milliseconds that a response can take to arrive upon request.
-	Timeout *duration.Duration `protobuf:"bytes,3,opt,name=timeout,proto3" json:"timeout,omitempty"`
+	Timeout       *duration.Duration `protobuf:"bytes,3,opt,name=timeout,proto3" json:"timeout,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *HttpUri) Reset() {
@ -100,16 +100,18 @@ func (x *HttpUri) GetUri() string {
 	return ""
 }

-func (m *HttpUri) GetHttpUpstreamType() isHttpUri_HttpUpstreamType {
-	if m != nil {
-		return m.HttpUpstreamType
+func (x *HttpUri) GetHttpUpstreamType() isHttpUri_HttpUpstreamType {
+	if x != nil {
+		return x.HttpUpstreamType
 	}
 	return nil
 }

 func (x *HttpUri) GetCluster() string {
-	if x, ok := x.GetHttpUpstreamType().(*HttpUri_Cluster); ok {
-		return x.Cluster
+	if x != nil {
+		if x, ok := x.HttpUpstreamType.(*HttpUri_Cluster); ok {
+			return x.Cluster
+		}
 	}
 	return ""
 }
@ -142,16 +144,15 @@ func (*HttpUri_Cluster) isHttpUri_HttpUpstreamType() {}
 // Copied from @envoy/api/envoy/api/v2/core/base.proto
 // Data source consisting of either a file or an inline value.
 type DataSource struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Types that are assignable to Specifier:
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Specifier:
 	//
 	//	*DataSource_Filename
 	//	*DataSource_InlineBytes
 	//	*DataSource_InlineString
-	Specifier isDataSource_Specifier `protobuf_oneof:"specifier"`
+	Specifier     isDataSource_Specifier `protobuf_oneof:"specifier"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *DataSource) Reset() {
@ -184,30 +185,36 @@ func (*DataSource) Descriptor() ([]byte, []int) {
 	return file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescGZIP(), []int{1}
 }

-func (m *DataSource) GetSpecifier() isDataSource_Specifier {
-	if m != nil {
-		return m.Specifier
+func (x *DataSource) GetSpecifier() isDataSource_Specifier {
+	if x != nil {
+		return x.Specifier
 	}
 	return nil
 }

 func (x *DataSource) GetFilename() string {
-	if x, ok := x.GetSpecifier().(*DataSource_Filename); ok {
-		return x.Filename
+	if x != nil {
+		if x, ok := x.Specifier.(*DataSource_Filename); ok {
+			return x.Filename
+		}
 	}
 	return ""
 }

 func (x *DataSource) GetInlineBytes() []byte {
-	if x, ok := x.GetSpecifier().(*DataSource_InlineBytes); ok {
-		return x.InlineBytes
+	if x != nil {
+		if x, ok := x.Specifier.(*DataSource_InlineBytes); ok {
+			return x.InlineBytes
+		}
 	}
 	return nil
 }

 func (x *DataSource) GetInlineString() string {
-	if x, ok := x.GetSpecifier().(*DataSource_InlineString); ok {
-		return x.InlineString
+	if x != nil {
+		if x, ok := x.Specifier.(*DataSource_InlineString); ok {
+			return x.InlineString
+		}
 	}
 	return ""
 }
@ -259,10 +266,7 @@ func (*DataSource_InlineString) isDataSource_Specifier() {}
 //
 // ```
 type JwtRule struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Identifies the principal that issued the JWT. See `here
 	//
 	//	<https://tools.ietf.org/html/rfc7519#section-4.1.1>`_. Usually a URL or an email address.
@ -285,7 +289,7 @@ type JwtRule struct {
 	// `JSON Web Key Set <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed. to validate
 	// signature of the JWT. This field specifies where to fetch JWKS.
 	//
-	// Types that are assignable to JwksSourceSpecifier:
+	// Types that are valid to be assigned to JwksSourceSpecifier:
 	//
 	//	*JwtRule_RemoteJwks
 	//	*JwtRule_LocalJwks
@ -328,6 +332,8 @@ type JwtRule struct {
 	// multiple JWTs from different issuers want to forward their payloads, their
 	// `forward_payload_header` should be different.
 	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
+	unknownFields        protoimpl.UnknownFields
+	sizeCache            protoimpl.SizeCache
 }

 func (x *JwtRule) Reset() {
@ -374,23 +380,27 @@ func (x *JwtRule) GetAudiences() []string {
 	return nil
 }

-func (m *JwtRule) GetJwksSourceSpecifier() isJwtRule_JwksSourceSpecifier {
-	if m != nil {
-		return m.JwksSourceSpecifier
+func (x *JwtRule) GetJwksSourceSpecifier() isJwtRule_JwksSourceSpecifier {
+	if x != nil {
+		return x.JwksSourceSpecifier
 	}
 	return nil
 }

 func (x *JwtRule) GetRemoteJwks() *RemoteJwks {
-	if x, ok := x.GetJwksSourceSpecifier().(*JwtRule_RemoteJwks); ok {
-		return x.RemoteJwks
+	if x != nil {
+		if x, ok := x.JwksSourceSpecifier.(*JwtRule_RemoteJwks); ok {
+			return x.RemoteJwks
+		}
 	}
 	return nil
 }

 func (x *JwtRule) GetLocalJwks() *DataSource {
-	if x, ok := x.GetJwksSourceSpecifier().(*JwtRule_LocalJwks); ok {
-		return x.LocalJwks
+	if x != nil {
+		if x, ok := x.JwksSourceSpecifier.(*JwtRule_LocalJwks); ok {
+			return x.LocalJwks
+		}
 	}
 	return nil
 }
@ -470,10 +480,7 @@ func (*JwtRule_LocalJwks) isJwtRule_JwksSourceSpecifier() {}

 // This message specifies how to fetch JWKS from remote and how to cache it.
 type RemoteJwks struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The HTTP URI to fetch the JWKS. For example:
 	//
 	// .. code-block:: yaml
@ -485,6 +492,8 @@ type RemoteJwks struct {
 	// Duration after which the cached JWKS should be expired. If not specified, default cache
 	// duration is 5 minutes.
 	CacheDuration *duration.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *RemoteJwks) Reset() {
@ -533,16 +542,15 @@ func (x *RemoteJwks) GetCacheDuration() *duration.Duration {

 // This message specifies a header location to extract JWT token.
 type JwtHeader struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The HTTP header name.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// The value prefix. The value format is "value_prefix<token>"
 	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
 	// end.
-	ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
+	ValuePrefix   string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *JwtHeader) Reset() {
@ -592,15 +600,14 @@ func (x *JwtHeader) GetValuePrefix() string {
 // This is the Envoy HTTP filter config for JWT authentication.
 // [#not-implemented-hide:]
 type JwtAuthentication struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// List of JWT rules to valide.
 	Rules []*JwtRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
 	// If true, the request is allowed if JWT is missing or JWT verification fails.
 	// Default is false, a request without JWT or failed JWT verification is not allowed.
 	AllowMissingOrFailed bool `protobuf:"varint,2,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3" json:"allow_missing_or_failed,omitempty"`
+	unknownFields        protoimpl.UnknownFields
+	sizeCache            protoimpl.SizeCache
 }

 func (x *JwtAuthentication) Reset() {
@ -649,102 +656,52 @@ func (x *JwtAuthentication) GetAllowMissingOrFailed() bool {

 var File_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x37, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x68, 0x74, 0x74, 0x70, 0x2f, 0x6a, 0x77, 0x74, 0x5f, 0x61,
-	0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x30, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75,
-	0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x82, 0x01, 0x0a, 0x07,
-	0x48, 0x74, 0x74, 0x70, 0x55, 0x72, 0x69, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x1a, 0x0a, 0x07, 0x63, 0x6c, 0x75,
-	0x73, 0x74, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x07, 0x63, 0x6c,
-	0x75, 0x73, 0x74, 0x65, 0x72, 0x12, 0x33, 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x52, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x42, 0x14, 0x0a, 0x12, 0x68, 0x74,
-	0x74, 0x70, 0x5f, 0x75, 0x70, 0x73, 0x74, 0x72, 0x65, 0x61, 0x6d, 0x5f, 0x74, 0x79, 0x70, 0x65,
-	0x22, 0x83, 0x01, 0x0a, 0x0a, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12,
-	0x1c, 0x0a, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x48, 0x00, 0x52, 0x08, 0x66, 0x69, 0x6c, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a,
-	0x0c, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x0b, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x42, 0x79, 0x74,
-	0x65, 0x73, 0x12, 0x25, 0x0a, 0x0d, 0x69, 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x5f, 0x73, 0x74, 0x72,
-	0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0c, 0x69, 0x6e, 0x6c,
-	0x69, 0x6e, 0x65, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x42, 0x0b, 0x0a, 0x09, 0x73, 0x70, 0x65,
-	0x63, 0x69, 0x66, 0x69, 0x65, 0x72, 0x22, 0xe9, 0x03, 0x0a, 0x07, 0x4a, 0x77, 0x74, 0x52, 0x75,
-	0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75,
-	0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09, 0x61,
-	0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x5f, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f,
-	0x74, 0x65, 0x5f, 0x6a, 0x77, 0x6b, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a,
-	0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b, 0x73, 0x48, 0x00, 0x52, 0x0a, 0x72,
-	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b, 0x73, 0x12, 0x5d, 0x0a, 0x0a, 0x6c, 0x6f, 0x63,
-	0x61, 0x6c, 0x5f, 0x6a, 0x77, 0x6b, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a,
-	0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x44, 0x61, 0x74, 0x61, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x48, 0x00, 0x52, 0x09, 0x6c,
-	0x6f, 0x63, 0x61, 0x6c, 0x4a, 0x77, 0x6b, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x66, 0x6f, 0x72, 0x77,
-	0x61, 0x72, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x66, 0x6f, 0x72, 0x77, 0x61,
-	0x72, 0x64, 0x12, 0x5e, 0x0a, 0x0c, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65,
-	0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75,
-	0x74, 0x68, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4a, 0x77, 0x74, 0x48,
-	0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65,
-	0x72, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d,
-	0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x66, 0x72, 0x6f, 0x6d, 0x50, 0x61, 0x72,
-	0x61, 0x6d, 0x73, 0x12, 0x34, 0x0a, 0x16, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x70,
-	0x61, 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x08, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x14, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x50, 0x61, 0x79, 0x6c,
-	0x6f, 0x61, 0x64, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x42, 0x17, 0x0a, 0x15, 0x6a, 0x77, 0x6b,
-	0x73, 0x5f, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x5f, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69,
-	0x65, 0x72, 0x22, 0xa4, 0x01, 0x0a, 0x0a, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b,
-	0x73, 0x12, 0x54, 0x0a, 0x08, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f,
-	0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e,
-	0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x55, 0x72, 0x69, 0x52, 0x07,
-	0x68, 0x74, 0x74, 0x70, 0x55, 0x72, 0x69, 0x12, 0x40, 0x0a, 0x0e, 0x63, 0x61, 0x63, 0x68, 0x65,
-	0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
-	0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
-	0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x63, 0x61, 0x63, 0x68,
-	0x65, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x42, 0x0a, 0x09, 0x4a, 0x77, 0x74,
-	0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x21, 0x0a, 0x0c, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0b, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x9b, 0x01,
-	0x0a, 0x11, 0x4a, 0x77, 0x74, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x12, 0x4f, 0x0a, 0x05, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79,
-	0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68,
-	0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4a, 0x77, 0x74, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x05, 0x72,
-	0x75, 0x6c, 0x65, 0x73, 0x12, 0x35, 0x0a, 0x17, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x6d, 0x69,
-	0x73, 0x73, 0x69, 0x6e, 0x67, 0x5f, 0x6f, 0x72, 0x5f, 0x66, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x4d, 0x69, 0x73, 0x73,
-	0x69, 0x6e, 0x67, 0x4f, 0x72, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x42, 0x39, 0x5a, 0x37, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f,
-	0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f,
-	0x68, 0x74, 0x74, 0x70, 0x2f, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"7envoy/config/filter/http/jwt_auth/v2alpha1/config.proto\x120istio.envoy.config.filter.http.jwt_auth.v2alpha1\x1a\x1egoogle/protobuf/duration.proto\"\x82\x01\n" +
+	"\aHttpUri\x12\x10\n" +
+	"\x03uri\x18\x01 \x01(\tR\x03uri\x12\x1a\n" +
+	"\acluster\x18\x02 \x01(\tH\x00R\acluster\x123\n" +
+	"\atimeout\x18\x03 \x01(\v2\x19.google.protobuf.DurationR\atimeoutB\x14\n" +
+	"\x12http_upstream_type\"\x83\x01\n" +
+	"\n" +
+	"DataSource\x12\x1c\n" +
+	"\bfilename\x18\x01 \x01(\tH\x00R\bfilename\x12#\n" +
+	"\finline_bytes\x18\x02 \x01(\fH\x00R\vinlineBytes\x12%\n" +
+	"\rinline_string\x18\x03 \x01(\tH\x00R\finlineStringB\v\n" +
+	"\tspecifier\"\xe9\x03\n" +
+	"\aJwtRule\x12\x16\n" +
+	"\x06issuer\x18\x01 \x01(\tR\x06issuer\x12\x1c\n" +
+	"\taudiences\x18\x02 \x03(\tR\taudiences\x12_\n" +
+	"\vremote_jwks\x18\x03 \x01(\v2<.istio.envoy.config.filter.http.jwt_auth.v2alpha1.RemoteJwksH\x00R\n" +
+	"remoteJwks\x12]\n" +
+	"\n" +
+	"local_jwks\x18\x04 \x01(\v2<.istio.envoy.config.filter.http.jwt_auth.v2alpha1.DataSourceH\x00R\tlocalJwks\x12\x18\n" +
+	"\aforward\x18\x05 \x01(\bR\aforward\x12^\n" +
+	"\ffrom_headers\x18\x06 \x03(\v2;.istio.envoy.config.filter.http.jwt_auth.v2alpha1.JwtHeaderR\vfromHeaders\x12\x1f\n" +
+	"\vfrom_params\x18\a \x03(\tR\n" +
+	"fromParams\x124\n" +
+	"\x16forward_payload_header\x18\b \x01(\tR\x14forwardPayloadHeaderB\x17\n" +
+	"\x15jwks_source_specifier\"\xa4\x01\n" +
+	"\n" +
+	"RemoteJwks\x12T\n" +
+	"\bhttp_uri\x18\x01 \x01(\v29.istio.envoy.config.filter.http.jwt_auth.v2alpha1.HttpUriR\ahttpUri\x12@\n" +
+	"\x0ecache_duration\x18\x02 \x01(\v2\x19.google.protobuf.DurationR\rcacheDuration\"B\n" +
+	"\tJwtHeader\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12!\n" +
+	"\fvalue_prefix\x18\x02 \x01(\tR\vvaluePrefix\"\x9b\x01\n" +
+	"\x11JwtAuthentication\x12O\n" +
+	"\x05rules\x18\x01 \x03(\v29.istio.envoy.config.filter.http.jwt_auth.v2alpha1.JwtRuleR\x05rules\x125\n" +
+	"\x17allow_missing_or_failed\x18\x02 \x01(\bR\x14allowMissingOrFailedB9Z7istio.io/api/envoy/config/filter/http/jwt_auth/v2alpha1b\x06proto3"

 var (
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc
+	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData)
+		file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDescData
 }
@ -795,7 +752,7 @@ func file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   6,
 			NumExtensions: 0,
@ -806,7 +763,6 @@ func file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_init() {
 		MessageInfos:      file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_rawDesc = nil
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_goTypes = nil
 	file_envoy_config_filter_http_jwt_auth_v2alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto
+++ b/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto
@ -14,10 +14,10 @@

 syntax = "proto3";

-import "google/protobuf/duration.proto";
-
 package istio.envoy.config.filter.http.jwt_auth.v2alpha1;

+import "google/protobuf/duration.proto";
+
 option go_package = "istio.io/api/envoy/config/filter/http/jwt_auth/v2alpha1";

 // Copied from @envoy/api/envoy/api/v2/core/http_uri.proto
--- a/envoy/config/filter/network/metadata_exchange/metadata_exchange.pb.go
+++ b/envoy/config/filter/network/metadata_exchange/metadata_exchange.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/network/metadata_exchange/metadata_exchange.proto

@ -25,6 +25,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -37,15 +38,14 @@ const (
 // [#protodoc-title: MetadataExchange protocol match and data transfer]
 // MetadataExchange protocol match and data transfer
 type MetadataExchange struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Protocol that Alpn should support on the server.
 	// [#comment:TODO(GargNupur): Make it a list.]
 	Protocol string `protobuf:"bytes,1,opt,name=protocol,proto3" json:"protocol,omitempty"`
 	// If true, will attempt to use WDS in case the prefix peer metadata is not available.
 	EnableDiscovery bool `protobuf:"varint,2,opt,name=enable_discovery,json=enableDiscovery,proto3" json:"enable_discovery,omitempty"`
+	unknownFields   protoimpl.UnknownFields
+	sizeCache       protoimpl.SizeCache
 }

 func (x *MetadataExchange) Reset() {
@ -94,39 +94,22 @@ func (x *MetadataExchange) GetEnableDiscovery() bool {

 var File_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc = []byte{
-	0x0a, 0x45, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2f, 0x6d, 0x65,
-	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x2f,
-	0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x21, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x74,
-	0x63, 0x70, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x65, 0x78, 0x63, 0x68, 0x61,
-	0x6e, 0x67, 0x65, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x59, 0x0a, 0x10, 0x4d, 0x65,
-	0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x1a,
-	0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x29, 0x0a, 0x10, 0x65, 0x6e,
-	0x61, 0x62, 0x6c, 0x65, 0x5f, 0x64, 0x69, 0x73, 0x63, 0x6f, 0x76, 0x65, 0x72, 0x79, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x44, 0x69, 0x73, 0x63,
-	0x6f, 0x76, 0x65, 0x72, 0x79, 0x42, 0x86, 0x01, 0x0a, 0x2f, 0x69, 0x6f, 0x2e, 0x65, 0x6e, 0x76,
-	0x6f, 0x79, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x74, 0x63,
-	0x70, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e,
-	0x67, 0x65, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x42, 0x15, 0x4d, 0x65, 0x74, 0x61, 0x64,
-	0x61, 0x74, 0x61, 0x45, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f,
-	0x50, 0x01, 0x5a, 0x3a, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2f, 0x6d, 0x65, 0x74,
-	0x61, 0x64, 0x61, 0x74, 0x61, 0x5f, 0x65, 0x78, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc = "" +
+	"\n" +
+	"Eenvoy/config/filter/network/metadata_exchange/metadata_exchange.proto\x12!envoy.tcp.metadataexchange.config\"Y\n" +
+	"\x10MetadataExchange\x12\x1a\n" +
+	"\bprotocol\x18\x01 \x01(\tR\bprotocol\x12)\n" +
+	"\x10enable_discovery\x18\x02 \x01(\bR\x0fenableDiscoveryB\x86\x01\n" +
+	"/io.envoyproxy.envoy.tcp.metadataexchange.configB\x15MetadataExchangeProtoP\x01Z:istio.io/api/envoy/config/filter/network/metadata_exchangeb\x06proto3"

 var (
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData = file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc
+	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData []byte
 )

 func file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData)
+		file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc), len(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDescData
 }
@ -152,7 +135,7 @@ func file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc), len(file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@ -163,7 +146,6 @@ func file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_
 		MessageInfos:      file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto = out.File
-	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_rawDesc = nil
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_goTypes = nil
 	file_envoy_config_filter_network_metadata_exchange_metadata_exchange_proto_depIdxs = nil
 }
--- a/envoy/config/filter/network/metadata_exchange/metadata_exchange.proto
+++ b/envoy/config/filter/network/metadata_exchange/metadata_exchange.proto
@ -17,10 +17,10 @@ syntax = "proto3";

 package envoy.tcp.metadataexchange.config;

-option java_outer_classname = "MetadataExchangeProto";
-option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.tcp.metadataexchange.config";
 option go_package = "istio.io/api/envoy/config/filter/network/metadata_exchange";
+option java_multiple_files = true;
+option java_outer_classname = "MetadataExchangeProto";
+option java_package = "io.envoyproxy.envoy.tcp.metadataexchange.config";

 // [#protodoc-title: MetadataExchange protocol match and data transfer]
 // MetadataExchange protocol match and data transfer
--- a/envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.pb.go
+++ b/envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.proto

@ -27,6 +27,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -38,14 +39,13 @@ const (

 // TcpClusterRewrite is the config for the TCP cluster rewrite filter.
 type TcpClusterRewrite struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Specifies the regex pattern to be matched in the cluster name.
 	ClusterPattern string `protobuf:"bytes,1,opt,name=cluster_pattern,json=clusterPattern,proto3" json:"cluster_pattern,omitempty"`
 	// Specifies the replacement for the matched cluster pattern.
 	ClusterReplacement string `protobuf:"bytes,2,opt,name=cluster_replacement,json=clusterReplacement,proto3" json:"cluster_replacement,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
 }

 func (x *TcpClusterRewrite) Reset() {
@ -94,38 +94,21 @@ func (x *TcpClusterRewrite) GetClusterReplacement() string {

 var File_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x45, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x66,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2f, 0x74, 0x63,
-	0x70, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x72, 0x65, 0x77, 0x72, 0x69, 0x74,
-	0x65, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x3e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65,
-	0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74,
-	0x65, 0x72, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x74, 0x63, 0x70, 0x5f, 0x63,
-	0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x72, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x2e, 0x76,
-	0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x6d, 0x0a, 0x11, 0x54, 0x63, 0x70, 0x43, 0x6c,
-	0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x12, 0x27, 0x0a, 0x0f,
-	0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x70, 0x61, 0x74, 0x74, 0x65, 0x72, 0x6e, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x50, 0x61,
-	0x74, 0x74, 0x65, 0x72, 0x6e, 0x12, 0x2f, 0x0a, 0x13, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
-	0x5f, 0x72, 0x65, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x12, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x65, 0x70, 0x6c, 0x61,
-	0x63, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x42, 0x47, 0x5a, 0x45, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x63, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x2f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x2f, 0x74, 0x63, 0x70, 0x5f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x72,
-	0x65, 0x77, 0x72, 0x69, 0x74, 0x65, 0x2f, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"Eenvoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.proto\x12>istio.envoy.config.filter.network.tcp_cluster_rewrite.v2alpha1\"m\n" +
+	"\x11TcpClusterRewrite\x12'\n" +
+	"\x0fcluster_pattern\x18\x01 \x01(\tR\x0eclusterPattern\x12/\n" +
+	"\x13cluster_replacement\x18\x02 \x01(\tR\x12clusterReplacementBGZEistio.io/api/envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1b\x06proto3"

 var (
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData = file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc
+	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData)
+		file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDescData
 }
@ -151,7 +134,7 @@ func file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc), len(file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@ -162,7 +145,6 @@ func file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_
 		MessageInfos:      file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto = out.File
-	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_rawDesc = nil
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_goTypes = nil
 	file_envoy_config_filter_network_tcp_cluster_rewrite_v2alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/extensions/stackdriver/config/v1alpha1/config.pb.go
+++ b/envoy/extensions/stackdriver/config/v1alpha1/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/extensions/stackdriver/config/v1alpha1/config.proto

@ -34,6 +34,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -101,18 +102,17 @@ func (PluginConfig_AccessLogging) EnumDescriptor() ([]byte, []int) {
 // Custom instance configuration overrides.
 // Provides a way to customize logs.
 type CustomConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// (Optional) Collection of tag names and tag expressions to include in the
 	// instance. Conflicts are resolved by the tag name by overriding previously
 	// supplied values.
-	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// (Optional) A list of tags to remove.
 	// Not implemented yet.
 	// $hide_from_docs
-	TagsToRemove []string `protobuf:"bytes,2,rep,name=tags_to_remove,json=tagsToRemove,proto3" json:"tags_to_remove,omitempty"`
+	TagsToRemove  []string `protobuf:"bytes,2,rep,name=tags_to_remove,json=tagsToRemove,proto3" json:"tags_to_remove,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *CustomConfig) Reset() {
@ -161,10 +161,7 @@ func (x *CustomConfig) GetTagsToRemove() []string {

 // next id: 17
 type PluginConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Optional. Controls whether to export server access log.
 	// This is deprecated in favor of AccessLogging enum.
 	//
@ -261,7 +258,9 @@ type PluginConfig struct {
 	// Optional. Allows altering metrics behavior.
 	// Metric names for specifying overloads drop the `istio.io/service` prefix.
 	// Examples: `server/request_count`, `client/roundtrip_latencies`
-	MetricsOverrides map[string]*MetricsOverride `protobuf:"bytes,16,rep,name=metrics_overrides,json=metricsOverrides,proto3" json:"metrics_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	MetricsOverrides map[string]*MetricsOverride `protobuf:"bytes,16,rep,name=metrics_overrides,json=metricsOverrides,proto3" json:"metrics_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields    protoimpl.UnknownFields
+	sizeCache        protoimpl.SizeCache
 }

 func (x *PluginConfig) Reset() {
@ -419,17 +418,16 @@ func (x *PluginConfig) GetMetricsOverrides() map[string]*MetricsOverride {

 // Provides behavior modifications for Cloud Monitoring metrics.
 type MetricsOverride struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Optional. If true, no data for the associated metric will be collected or
 	// exported.
 	Drop bool `protobuf:"varint,1,opt,name=drop,proto3" json:"drop,omitempty"`
 	// Optional. Maps tag names to value expressions that will be used at
 	// reporting time. If the tag name does not match a well-known tag for the
 	// istio Cloud Monitoring metrics, the configuration will have no effect.
-	TagOverrides map[string]string `protobuf:"bytes,2,rep,name=tag_overrides,json=tagOverrides,proto3" json:"tag_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	TagOverrides  map[string]string `protobuf:"bytes,2,rep,name=tag_overrides,json=tagOverrides,proto3" json:"tag_overrides,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *MetricsOverride) Reset() {
@ -478,145 +476,58 @@ func (x *MetricsOverride) GetTagOverrides() map[string]string {

 var File_envoy_extensions_stackdriver_config_v1alpha1_config_proto protoreflect.FileDescriptor

-var file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc = []byte{
-	0x0a, 0x39, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2f, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x73, 0x74, 0x61,
-	0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65,
-	0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xce, 0x01, 0x0a, 0x0c, 0x43, 0x75, 0x73,
-	0x74, 0x6f, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x59, 0x0a, 0x0a, 0x64, 0x69, 0x6d,
-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x39, 0x2e,
-	0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x75, 0x73, 0x74,
-	0x6f, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69,
-	0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x12, 0x24, 0x0a, 0x0e, 0x74, 0x61, 0x67, 0x73, 0x5f, 0x74, 0x6f, 0x5f,
-	0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x74, 0x61,
-	0x67, 0x73, 0x54, 0x6f, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x1a, 0x3d, 0x0a, 0x0f, 0x44, 0x69,
-	0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
-	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
-	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x80, 0x0b, 0x0a, 0x0c, 0x50, 0x6c,
-	0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x45, 0x0a, 0x1d, 0x64, 0x69,
-	0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x61, 0x63, 0x63,
-	0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x1a, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x65,
-	0x72, 0x76, 0x65, 0x72, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e,
-	0x67, 0x12, 0x3b, 0x0a, 0x1b, 0x6d, 0x61, 0x78, 0x5f, 0x6c, 0x6f, 0x67, 0x5f, 0x62, 0x61, 0x74,
-	0x63, 0x68, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x5f, 0x69, 0x6e, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73,
-	0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x16, 0x6d, 0x61, 0x78, 0x4c, 0x6f, 0x67, 0x42, 0x61,
-	0x74, 0x63, 0x68, 0x53, 0x69, 0x7a, 0x65, 0x49, 0x6e, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x49,
-	0x0a, 0x13, 0x6c, 0x6f, 0x67, 0x5f, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x64, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x11, 0x6c, 0x6f, 0x67, 0x52, 0x65, 0x70, 0x6f, 0x72,
-	0x74, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x28, 0x0a, 0x10, 0x65, 0x6e, 0x61,
-	0x62, 0x6c, 0x65, 0x5f, 0x61, 0x75, 0x64, 0x69, 0x74, 0x5f, 0x6c, 0x6f, 0x67, 0x18, 0x0b, 0x20,
-	0x01, 0x28, 0x08, 0x52, 0x0e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x75, 0x64, 0x69, 0x74,
-	0x4c, 0x6f, 0x67, 0x12, 0x38, 0x0a, 0x18, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x41, 0x0a,
-	0x1b, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x6d, 0x65, 0x73, 0x68, 0x5f, 0x65, 0x64, 0x67,
-	0x65, 0x73, 0x5f, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x18, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x65,
-	0x73, 0x68, 0x45, 0x64, 0x67, 0x65, 0x73, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67,
-	0x12, 0x60, 0x0a, 0x1d, 0x6d, 0x65, 0x73, 0x68, 0x5f, 0x65, 0x64, 0x67, 0x65, 0x73, 0x5f, 0x72,
-	0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x42, 0x02, 0x18, 0x01, 0x52, 0x1a, 0x6d, 0x65, 0x73, 0x68, 0x45, 0x64, 0x67, 0x65,
-	0x73, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x2d, 0x0a, 0x13, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63,
-	0x61, 0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52,
-	0x10, 0x6d, 0x61, 0x78, 0x50, 0x65, 0x65, 0x72, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a,
-	0x65, 0x12, 0x3f, 0x0a, 0x1c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x68, 0x6f, 0x73,
-	0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x66, 0x61, 0x6c, 0x6c, 0x62, 0x61, 0x63,
-	0x6b, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65,
-	0x48, 0x6f, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x46, 0x61, 0x6c, 0x6c, 0x62, 0x61,
-	0x63, 0x6b, 0x12, 0x2f, 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f, 0x65, 0x64, 0x67, 0x65, 0x73, 0x5f,
-	0x62, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x05,
-	0x52, 0x11, 0x6d, 0x61, 0x78, 0x45, 0x64, 0x67, 0x65, 0x73, 0x42, 0x61, 0x74, 0x63, 0x68, 0x53,
-	0x69, 0x7a, 0x65, 0x12, 0x3d, 0x0a, 0x19, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x68,
-	0x74, 0x74, 0x70, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
-	0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x42, 0x02, 0x18, 0x01, 0x52, 0x16, 0x64, 0x69, 0x73, 0x61,
-	0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x53, 0x69, 0x7a, 0x65, 0x4d, 0x65, 0x74, 0x72, 0x69,
-	0x63, 0x73, 0x12, 0x50, 0x0a, 0x16, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x6c, 0x6f, 0x67,
-	0x5f, 0x63, 0x6f, 0x6d, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x09, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14,
-	0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4c, 0x6f, 0x67, 0x43, 0x6f, 0x6d, 0x70, 0x72, 0x65, 0x73,
-	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x5e, 0x0a, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c,
-	0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x37, 0x2e, 0x73,
-	0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69,
-	0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f,
-	0x67, 0x67, 0x69, 0x6e, 0x67, 0x52, 0x0d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67,
-	0x67, 0x69, 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x20, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c,
-	0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x5f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x5f, 0x65, 0x78,
-	0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x11, 0x20, 0x01, 0x28, 0x09, 0x52, 0x1d,
-	0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x46, 0x69, 0x6c,
-	0x74, 0x65, 0x72, 0x45, 0x78, 0x70, 0x72, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x55, 0x0a,
-	0x11, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x6c, 0x6f, 0x67, 0x5f, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x73, 0x74, 0x61, 0x63, 0x6b,
-	0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x52, 0x0f, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x4c, 0x6f, 0x67, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x12, 0x4f, 0x0a, 0x16, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x5f, 0x65,
-	0x78, 0x70, 0x69, 0x72, 0x79, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0f,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52,
-	0x14, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x45, 0x78, 0x70, 0x69, 0x72, 0x79, 0x44, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6c, 0x0a, 0x11, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
-	0x5f, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x18, 0x10, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x3f, 0x2e, 0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50,
-	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x4d, 0x65, 0x74, 0x72,
-	0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x52, 0x10, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69,
-	0x64, 0x65, 0x73, 0x1a, 0x71, 0x0a, 0x15, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, 0x76,
-	0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03,
-	0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x42,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e,
-	0x73, 0x74, 0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72,
-	0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x34, 0x0a, 0x0d, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73,
-	0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10,
-	0x00, 0x12, 0x08, 0x0a, 0x04, 0x46, 0x55, 0x4c, 0x4c, 0x10, 0x01, 0x12, 0x0f, 0x0a, 0x0b, 0x45,
-	0x52, 0x52, 0x4f, 0x52, 0x53, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x02, 0x22, 0xcb, 0x01, 0x0a,
-	0x0f, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65,
-	0x12, 0x12, 0x0a, 0x04, 0x64, 0x72, 0x6f, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x04,
-	0x64, 0x72, 0x6f, 0x70, 0x12, 0x63, 0x0a, 0x0d, 0x74, 0x61, 0x67, 0x5f, 0x6f, 0x76, 0x65, 0x72,
-	0x72, 0x69, 0x64, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x73, 0x74,
-	0x61, 0x63, 0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x2e, 0x54, 0x61, 0x67, 0x4f, 0x76, 0x65,
-	0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0c, 0x74, 0x61, 0x67,
-	0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x1a, 0x3f, 0x0a, 0x11, 0x54, 0x61, 0x67,
-	0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10,
-	0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79,
-	0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x3b, 0x5a, 0x39, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79,
-	0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x63,
-	0x6b, 0x64, 0x72, 0x69, 0x76, 0x65, 0x72, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc = "" +
+	"\n" +
+	"9envoy/extensions/stackdriver/config/v1alpha1/config.proto\x12\x1bstackdriver.config.v1alpha1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\"\xce\x01\n" +
+	"\fCustomConfig\x12Y\n" +
+	"\n" +
+	"dimensions\x18\x01 \x03(\v29.stackdriver.config.v1alpha1.CustomConfig.DimensionsEntryR\n" +
+	"dimensions\x12$\n" +
+	"\x0etags_to_remove\x18\x02 \x03(\tR\ftagsToRemove\x1a=\n" +
+	"\x0fDimensionsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\x80\v\n" +
+	"\fPluginConfig\x12E\n" +
+	"\x1ddisable_server_access_logging\x18\x01 \x01(\bB\x02\x18\x01R\x1adisableServerAccessLogging\x12;\n" +
+	"\x1bmax_log_batch_size_in_bytes\x18\f \x01(\x05R\x16maxLogBatchSizeInBytes\x12I\n" +
+	"\x13log_report_duration\x18\r \x01(\v2\x19.google.protobuf.DurationR\x11logReportDuration\x12(\n" +
+	"\x10enable_audit_log\x18\v \x01(\bR\x0eenableAuditLog\x128\n" +
+	"\x18destination_service_name\x18\x02 \x01(\tR\x16destinationServiceName\x12A\n" +
+	"\x1benable_mesh_edges_reporting\x18\x03 \x01(\bB\x02\x18\x01R\x18enableMeshEdgesReporting\x12`\n" +
+	"\x1dmesh_edges_reporting_duration\x18\x04 \x01(\v2\x19.google.protobuf.DurationB\x02\x18\x01R\x1ameshEdgesReportingDuration\x12-\n" +
+	"\x13max_peer_cache_size\x18\x05 \x01(\x05R\x10maxPeerCacheSize\x12?\n" +
+	"\x1cdisable_host_header_fallback\x18\x06 \x01(\bR\x19disableHostHeaderFallback\x12/\n" +
+	"\x14max_edges_batch_size\x18\a \x01(\x05R\x11maxEdgesBatchSize\x12=\n" +
+	"\x19disable_http_size_metrics\x18\b \x01(\bB\x02\x18\x01R\x16disableHttpSizeMetrics\x12P\n" +
+	"\x16enable_log_compression\x18\t \x01(\v2\x1a.google.protobuf.BoolValueR\x14enableLogCompression\x12^\n" +
+	"\x0eaccess_logging\x18\n" +
+	" \x01(\x0e27.stackdriver.config.v1alpha1.PluginConfig.AccessLoggingR\raccessLogging\x12G\n" +
+	" access_logging_filter_expression\x18\x11 \x01(\tR\x1daccessLoggingFilterExpression\x12U\n" +
+	"\x11custom_log_config\x18\x0e \x01(\v2).stackdriver.config.v1alpha1.CustomConfigR\x0fcustomLogConfig\x12O\n" +
+	"\x16metric_expiry_duration\x18\x0f \x01(\v2\x19.google.protobuf.DurationR\x14metricExpiryDuration\x12l\n" +
+	"\x11metrics_overrides\x18\x10 \x03(\v2?.stackdriver.config.v1alpha1.PluginConfig.MetricsOverridesEntryR\x10metricsOverrides\x1aq\n" +
+	"\x15MetricsOverridesEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12B\n" +
+	"\x05value\x18\x02 \x01(\v2,.stackdriver.config.v1alpha1.MetricsOverrideR\x05value:\x028\x01\"4\n" +
+	"\rAccessLogging\x12\b\n" +
+	"\x04NONE\x10\x00\x12\b\n" +
+	"\x04FULL\x10\x01\x12\x0f\n" +
+	"\vERRORS_ONLY\x10\x02\"\xcb\x01\n" +
+	"\x0fMetricsOverride\x12\x12\n" +
+	"\x04drop\x18\x01 \x01(\bR\x04drop\x12c\n" +
+	"\rtag_overrides\x18\x02 \x03(\v2>.stackdriver.config.v1alpha1.MetricsOverride.TagOverridesEntryR\ftagOverrides\x1a?\n" +
+	"\x11TagOverridesEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B;Z9istio.io/api/envoy/extensions/stackdriver/config/v1alpha1b\x06proto3"

 var (
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescOnce sync.Once
-	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData = file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc
+	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData []byte
 )

 func file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescGZIP() []byte {
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescOnce.Do(func() {
-		file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData)
+		file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc), len(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc)))
 	})
 	return file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDescData
 }
@ -661,7 +572,7 @@ func file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc), len(file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc)),
 			NumEnums:      1,
 			NumMessages:   6,
 			NumExtensions: 0,
@ -673,7 +584,6 @@ func file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_init() {
 		MessageInfos:      file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_msgTypes,
 	}.Build()
 	File_envoy_extensions_stackdriver_config_v1alpha1_config_proto = out.File
-	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_rawDesc = nil
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_goTypes = nil
 	file_envoy_extensions_stackdriver_config_v1alpha1_config_proto_depIdxs = nil
 }
--- a/envoy/extensions/stackdriver/config/v1alpha1/config.proto
+++ b/envoy/extensions/stackdriver/config/v1alpha1/config.proto
@ -24,11 +24,11 @@ syntax = "proto3";

 package stackdriver.config.v1alpha1;

-option go_package = "istio.io/api/envoy/extensions/stackdriver/config/v1alpha1";
-
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

+option go_package = "istio.io/api/envoy/extensions/stackdriver/config/v1alpha1";
+
 // Custom instance configuration overrides.
 // Provides a way to customize logs.
 message CustomConfig {
@ -55,11 +55,11 @@ message PluginConfig {
    // logs. A request is classified as error when `status>=400 or
    // response_flag != "-"`
    ERRORS_ONLY = 2;
-  };
+  }

  // Optional. Controls whether to export server access log.
  // This is deprecated in favor of AccessLogging enum.
-  bool disable_server_access_logging = 1 [ deprecated = true ];
+  bool disable_server_access_logging = 1 [deprecated = true];

  // Optional. Allows configuration of the size of the LogWrite request. The
  // size is in bytes, so that it allows for better performance. Default is 4MB.
@ -84,7 +84,7 @@ message PluginConfig {
  // service. This is disabled by default.
  // Deprecated -- Mesh edge reporting is no longer supported and this setting
  // is no-op.
-  bool enable_mesh_edges_reporting = 3 [ deprecated = true ];
+  bool enable_mesh_edges_reporting = 3 [deprecated = true];

  // Optional. Allows configuration of the time between calls out to the mesh
  // edges service to report *NEW* edges. The minimum configurable duration is
@ -95,8 +95,7 @@ message PluginConfig {
  // reporting every `10m`.
  // Deprecated -- Mesh edge reporting is no longer supported and this setting
  // is no-op.
-  google.protobuf.Duration mesh_edges_reporting_duration = 4
-      [ deprecated = true ];
+  google.protobuf.Duration mesh_edges_reporting_duration = 4 [deprecated = true];

  // maximum size of the peer metadata cache.
  // A long lived proxy that connects with many transient peers can build up a
@ -117,7 +116,7 @@ message PluginConfig {
  // metrics are enabled).
  // Deprecated -- use `metrics_overrides` instead.
  // if `metrics_overrides` is used, this value will be ignored.
-  bool disable_http_size_metrics = 8 [ deprecated = true ];
+  bool disable_http_size_metrics = 8 [deprecated = true];

  // Optional. Allows enabling log compression for stackdriver access logs.
  google.protobuf.BoolValue enable_log_compression = 9;
@ -128,18 +127,18 @@ message PluginConfig {
  // CEL expression for filtering access logging. If the expression evaluates
  // to true, an access log entry will be generated. Otherwise, no access log
  // entry will be generated. If there are any type errors, the CEL expression
-  // is evaluated as false. More details on type checking can be found 
+  // is evaluated as false. More details on type checking can be found
  // at https://kubernetes.io/docs/reference/using-api/cel/#type-checking.
  // A common error is referring to a non-existent field in the log entry.
  // It's crucial to note that in Envoy, the fields that appear in access log
  // entries can vary. This variation is influenced by several factors,
  // including the protocol in use (such as HTTP or TCP), the applied filters,
-  // and the specific configuration of the Envoy instance. Therefore, when 
+  // and the specific configuration of the Envoy instance. Therefore, when
  // using CEL expressions for filtering access logs, it's essential to ensure
  // that the expressions accurately refer to existing fields in the log entry.
-  // The has() macro in CEL may be used in CEL expressions to check if a field 
-  // is accessible before attempting to access the field's value. 
-  // You can also quickly test CEL expressions at the CEL Playground 
+  // The has() macro in CEL may be used in CEL expressions to check if a field
+  // is accessible before attempting to access the field's value.
+  // You can also quickly test CEL expressions at the CEL Playground
  // at https://playcel.undistro.io/.
  // NOTE: Audit logs ignore configured filters.
  string access_logging_filter_expression = 17;
--- a/envoy/extensions/stats/config.pb.go
+++ b/envoy/extensions/stats/config.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: envoy/extensions/stats/config.proto

@ -31,6 +31,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -146,14 +147,11 @@ func (Reporter) EnumDescriptor() ([]byte, []int) {
 // The customizations allow full configurability, at the cost of a "slower"
 // path.
 type MetricConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// (Optional) Collection of tag names and tag expressions to include in the
 	// metric. Conflicts are resolved by the tag name by overriding previously
 	// supplied values.
-	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Dimensions map[string]string `protobuf:"bytes,1,rep,name=dimensions,proto3" json:"dimensions,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// (Optional) Metric name to restrict the override to a metric. If not
 	// specified, applies to all.
 	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
@ -163,7 +161,9 @@ type MetricConfig struct {
 	Match string `protobuf:"bytes,4,opt,name=match,proto3" json:"match,omitempty"`
 	// (Optional) If this is set to true, the metric(s) selected by this
 	// configuration will not be generated or reported.
-	Drop bool `protobuf:"varint,5,opt,name=drop,proto3" json:"drop,omitempty"`
+	Drop          bool `protobuf:"varint,5,opt,name=drop,proto3" json:"drop,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *MetricConfig) Reset() {
@ -232,16 +232,15 @@ func (x *MetricConfig) GetDrop() bool {
 }

 type MetricDefinition struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Metric name.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// Metric value expression.
 	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
 	// NOT IMPLEMENTED (Optional) Metric type.
-	Type MetricType `protobuf:"varint,3,opt,name=type,proto3,enum=stats.MetricType" json:"type,omitempty"`
+	Type          MetricType `protobuf:"varint,3,opt,name=type,proto3,enum=stats.MetricType" json:"type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *MetricDefinition) Reset() {
@ -296,10 +295,7 @@ func (x *MetricDefinition) GetType() MetricType {
 }

 type PluginConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// next id: 7
 	// The following settings should be rarely used.
 	// Enable debug for this filter.
@ -341,6 +337,8 @@ type PluginConfig struct {
 	// Defaults to 5m. Must be >=1s.
 	// $hide_from_docs
 	GracefulDeletionInterval *duration.Duration `protobuf:"bytes,12,opt,name=graceful_deletion_interval,json=gracefulDeletionInterval,proto3" json:"graceful_deletion_interval,omitempty"`
+	unknownFields            protoimpl.UnknownFields
+	sizeCache                protoimpl.SizeCache
 }

 func (x *PluginConfig) Reset() {
@ -459,95 +457,56 @@ func (x *PluginConfig) GetGracefulDeletionInterval() *duration.Duration {

 var File_envoy_extensions_stats_config_proto protoreflect.FileDescriptor

-var file_envoy_extensions_stats_config_proto_rawDesc = []byte{
-	0x0a, 0x23, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x73, 0x74, 0x61, 0x74, 0x73, 0x1a, 0x1e, 0x67, 0x6f,
-	0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf6, 0x01, 0x0a,
-	0x0c, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x43, 0x0a,
-	0x0a, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x23, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
-	0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x64, 0x69, 0x6d, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x24, 0x0a, 0x0e, 0x74, 0x61, 0x67, 0x73, 0x5f, 0x74,
-	0x6f, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c,
-	0x74, 0x61, 0x67, 0x73, 0x54, 0x6f, 0x52, 0x65, 0x6d, 0x6f, 0x76, 0x65, 0x12, 0x14, 0x0a, 0x05,
-	0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6d, 0x61, 0x74,
-	0x63, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x72, 0x6f, 0x70, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08,
-	0x52, 0x04, 0x64, 0x72, 0x6f, 0x70, 0x1a, 0x3d, 0x0a, 0x0f, 0x44, 0x69, 0x6d, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x63, 0x0a, 0x10, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x44,
-	0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x14, 0x0a,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x12, 0x25, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x11, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x22, 0x90, 0x05, 0x0a, 0x0c, 0x50,
-	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x14, 0x0a, 0x05, 0x64,
-	0x65, 0x62, 0x75, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x05, 0x64, 0x65, 0x62, 0x75,
-	0x67, 0x12, 0x2d, 0x0a, 0x13, 0x6d, 0x61, 0x78, 0x5f, 0x70, 0x65, 0x65, 0x72, 0x5f, 0x63, 0x61,
-	0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x05, 0x52, 0x10,
-	0x6d, 0x61, 0x78, 0x50, 0x65, 0x65, 0x72, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65,
-	0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69,
-	0x78, 0x12, 0x27, 0x0a, 0x0f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x73, 0x65, 0x70, 0x61, 0x72,
-	0x61, 0x74, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x66, 0x69, 0x65, 0x6c,
-	0x64, 0x53, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x12, 0x27, 0x0a, 0x0f, 0x76, 0x61,
-	0x6c, 0x75, 0x65, 0x5f, 0x73, 0x65, 0x70, 0x61, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0e, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x65, 0x70, 0x61, 0x72, 0x61,
-	0x74, 0x6f, 0x72, 0x12, 0x3f, 0x0a, 0x1c, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x68,
-	0x6f, 0x73, 0x74, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x5f, 0x66, 0x61, 0x6c, 0x6c, 0x62,
-	0x61, 0x63, 0x6b, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x64, 0x69, 0x73, 0x61, 0x62,
-	0x6c, 0x65, 0x48, 0x6f, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x46, 0x61, 0x6c, 0x6c,
-	0x62, 0x61, 0x63, 0x6b, 0x12, 0x4f, 0x0a, 0x16, 0x74, 0x63, 0x70, 0x5f, 0x72, 0x65, 0x70, 0x6f,
-	0x72, 0x74, 0x69, 0x6e, 0x67, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52,
-	0x14, 0x74, 0x63, 0x70, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x44, 0x75, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2d, 0x0a, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
-	0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x4d,
-	0x65, 0x74, 0x72, 0x69, 0x63, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x07, 0x6d, 0x65, 0x74,
-	0x72, 0x69, 0x63, 0x73, 0x12, 0x39, 0x0a, 0x0b, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x73, 0x74, 0x61, 0x74,
-	0x73, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x44, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x0b, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12,
-	0x2b, 0x0a, 0x08, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x18, 0x0a, 0x20, 0x01, 0x28,
-	0x0e, 0x32, 0x0f, 0x2e, 0x73, 0x74, 0x61, 0x74, 0x73, 0x2e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74,
-	0x65, 0x72, 0x52, 0x08, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x11,
-	0x72, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61,
-	0x6c, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x10, 0x72, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x74, 0x65,
-	0x72, 0x76, 0x61, 0x6c, 0x12, 0x57, 0x0a, 0x1a, 0x67, 0x72, 0x61, 0x63, 0x65, 0x66, 0x75, 0x6c,
-	0x5f, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76,
-	0x61, 0x6c, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x52, 0x18, 0x67, 0x72, 0x61, 0x63, 0x65, 0x66, 0x75, 0x6c, 0x44, 0x65, 0x6c,
-	0x65, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x2a, 0x33, 0x0a,
-	0x0a, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x43,
-	0x4f, 0x55, 0x4e, 0x54, 0x45, 0x52, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x47, 0x41, 0x55, 0x47,
-	0x45, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x48, 0x49, 0x53, 0x54, 0x4f, 0x47, 0x52, 0x41, 0x4d,
-	0x10, 0x02, 0x2a, 0x2f, 0x0a, 0x08, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x12, 0x0f,
-	0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12,
-	0x12, 0x0a, 0x0e, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52, 0x5f, 0x47, 0x41, 0x54, 0x45, 0x57, 0x41,
-	0x59, 0x10, 0x01, 0x42, 0x25, 0x5a, 0x23, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f,
-	0x61, 0x70, 0x69, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
-	0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x73, 0x74, 0x61, 0x74, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-}
+const file_envoy_extensions_stats_config_proto_rawDesc = "" +
+	"\n" +
+	"#envoy/extensions/stats/config.proto\x12\x05stats\x1a\x1egoogle/protobuf/duration.proto\"\xf6\x01\n" +
+	"\fMetricConfig\x12C\n" +
+	"\n" +
+	"dimensions\x18\x01 \x03(\v2#.stats.MetricConfig.DimensionsEntryR\n" +
+	"dimensions\x12\x12\n" +
+	"\x04name\x18\x02 \x01(\tR\x04name\x12$\n" +
+	"\x0etags_to_remove\x18\x03 \x03(\tR\ftagsToRemove\x12\x14\n" +
+	"\x05match\x18\x04 \x01(\tR\x05match\x12\x12\n" +
+	"\x04drop\x18\x05 \x01(\bR\x04drop\x1a=\n" +
+	"\x0fDimensionsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"c\n" +
+	"\x10MetricDefinition\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value\x12%\n" +
+	"\x04type\x18\x03 \x01(\x0e2\x11.stats.MetricTypeR\x04type\"\x90\x05\n" +
+	"\fPluginConfig\x12\x14\n" +
+	"\x05debug\x18\x01 \x01(\bR\x05debug\x12-\n" +
+	"\x13max_peer_cache_size\x18\x02 \x01(\x05R\x10maxPeerCacheSize\x12\x1f\n" +
+	"\vstat_prefix\x18\x03 \x01(\tR\n" +
+	"statPrefix\x12'\n" +
+	"\x0ffield_separator\x18\x04 \x01(\tR\x0efieldSeparator\x12'\n" +
+	"\x0fvalue_separator\x18\x05 \x01(\tR\x0evalueSeparator\x12?\n" +
+	"\x1cdisable_host_header_fallback\x18\x06 \x01(\bR\x19disableHostHeaderFallback\x12O\n" +
+	"\x16tcp_reporting_duration\x18\a \x01(\v2\x19.google.protobuf.DurationR\x14tcpReportingDuration\x12-\n" +
+	"\ametrics\x18\b \x03(\v2\x13.stats.MetricConfigR\ametrics\x129\n" +
+	"\vdefinitions\x18\t \x03(\v2\x17.stats.MetricDefinitionR\vdefinitions\x12+\n" +
+	"\breporter\x18\n" +
+	" \x01(\x0e2\x0f.stats.ReporterR\breporter\x12F\n" +
+	"\x11rotation_interval\x18\v \x01(\v2\x19.google.protobuf.DurationR\x10rotationInterval\x12W\n" +
+	"\x1agraceful_deletion_interval\x18\f \x01(\v2\x19.google.protobuf.DurationR\x18gracefulDeletionInterval*3\n" +
+	"\n" +
+	"MetricType\x12\v\n" +
+	"\aCOUNTER\x10\x00\x12\t\n" +
+	"\x05GAUGE\x10\x01\x12\r\n" +
+	"\tHISTOGRAM\x10\x02*/\n" +
+	"\bReporter\x12\x0f\n" +
+	"\vUNSPECIFIED\x10\x00\x12\x12\n" +
+	"\x0eSERVER_GATEWAY\x10\x01B%Z#istio.io/api/envoy/extensions/statsb\x06proto3"

 var (
 	file_envoy_extensions_stats_config_proto_rawDescOnce sync.Once
-	file_envoy_extensions_stats_config_proto_rawDescData = file_envoy_extensions_stats_config_proto_rawDesc
+	file_envoy_extensions_stats_config_proto_rawDescData []byte
 )

 func file_envoy_extensions_stats_config_proto_rawDescGZIP() []byte {
 	file_envoy_extensions_stats_config_proto_rawDescOnce.Do(func() {
-		file_envoy_extensions_stats_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_envoy_extensions_stats_config_proto_rawDescData)
+		file_envoy_extensions_stats_config_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_envoy_extensions_stats_config_proto_rawDesc), len(file_envoy_extensions_stats_config_proto_rawDesc)))
 	})
 	return file_envoy_extensions_stats_config_proto_rawDescData
 }
@ -588,7 +547,7 @@ func file_envoy_extensions_stats_config_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_envoy_extensions_stats_config_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_envoy_extensions_stats_config_proto_rawDesc), len(file_envoy_extensions_stats_config_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   4,
 			NumExtensions: 0,
@ -600,7 +559,6 @@ func file_envoy_extensions_stats_config_proto_init() {
 		MessageInfos:      file_envoy_extensions_stats_config_proto_msgTypes,
 	}.Build()
 	File_envoy_extensions_stats_config_proto = out.File
-	file_envoy_extensions_stats_config_proto_rawDesc = nil
 	file_envoy_extensions_stats_config_proto_goTypes = nil
 	file_envoy_extensions_stats_config_proto_depIdxs = nil
 }
--- a/envoy/extensions/stats/config.proto
+++ b/envoy/extensions/stats/config.proto
@ -22,10 +22,10 @@ syntax = "proto3";

 package stats;

-option go_package = "istio.io/api/envoy/extensions/stats";
-
 import "google/protobuf/duration.proto";

+option go_package = "istio.io/api/envoy/extensions/stats";
+
 // Metric instance configuration overrides.
 // The metric value and the metric type are optional and permit changing the
 // reported value for an existing metric.
@ -95,14 +95,14 @@ message PluginConfig {

  // prefix to add to stats emitted by the plugin.
  // DEPRECATED.
-  string stat_prefix = 3;  // default: "istio_"
+  string stat_prefix = 3; // default: "istio_"

  // Stats api squashes dimensions in a single string.
  // The squashed string is parsed at prometheus scrape time to recover
  // dimensions. The following 2 fields set the field and value separators {key:
  // value} -->  key{value_separator}value{field_separator}
-  string field_separator = 4;  // default: ";;"
-  string value_separator = 5;  // default: "=="
+  string field_separator = 4; // default: ";;"
+  string value_separator = 5; // default: "=="

  // Optional: Disable using host header as a fallback if destination service is
  // not available from the controlplane. Disable the fallback if the host
--- a/extensions/v1alpha1/wasm.pb.go
+++ b/extensions/v1alpha1/wasm.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: extensions/v1alpha1/wasm.proto

@ -27,7 +27,7 @@
 // WasmPlugins provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
-// Order of execution (as part of Envoy's filter chain) is determined by
+// The order of execution (as part of Envoy's filter chain) is determined by
 // phase and priority settings, allowing the configuration of complex
 // interactions between user-supplied WasmPlugins and Istio's internal
 // filters.
@ -216,6 +216,7 @@ import (
 	v1beta1 "istio.io/api/type/v1beta1"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -417,7 +418,7 @@ type EnvValueSource int32
 const (
 	// Explicitly given key-value pairs to be injected to this VM
 	EnvValueSource_INLINE EnvValueSource = 0
-	// *Istio-proxy's* environment variables exposed to this VM.
+	// Proxy environment variables exposed to this VM.
 	EnvValueSource_HOST EnvValueSource = 1
 )

@ -471,6 +472,10 @@ const (
 	// binary, an exception, or abort() on the VM. This flag is not recommended
 	// for the authentication or the authorization plugins.
 	FailStrategy_FAIL_OPEN FailStrategy = 1
+	// New plugin instance will be created for the new request if the Wasm plugin
+	// has failed. This only applies for “proxy_wasm::FailState::RuntimeError“.
+	// For all other error types this will fallback to “FAIL_CLOSED“.
+	FailStrategy_FAIL_RELOAD FailStrategy = 2
 )

 // Enum value maps for FailStrategy.
@ -478,10 +483,12 @@ var (
 	FailStrategy_name = map[int32]string{
 		0: "FAIL_CLOSE",
 		1: "FAIL_OPEN",
+		2: "FAIL_RELOAD",
 	}
 	FailStrategy_value = map[string]int32{
-		"FAIL_CLOSE": 0,
-		"FAIL_OPEN":  1,
+		"FAIL_CLOSE":  0,
+		"FAIL_OPEN":   1,
+		"FAIL_RELOAD": 2,
 	}
 )

@ -512,7 +519,7 @@ func (FailStrategy) EnumDescriptor() ([]byte, []int) {
 	return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{4}
 }

-// WasmPlugins provides a mechanism to extend the functionality provided by
+// WasmPlugin provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
 // <!-- crd generation tags
@ -539,12 +546,9 @@ func (FailStrategy) EnumDescriptor() ([]byte, []int) {
 // +genclient
 // +k8s:deepcopy-gen=true
 // -->
-// +kubebuilder:validation:XValidation:message="only one of targetRefs or selector can be set",rule="(has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1"
+// +kubebuilder:validation:XValidation:message="only one of targetRefs or selector can be set",rule="oneof(self.selector, self.targetRef, self.targetRefs)"
 type WasmPlugin struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Criteria used to select the specific set of pods/VMs on which
 	// this plugin configuration should be applied. If omitted, this
 	// configuration will be applied to all workload instances in the same
@ -562,7 +566,9 @@ type WasmPlugin struct {
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
 	// * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+	// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
@ -652,7 +658,9 @@ type WasmPlugin struct {
 	// the traffic passes the WasmPlugin.
 	Match []*WasmPlugin_TrafficSelector `protobuf:"bytes,12,rep,name=match,proto3" json:"match,omitempty"`
 	// Specifies the type of Wasm Extension to be used.
-	Type PluginType `protobuf:"varint,14,opt,name=type,proto3,enum=istio.extensions.v1alpha1.PluginType" json:"type,omitempty"`
+	Type          PluginType `protobuf:"varint,14,opt,name=type,proto3,enum=istio.extensions.v1alpha1.PluginType" json:"type,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *WasmPlugin) Reset() {
@ -800,16 +808,15 @@ func (x *WasmPlugin) GetType() PluginType {
 // Configuration for a Wasm VM.
 // more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).
 type VmConfig struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Specifies environment variables to be injected to this VM.
 	// Note that if a key does not exist, it will be ignored.
 	// +kubebuilder:validation:MaxItems=256
 	// +listType=map
 	// +listMapKey=name
-	Env []*EnvVar `protobuf:"bytes,1,rep,name=env,proto3" json:"env,omitempty"`
+	Env           []*EnvVar `protobuf:"bytes,1,rep,name=env,proto3" json:"env,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *VmConfig) Reset() {
@ -849,12 +856,9 @@ func (x *VmConfig) GetEnv() []*EnvVar {
 	return nil
 }

-// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="(has(self.valueFrom) ? self.valueFrom : ”) != 'HOST' || !has(self.value)"
+// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="default(self.valueFrom, ”) != 'HOST' || !has(self.value)"
 type EnvVar struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Name of the environment variable.
 	// Must be a C_IDENTIFIER.
 	// +kubebuilder:validation:MaxLength=256
@ -866,7 +870,9 @@ type EnvVar struct {
 	// Only applicable if `valueFrom` is `HOST`.
 	// Defaults to "".
 	// +kubebuilder:validation:MaxLength=2048
-	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+	Value         string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvVar) Reset() {
@ -925,10 +931,7 @@ func (x *EnvVar) GetValue() string {
 // When all the sub conditions in the TrafficSelector are satisfied, the
 // traffic will be selected.
 type WasmPlugin_TrafficSelector struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Criteria for selecting traffic by their direction.
 	// Note that `CLIENT` and `SERVER` are analogous to OUTBOUND and INBOUND,
 	// respectively.
@ -944,7 +947,9 @@ type WasmPlugin_TrafficSelector struct {
 	// If not specified, this condition is evaluated to true for any port.
 	// +listType=map
 	// +listMapKey=number
-	Ports []*v1beta1.PortSelector `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
+	Ports         []*v1beta1.PortSelector `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *WasmPlugin_TrafficSelector) Reset() {
@ -993,129 +998,75 @@ func (x *WasmPlugin_TrafficSelector) GetPorts() []*v1beta1.PortSelector {

 var File_extensions_v1alpha1_wasm_proto protoreflect.FileDescriptor

-var file_extensions_v1alpha1_wasm_proto_rawDesc = []byte{
-	0x0a, 0x1e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x77, 0x61, 0x73, 0x6d, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x12, 0x19, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61,
-	0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72,
-	0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65, 0x2f,
-	0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72,
-	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61,
-	0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f,
-	0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xab, 0x08, 0x0a, 0x0a, 0x57, 0x61, 0x73, 0x6d,
-	0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x12, 0x40, 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74,
-	0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f,
-	0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x08,
-	0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x47, 0x0a, 0x09, 0x74, 0x61, 0x72, 0x67,
-	0x65, 0x74, 0x52, 0x65, 0x66, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
-	0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66,
-	0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x09, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65,
-	0x66, 0x12, 0x49, 0x0a, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66, 0x73, 0x18,
-	0x10, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79,
-	0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63,
-	0x79, 0x54, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65,
-	0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66, 0x73, 0x12, 0x16, 0x0a, 0x03,
-	0x75, 0x72, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52,
-	0x03, 0x75, 0x72, 0x6c, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x68, 0x61, 0x32, 0x35, 0x36, 0x12, 0x51, 0x0a, 0x11,
-	0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x75, 0x6c, 0x6c, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63,
-	0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x2e, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x0f,
-	0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12,
-	0x2a, 0x0a, 0x11, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x5f, 0x70, 0x75, 0x6c, 0x6c, 0x5f, 0x73, 0x65,
-	0x63, 0x72, 0x65, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x69, 0x6d, 0x61, 0x67,
-	0x65, 0x50, 0x75, 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x12, 0x29, 0x0a, 0x10, 0x76,
-	0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6b, 0x65, 0x79, 0x18,
-	0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x12, 0x3c, 0x0a, 0x0d, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e,
-	0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x53, 0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x0c, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x5f, 0x6e,
-	0x61, 0x6d, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x6c, 0x75, 0x67, 0x69,
-	0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x3c, 0x0a, 0x05, 0x70, 0x68, 0x61, 0x73, 0x65, 0x18, 0x09,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74,
-	0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
-	0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x52, 0x05, 0x70, 0x68,
-	0x61, 0x73, 0x65, 0x12, 0x37, 0x0a, 0x08, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18,
-	0x0a, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c,
-	0x75, 0x65, 0x52, 0x08, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x4c, 0x0a, 0x0d,
-	0x66, 0x61, 0x69, 0x6c, 0x5f, 0x73, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x0d, 0x20,
-	0x01, 0x28, 0x0e, 0x32, 0x27, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65,
-	0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
-	0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x52, 0x0c, 0x66, 0x61,
-	0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x40, 0x0a, 0x09, 0x76, 0x6d,
-	0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x52, 0x08, 0x76, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x4b, 0x0a, 0x05,
-	0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x57, 0x61, 0x73, 0x6d, 0x50, 0x6c, 0x75, 0x67,
-	0x69, 0x6e, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74,
-	0x6f, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x39, 0x0a, 0x04, 0x74, 0x79, 0x70,
-	0x65, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x2e, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04,
-	0x74, 0x79, 0x70, 0x65, 0x1a, 0x7f, 0x0a, 0x0f, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x53,
-	0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x34, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79,
-	0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c,
-	0x6f, 0x61, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x36, 0x0a,
-	0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
-	0x31, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05,
-	0x70, 0x6f, 0x72, 0x74, 0x73, 0x22, 0x3f, 0x0a, 0x08, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x12, 0x33, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e,
-	0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61,
-	0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x22, 0x82, 0x01, 0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61,
-	0x72, 0x12, 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42,
-	0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x48, 0x0a, 0x0a, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
-	0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x09, 0x76, 0x61, 0x6c, 0x75,
-	0x65, 0x46, 0x72, 0x6f, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x2a, 0x40, 0x0a, 0x0a, 0x50,
-	0x6c, 0x75, 0x67, 0x69, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x17, 0x55, 0x4e, 0x53,
-	0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x4c, 0x55, 0x47, 0x49, 0x4e, 0x5f,
-	0x54, 0x59, 0x50, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x01,
-	0x12, 0x0b, 0x0a, 0x07, 0x4e, 0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x10, 0x02, 0x2a, 0x45, 0x0a,
-	0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x11,
-	0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x48, 0x41, 0x53,
-	0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x4e, 0x10, 0x01, 0x12, 0x09,
-	0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05, 0x53, 0x54, 0x41,
-	0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0a, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69,
-	0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45,
-	0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x10, 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x66,
-	0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06,
-	0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10, 0x02, 0x2a, 0x26, 0x0a, 0x0e, 0x45, 0x6e, 0x76, 0x56,
-	0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0a, 0x0a, 0x06, 0x49, 0x4e,
-	0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x4f, 0x53, 0x54, 0x10, 0x01,
-	0x2a, 0x2d, 0x0a, 0x0c, 0x46, 0x61, 0x69, 0x6c, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79,
-	0x12, 0x0e, 0x0a, 0x0a, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x43, 0x4c, 0x4f, 0x53, 0x45, 0x10, 0x00,
-	0x12, 0x0d, 0x0a, 0x09, 0x46, 0x41, 0x49, 0x4c, 0x5f, 0x4f, 0x50, 0x45, 0x4e, 0x10, 0x01, 0x42,
-	0x22, 0x5a, 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f,
-	0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_extensions_v1alpha1_wasm_proto_rawDesc = "" +
+	"\n" +
+	"\x1eextensions/v1alpha1/wasm.proto\x12\x19istio.extensions.v1alpha1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1btype/v1beta1/selector.proto\"\xab\b\n" +
+	"\n" +
+	"WasmPlugin\x12@\n" +
+	"\bselector\x18\x01 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\bselector\x12G\n" +
+	"\ttargetRef\x18\x0f \x01(\v2).istio.type.v1beta1.PolicyTargetReferenceR\ttargetRef\x12I\n" +
+	"\n" +
+	"targetRefs\x18\x10 \x03(\v2).istio.type.v1beta1.PolicyTargetReferenceR\n" +
+	"targetRefs\x12\x16\n" +
+	"\x03url\x18\x02 \x01(\tB\x04\xe2A\x01\x02R\x03url\x12\x16\n" +
+	"\x06sha256\x18\x03 \x01(\tR\x06sha256\x12Q\n" +
+	"\x11image_pull_policy\x18\x04 \x01(\x0e2%.istio.extensions.v1alpha1.PullPolicyR\x0fimagePullPolicy\x12*\n" +
+	"\x11image_pull_secret\x18\x05 \x01(\tR\x0fimagePullSecret\x12)\n" +
+	"\x10verification_key\x18\x06 \x01(\tR\x0fverificationKey\x12<\n" +
+	"\rplugin_config\x18\a \x01(\v2\x17.google.protobuf.StructR\fpluginConfig\x12\x1f\n" +
+	"\vplugin_name\x18\b \x01(\tR\n" +
+	"pluginName\x12<\n" +
+	"\x05phase\x18\t \x01(\x0e2&.istio.extensions.v1alpha1.PluginPhaseR\x05phase\x127\n" +
+	"\bpriority\x18\n" +
+	" \x01(\v2\x1b.google.protobuf.Int32ValueR\bpriority\x12L\n" +
+	"\rfail_strategy\x18\r \x01(\x0e2'.istio.extensions.v1alpha1.FailStrategyR\ffailStrategy\x12@\n" +
+	"\tvm_config\x18\v \x01(\v2#.istio.extensions.v1alpha1.VmConfigR\bvmConfig\x12K\n" +
+	"\x05match\x18\f \x03(\v25.istio.extensions.v1alpha1.WasmPlugin.TrafficSelectorR\x05match\x129\n" +
+	"\x04type\x18\x0e \x01(\x0e2%.istio.extensions.v1alpha1.PluginTypeR\x04type\x1a\x7f\n" +
+	"\x0fTrafficSelector\x124\n" +
+	"\x04mode\x18\x01 \x01(\x0e2 .istio.type.v1beta1.WorkloadModeR\x04mode\x126\n" +
+	"\x05ports\x18\x02 \x03(\v2 .istio.type.v1beta1.PortSelectorR\x05ports\"?\n" +
+	"\bVmConfig\x123\n" +
+	"\x03env\x18\x01 \x03(\v2!.istio.extensions.v1alpha1.EnvVarR\x03env\"\x82\x01\n" +
+	"\x06EnvVar\x12\x18\n" +
+	"\x04name\x18\x01 \x01(\tB\x04\xe2A\x01\x02R\x04name\x12H\n" +
+	"\n" +
+	"value_from\x18\x03 \x01(\x0e2).istio.extensions.v1alpha1.EnvValueSourceR\tvalueFrom\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value*@\n" +
+	"\n" +
+	"PluginType\x12\x1b\n" +
+	"\x17UNSPECIFIED_PLUGIN_TYPE\x10\x00\x12\b\n" +
+	"\x04HTTP\x10\x01\x12\v\n" +
+	"\aNETWORK\x10\x02*E\n" +
+	"\vPluginPhase\x12\x15\n" +
+	"\x11UNSPECIFIED_PHASE\x10\x00\x12\t\n" +
+	"\x05AUTHN\x10\x01\x12\t\n" +
+	"\x05AUTHZ\x10\x02\x12\t\n" +
+	"\x05STATS\x10\x03*B\n" +
+	"\n" +
+	"PullPolicy\x12\x16\n" +
+	"\x12UNSPECIFIED_POLICY\x10\x00\x12\x10\n" +
+	"\fIfNotPresent\x10\x01\x12\n" +
+	"\n" +
+	"\x06Always\x10\x02*&\n" +
+	"\x0eEnvValueSource\x12\n" +
+	"\n" +
+	"\x06INLINE\x10\x00\x12\b\n" +
+	"\x04HOST\x10\x01*>\n" +
+	"\fFailStrategy\x12\x0e\n" +
+	"\n" +
+	"FAIL_CLOSE\x10\x00\x12\r\n" +
+	"\tFAIL_OPEN\x10\x01\x12\x0f\n" +
+	"\vFAIL_RELOAD\x10\x02B\"Z istio.io/api/extensions/v1alpha1b\x06proto3"

 var (
 	file_extensions_v1alpha1_wasm_proto_rawDescOnce sync.Once
-	file_extensions_v1alpha1_wasm_proto_rawDescData = file_extensions_v1alpha1_wasm_proto_rawDesc
+	file_extensions_v1alpha1_wasm_proto_rawDescData []byte
 )

 func file_extensions_v1alpha1_wasm_proto_rawDescGZIP() []byte {
 	file_extensions_v1alpha1_wasm_proto_rawDescOnce.Do(func() {
-		file_extensions_v1alpha1_wasm_proto_rawDescData = protoimpl.X.CompressGZIP(file_extensions_v1alpha1_wasm_proto_rawDescData)
+		file_extensions_v1alpha1_wasm_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_extensions_v1alpha1_wasm_proto_rawDesc), len(file_extensions_v1alpha1_wasm_proto_rawDesc)))
 	})
 	return file_extensions_v1alpha1_wasm_proto_rawDescData
 }
@ -1171,7 +1122,7 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_extensions_v1alpha1_wasm_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_extensions_v1alpha1_wasm_proto_rawDesc), len(file_extensions_v1alpha1_wasm_proto_rawDesc)),
 			NumEnums:      5,
 			NumMessages:   4,
 			NumExtensions: 0,
@ -1183,7 +1134,6 @@ func file_extensions_v1alpha1_wasm_proto_init() {
 		MessageInfos:      file_extensions_v1alpha1_wasm_proto_msgTypes,
 	}.Build()
 	File_extensions_v1alpha1_wasm_proto = out.File
-	file_extensions_v1alpha1_wasm_proto_rawDesc = nil
 	file_extensions_v1alpha1_wasm_proto_goTypes = nil
 	file_extensions_v1alpha1_wasm_proto_depIdxs = nil
 }
--- a/extensions/v1alpha1/wasm.pb.html
+++ b/extensions/v1alpha1/wasm.pb.html
@ -10,7 +10,7 @@ number_of_entries: 9
 ---
 <p>WasmPlugins provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>
-<p>Order of execution (as part of Envoy&rsquo;s filter chain) is determined by
+<p>The order of execution (as part of Envoy&rsquo;s filter chain) is determined by
 phase and priority settings, allowing the configuration of complex
 interactions between user-supplied WasmPlugins and Istio&rsquo;s internal
 filters.</p>
@ -169,22 +169,21 @@ spec:

 <h2 id="WasmPlugin">WasmPlugin</h2>
 <section>
-<p>WasmPlugins provides a mechanism to extend the functionality provided by
+<p>WasmPlugin provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>

 <table class="message-fields">
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="WasmPlugin-selector">
-<td><code>selector</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadSelector">WorkloadSelector</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-selector">selector</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadSelector">WorkloadSelector</a></div>
+</div></td>
 <td>
 <p>Criteria used to select the specific set of pods/VMs on which
 this plugin configuration should be applied. If omitted, this
@ -194,22 +193,22 @@ namespace, it will be applied to all applicable workloads in any
 namespace.</p>
 <p>At most, only one of <code>selector</code> or <code>targetRefs</code> can be set for a given policy.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-targetRefs">
-<td><code>targetRefs</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-targetRefs">targetRefs</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PolicyTargetReference">PolicyTargetReference[]</a></div>
+</div></td>
 <td>
-<p>Optional. The targetRefs specifies a list of resources the policy should be
+<p>The targetRefs specifies a list of resources the policy should be
 applied to. The targeted resources specified will determine which workloads
 the policy applies to.</p>
 <p>Currently, the following resource attachment types are supported:</p>
 <ul>
 <li><code>kind: Gateway</code> with <code>group: gateway.networking.k8s.io</code> in the same namespace.</li>
+<li><code>kind: GatewayClass</code> with <code>group: gateway.networking.k8s.io</code> in the root namespace.</li>
 <li><code>kind: Service</code> with <code>group: &quot;&quot;</code> or <code>group: &quot;core&quot;</code> in the same namespace. This type is only supported for waypoints.</li>
+<li><code>kind: ServiceEntry</code> with <code>group: networking.istio.io</code> in the same namespace.</li>
 </ul>
 <p>If not set, the policy is applied as defined by the selector.
 At most one of the selector and targetRefs can be set.</p>
@ -219,14 +218,13 @@ This is to prevent proxies connected to older control planes (that don&rsquo;t k
 from misinterpreting the policy as namespace-wide during the upgrade process.</p>
 <p>NOTE: Waypoint proxies are required to use this field for policies to apply; <code>selector</code> policies will be ignored.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-url">
-<td><code>url</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-url">url</a></code></div>
+<div class="type">string</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>URL of a Wasm module or OCI container. If no scheme is present,
 defaults to <code>oci://</code>, referencing an OCI image. Other valid schemes
@ -234,14 +232,12 @@ are <code>file://</code> for referencing .wasm module files present locally
 within the proxy container, and <code>http[s]://</code> for <code>.wasm</code> module files
 hosted remotely.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="WasmPlugin-sha256">
-<td><code>sha256</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-sha256">sha256</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>SHA256 checksum that will be used to verify Wasm module or OCI container.
 If the <code>url</code> field already references a SHA256 (using the <code>@sha256:</code>
@ -249,14 +245,12 @@ notation), it must match the value of this field. If an OCI image is
 referenced by tag and this field is set, its checksum will be verified
 against the contents of this field after pulling.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-image_pull_policy">
-<td><code>imagePullPolicy</code></td>
-<td><code><a href="#PullPolicy">PullPolicy</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_policy">imagePullPolicy</a></code></div>
+<div class="type"><a href="#PullPolicy">PullPolicy</a></div>
+</div></td>
 <td>
 <p>The pull behaviour to be applied when fetching Wasm module by either
 OCI image or <code>http/https</code>. Only relevant when referencing Wasm module without
@ -265,63 +259,53 @@ Defaults to <code>IfNotPresent</code>, except when an OCI image is referenced in
 and the <code>latest</code> tag is used, in which case <code>Always</code> is the default,
 mirroring Kubernetes behaviour.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-image_pull_secret">
-<td><code>imagePullSecret</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-image_pull_secret">imagePullSecret</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Credentials to use for OCI image pulling.
 Name of a Kubernetes Secret in the same namespace as the <code>WasmPlugin</code> that
 contains a Docker pull secret which is to be used to authenticate
 against the registry when pulling the image.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-plugin_config">
-<td><code>pluginConfig</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_config">pluginConfig</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></div>
+</div></td>
 <td>
 <p>The configuration that will be passed on to the plugin.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-plugin_name">
-<td><code>pluginName</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-plugin_name">pluginName</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The plugin name to be used in the Envoy configuration (used to be called
 <code>rootID</code>). Some .wasm modules might require this value to select the Wasm
 plugin to execute.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-phase">
-<td><code>phase</code></td>
-<td><code><a href="#PluginPhase">PluginPhase</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-phase">phase</a></code></div>
+<div class="type"><a href="#PluginPhase">PluginPhase</a></div>
+</div></td>
 <td>
 <p>Determines where in the filter chain this <code>WasmPlugin</code> is to be injected.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-priority">
-<td><code>priority</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-priority">priority</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></div>
+</div></td>
 <td>
 <p>Determines ordering of <code>WasmPlugins</code> in the same <code>phase</code>.
 When multiple <code>WasmPlugins</code> are applied to the same workload in the
@ -330,56 +314,90 @@ If <code>priority</code> is not set, or two <code>WasmPlugins</code> exist with
 value, the ordering will be deterministically derived from name and
 namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-fail_strategy">
-<td><code>failStrategy</code></td>
-<td><code><a href="#FailStrategy">FailStrategy</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-fail_strategy">failStrategy</a></code></div>
+<div class="type"><a href="#FailStrategy">FailStrategy</a></div>
+</div></td>
 <td>
 <p>Specifies the failure behavior for the plugin due to fatal errors.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-vm_config">
-<td><code>vmConfig</code></td>
-<td><code><a href="#VmConfig">VmConfig</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-vm_config">vmConfig</a></code></div>
+<div class="type"><a href="#VmConfig">VmConfig</a></div>
+</div></td>
 <td>
 <p>Configuration for a Wasm VM.
 More details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig">here</a>.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-match">
-<td><code>match</code></td>
-<td><code><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-match">match</a></code></div>
+<div class="type"><a href="#WasmPlugin-TrafficSelector">TrafficSelector[]</a></div>
+</div></td>
 <td>
 <p>Specifies the criteria to determine which traffic is passed to WasmPlugin.
 If a traffic satisfies any of TrafficSelectors,
 the traffic passes the WasmPlugin.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WasmPlugin-type">
-<td><code>type</code></td>
-<td><code><a href="#PluginType">PluginType</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-type">type</a></code></div>
+<div class="type"><a href="#PluginType">PluginType</a></div>
+</div></td>
 <td>
 <p>Specifies the type of Wasm Extension to be used.</p>

 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="WasmPlugin-TrafficSelector">TrafficSelector</h3>
+<section>
+<p>TrafficSelector provides a mechanism to select a specific traffic flow
+for which this Wasm Plugin will be enabled.
+When all the sub conditions in the TrafficSelector are satisfied, the
+traffic will be selected.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="WasmPlugin-TrafficSelector-mode">
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-mode">mode</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadMode">WorkloadMode</a></div>
+</div></td>
 <td>
-No
+<p>Criteria for selecting traffic by their direction.
+Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
+respectively.
+For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
+If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
+
+</td>
+</tr>
+<tr id="WasmPlugin-TrafficSelector-ports">
+<td><div class="field"><div class="name"><code><a href="#WasmPlugin-TrafficSelector-ports">ports</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PortSelector">PortSelector[]</a></div>
+</div></td>
+<td>
+<p>Criteria for selecting traffic by their destination port.
+More specifically, for the outbound traffic, the destination port would be
+the port of the target service. On the other hand, for the inbound traffic,
+the destination port is the port bound by the server process in the same Pod.</p>
+<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
+If not specified, this condition is evaluated to true for any port.</p>
+
 </td>
 </tr>
 </tbody>
@ -394,22 +412,18 @@ more details can be found <a href="https://www.envoyproxy.io/docs/envoy/latest/a
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="VmConfig-env">
-<td><code>env</code></td>
-<td><code><a href="#EnvVar">EnvVar[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#VmConfig-env">env</a></code></div>
+<div class="type"><a href="#EnvVar">EnvVar[]</a></div>
+</div></td>
 <td>
 <p>Specifies environment variables to be injected to this VM.
 Note that if a key does not exist, it will be ignored.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -422,97 +436,39 @@ No
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="EnvVar-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#EnvVar-name">name</a></code></div>
+<div class="type">string</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>Name of the environment variable.
 Must be a C_IDENTIFIER.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="EnvVar-value_from">
-<td><code>valueFrom</code></td>
-<td><code><a href="#EnvValueSource">EnvValueSource</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#EnvVar-value_from">valueFrom</a></code></div>
+<div class="type"><a href="#EnvValueSource">EnvValueSource</a></div>
+</div></td>
 <td>
 <p>Source for the environment variable&rsquo;s value.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="EnvVar-value">
-<td><code>value</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#EnvVar-value">value</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Value for the environment variable.
 Only applicable if <code>valueFrom</code> is <code>HOST</code>.
 Defaults to &ldquo;&rdquo;.</p>

-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="WasmPlugin-TrafficSelector">WasmPlugin.TrafficSelector</h2>
-<section>
-<p>TrafficSelector provides a mechanism to select a specific traffic flow
-for which this Wasm Plugin will be enabled.
-When all the sub conditions in the TrafficSelector are satisfied, the
-traffic will be selected.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="WasmPlugin-TrafficSelector-mode">
-<td><code>mode</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#WorkloadMode">WorkloadMode</a></code></td>
-<td>
-<p>Criteria for selecting traffic by their direction.
-Note that <code>CLIENT</code> and <code>SERVER</code> are analogous to OUTBOUND and INBOUND,
-respectively.
-For the gateway, the field should be <code>CLIENT</code> or <code>CLIENT_AND_SERVER</code>.
-If not specified, the default value is <code>CLIENT_AND_SERVER</code>.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="WasmPlugin-TrafficSelector-ports">
-<td><code>ports</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/type/workload-selector.html#PortSelector">PortSelector[]</a></code></td>
-<td>
-<p>Criteria for selecting traffic by their destination port.
-More specifically, for the outbound traffic, the destination port would be
-the port of the target service. On the other hand, for the inbound traffic,
-the destination port is the port bound by the server process in the same Pod.</p>
-<p>If one of the given <code>ports</code> is matched, this condition is evaluated to true.
-If not specified, this condition is evaluated to true for any port.</p>
-
-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -545,21 +501,21 @@ The detailed <code>NETWORK</code> interface can be found here:</p>
 </thead>
 <tbody>
 <tr id="PluginType-UNSPECIFIED_PLUGIN_TYPE">
-<td><code>UNSPECIFIED_PLUGIN_TYPE</code></td>
+<td><code><a href="#PluginType-UNSPECIFIED_PLUGIN_TYPE">UNSPECIFIED_PLUGIN_TYPE</a></code></td>
 <td>
 <p>Defaults to HTTP.</p>

 </td>
 </tr>
 <tr id="PluginType-HTTP">
-<td><code>HTTP</code></td>
+<td><code><a href="#PluginType-HTTP">HTTP</a></code></td>
 <td>
 <p>Use HTTP Wasm Extension.</p>

 </td>
 </tr>
 <tr id="PluginType-NETWORK">
-<td><code>NETWORK</code></td>
+<td><code><a href="#PluginType-NETWORK">NETWORK</a></code></td>
 <td>
 <p>Use Network Wasm Extension.</p>

@ -581,7 +537,7 @@ The detailed <code>NETWORK</code> interface can be found here:</p>
 </thead>
 <tbody>
 <tr id="PluginPhase-UNSPECIFIED_PHASE">
-<td><code>UNSPECIFIED_PHASE</code></td>
+<td><code><a href="#PluginPhase-UNSPECIFIED_PHASE">UNSPECIFIED_PHASE</a></code></td>
 <td>
 <p>Control plane decides where to insert the plugin. This will generally
 be at the end of the filter chain, right before the Router.
@ -590,21 +546,21 @@ Do not specify <code>PluginPhase</code> if the plugin is independent of others.<
 </td>
 </tr>
 <tr id="PluginPhase-AUTHN">
-<td><code>AUTHN</code></td>
+<td><code><a href="#PluginPhase-AUTHN">AUTHN</a></code></td>
 <td>
 <p>Insert plugin before Istio authentication filters.</p>

 </td>
 </tr>
 <tr id="PluginPhase-AUTHZ">
-<td><code>AUTHZ</code></td>
+<td><code><a href="#PluginPhase-AUTHZ">AUTHZ</a></code></td>
 <td>
 <p>Insert plugin before Istio authorization filters and after Istio authentication filters.</p>

 </td>
 </tr>
 <tr id="PluginPhase-STATS">
-<td><code>STATS</code></td>
+<td><code><a href="#PluginPhase-STATS">STATS</a></code></td>
 <td>
 <p>Insert plugin before Istio stats filters and after Istio authorization filters.</p>

@ -627,7 +583,7 @@ mirroring K8s behaviour.</p>
 </thead>
 <tbody>
 <tr id="PullPolicy-UNSPECIFIED_POLICY">
-<td><code>UNSPECIFIED_POLICY</code></td>
+<td><code><a href="#PullPolicy-UNSPECIFIED_POLICY">UNSPECIFIED_POLICY</a></code></td>
 <td>
 <p>Defaults to <code>IfNotPresent</code>, except for OCI images with tag <code>latest</code>, for which
 the default will be <code>Always</code>.</p>
@ -635,7 +591,7 @@ the default will be <code>Always</code>.</p>
 </td>
 </tr>
 <tr id="PullPolicy-IfNotPresent">
-<td><code>IfNotPresent</code></td>
+<td><code><a href="#PullPolicy-IfNotPresent">IfNotPresent</a></code></td>
 <td>
 <p>If an existing version of the image has been pulled before, that
 will be used. If no version of the image is present locally, we
@ -644,7 +600,7 @@ will pull the latest version.</p>
 </td>
 </tr>
 <tr id="PullPolicy-Always">
-<td><code>Always</code></td>
+<td><code><a href="#PullPolicy-Always">Always</a></code></td>
 <td>
 <p>We will always pull the latest version of an image when changing
 this plugin. Note that the change includes <code>metadata</code> field as well.</p>
@ -665,16 +621,16 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
 </thead>
 <tbody>
 <tr id="EnvValueSource-INLINE">
-<td><code>INLINE</code></td>
+<td><code><a href="#EnvValueSource-INLINE">INLINE</a></code></td>
 <td>
 <p>Explicitly given key-value pairs to be injected to this VM</p>

 </td>
 </tr>
 <tr id="EnvValueSource-HOST">
-<td><code>HOST</code></td>
+<td><code><a href="#EnvValueSource-HOST">HOST</a></code></td>
 <td>
-<p><em>Istio-proxy&rsquo;s</em> environment variables exposed to this VM.</p>
+<p>Proxy environment variables exposed to this VM.</p>

 </td>
 </tr>
@ -692,7 +648,7 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
 </thead>
 <tbody>
 <tr id="FailStrategy-FAIL_CLOSE">
-<td><code>FAIL_CLOSE</code></td>
+<td><code><a href="#FailStrategy-FAIL_CLOSE">FAIL_CLOSE</a></code></td>
 <td>
 <p>A fatal error in the binary fetching or during the plugin execution causes
 all subsequent requests to fail with 5xx.</p>
@ -700,13 +656,22 @@ all subsequent requests to fail with 5xx.</p>
 </td>
 </tr>
 <tr id="FailStrategy-FAIL_OPEN">
-<td><code>FAIL_OPEN</code></td>
+<td><code><a href="#FailStrategy-FAIL_OPEN">FAIL_OPEN</a></code></td>
 <td>
 <p>Enables the fail open behavior for the Wasm plugin fatal errors to bypass
 the plugin execution. A fatal error can be a failure to fetch the remote
 binary, an exception, or abort() on the VM. This flag is not recommended
 for the authentication or the authorization plugins.</p>

+</td>
+</tr>
+<tr id="FailStrategy-FAIL_RELOAD">
+<td><code><a href="#FailStrategy-FAIL_RELOAD">FAIL_RELOAD</a></code></td>
+<td>
+<p>New plugin instance will be created for the new request if the Wasm plugin
+has failed. This only applies for <code>proxy_wasm::FailState::RuntimeError</code>.
+For all other error types this will fallback to <code>FAIL_CLOSED</code>.</p>
+
 </td>
 </tr>
 </tbody>
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@ -14,11 +14,6 @@

 syntax = "proto3";

-import "google/protobuf/wrappers.proto";
-import "google/protobuf/struct.proto";
-import "type/v1beta1/selector.proto";
-import "google/api/field_behavior.proto";
-
 // $schema: istio.extensions.v1alpha1.WasmPlugin
 // $title: Wasm Plugin
 // $description: Extend the functionality provided by the Istio proxy through WebAssembly filters.
@ -28,7 +23,7 @@ import "google/api/field_behavior.proto";
 // WasmPlugins provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
-// Order of execution (as part of Envoy's filter chain) is determined by
+// The order of execution (as part of Envoy's filter chain) is determined by
 // phase and priority settings, allowing the configuration of complex
 // interactions between user-supplied WasmPlugins and Istio's internal
 // filters.
@ -207,9 +202,14 @@ import "google/api/field_behavior.proto";
 //
 package istio.extensions.v1alpha1;

-option go_package="istio.io/api/extensions/v1alpha1";
+import "google/api/field_behavior.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+import "type/v1beta1/selector.proto";

-// WasmPlugins provides a mechanism to extend the functionality provided by
+option go_package = "istio.io/api/extensions/v1alpha1";
+
+// WasmPlugin provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
 // <!-- crd generation tags
@ -236,7 +236,7 @@ option go_package="istio.io/api/extensions/v1alpha1";
 // +genclient
 // +k8s:deepcopy-gen=true
 // -->
-// +kubebuilder:validation:XValidation:message="only one of targetRefs or selector can be set",rule="(has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1"
+// +kubebuilder:validation:XValidation:message="only one of targetRefs or selector can be set",rule="oneof(self.selector, self.targetRef, self.targetRefs)"
 message WasmPlugin {
  // Criteria used to select the specific set of pods/VMs on which
  // this plugin configuration should be applied. If omitted, this
@ -257,7 +257,9 @@ message WasmPlugin {
  //
  // Currently, the following resource attachment types are supported:
  // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
  // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+  // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
  //
  // If not set, the policy is applied as defined by the selector.
  // At most one of the selector and targetRefs can be set.
@ -387,7 +389,6 @@ message WasmPlugin {
  PluginType type = 14;
 }

-
 // PluginType indicates the type of Wasm extension to be used.
 // There are two types of extensions: `HTTP` and `NETWORK`.
 //
@ -408,7 +409,7 @@ enum PluginType {

  // Use HTTP Wasm Extension.
  HTTP = 1;
-  
+
  // Use Network Wasm Extension.
  NETWORK = 2;
 }
@ -462,7 +463,7 @@ message VmConfig {
  repeated EnvVar env = 1;
 }

-// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="(has(self.valueFrom) ? self.valueFrom : '') != 'HOST' || !has(self.value)"
+// +kubebuilder:validation:XValidation:message="value may only be set when valueFrom is INLINE",rule="default(self.valueFrom, '') != 'HOST' || !has(self.value)"
 message EnvVar {
  // Name of the environment variable.
  // Must be a C_IDENTIFIER.
@ -484,7 +485,7 @@ enum EnvValueSource {
  // Explicitly given key-value pairs to be injected to this VM
  INLINE = 0;

-  // *Istio-proxy's* environment variables exposed to this VM.
+  // Proxy environment variables exposed to this VM.
  HOST = 1;
 }

@ -498,4 +499,9 @@ enum FailStrategy {
  // binary, an exception, or abort() on the VM. This flag is not recommended
  // for the authentication or the authorization plugins.
  FAIL_OPEN = 1;
+
+  // New plugin instance will be created for the new request if the Wasm plugin
+  // has failed. This only applies for ``proxy_wasm::FailState::RuntimeError``.
+  // For all other error types this will fallback to ``FAIL_CLOSED``.
+  FAIL_RELOAD = 2;
 }
--- a/gen.sh
+++ b/gen.sh
@ -36,3 +36,6 @@ buf generate --template buf.gen-noncrd.yaml \
 # These plugins are sent to Envoy, which uses golang/protobuf, so do not use gogo
 buf generate --template buf.gen-golang.yaml \
  --path envoy
+
+# Format Protobuf files
+buf format -w
--- a/go.mod
+++ b/go.mod
@ -1,17 +1,19 @@
 module istio.io/api

-go 1.22.0
+go 1.23.0
+
+toolchain go1.23.7

 require (
 	github.com/golang/protobuf v1.5.4
-	google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8
-	google.golang.org/grpc v1.64.1
-	google.golang.org/protobuf v1.34.1
+	google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463
+	google.golang.org/grpc v1.71.0
+	google.golang.org/protobuf v1.36.6
 )

 require (
-	golang.org/x/net v0.26.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 // indirect
+	golang.org/x/net v0.38.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,18 +1,36 @@
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 h1:W5Xj/70xIA4x60O/IFyXivR5MGqblAb8R3w26pnD6No=
-google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8/go.mod h1:vPrPUTsDCYxXWjP7clS81mZ6/803D8K4iM9Ma27VKas=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 h1:mxSlqyb8ZAHsYDCfiXN1EDdNTdvjUJSLY+OnAUtYNYA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8/go.mod h1:I7Y+G38R2bu5j1aLzfFmQfTcU/WnFuqDwLZAbvKTKpM=
-google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
-google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
+google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 h1:hE3bRWtU6uceqlh4fhrSnUyjKHMKB9KrTLLG+bc0ddM=
+google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463/go.mod h1:U90ffi8eUL9MwPcrJylN5+Mk2v3vuPDptd5yyNUiRR8=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
--- a/label/labels.gen.go
+++ b/label/labels.gen.go
@ -131,7 +131,7 @@ var (
 Possible values: "ambient", "none".
 Note: users wishing to use sidecar mode should see the "istio-injection" label; there is no value on this label to configure sidecars.
 `,
-		FeatureStatus: Beta,
+		FeatureStatus: Stable,
 		Hidden:        false,
 		Deprecated:    false,
 		Resources: []ResourceTypes{
@ -172,9 +172,9 @@ The waypoint is assumed to be in the same namespace; for cross-namespace, see "i
 When set or a "Pod" or a "Service", this binds that specific resource to the waypoint.
 When set on a "Namespace", this applies to all "Pod"/"Service" in the namespace.

-Note: the waypoint must allow the type, see "stio.io/waypoint-for".
+Note: the waypoint must allow the type, see "istio.io/waypoint-for".
 `,
-		FeatureStatus: Beta,
+		FeatureStatus: Stable,
 		Hidden:        false,
 		Deprecated:    false,
 		Resources: []ResourceTypes{
@ -210,7 +210,7 @@ indicates the type of traffic this waypoint can handle.

 Valid options: "service", "workload", "all", and "none".
 `,
-		FeatureStatus: Beta,
+		FeatureStatus: Stable,
 		Hidden:        false,
 		Deprecated:    false,
 		Resources: []ResourceTypes{
@ -322,6 +322,20 @@ Valid options: "true", "false"
 		},
 	}

+	ServiceWorkloadName = Instance {
+		Name:          "service.istio.io/workload-name",
+		Description:   `The workload name of the application a workload belongs to. If unset, defaults to the detect parent resource.
+For example, a "Pod" resource may default to the "Deployment" name.
+`,
+		FeatureStatus: Alpha,
+		Hidden:        false,
+		Deprecated:    false,
+		Resources: []ResourceTypes{
+			Pod,
+			WorkloadEntry,
+		},
+	}
+
 	SidecarInject = Instance {
 		Name:          "sidecar.istio.io/inject",
 		Description:   "Specifies whether or not an Envoy sidecar should be "+
@ -433,6 +447,7 @@ func AllResourceLabels() []*Instance {
 		&SecurityTlsMode,
 		&ServiceCanonicalName,
 		&ServiceCanonicalRevision,
+		&ServiceWorkloadName,
 		&SidecarInject,
 		&TopologyCluster,
 		&TopologyNetwork,
--- a/label/labels.pb.html
+++ b/label/labels.pb.html
@ -62,7 +62,7 @@ Istio supports to control its behavior.
    </tr>
    <tr>
      <th>Feature Status</th>
-      <td>Beta</td>
+      <td>Stable</td>
    </tr>
    <tr>
      <th>Resource Types</th>
@ -130,7 +130,7 @@ Note: users wishing to use sidecar mode should see the <code>istio-injection</co
    </tr>
    <tr>
      <th>Feature Status</th>
-      <td>Beta</td>
+      <td>Stable</td>
    </tr>
    <tr>
      <th>Resource Types</th>
@ -144,7 +144,7 @@ The waypoint is assumed to be in the same namespace; for cross-namespace, see <c
 <p>When set or a <code>Pod</code> or a <code>Service</code>, this binds that specific resource to the waypoint.
 When set on a <code>Namespace</code>, this applies to all <code>Pod</code>/<code>Service</code> in the namespace.</p>

-<p>Note: the waypoint must allow the type, see <code>stio.io/waypoint-for</code>.</p>
+<p>Note: the waypoint must allow the type, see <code>istio.io/waypoint-for</code>.</p>
 </td>
    </tr>
  </tbody>
@ -181,7 +181,7 @@ This must be set in addition to <code>istio.io/use-waypoint</code>, when a cross
    </tr>
    <tr>
      <th>Feature Status</th>
-      <td>Beta</td>
+      <td>Stable</td>
    </tr>
    <tr>
      <th>Resource Types</th>
@ -287,6 +287,29 @@ indicates the type of traffic this waypoint can handle.</p>
    </tr>
  </tbody>
 </table>
+<h2 id="ServiceWorkloadName">service.istio.io/workload-name</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>service.istio.io/workload-name</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod WorkloadEntry]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>The workload name of the application a workload belongs to. If unset, defaults to the detect parent resource.
+For example, a <code>Pod</code> resource may default to the <code>Deployment</code> name.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="SidecarInject">sidecar.istio.io/inject</h2>
 <table class="annotations">
  <tbody>
--- a/label/labels.yaml
+++ b/label/labels.yaml
@ -49,6 +49,17 @@ labels:
    resources:
      - Pod

+  - name: service.istio.io/workload-name
+    featureStatus: Alpha
+    description: |
+      The workload name of the application a workload belongs to. If unset, defaults to the detect parent resource.
+      For example, a `Pod` resource may default to the `Deployment` name.
+    hidden: false
+    deprecated: false
+    resources:
+      - Pod
+      - WorkloadEntry
+
  - name: istio.io/rev
    featureStatus: Alpha
    description: Istio control plane revision associated with the resource; e.g. `canary`
@ -183,7 +194,7 @@ labels:
      - Service

  - name: istio.io/dataplane-mode
-    featureStatus: Beta
+    featureStatus: Stable
    description: |
      When set on a resource, indicates the [data plane mode](/docs/overview/dataplane-modes/) to use.
      Possible values: `ambient`, `none`.
@ -195,7 +206,7 @@ labels:
      - Namespace

  - name: istio.io/use-waypoint
-    featureStatus: Beta
+    featureStatus: Stable
    description: |
      When set on a resource, indicates the resource has an associated waypoint with the given name.
      The waypoint is assumed to be in the same namespace; for cross-namespace, see `istio.io/use-waypoint-namespace`.
@ -203,7 +214,7 @@ labels:
      When set or a `Pod` or a `Service`, this binds that specific resource to the waypoint.
      When set on a `Namespace`, this applies to all `Pod`/`Service` in the namespace.

-      Note: the waypoint must allow the type, see `stio.io/waypoint-for`.
+      Note: the waypoint must allow the type, see `istio.io/waypoint-for`.
    deprecated: false
    hidden: false
    resources:
@ -228,7 +239,7 @@ labels:
      - Namespace

  - name: istio.io/waypoint-for
-    featureStatus: Beta
+    featureStatus: Stable
    description: |
      When set on a waypoint (either by its specific `Gateway`, or for the entire collection on the `GatewayClass`),
      indicates the type of traffic this waypoint can handle.
--- a/licenses/golang.org/x/net/LICENSE
+++ b/licenses/golang.org/x/net/LICENSE
@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.

--- a/licenses/golang.org/x/sys/LICENSE
+++ b/licenses/golang.org/x/sys/LICENSE
@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.

--- a/licenses/golang.org/x/text/LICENSE
+++ b/licenses/golang.org/x/text/LICENSE
@ -1,4 +1,4 @@
-Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright 2009 The Go Authors.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@ -10,7 +10,7 @@ notice, this list of conditions and the following disclaimer.
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
-   * Neither the name of Google Inc. nor the names of its
+   * Neither the name of Google LLC nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.

--- a/mcp/v1alpha1/metadata.pb.go
+++ b/mcp/v1alpha1/metadata.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: mcp/v1alpha1/metadata.proto

@ -28,6 +28,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -39,10 +40,7 @@ const (

 // Metadata information that all resources within the Mesh Configuration Protocol must have.
 type Metadata struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Fully qualified name of the resource. Unique in context of a collection.
 	//
 	// The fully qualified name consists of a directory and basename. The directory identifies
@ -83,10 +81,12 @@ type Metadata struct {
 	Version string `protobuf:"bytes,3,opt,name=version,proto3" json:"version,omitempty"`
 	// Map of string keys and values that can be used to organize and categorize
 	// resources within a collection.
-	Labels map[string]string `protobuf:"bytes,4,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Labels map[string]string `protobuf:"bytes,4,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// Map of string keys and values that can be used by source and sink to communicate
 	// arbitrary metadata about this resource.
-	Annotations map[string]string `protobuf:"bytes,5,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Annotations   map[string]string `protobuf:"bytes,5,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Metadata) Reset() {
@ -156,49 +156,31 @@ func (x *Metadata) GetAnnotations() map[string]string {

 var File_mcp_v1alpha1_metadata_proto protoreflect.FileDescriptor

-var file_mcp_v1alpha1_metadata_proto_rawDesc = []byte{
-	0x0a, 0x1b, 0x6d, 0x63, 0x70, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x6d,
-	0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x63, 0x70, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
-	0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x22, 0x83, 0x03, 0x0a, 0x08, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12,
-	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
-	0x61, 0x6d, 0x65, 0x12, 0x3b, 0x0a, 0x0b, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x5f, 0x74, 0x69,
-	0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73,
-	0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x54, 0x69, 0x6d, 0x65,
-	0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x40, 0x0a, 0x06, 0x6c, 0x61,
-	0x62, 0x65, 0x6c, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6d, 0x63, 0x70, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
-	0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45,
-	0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x4f, 0x0a, 0x0b,
-	0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28,
-	0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x63, 0x70, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x2e,
-	0x41, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
-	0x52, 0x0b, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0x39, 0x0a,
-	0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03,
-	0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x3e, 0x0a, 0x10, 0x41, 0x6e, 0x6e, 0x6f,
-	0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03,
-	0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14,
-	0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76,
-	0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x1b, 0x5a, 0x19, 0x69, 0x73, 0x74, 0x69,
-	0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x63, 0x70, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_mcp_v1alpha1_metadata_proto_rawDesc = "" +
+	"\n" +
+	"\x1bmcp/v1alpha1/metadata.proto\x12\x12istio.mcp.v1alpha1\x1a\x1fgoogle/protobuf/timestamp.proto\"\x83\x03\n" +
+	"\bMetadata\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12;\n" +
+	"\vcreate_time\x18\x02 \x01(\v2\x1a.google.protobuf.TimestampR\n" +
+	"createTime\x12\x18\n" +
+	"\aversion\x18\x03 \x01(\tR\aversion\x12@\n" +
+	"\x06labels\x18\x04 \x03(\v2(.istio.mcp.v1alpha1.Metadata.LabelsEntryR\x06labels\x12O\n" +
+	"\vannotations\x18\x05 \x03(\v2-.istio.mcp.v1alpha1.Metadata.AnnotationsEntryR\vannotations\x1a9\n" +
+	"\vLabelsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1a>\n" +
+	"\x10AnnotationsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\x1bZ\x19istio.io/api/mcp/v1alpha1b\x06proto3"

 var (
 	file_mcp_v1alpha1_metadata_proto_rawDescOnce sync.Once
-	file_mcp_v1alpha1_metadata_proto_rawDescData = file_mcp_v1alpha1_metadata_proto_rawDesc
+	file_mcp_v1alpha1_metadata_proto_rawDescData []byte
 )

 func file_mcp_v1alpha1_metadata_proto_rawDescGZIP() []byte {
 	file_mcp_v1alpha1_metadata_proto_rawDescOnce.Do(func() {
-		file_mcp_v1alpha1_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(file_mcp_v1alpha1_metadata_proto_rawDescData)
+		file_mcp_v1alpha1_metadata_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mcp_v1alpha1_metadata_proto_rawDesc), len(file_mcp_v1alpha1_metadata_proto_rawDesc)))
 	})
 	return file_mcp_v1alpha1_metadata_proto_rawDescData
 }
@ -230,7 +212,7 @@ func file_mcp_v1alpha1_metadata_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_mcp_v1alpha1_metadata_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcp_v1alpha1_metadata_proto_rawDesc), len(file_mcp_v1alpha1_metadata_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
@ -241,7 +223,6 @@ func file_mcp_v1alpha1_metadata_proto_init() {
 		MessageInfos:      file_mcp_v1alpha1_metadata_proto_msgTypes,
 	}.Build()
 	File_mcp_v1alpha1_metadata_proto = out.File
-	file_mcp_v1alpha1_metadata_proto_rawDesc = nil
 	file_mcp_v1alpha1_metadata_proto_goTypes = nil
 	file_mcp_v1alpha1_metadata_proto_depIdxs = nil
 }
--- a/mcp/v1alpha1/metadata.proto
+++ b/mcp/v1alpha1/metadata.proto
@ -20,7 +20,7 @@ package istio.mcp.v1alpha1;

 import "google/protobuf/timestamp.proto";

-option go_package="istio.io/api/mcp/v1alpha1";
+option go_package = "istio.io/api/mcp/v1alpha1";

 // Metadata information that all resources within the Mesh Configuration Protocol must have.
 message Metadata {
@ -67,9 +67,9 @@ message Metadata {

  // Map of string keys and values that can be used to organize and categorize
  // resources within a collection.
-  map<string,string> labels = 4;
+  map<string, string> labels = 4;

  // Map of string keys and values that can be used by source and sink to communicate
  // arbitrary metadata about this resource.
-  map<string,string> annotations = 5;
+  map<string, string> annotations = 5;
 }
--- a/mcp/v1alpha1/metadata_json.gen.go
+++ b/mcp/v1alpha1/metadata_json.gen.go
@ -0,0 +1,23 @@
+// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
+package v1alpha1
+
+import (
+	bytes "bytes"
+	jsonpb "github.com/golang/protobuf/jsonpb"
+)
+
+// MarshalJSON is a custom marshaler for Metadata
+func (this *Metadata) MarshalJSON() ([]byte, error) {
+	str, err := MetadataMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Metadata
+func (this *Metadata) UnmarshalJSON(b []byte) error {
+	return MetadataUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+var (
+	MetadataMarshaler   = &jsonpb.Marshaler{}
+	MetadataUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
+)
--- a/mcp/v1alpha1/resource.pb.go
+++ b/mcp/v1alpha1/resource.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: mcp/v1alpha1/resource.proto

@ -30,6 +30,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -42,14 +43,13 @@ const (
 // Resource as transferred via the Mesh Configuration Protocol. Each
 // resource is made up of common metadata, and a type-specific resource payload.
 type Resource struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Common metadata describing the resource.
 	Metadata *Metadata `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"`
 	// The primary payload for the resource.
-	Body *any1.Any `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"`
+	Body          *any1.Any `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Resource) Reset() {
@ -98,33 +98,21 @@ func (x *Resource) GetBody() *any1.Any {

 var File_mcp_v1alpha1_resource_proto protoreflect.FileDescriptor

-var file_mcp_v1alpha1_resource_proto_rawDesc = []byte{
-	0x0a, 0x1b, 0x6d, 0x63, 0x70, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x72,
-	0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x12, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x63, 0x70, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
-	0x31, 0x1a, 0x19, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2f, 0x61, 0x6e, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x6d, 0x63,
-	0x70, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x6d, 0x65, 0x74, 0x61, 0x64,
-	0x61, 0x74, 0x61, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x6e, 0x0a, 0x08, 0x52, 0x65, 0x73,
-	0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x38, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
-	0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x6d, 0x63, 0x70, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74,
-	0x61, 0x64, 0x61, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12,
-	0x28, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x41, 0x6e, 0x79, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x42, 0x1b, 0x5a, 0x19, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x63, 0x70, 0x2f, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_mcp_v1alpha1_resource_proto_rawDesc = "" +
+	"\n" +
+	"\x1bmcp/v1alpha1/resource.proto\x12\x12istio.mcp.v1alpha1\x1a\x19google/protobuf/any.proto\x1a\x1bmcp/v1alpha1/metadata.proto\"n\n" +
+	"\bResource\x128\n" +
+	"\bmetadata\x18\x01 \x01(\v2\x1c.istio.mcp.v1alpha1.MetadataR\bmetadata\x12(\n" +
+	"\x04body\x18\x02 \x01(\v2\x14.google.protobuf.AnyR\x04bodyB\x1bZ\x19istio.io/api/mcp/v1alpha1b\x06proto3"

 var (
 	file_mcp_v1alpha1_resource_proto_rawDescOnce sync.Once
-	file_mcp_v1alpha1_resource_proto_rawDescData = file_mcp_v1alpha1_resource_proto_rawDesc
+	file_mcp_v1alpha1_resource_proto_rawDescData []byte
 )

 func file_mcp_v1alpha1_resource_proto_rawDescGZIP() []byte {
 	file_mcp_v1alpha1_resource_proto_rawDescOnce.Do(func() {
-		file_mcp_v1alpha1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(file_mcp_v1alpha1_resource_proto_rawDescData)
+		file_mcp_v1alpha1_resource_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mcp_v1alpha1_resource_proto_rawDesc), len(file_mcp_v1alpha1_resource_proto_rawDesc)))
 	})
 	return file_mcp_v1alpha1_resource_proto_rawDescData
 }
@ -155,7 +143,7 @@ func file_mcp_v1alpha1_resource_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_mcp_v1alpha1_resource_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcp_v1alpha1_resource_proto_rawDesc), len(file_mcp_v1alpha1_resource_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   1,
 			NumExtensions: 0,
@ -166,7 +154,6 @@ func file_mcp_v1alpha1_resource_proto_init() {
 		MessageInfos:      file_mcp_v1alpha1_resource_proto_msgTypes,
 	}.Build()
 	File_mcp_v1alpha1_resource_proto = out.File
-	file_mcp_v1alpha1_resource_proto_rawDesc = nil
 	file_mcp_v1alpha1_resource_proto_goTypes = nil
 	file_mcp_v1alpha1_resource_proto_depIdxs = nil
 }
--- a/mcp/v1alpha1/resource.proto
+++ b/mcp/v1alpha1/resource.proto
@ -22,14 +22,14 @@ package istio.mcp.v1alpha1;
 import "google/protobuf/any.proto";
 import "mcp/v1alpha1/metadata.proto";

-option go_package="istio.io/api/mcp/v1alpha1";
+option go_package = "istio.io/api/mcp/v1alpha1";

 // Resource as transferred via the Mesh Configuration Protocol. Each
 // resource is made up of common metadata, and a type-specific resource payload.
 message Resource {
-    // Common metadata describing the resource.
-    istio.mcp.v1alpha1.Metadata metadata = 1;
+  // Common metadata describing the resource.
+  istio.mcp.v1alpha1.Metadata metadata = 1;

-    // The primary payload for the resource.
-    google.protobuf.Any body = 2;
+  // The primary payload for the resource.
+  google.protobuf.Any body = 2;
 }
--- a/mcp/v1alpha1/resource_json.gen.go
+++ b/mcp/v1alpha1/resource_json.gen.go
@ -0,0 +1,23 @@
+// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
+package v1alpha1
+
+import (
+	bytes "bytes"
+	jsonpb "github.com/golang/protobuf/jsonpb"
+)
+
+// MarshalJSON is a custom marshaler for Resource
+func (this *Resource) MarshalJSON() ([]byte, error) {
+	str, err := ResourceMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Resource
+func (this *Resource) UnmarshalJSON(b []byte) error {
+	return ResourceUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+var (
+	ResourceMarshaler   = &jsonpb.Marshaler{}
+	ResourceUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
+)
--- a/mesh/v1alpha1/config.pb.go
+++ b/mesh/v1alpha1/config.pb.go
--- a/mesh/v1alpha1/config.proto
+++ b/mesh/v1alpha1/config.proto
@ -14,13 +14,6 @@

 syntax = "proto3";

-import "google/protobuf/duration.proto";
-import "google/protobuf/struct.proto";
-import "google/protobuf/wrappers.proto";
-import "mesh/v1alpha1/proxy.proto";
-import "networking/v1alpha3/destination_rule.proto";
-import "networking/v1alpha3/virtual_service.proto";
-
 // $title: Global Mesh Options
 // $description: Configuration affecting the service mesh as a whole.
 // $location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
@ -30,7 +23,14 @@ import "networking/v1alpha3/virtual_service.proto";
 // Configuration affecting the service mesh as a whole.
 package istio.mesh.v1alpha1;

-option go_package="istio.io/api/mesh/v1alpha1";
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+import "mesh/v1alpha1/proxy.proto";
+import "networking/v1alpha3/destination_rule.proto";
+import "networking/v1alpha3/virtual_service.proto";
+
+option go_package = "istio.io/api/mesh/v1alpha1";

 // MeshConfig defines mesh-wide settings for the Istio service mesh.
 message MeshConfig {
@ -45,7 +45,7 @@ message MeshConfig {
  // Port on which Envoy should listen for HTTP PROXY requests if set.
  int32 proxy_http_port = 5;

-  // Connection timeout used by Envoy. (MUST BE >=1ms)
+  // Connection timeout used by Envoy. (MUST be >=1ms)
  // Default timeout is 10s.
  google.protobuf.Duration connect_timeout = 6;

@ -58,7 +58,7 @@ message MeshConfig {
  // MongoDB, etc. Envoy will timeout on the protocol detection after
  // the specified period, defaulting to non mTLS plain TCP
  // traffic. Set this field to tweak the period that Envoy will wait
-  // for the client to send the first bits of data. (MUST BE >=1ms or
+  // for the client to send the first bits of data. (MUST be >=1ms or
  // 0s to disable). Default detection timeout is 0s (no timeout).
  //
  // Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit
@ -394,7 +394,7 @@ message MeshConfig {
  // Configure the provision of certificates.
  //
  // Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates.
-  repeated Certificate certificates = 47 [deprecated=true];
+  repeated Certificate certificates = 47 [deprecated = true];

  reserved 49;
  reserved "thrift_config";
@ -413,6 +413,14 @@ message MeshConfig {
  //       - "*.foo.svc.cluster.local"
  //       - "bar.baz.svc.cluster.local"
  // ```
+  //
+  // When in ambient mode, if ServiceSettings are defined they will be considered in addition to the
+  // ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a
+  // global service scope selector, the service will be considered cluster local. If a service is
+  // considered global by ServiceSettings and does not match a global service scope selector
+  // the serive will be considered local. Local scope takes precedence over global scope. Since
+  // ServiceScopeConfigs is local by default, all services are considered local unless it is considered
+  // global by ServiceSettings AND ServiceScopeConfigs.
  message ServiceSettings {
    // Settings for the selected services.
    message Settings {
@ -450,6 +458,54 @@ message MeshConfig {
  // Settings to be applied to select services.
  repeated ServiceSettings service_settings = 50;

+  // Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
+  // to define the criteria by which the cluster's control plane determines which services in other
+  // clusters in the mesh are treated as global (accessible across multiple clusters) versus local
+  // (restricted to a single cluster). The configuration can be applied to services based on namespace
+  // and/or other matching criteria. This is particularly  useful in multicluster service mesh deployments
+  // to control service visibility and access across clusters. This API is not intended to enforce
+  // security policies. Resources like DestinationRules should be used to enforce authorization policies.
+  // If a service matches a global service scope selector, the service's endpoints will be globally
+  // exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
+  // services.
+  //
+  // For example, the following configures the scope of all services with the "istio.io/global" label
+  // in matching namespaces to be available globally:
+  //
+  // ```yaml
+  // serviceScopeConfigs:
+  //  - namespacesSelector:
+  //      matchExpressions:
+  //        - key: istio.io/global
+  //          operator: In
+  //          values: [true]
+  //    servicesSelector:
+  //      matchExpressions:
+  //        - key: istio.io/global
+  //          operator: Exists
+  //    scope: GLOBAL
+  // ```
+  message ServiceScopeConfigs {
+    // The scope of the matching service. Used to determine if the service is available locally
+    // (cluster local) or globally (mesh-wide).
+    enum Scope {
+      LOCAL = 0;
+      GLOBAL = 1;
+    }
+
+    // Match expression for namespaces.
+    LabelSelector namespace_selector = 1;
+
+    // Match expression for serivces.
+    LabelSelector services_selector = 2;
+
+    // Specifics the available scope for matching services.
+    Scope scope = 3;
+  }
+
+  // Scope to be applied to select services.
+  repeated ServiceScopeConfigs service_scope_configs = 67;
+
  // If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
  // and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
  // and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
@ -481,8 +537,8 @@ message MeshConfig {
  // match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate.
  // For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example,
  // if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches
-  // ``.x.y.com` suffix.
-  google.protobuf.BoolValue verify_certificate_at_client = 54 [deprecated=true];
+  // `.x.y.com` suffix.
+  google.protobuf.BoolValue verify_certificate_at_client = 54 [deprecated = true];

  message CA {
    // REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
@ -524,15 +580,16 @@ message MeshConfig {
      // $hide_from_docs
      // Configures a Lightstep tracing provider.
      // Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027
-      LightstepTracingProvider lightstep = 5 [deprecated=true];
+      LightstepTracingProvider lightstep = 5 [deprecated = true];
      // Configures a Datadog tracing provider.
      DatadogTracingProvider datadog = 6;
+      // $hide_from_docs
      // Configures a Stackdriver provider.
      StackdriverProvider stackdriver = 7;
      // $hide_from_docs
      // Configures an OpenCensusAgent tracing provider.
      // Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/
-      OpenCensusAgentTracingProvider opencensus = 8 [deprecated=true];
+      OpenCensusAgentTracingProvider opencensus = 8 [deprecated = true];
      // Configures a Apache SkyWalking provider.
      SkyWalkingTracingProvider skywalking = 9;
      // Configures an OpenTelemetry tracing provider.
@ -547,9 +604,14 @@ message MeshConfig {
      EnvoyTcpGrpcV3LogProvider envoy_tcp_als = 13;
      // Configures an Envoy Open Telemetry Access Logging Service provider.
      EnvoyOpenTelemetryLogProvider envoy_otel_als = 14;
+      // Configures an Extension Provider for SDS. This can be used to
+      // configure an external SDS service to supply secrets for certain Gateways for example.
+      // This is useful for scenarios where the secrets are stored in an external secret store like Vault.
+      // The secret should be configured with sds://provider-name format.
+      SDSProvider sds = 16;

      // $hide_from_docs
-      // next id: 16
+      // next id: 17
    }

    message EnvoyExternalAuthorizationRequestBody {
@ -600,12 +662,17 @@ message MeshConfig {
      // Default is false and the request will be rejected with "Forbidden" response.
      bool fail_open = 4;

+      // If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
+      // If true, recalculate routes with the new ExtAuthZ added/removed headers.
+      // Default is false
+      bool clear_route_cache = 14;
+
      // Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
      // The default status is "403" (HTTP Forbidden).
      string status_on_error = 5;

      // DEPRECATED. Use includeRequestHeadersInCheck instead.
-      repeated string include_headers_in_check = 6 [deprecated=true];
+      repeated string include_headers_in_check = 6 [deprecated = true];

      // List of client request headers that should be included in the authorization request sent to the authorization service.
      // Note that in addition to the headers specified here following headers are included by default:
@ -673,7 +740,7 @@ message MeshConfig {
      repeated string headers_to_downstream_on_allow = 13;

      // $hide_from_docs
-      // Next available field number: 14
+      // Next available field number: 15
    }

    message EnvoyExternalAuthorizationGrpcProvider {
@ -698,6 +765,11 @@ message MeshConfig {
      // Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.
      bool fail_open = 3;

+      // If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
+      // If true, recalculate routes with the new ExtAuthZ added/removed headers.
+      // Default is false
+      bool clear_route_cache = 7;
+
      // Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
      // The default status is "403" (HTTP Forbidden).
      string status_on_error = 4;
@ -706,7 +778,7 @@ message MeshConfig {
      EnvoyExternalAuthorizationRequestBody include_request_body_in_check = 6;

      // $hide_from_docs
-      // Next available field number: 7
+      // Next available field number: 8
    }

    // Defines configuration for a Zipkin tracer.
@ -801,19 +873,19 @@ message MeshConfig {
    message StackdriverProvider {
      // debug enables trace output to stdout.
      // $hide_from_docs
-      bool debug = 1 [deprecated=true];
+      bool debug = 1 [deprecated = true];
      // The global default max number of attributes per span.
      // default is 200.
      // $hide_from_docs
-      google.protobuf.Int64Value max_number_of_attributes = 2 [deprecated=true];
+      google.protobuf.Int64Value max_number_of_attributes = 2 [deprecated = true];
      // The global default max number of annotation events per span.
      // default is 200.
      // $hide_from_docs
-      google.protobuf.Int64Value max_number_of_annotations = 3 [deprecated=true];
+      google.protobuf.Int64Value max_number_of_annotations = 3 [deprecated = true];
      // The global default max number of message events per span.
      // default is 200.
      // $hide_from_docs
-      google.protobuf.Int64Value max_number_of_message_events = 4 [deprecated=true];
+      google.protobuf.Int64Value max_number_of_message_events = 4 [deprecated = true];

      // Optional. Controls the overall path length allowed in a reported span.
      // NOTE: currently only controls max length of the path tag.
@ -931,6 +1003,11 @@ message MeshConfig {

      // Optional. Allows overriding of the default access log format.
      LogFormat log_format = 2;
+
+      // Optional. If set to true, when command operators are evaluated to null,
+      // For text format, the output of the empty operator is changed from "-" to an empty string.
+      // For json format, the keys with null values are omitted in the output structure.
+      bool omit_empty_values = 3;
    }

    // Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als)
@ -1013,28 +1090,28 @@ message MeshConfig {
      LogFormat log_format = 4;

      message LogFormat {
-          // Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
-          // used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
-          // provides more information.
-          // Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
-          // Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
-          string text = 1;
+        // Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
+        // used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
+        // provides more information.
+        // Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
+        // Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
+        string text = 1;

-          // Optional. Additional attributes that describe the specific event occurrence.
-          // Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
-          // can be used as values for fields within the Struct. Values are rendered
-          // as strings, numbers, or boolean values, as appropriate
-          // (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
-          // supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
-          // Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
-          //
-          // Example:
-          // ```
-          // labels:
-          //   status: "%RESPONSE_CODE%"
-          //   message: "%LOCAL_REPLY_BODY%"
-          // ```
-          google.protobuf.Struct labels = 2;
+        // Optional. Additional attributes that describe the specific event occurrence.
+        // Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
+        // can be used as values for fields within the Struct. Values are rendered
+        // as strings, numbers, or boolean values, as appropriate
+        // (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
+        // supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
+        // Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
+        //
+        // Example:
+        // ```
+        // labels:
+        //   status: "%RESPONSE_CODE%"
+        //   message: "%LOCAL_REPLY_BODY%"
+        // ```
+        google.protobuf.Struct labels = 2;
      }
    }

@ -1162,7 +1239,6 @@ message MeshConfig {
      // Optional. Configure a [Sampler](https://opentelemetry.io/docs/specs/otel/trace/sdk/#sampler)
      // to be used by the OpenTelemetry Tracer.
      oneof sampling {
-
        // The Dynatrace adaptive traffic management (ATM) sampler.
        //
        // Example configuration:
@ -1230,6 +1306,23 @@ message MeshConfig {
      }
    }

+    // Defines configuration for an Gateway SDS provider.
+    message SDSProvider {
+      // REQUIRED. Specifies the name of the provider. This should be used to configure the Gateway SDS.
+      string name = 1;
+
+      // REQUIRED. Specifies the service that implements the  SDS service.
+      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
+      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
+      // service defined by the Kubernetes service or ServiceEntry.
+      //
+      // Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com".
+      string service = 2;
+
+      // REQUIRED. Specifies the port of the service.
+      uint32 port = 3;
+    }
+
    // Defines configuration for an HTTP service that can be used by an Extension Provider.
    // that does communication via HTTP.
    message HttpService {
@ -1248,8 +1341,17 @@ message MeshConfig {
    message HttpHeader {
      // REQUIRED. The HTTP header name.
      string name = 1;
-      // REQUIRED. The HTTP header value.
-      string value = 2;
+      // The HTTP header value.
+      oneof header_value {
+        // The HTTP header value.
+        string value = 2;
+        // The HTTP header value from the environment variable.
+        //
+        // Warning:
+        // - The environment variable must be set in the istiod pod spec.
+        // - This is not a end-to-end secure.
+        string env_name = 3;
+      }
    }

    message ResourceDetectors {
@ -1262,14 +1364,14 @@ message MeshConfig {
      // and adds them to the OpenTelemetry resource.
      //
      // See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable)
-      message EnvironmentResourceDetector { }
+      message EnvironmentResourceDetector {}

      // Dynatrace Resource Detector.
      // The resource detector reads from the Dynatrace enrichment files
      // and adds host/process related attributes to the OpenTelemetry resource.
      //
      // See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files)
-      message DynatraceResourceDetector { }
+      message DynatraceResourceDetector {}
    }

    // Defines configuration for an GRPC service that can be used by an Extension Provider.
@ -1279,7 +1381,7 @@ message MeshConfig {
      google.protobuf.Duration timeout = 1;

      // Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
-      // scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to
+      // scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to
      // be injected.
      repeated HttpHeader initial_metadata = 2;
    }
@ -1478,13 +1580,12 @@ message MeshConfig {
 }

 // Resource describes the source of configuration
- enum Resource {
-   // Set to only receive service entries that are generated by the platform.
-   // These auto generated service entries are combination of services and endpoints
-   // that are generated by a specific platform e.g. k8
-   SERVICE_REGISTRY = 0;
- }
-
+enum Resource {
+  // Set to only receive service entries that are generated by the platform.
+  // These auto generated service entries are combination of services and endpoints
+  // that are generated by a specific platform e.g. k8
+  SERVICE_REGISTRY = 0;
+}

 // A label selector requirement is a selector that contains values, a key, and an operator that
 // relates the key and values.
@ -1526,21 +1627,19 @@ message LabelSelectorRequirement {
 // mesh. A single control plane instance can interact with one or more data
 // sources.
 message ConfigSource {
- // Address of the server implementing the Istio Mesh Configuration
- // protocol (MCP). Can be IP address or a fully qualified DNS name.
- // Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
- // fs:/// to specify a file-based backend with absolute path to the directory.
- string address = 1;
- // Use the tlsSettings to specify the tls mode to use. If the MCP server
- // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
- // mode as `ISTIO_MUTUAL`.
- istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
- // Describes the source of configuration, if nothing is specified default is MCP
- repeated Resource subscribed_resources = 3;
+  // Address of the server implementing the Istio Mesh Configuration
+  // protocol (MCP). Can be IP address or a fully qualified DNS name.
+  // Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
+  // fs:/// to specify a file-based backend with absolute path to the directory.
+  string address = 1;
+  // Use the tlsSettings to specify the tls mode to use. If the MCP server
+  // uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
+  // mode as `ISTIO_MUTUAL`.
+  istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
+  // Describes the source of configuration, if nothing is specified default is MCP
+  repeated Resource subscribed_resources = 3;
 }

-
-
 // $hide_from_docs
 // Certificate configures the provision of a certificate and its key.
 // Example 1: key and cert stored in a secret
--- a/mesh/v1alpha1/config_json.gen.go
+++ b/mesh/v1alpha1/config_json.gen.go
@ -0,0 +1,485 @@
+// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
+package v1alpha1
+
+import (
+	bytes "bytes"
+	jsonpb "github.com/golang/protobuf/jsonpb"
+)
+
+// MarshalJSON is a custom marshaler for MeshConfig
+func (this *MeshConfig) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig
+func (this *MeshConfig) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_OutboundTrafficPolicy
+func (this *MeshConfig_OutboundTrafficPolicy) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_OutboundTrafficPolicy
+func (this *MeshConfig_OutboundTrafficPolicy) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_InboundTrafficPolicy
+func (this *MeshConfig_InboundTrafficPolicy) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_InboundTrafficPolicy
+func (this *MeshConfig_InboundTrafficPolicy) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_CertificateData
+func (this *MeshConfig_CertificateData) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_CertificateData
+func (this *MeshConfig_CertificateData) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ServiceSettings
+func (this *MeshConfig_ServiceSettings) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ServiceSettings
+func (this *MeshConfig_ServiceSettings) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ServiceSettings_Settings
+func (this *MeshConfig_ServiceSettings_Settings) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ServiceSettings_Settings
+func (this *MeshConfig_ServiceSettings_Settings) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ServiceScopeConfigs
+func (this *MeshConfig_ServiceScopeConfigs) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ServiceScopeConfigs
+func (this *MeshConfig_ServiceScopeConfigs) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_CA
+func (this *MeshConfig_CA) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_CA
+func (this *MeshConfig_CA) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider
+func (this *MeshConfig_ExtensionProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider
+func (this *MeshConfig_ExtensionProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody
+func (this *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody
+func (this *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationGrpcProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_ZipkinTracingProvider
+func (this *MeshConfig_ExtensionProvider_ZipkinTracingProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_ZipkinTracingProvider
+func (this *MeshConfig_ExtensionProvider_ZipkinTracingProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_LightstepTracingProvider
+func (this *MeshConfig_ExtensionProvider_LightstepTracingProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_LightstepTracingProvider
+func (this *MeshConfig_ExtensionProvider_LightstepTracingProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_DatadogTracingProvider
+func (this *MeshConfig_ExtensionProvider_DatadogTracingProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_DatadogTracingProvider
+func (this *MeshConfig_ExtensionProvider_DatadogTracingProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_SkyWalkingTracingProvider
+func (this *MeshConfig_ExtensionProvider_SkyWalkingTracingProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_SkyWalkingTracingProvider
+func (this *MeshConfig_ExtensionProvider_SkyWalkingTracingProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_StackdriverProvider
+func (this *MeshConfig_ExtensionProvider_StackdriverProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_StackdriverProvider
+func (this *MeshConfig_ExtensionProvider_StackdriverProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_StackdriverProvider_Logging
+func (this *MeshConfig_ExtensionProvider_StackdriverProvider_Logging) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_StackdriverProvider_Logging
+func (this *MeshConfig_ExtensionProvider_StackdriverProvider_Logging) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider
+func (this *MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider
+func (this *MeshConfig_ExtensionProvider_OpenCensusAgentTracingProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_PrometheusMetricsProvider
+func (this *MeshConfig_ExtensionProvider_PrometheusMetricsProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_PrometheusMetricsProvider
+func (this *MeshConfig_ExtensionProvider_PrometheusMetricsProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider_LogFormat
+func (this *MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider_LogFormat) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider_LogFormat
+func (this *MeshConfig_ExtensionProvider_EnvoyFileAccessLogProvider_LogFormat) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyHttpGrpcV3LogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyHttpGrpcV3LogProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyHttpGrpcV3LogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyHttpGrpcV3LogProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyTcpGrpcV3LogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyTcpGrpcV3LogProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyTcpGrpcV3LogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyTcpGrpcV3LogProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider
+func (this *MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider_LogFormat
+func (this *MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider_LogFormat) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider_LogFormat
+func (this *MeshConfig_ExtensionProvider_EnvoyOpenTelemetryLogProvider_LogFormat) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider
+func (this *MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider
+func (this *MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler
+func (this *MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler
+func (this *MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler_DynatraceApi
+func (this *MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler_DynatraceApi) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler_DynatraceApi
+func (this *MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceSampler_DynatraceApi) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_SDSProvider
+func (this *MeshConfig_ExtensionProvider_SDSProvider) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_SDSProvider
+func (this *MeshConfig_ExtensionProvider_SDSProvider) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_HttpService
+func (this *MeshConfig_ExtensionProvider_HttpService) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_HttpService
+func (this *MeshConfig_ExtensionProvider_HttpService) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_HttpHeader
+func (this *MeshConfig_ExtensionProvider_HttpHeader) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_HttpHeader
+func (this *MeshConfig_ExtensionProvider_HttpHeader) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_ResourceDetectors
+func (this *MeshConfig_ExtensionProvider_ResourceDetectors) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_ResourceDetectors
+func (this *MeshConfig_ExtensionProvider_ResourceDetectors) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_ResourceDetectors_EnvironmentResourceDetector
+func (this *MeshConfig_ExtensionProvider_ResourceDetectors_EnvironmentResourceDetector) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_ResourceDetectors_EnvironmentResourceDetector
+func (this *MeshConfig_ExtensionProvider_ResourceDetectors_EnvironmentResourceDetector) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_ResourceDetectors_DynatraceResourceDetector
+func (this *MeshConfig_ExtensionProvider_ResourceDetectors_DynatraceResourceDetector) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_ResourceDetectors_DynatraceResourceDetector
+func (this *MeshConfig_ExtensionProvider_ResourceDetectors_DynatraceResourceDetector) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_GrpcService
+func (this *MeshConfig_ExtensionProvider_GrpcService) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_GrpcService
+func (this *MeshConfig_ExtensionProvider_GrpcService) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_DefaultProviders
+func (this *MeshConfig_DefaultProviders) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_DefaultProviders
+func (this *MeshConfig_DefaultProviders) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_ProxyPathNormalization
+func (this *MeshConfig_ProxyPathNormalization) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_ProxyPathNormalization
+func (this *MeshConfig_ProxyPathNormalization) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshConfig_TLSConfig
+func (this *MeshConfig_TLSConfig) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshConfig_TLSConfig
+func (this *MeshConfig_TLSConfig) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for LabelSelector
+func (this *LabelSelector) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for LabelSelector
+func (this *LabelSelector) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for LabelSelectorRequirement
+func (this *LabelSelectorRequirement) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for LabelSelectorRequirement
+func (this *LabelSelectorRequirement) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ConfigSource
+func (this *ConfigSource) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ConfigSource
+func (this *ConfigSource) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Certificate
+func (this *Certificate) MarshalJSON() ([]byte, error) {
+	str, err := ConfigMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Certificate
+func (this *Certificate) UnmarshalJSON(b []byte) error {
+	return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+var (
+	ConfigMarshaler   = &jsonpb.Marshaler{}
+	ConfigUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
+)
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
--- a/mesh/v1alpha1/network.pb.go
+++ b/mesh/v1alpha1/network.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: mesh/v1alpha1/network.proto

@ -26,6 +26,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -41,16 +42,15 @@ const (
 // endpoint. The endpoint locality will be obtained from the service
 // registry.
 type Network struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The list of endpoints in the network (obtained through the
 	// constituent service registries or from CIDR ranges). All endpoints in
 	// the network are directly accessible to one another.
 	Endpoints []*Network_NetworkEndpoints `protobuf:"bytes,2,rep,name=endpoints,proto3" json:"endpoints,omitempty"`
 	// Set of gateways associated with the network.
-	Gateways []*Network_IstioNetworkGateway `protobuf:"bytes,3,rep,name=gateways,proto3" json:"gateways,omitempty"`
+	Gateways      []*Network_IstioNetworkGateway `protobuf:"bytes,3,rep,name=gateways,proto3" json:"gateways,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Network) Reset() {
@ -118,15 +118,29 @@ func (x *Network) GetGateways() []*Network_IstioNetworkGateway {
 //	    locality: us-east-1a
 //
 // ```
+//
+// If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to
+// to explicitly define the networks in Envoy's internal address configuration.
+// Envoy uses the IPs in the `internalAddressConfig` to decide whether or not to sanitize
+// Envoy headers. If the IP address is listed an internal, the Envoy headers are not
+// sanitized. As of Envoy 1.33, the default value for `internalAddressConfig` is set to
+// an empty set. Previously, the default value was the set of all private IPs. Setting
+// the `internalAddressConfig` to all private IPs (via Envoy's previous default behavior
+// or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
+// vulnerable to `x-envoy` header manipulation by external sources. More information about
+// this vulnerability can be found here:
+// https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf
+// To preserve headers, you must explicitly configure MeshNetworks and set
+// `ENABLE_HCM_INTERNAL_NETWORKS` to true. Envoy's `internalAddressConfig` will be set to
+// the endpointed specified by `fromCidr`.
 type MeshNetworks struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The set of networks inside this mesh. Each network should
 	// have a unique name and information about how to infer the endpoints in
 	// the network as well as the gateways associated with the network.
-	Networks map[string]*Network `protobuf:"bytes,1,rep,name=networks,proto3" json:"networks,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Networks      map[string]*Network `protobuf:"bytes,1,rep,name=networks,proto3" json:"networks,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *MeshNetworks) Reset() {
@ -187,15 +201,14 @@ func (x *MeshNetworks) GetNetworks() map[string]*Network {
 //
 // (2) will override (1) if both are present.
 type Network_NetworkEndpoints struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Types that are assignable to Ne:
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Ne:
 	//
 	//	*Network_NetworkEndpoints_FromCidr
 	//	*Network_NetworkEndpoints_FromRegistry
-	Ne isNetwork_NetworkEndpoints_Ne `protobuf_oneof:"ne"`
+	Ne            isNetwork_NetworkEndpoints_Ne `protobuf_oneof:"ne"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Network_NetworkEndpoints) Reset() {
@ -228,23 +241,27 @@ func (*Network_NetworkEndpoints) Descriptor() ([]byte, []int) {
 	return file_mesh_v1alpha1_network_proto_rawDescGZIP(), []int{0, 0}
 }

-func (m *Network_NetworkEndpoints) GetNe() isNetwork_NetworkEndpoints_Ne {
-	if m != nil {
-		return m.Ne
+func (x *Network_NetworkEndpoints) GetNe() isNetwork_NetworkEndpoints_Ne {
+	if x != nil {
+		return x.Ne
 	}
 	return nil
 }

 func (x *Network_NetworkEndpoints) GetFromCidr() string {
-	if x, ok := x.GetNe().(*Network_NetworkEndpoints_FromCidr); ok {
-		return x.FromCidr
+	if x != nil {
+		if x, ok := x.Ne.(*Network_NetworkEndpoints_FromCidr); ok {
+			return x.FromCidr
+		}
 	}
 	return ""
 }

 func (x *Network_NetworkEndpoints) GetFromRegistry() string {
-	if x, ok := x.GetNe().(*Network_NetworkEndpoints_FromRegistry); ok {
-		return x.FromRegistry
+	if x != nil {
+		if x, ok := x.Ne.(*Network_NetworkEndpoints_FromRegistry); ok {
+			return x.FromRegistry
+		}
 	}
 	return ""
 }
@ -275,11 +292,8 @@ func (*Network_NetworkEndpoints_FromRegistry) isNetwork_NetworkEndpoints_Ne() {}
 // will arrive at the specified gateway:port. All incoming traffic must
 // use mTLS.
 type Network_IstioNetworkGateway struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Types that are assignable to Gw:
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// Types that are valid to be assigned to Gw:
 	//
 	//	*Network_IstioNetworkGateway_RegistryServiceName
 	//	*Network_IstioNetworkGateway_Address
@ -287,7 +301,9 @@ type Network_IstioNetworkGateway struct {
 	// The port associated with the gateway.
 	Port uint32 `protobuf:"varint,3,opt,name=port,proto3" json:"port,omitempty"`
 	// The locality associated with an explicitly specified gateway (i.e. ip)
-	Locality string `protobuf:"bytes,4,opt,name=locality,proto3" json:"locality,omitempty"`
+	Locality      string `protobuf:"bytes,4,opt,name=locality,proto3" json:"locality,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Network_IstioNetworkGateway) Reset() {
@ -320,23 +336,27 @@ func (*Network_IstioNetworkGateway) Descriptor() ([]byte, []int) {
 	return file_mesh_v1alpha1_network_proto_rawDescGZIP(), []int{0, 1}
 }

-func (m *Network_IstioNetworkGateway) GetGw() isNetwork_IstioNetworkGateway_Gw {
-	if m != nil {
-		return m.Gw
+func (x *Network_IstioNetworkGateway) GetGw() isNetwork_IstioNetworkGateway_Gw {
+	if x != nil {
+		return x.Gw
 	}
 	return nil
 }

 func (x *Network_IstioNetworkGateway) GetRegistryServiceName() string {
-	if x, ok := x.GetGw().(*Network_IstioNetworkGateway_RegistryServiceName); ok {
-		return x.RegistryServiceName
+	if x != nil {
+		if x, ok := x.Gw.(*Network_IstioNetworkGateway_RegistryServiceName); ok {
+			return x.RegistryServiceName
+		}
 	}
 	return ""
 }

 func (x *Network_IstioNetworkGateway) GetAddress() string {
-	if x, ok := x.GetGw().(*Network_IstioNetworkGateway_Address); ok {
-		return x.Address
+	if x != nil {
+		if x, ok := x.Gw.(*Network_IstioNetworkGateway_Address); ok {
+			return x.Address
+		}
 	}
 	return ""
 }
@ -360,7 +380,7 @@ type isNetwork_IstioNetworkGateway_Gw interface {
 }

 type Network_IstioNetworkGateway_RegistryServiceName struct {
-	// A fully qualified domain name of the gateway service.  Pilot will
+	// A fully qualified domain name of the gateway service.  istiod will
 	// lookup the service from the service registries in the network and
 	// obtain the endpoint IPs of the gateway from the service
 	// registry. Note that while the service name is a fully qualified
@ -381,65 +401,36 @@ func (*Network_IstioNetworkGateway_Address) isNetwork_IstioNetworkGateway_Gw() {

 var File_mesh_v1alpha1_network_proto protoreflect.FileDescriptor

-var file_mesh_v1alpha1_network_proto_rawDesc = []byte{
-	0x0a, 0x1b, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f,
-	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x13, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
-	0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66,
-	0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x22, 0xb6, 0x03, 0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12,
-	0x51, 0x0a, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03,
-	0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
-	0x73, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e,
-	0x74, 0x73, 0x12, 0x52, 0x0a, 0x08, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x73, 0x18, 0x03,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73,
-	0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x2e, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x47,
-	0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x08, 0x67, 0x61,
-	0x74, 0x65, 0x77, 0x61, 0x79, 0x73, 0x1a, 0x5e, 0x0a, 0x10, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72,
-	0x6b, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x12, 0x1d, 0x0a, 0x09, 0x66, 0x72,
-	0x6f, 0x6d, 0x5f, 0x63, 0x69, 0x64, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52,
-	0x08, 0x66, 0x72, 0x6f, 0x6d, 0x43, 0x69, 0x64, 0x72, 0x12, 0x25, 0x0a, 0x0d, 0x66, 0x72, 0x6f,
-	0x6d, 0x5f, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x48, 0x00, 0x52, 0x0c, 0x66, 0x72, 0x6f, 0x6d, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79,
-	0x42, 0x04, 0x0a, 0x02, 0x6e, 0x65, 0x1a, 0xa3, 0x01, 0x0a, 0x13, 0x49, 0x73, 0x74, 0x69, 0x6f,
-	0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x12, 0x34,
-	0x0a, 0x15, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52,
-	0x13, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x79, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
-	0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73,
-	0x12, 0x18, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x04,
-	0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x6c, 0x6f,
-	0x63, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, 0x6f,
-	0x63, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x42, 0x04, 0x0a, 0x02, 0x67, 0x77, 0x22, 0xbc, 0x01, 0x0a,
-	0x0c, 0x4d, 0x65, 0x73, 0x68, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x12, 0x51, 0x0a,
-	0x08, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72,
-	0x6b, 0x73, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
-	0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x08, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x73,
-	0x1a, 0x59, 0x0a, 0x0d, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x45, 0x6e, 0x74, 0x72,
-	0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
-	0x6b, 0x65, 0x79, 0x12, 0x32, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x1c, 0x5a, 0x1a, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x65, 0x73, 0x68,
-	0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
-}
+const file_mesh_v1alpha1_network_proto_rawDesc = "" +
+	"\n" +
+	"\x1bmesh/v1alpha1/network.proto\x12\x13istio.mesh.v1alpha1\x1a\x1fgoogle/api/field_behavior.proto\"\xb6\x03\n" +
+	"\aNetwork\x12Q\n" +
+	"\tendpoints\x18\x02 \x03(\v2-.istio.mesh.v1alpha1.Network.NetworkEndpointsB\x04\xe2A\x01\x02R\tendpoints\x12R\n" +
+	"\bgateways\x18\x03 \x03(\v20.istio.mesh.v1alpha1.Network.IstioNetworkGatewayB\x04\xe2A\x01\x02R\bgateways\x1a^\n" +
+	"\x10NetworkEndpoints\x12\x1d\n" +
+	"\tfrom_cidr\x18\x01 \x01(\tH\x00R\bfromCidr\x12%\n" +
+	"\rfrom_registry\x18\x02 \x01(\tH\x00R\ffromRegistryB\x04\n" +
+	"\x02ne\x1a\xa3\x01\n" +
+	"\x13IstioNetworkGateway\x124\n" +
+	"\x15registry_service_name\x18\x01 \x01(\tH\x00R\x13registryServiceName\x12\x1a\n" +
+	"\aaddress\x18\x02 \x01(\tH\x00R\aaddress\x12\x18\n" +
+	"\x04port\x18\x03 \x01(\rB\x04\xe2A\x01\x02R\x04port\x12\x1a\n" +
+	"\blocality\x18\x04 \x01(\tR\blocalityB\x04\n" +
+	"\x02gw\"\xbc\x01\n" +
+	"\fMeshNetworks\x12Q\n" +
+	"\bnetworks\x18\x01 \x03(\v2/.istio.mesh.v1alpha1.MeshNetworks.NetworksEntryB\x04\xe2A\x01\x02R\bnetworks\x1aY\n" +
+	"\rNetworksEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x122\n" +
+	"\x05value\x18\x02 \x01(\v2\x1c.istio.mesh.v1alpha1.NetworkR\x05value:\x028\x01B\x1cZ\x1aistio.io/api/mesh/v1alpha1b\x06proto3"

 var (
 	file_mesh_v1alpha1_network_proto_rawDescOnce sync.Once
-	file_mesh_v1alpha1_network_proto_rawDescData = file_mesh_v1alpha1_network_proto_rawDesc
+	file_mesh_v1alpha1_network_proto_rawDescData []byte
 )

 func file_mesh_v1alpha1_network_proto_rawDescGZIP() []byte {
 	file_mesh_v1alpha1_network_proto_rawDescOnce.Do(func() {
-		file_mesh_v1alpha1_network_proto_rawDescData = protoimpl.X.CompressGZIP(file_mesh_v1alpha1_network_proto_rawDescData)
+		file_mesh_v1alpha1_network_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_mesh_v1alpha1_network_proto_rawDesc), len(file_mesh_v1alpha1_network_proto_rawDesc)))
 	})
 	return file_mesh_v1alpha1_network_proto_rawDescData
 }
@ -481,7 +472,7 @@ func file_mesh_v1alpha1_network_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_mesh_v1alpha1_network_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_mesh_v1alpha1_network_proto_rawDesc), len(file_mesh_v1alpha1_network_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   5,
 			NumExtensions: 0,
@ -492,7 +483,6 @@ func file_mesh_v1alpha1_network_proto_init() {
 		MessageInfos:      file_mesh_v1alpha1_network_proto_msgTypes,
 	}.Build()
 	File_mesh_v1alpha1_network_proto = out.File
-	file_mesh_v1alpha1_network_proto_rawDesc = nil
 	file_mesh_v1alpha1_network_proto_goTypes = nil
 	file_mesh_v1alpha1_network_proto_depIdxs = nil
 }
--- a/mesh/v1alpha1/network.proto
+++ b/mesh/v1alpha1/network.proto
@ -18,7 +18,7 @@ package istio.mesh.v1alpha1;

 import "google/api/field_behavior.proto";

-option go_package="istio.io/api/mesh/v1alpha1";
+option go_package = "istio.io/api/mesh/v1alpha1";

 // Network provides information about the endpoints in a routable L3
 // network. A single routable L3 network can have one or more service
@ -48,15 +48,15 @@ message Network {
  // (2) will override (1) if both are present.
  message NetworkEndpoints {
    oneof ne {
-    // A CIDR range for the set of endpoints in this network. The CIDR
-    // ranges for endpoints from different networks must not overlap.
-    string from_cidr = 1;
+      // A CIDR range for the set of endpoints in this network. The CIDR
+      // ranges for endpoints from different networks must not overlap.
+      string from_cidr = 1;

-    // Add all endpoints from the specified registry into this network.
-    // The names of the registries should correspond to the kubeconfig file name
-    // inside the secret that was used to configure the registry (Kubernetes
-    // multicluster) or supplied by MCP server.
-    string from_registry = 2;
+      // Add all endpoints from the specified registry into this network.
+      // The names of the registries should correspond to the kubeconfig file name
+      // inside the secret that was used to configure the registry (Kubernetes
+      // multicluster) or supplied by MCP server.
+      string from_registry = 2;
    }
  }

@ -70,7 +70,7 @@ message Network {
  // use mTLS.
  message IstioNetworkGateway {
    oneof gw {
-      // A fully qualified domain name of the gateway service.  Pilot will
+      // A fully qualified domain name of the gateway service.  istiod will
      // lookup the service from the service registries in the network and
      // obtain the endpoint IPs of the gateway from the service
      // registry. Note that while the service name is a fully qualified
@ -114,6 +114,21 @@ message Network {
 //       locality: us-east-1a
 // ```
 //
+// If `ENABLE_HCM_INTERNAL_NETWORKS` is set to true, MeshNetworks can be used to
+// to explicitly define the networks in Envoy's internal address configuration.
+// Envoy uses the IPs in the `internalAddressConfig` to decide whether or not to sanitize
+// Envoy headers. If the IP address is listed an internal, the Envoy headers are not
+// sanitized. As of Envoy 1.33, the default value for `internalAddressConfig` is set to
+// an empty set. Previously, the default value was the set of all private IPs. Setting
+// the `internalAddressConfig` to all private IPs (via Envoy's previous default behavior
+// or via the MeshNetworks) will leave users with an Istio Ingress Gateway potentially
+// vulnerable to `x-envoy` header manipulation by external sources. More information about
+// this vulnerability can be found here:
+// https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf
+// To preserve headers, you must explicitly configure MeshNetworks and set
+// `ENABLE_HCM_INTERNAL_NETWORKS` to true. Envoy's `internalAddressConfig` will be set to
+// the endpointed specified by `fromCidr`.
+//
 message MeshNetworks {
  // The set of networks inside this mesh. Each network should
  // have a unique name and information about how to infer the endpoints in
--- a/mesh/v1alpha1/network_json.gen.go
+++ b/mesh/v1alpha1/network_json.gen.go
@ -0,0 +1,56 @@
+// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
+package v1alpha1
+
+import (
+	bytes "bytes"
+	jsonpb "github.com/golang/protobuf/jsonpb"
+)
+
+// MarshalJSON is a custom marshaler for Network
+func (this *Network) MarshalJSON() ([]byte, error) {
+	str, err := NetworkMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Network
+func (this *Network) UnmarshalJSON(b []byte) error {
+	return NetworkUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Network_NetworkEndpoints
+func (this *Network_NetworkEndpoints) MarshalJSON() ([]byte, error) {
+	str, err := NetworkMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Network_NetworkEndpoints
+func (this *Network_NetworkEndpoints) UnmarshalJSON(b []byte) error {
+	return NetworkUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Network_IstioNetworkGateway
+func (this *Network_IstioNetworkGateway) MarshalJSON() ([]byte, error) {
+	str, err := NetworkMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Network_IstioNetworkGateway
+func (this *Network_IstioNetworkGateway) UnmarshalJSON(b []byte) error {
+	return NetworkUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for MeshNetworks
+func (this *MeshNetworks) MarshalJSON() ([]byte, error) {
+	str, err := NetworkMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for MeshNetworks
+func (this *MeshNetworks) UnmarshalJSON(b []byte) error {
+	return NetworkUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+var (
+	NetworkMarshaler   = &jsonpb.Marshaler{}
+	NetworkUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
+)
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@ -14,15 +14,15 @@

 syntax = "proto3";

+package istio.mesh.v1alpha1;
+
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 import "networking/v1alpha3/destination_rule.proto";
 import "networking/v1alpha3/workload_group.proto";
 import "networking/v1beta1/proxy_config.proto";

-package istio.mesh.v1alpha1;
-
-option go_package="istio.io/api/mesh/v1alpha1";
+option go_package = "istio.io/api/mesh/v1alpha1";

 // AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
 // It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
@ -41,7 +41,6 @@ enum AuthenticationPolicy {

 // Tracing defines configuration for the tracing performed by Envoy instances.
 message Tracing {
-
  // Zipkin defines configuration for a Zipkin tracer.
  message Zipkin {
    // Address of the Zipkin service (e.g. _zipkin:9411_).
@ -136,12 +135,15 @@ message Tracing {
    // Use a Lightstep tracer.
    // NOTE: For Istio 1.15+, this configuration option will result
    // in using OpenTelemetry-based Lightstep integration.
+    // $hide_from_docs
    Lightstep lightstep = 2;
    // Use a Datadog tracer.
    Datadog datadog = 3;
    // Use a Stackdriver tracer.
+    // $hide_from_docs
    Stackdriver stackdriver = 4;
    // Use an OpenCensus tracer exporting to an OpenCensus agent.
+    // $hide_from_docs
    OpenCensusAgent open_census_agent = 9;
  }

@ -217,13 +219,16 @@ message Tracing {
  double sampling = 7;

  // Use the tlsSettings to specify the tls mode to use. If the remote tracing service
-  // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+  // uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
  // mode as `ISTIO_MUTUAL`.
  istio.networking.v1alpha3.ClientTLSSettings tls_settings = 8;

-  // $hide_from_docs
-  // Next available field number: 10
+  // Determines whether or not trace spans generated by Envoy will include Istio specific tags.
+  // By default Istio specific tags are included in the trace spans.
+  google.protobuf.BoolValue enable_istio_tags = 10;

+  // $hide_from_docs
+  // Next available field number: 11
 }

 // SDS defines secret discovery service(SDS) configuration to be used by the proxy.
@ -264,8 +269,7 @@ message Topology {
  ForwardClientCertDetails forward_client_cert_details = 2;

  // PROXY protocol configuration.
-  message ProxyProtocolConfiguration {
-  }
+  message ProxyProtocolConfiguration {}

  // Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for
  // downstream connections on a gateway.
@ -301,7 +305,7 @@ enum ForwardClientCertDetails {
 }

 // PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
-// mesh wide or individual per-workload basis.
+// mesh-wide or individual per-workload basis.
 message PrivateKeyProvider {
  // CryptoMb PrivateKeyProvider configuration
  message CryptoMb {
@ -342,7 +346,7 @@ message PrivateKeyProvider {

 // ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
 // as well as by the mesh-wide defaults.
-// To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`. For example:
+// To set the mesh-wide defaults, configure the `defaultConfig` section of `meshConfig`. For example:
 //
 // ```
 // meshConfig:
@ -419,11 +423,11 @@ message ProxyConfig {
  string discovery_address = 6;

  // $hide_from_docs
-  google.protobuf.Duration discovery_refresh_delay = 7 [deprecated=true];
+  google.protobuf.Duration discovery_refresh_delay = 7 [deprecated = true];

  // Address of the Zipkin service (e.g. _zipkin:9411_).
  // DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.
-  string zipkin_address = 8 [deprecated=true];
+  string zipkin_address = 8 [deprecated = true];

  reserved "connect_timeout";
  reserved 9;
@ -432,20 +436,20 @@ message ProxyConfig {
  string statsd_udp_address = 10;

  // $hide_from_docs
-  string envoy_metrics_service_address = 20 [deprecated=true];
+  string envoy_metrics_service_address = 20 [deprecated = true];

  // Port on which Envoy should listen for administrative commands.
  // Default port is `15000`.
  int32 proxy_admin_port = 11;

  // $hide_from_docs
-  string availability_zone = 12 [deprecated=true];
+  string availability_zone = 12 [deprecated = true];

  // AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
  // Default is set to `MUTUAL_TLS`.
  AuthenticationPolicy control_plane_auth_policy = 13;
  // File path of custom proxy configuration, currently used by proxies
-  // in front of Mixer and Pilot.
+  // in front of istiod.
  string custom_config_file = 14;

  // Maximum length of name field in Envoy's metrics. The length of the name field
@ -489,7 +493,7 @@ message ProxyConfig {

  // Secret Discovery Service(SDS) configuration to be used by the proxy.
  // $hide_from_docs
-  SDS sds = 21 [deprecated=true];
+  SDS sds = 21 [deprecated = true];

  // Address of the service to which access logs from Envoys should be
  // sent. (e.g. `accesslog-service:15000`). See [Access Log
@ -504,11 +508,11 @@ message ProxyConfig {

  // Additional environment variables for the proxy.
  // Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.
-  map<string,string> proxy_metadata = 24;
+  map<string, string> proxy_metadata = 24;

  // Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping.
  // This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.
-  map<string,string>  runtime_values = 37;
+  map<string, string> runtime_values = 37;

  // Port on which the agent should listen for administrative commands such as readiness probe.
  // Default is set to port `15020`.
@ -529,11 +533,11 @@ message ProxyConfig {
  Topology gateway_topology = 28;

  // The amount of time allowed for connections to complete on proxy shutdown.
-	// On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
-	// discouraging any new connections and allowing existing connections to complete. It then
+  // On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
+  // discouraging any new connections and allowing existing connections to complete. It then
  // sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes.
  // If not set, a default of `5s` will be applied.
-  google.protobuf.Duration  termination_drain_duration = 29;
+  google.protobuf.Duration termination_drain_duration = 29;

  // The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh)
  // All control planes running in the same service mesh should specify the same mesh ID.
@ -583,7 +587,6 @@ message ProxyConfig {
  // resource provision and configuration to reduce cardinality.
  ProxyStatsMatcher proxy_stats_matcher = 32;

-
  // Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
  // This feature adds hooks to delay application startup until the pod proxy
  // is ready to accept traffic, mitigating some startup race conditions.
@ -613,11 +616,20 @@ message ProxyConfig {
  // proxyHeaders:
  //   server:
  //     value: "my-custom-server"
-  //   requestId: {} // Explicitly enable Request IDs. As this is the default, this has no effect.
+  //   # Explicitly enable Request IDs.
+  //   # As this is the default, this has no effect.
+  //   requestId: {}
  //   attemptCount:
  //     disabled: true
  // ```
  //
+  // Below shows an example of preserving the header case for HTTP 1.x requests
+  //
+  // ```yaml
+  // proxyHeaders:
+  //   preserveHttp1HeaderCase: true
+  // ```
+  //
  // Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:
  //
  // ```yaml
@ -665,22 +677,22 @@ message ProxyConfig {
    message SetCurrentClientCertDetails {
      // Whether to forward the subject of the client cert. Defaults to true.
      google.protobuf.BoolValue subject = 1;
-  
+
      // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
      // XFCC header comma separated from other values with the value Cert="PEM".
      // Defaults to false.
      google.protobuf.BoolValue cert = 2;
-  
+
      // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
      // format. This will appear in the XFCC header comma separated from other values with the value
      // Chain="PEM".
      // Defaults to false.
      google.protobuf.BoolValue chain = 3;
-  
+
      // Whether to forward the DNS type Subject Alternative Names of the client cert.
      // Defaults to true.
      google.protobuf.BoolValue dns = 4;
-  
+
      // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
      // true.
      google.protobuf.BoolValue uri = 5;
@ -689,7 +701,7 @@ message ProxyConfig {
    // To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is).
    // By default, `APPEND_FORWARD` will be used.
    ForwardClientCertDetails forwarded_client_cert = 1;
-    // This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET 
+    // This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET
    // and the client connection is mTLS. It specifies the fields in
    // the client certificate to be forwarded. Note that `Hash` is always set, and
    // `By` is always set when the client certificate presents the URI type Subject Alternative Name value.
@ -718,6 +730,16 @@ message ProxyConfig {
    // By default, the behavior is unspecified.
    // If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.
    MetadataExchangeHeaders metadata_exchange_headers = 6;
+    // When true, the original case of HTTP/1.x headers will be preserved
+    // as they pass through the proxy, rather than normalizing them to lowercase.
+    // This field is particularly useful for applications that require case-sensitive
+    // headers for interoperability with downstream systems or APIs that expect specific
+    // casing.
+    // The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers
+    // to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2
+    // requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
+    // standards.
+    google.protobuf.BoolValue preserve_http1_header_case = 40;
  }
 }

@ -728,7 +750,7 @@ message RemoteService {
  string address = 1;

  // Use the `tlsSettings` to specify the tls mode to use. If the remote service
-  // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+  // uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
  // mode as `ISTIO_MUTUAL`.
  istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;

--- a/mesh/v1alpha1/proxy_json.gen.go
+++ b/mesh/v1alpha1/proxy_json.gen.go
@ -0,0 +1,298 @@
+// Code generated by protoc-gen-jsonshim. DO NOT EDIT.
+package v1alpha1
+
+import (
+	bytes "bytes"
+	jsonpb "github.com/golang/protobuf/jsonpb"
+)
+
+// MarshalJSON is a custom marshaler for Tracing
+func (this *Tracing) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing
+func (this *Tracing) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_Zipkin
+func (this *Tracing_Zipkin) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_Zipkin
+func (this *Tracing_Zipkin) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_Lightstep
+func (this *Tracing_Lightstep) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_Lightstep
+func (this *Tracing_Lightstep) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_Datadog
+func (this *Tracing_Datadog) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_Datadog
+func (this *Tracing_Datadog) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_Stackdriver
+func (this *Tracing_Stackdriver) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_Stackdriver
+func (this *Tracing_Stackdriver) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_OpenCensusAgent
+func (this *Tracing_OpenCensusAgent) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_OpenCensusAgent
+func (this *Tracing_OpenCensusAgent) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_CustomTag
+func (this *Tracing_CustomTag) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_CustomTag
+func (this *Tracing_CustomTag) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_Literal
+func (this *Tracing_Literal) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_Literal
+func (this *Tracing_Literal) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_Environment
+func (this *Tracing_Environment) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_Environment
+func (this *Tracing_Environment) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Tracing_RequestHeader
+func (this *Tracing_RequestHeader) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Tracing_RequestHeader
+func (this *Tracing_RequestHeader) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for SDS
+func (this *SDS) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for SDS
+func (this *SDS) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Topology
+func (this *Topology) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Topology
+func (this *Topology) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for Topology_ProxyProtocolConfiguration
+func (this *Topology_ProxyProtocolConfiguration) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Topology_ProxyProtocolConfiguration
+func (this *Topology_ProxyProtocolConfiguration) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for PrivateKeyProvider
+func (this *PrivateKeyProvider) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for PrivateKeyProvider
+func (this *PrivateKeyProvider) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for PrivateKeyProvider_CryptoMb
+func (this *PrivateKeyProvider_CryptoMb) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for PrivateKeyProvider_CryptoMb
+func (this *PrivateKeyProvider_CryptoMb) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for PrivateKeyProvider_QAT
+func (this *PrivateKeyProvider_QAT) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for PrivateKeyProvider_QAT
+func (this *PrivateKeyProvider_QAT) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig
+func (this *ProxyConfig) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig
+func (this *ProxyConfig) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyStatsMatcher
+func (this *ProxyConfig_ProxyStatsMatcher) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyStatsMatcher
+func (this *ProxyConfig_ProxyStatsMatcher) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders
+func (this *ProxyConfig_ProxyHeaders) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders
+func (this *ProxyConfig_ProxyHeaders) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_Server
+func (this *ProxyConfig_ProxyHeaders_Server) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_Server
+func (this *ProxyConfig_ProxyHeaders_Server) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_RequestId
+func (this *ProxyConfig_ProxyHeaders_RequestId) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_RequestId
+func (this *ProxyConfig_ProxyHeaders_RequestId) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_AttemptCount
+func (this *ProxyConfig_ProxyHeaders_AttemptCount) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_AttemptCount
+func (this *ProxyConfig_ProxyHeaders_AttemptCount) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_EnvoyDebugHeaders
+func (this *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_EnvoyDebugHeaders
+func (this *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_MetadataExchangeHeaders
+func (this *ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_MetadataExchangeHeaders
+func (this *ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails
+func (this *ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails
+func (this *ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for RemoteService
+func (this *RemoteService) MarshalJSON() ([]byte, error) {
+	str, err := ProxyMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for RemoteService
+func (this *RemoteService) UnmarshalJSON(b []byte) error {
+	return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+var (
+	ProxyMarshaler   = &jsonpb.Marshaler{}
+	ProxyUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
+)
--- a/meta/v1alpha1/status.pb.go
+++ b/meta/v1alpha1/status.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: meta/v1alpha1/status.proto

@ -31,6 +31,7 @@ import (
 	v1alpha1 "istio.io/api/analysis/v1alpha1"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -41,10 +42,7 @@ const (
 )

 type IstioStatus struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Current service state of the resource.
 	// More info: https://istio.io/docs/reference/config/config-status/
 	// +optional
@ -56,12 +54,16 @@ type IstioStatus struct {
 	// +patchMergeKey=type
 	// +patchStrategy=merge
 	ValidationMessages []*v1alpha1.AnalysisMessageBase `protobuf:"bytes,2,rep,name=validation_messages,json=validationMessages,proto3" json:"validation_messages,omitempty"`
+	// $hide_from_docs
+	// Deprecated. IstioCondition observed_generation will show the resource generation for which the condition was generated.
 	// Resource Generation to which the Reconciled Condition refers.
 	// When this value is not equal to the object's metadata generation, reconciled condition  calculation for the current
 	// generation is still in progress.  See https://istio.io/latest/docs/reference/config/config-status/ for more info.
 	// +optional
 	// +protoc-gen-crd:validation:XIntOrString
 	ObservedGeneration int64 `protobuf:"varint,3,opt,name=observed_generation,json=observedGeneration,proto3" json:"observed_generation,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
 }

 func (x *IstioStatus) Reset() {
@ -116,10 +118,7 @@ func (x *IstioStatus) GetObservedGeneration() int64 {
 }

 type IstioCondition struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Type is the type of the condition.
 	Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"`
 	// Status is the status of the condition.
@ -137,6 +136,12 @@ type IstioCondition struct {
 	// Human-readable message indicating details about last transition.
 	// +optional
 	Message string `protobuf:"bytes,6,opt,name=message,proto3" json:"message,omitempty"`
+	// Resource Generation to which the Condition refers.
+	// +optional
+	// +protoc-gen-crd:validation:XIntOrString
+	ObservedGeneration int64 `protobuf:"varint,7,opt,name=observed_generation,json=observedGeneration,proto3" json:"observed_generation,omitempty"`
+	unknownFields      protoimpl.UnknownFields
+	sizeCache          protoimpl.SizeCache
 }

 func (x *IstioCondition) Reset() {
@ -211,60 +216,41 @@ func (x *IstioCondition) GetMessage() string {
 	return ""
 }

+func (x *IstioCondition) GetObservedGeneration() int64 {
+	if x != nil {
+		return x.ObservedGeneration
+	}
+	return 0
+}
+
 var File_meta_v1alpha1_status_proto protoreflect.FileDescriptor

-var file_meta_v1alpha1_status_proto_rawDesc = []byte{
-	0x0a, 0x1a, 0x6d, 0x65, 0x74, 0x61, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f,
-	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x13, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
-	0x31, 0x1a, 0x1f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x61, 0x6c,
-	0x70, 0x68, 0x61, 0x31, 0x2f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x22, 0xe2, 0x01, 0x0a, 0x0b, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x53, 0x74, 0x61,
-	0x74, 0x75, 0x73, 0x12, 0x43, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e,
-	0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x6d, 0x65, 0x74, 0x61, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x49, 0x73,
-	0x74, 0x69, 0x6f, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a, 0x63, 0x6f,
-	0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x5d, 0x0a, 0x13, 0x76, 0x61, 0x6c, 0x69,
-	0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x18,
-	0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x61, 0x6e,
-	0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
-	0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42,
-	0x61, 0x73, 0x65, 0x52, 0x12, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d,
-	0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x13, 0x6f, 0x62, 0x73, 0x65, 0x72,
-	0x76, 0x65, 0x64, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03,
-	0x20, 0x01, 0x28, 0x03, 0x52, 0x12, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64, 0x47, 0x65,
-	0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x80, 0x02, 0x0a, 0x0e, 0x49, 0x73, 0x74,
-	0x69, 0x6f, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x74,
-	0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12,
-	0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x42, 0x0a, 0x0f, 0x6c, 0x61, 0x73, 0x74, 0x5f,
-	0x70, 0x72, 0x6f, 0x62, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0d, 0x6c, 0x61,
-	0x73, 0x74, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x4c, 0x0a, 0x14, 0x6c,
-	0x61, 0x73, 0x74, 0x5f, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x74,
-	0x69, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
-	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65,
-	0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x54, 0x72, 0x61, 0x6e, 0x73,
-	0x69, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x65, 0x61,
-	0x73, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x72, 0x65, 0x61, 0x73, 0x6f,
-	0x6e, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x06, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x42, 0x1c, 0x5a, 0x1a, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6d, 0x65, 0x74, 0x61,
-	0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
-}
+const file_meta_v1alpha1_status_proto_rawDesc = "" +
+	"\n" +
+	"\x1ameta/v1alpha1/status.proto\x12\x13istio.meta.v1alpha1\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xe2\x01\n" +
+	"\vIstioStatus\x12C\n" +
+	"\n" +
+	"conditions\x18\x01 \x03(\v2#.istio.meta.v1alpha1.IstioConditionR\n" +
+	"conditions\x12]\n" +
+	"\x13validation_messages\x18\x02 \x03(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\x12validationMessages\x12/\n" +
+	"\x13observed_generation\x18\x03 \x01(\x03R\x12observedGeneration\"\xb1\x02\n" +
+	"\x0eIstioCondition\x12\x12\n" +
+	"\x04type\x18\x01 \x01(\tR\x04type\x12\x16\n" +
+	"\x06status\x18\x02 \x01(\tR\x06status\x12B\n" +
+	"\x0flast_probe_time\x18\x03 \x01(\v2\x1a.google.protobuf.TimestampR\rlastProbeTime\x12L\n" +
+	"\x14last_transition_time\x18\x04 \x01(\v2\x1a.google.protobuf.TimestampR\x12lastTransitionTime\x12\x16\n" +
+	"\x06reason\x18\x05 \x01(\tR\x06reason\x12\x18\n" +
+	"\amessage\x18\x06 \x01(\tR\amessage\x12/\n" +
+	"\x13observed_generation\x18\a \x01(\x03R\x12observedGenerationB\x1cZ\x1aistio.io/api/meta/v1alpha1b\x06proto3"

 var (
 	file_meta_v1alpha1_status_proto_rawDescOnce sync.Once
-	file_meta_v1alpha1_status_proto_rawDescData = file_meta_v1alpha1_status_proto_rawDesc
+	file_meta_v1alpha1_status_proto_rawDescData []byte
 )

 func file_meta_v1alpha1_status_proto_rawDescGZIP() []byte {
 	file_meta_v1alpha1_status_proto_rawDescOnce.Do(func() {
-		file_meta_v1alpha1_status_proto_rawDescData = protoimpl.X.CompressGZIP(file_meta_v1alpha1_status_proto_rawDescData)
+		file_meta_v1alpha1_status_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_meta_v1alpha1_status_proto_rawDesc), len(file_meta_v1alpha1_status_proto_rawDesc)))
 	})
 	return file_meta_v1alpha1_status_proto_rawDescData
 }
@ -297,7 +283,7 @@ func file_meta_v1alpha1_status_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_meta_v1alpha1_status_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_meta_v1alpha1_status_proto_rawDesc), len(file_meta_v1alpha1_status_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   2,
 			NumExtensions: 0,
@ -308,7 +294,6 @@ func file_meta_v1alpha1_status_proto_init() {
 		MessageInfos:      file_meta_v1alpha1_status_proto_msgTypes,
 	}.Build()
 	File_meta_v1alpha1_status_proto = out.File
-	file_meta_v1alpha1_status_proto_rawDesc = nil
 	file_meta_v1alpha1_status_proto_goTypes = nil
 	file_meta_v1alpha1_status_proto_depIdxs = nil
 }
--- a/meta/v1alpha1/status.pb.html
+++ b/meta/v1alpha1/status.pb.html
@ -12,46 +12,27 @@ number_of_entries: 2
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="IstioStatus-conditions">
-<td><code>conditions</code></td>
-<td><code><a href="#IstioCondition">IstioCondition[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioStatus-conditions">conditions</a></code></div>
+<div class="type"><a href="#IstioCondition">IstioCondition[]</a></div>
+</div></td>
 <td>
 <p>Current service state of the resource.
 More info: <a href="https://istio.io/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioStatus-validation_messages">
-<td><code>validationMessages</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/istio.analysis.v1alpha1.html#AnalysisMessageBase">AnalysisMessageBase[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioStatus-validation_messages">validationMessages</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/istio.analysis.v1alpha1.html#AnalysisMessageBase">AnalysisMessageBase[]</a></div>
+</div></td>
 <td>
 <p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>

-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="IstioStatus-observed_generation">
-<td><code>observedGeneration</code></td>
-<td><code>int64</code></td>
-<td>
-<p>Resource Generation to which the Reconciled Condition refers.
-When this value is not equal to the object&rsquo;s metadata generation, reconciled condition  calculation for the current
-generation is still in progress.  See <a href="https://istio.io/latest/docs/reference/config/config-status/">https://istio.io/latest/docs/reference/config/config-status/</a> for more info.</p>
-
-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -63,77 +44,72 @@ No
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="IstioCondition-type">
-<td><code>type</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioCondition-type">type</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Type is the type of the condition.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioCondition-status">
-<td><code>status</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioCondition-status">status</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Status is the status of the condition.
 Can be True, False, Unknown.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioCondition-last_probe_time">
-<td><code>lastProbeTime</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioCondition-last_probe_time">lastProbeTime</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></div>
+</div></td>
 <td>
 <p>Last time we probed the condition.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioCondition-last_transition_time">
-<td><code>lastTransitionTime</code></td>
-<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioCondition-last_transition_time">lastTransitionTime</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></div>
+</div></td>
 <td>
 <p>Last time the condition transitioned from one status to another.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioCondition-reason">
-<td><code>reason</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioCondition-reason">reason</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Unique, one-word, CamelCase reason for the condition&rsquo;s last transition.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioCondition-message">
-<td><code>message</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioCondition-message">message</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Human-readable message indicating details about last transition.</p>

 </td>
+</tr>
+<tr id="IstioCondition-observed_generation">
+<td><div class="field"><div class="name"><code><a href="#IstioCondition-observed_generation">observedGeneration</a></code></div>
+<div class="type">int64</div>
+</div></td>
 <td>
-No
+<p>Resource Generation to which the Condition refers.</p>
+
 </td>
 </tr>
 </tbody>
--- a/meta/v1alpha1/status.proto
+++ b/meta/v1alpha1/status.proto
@ -13,17 +13,16 @@
 // limitations under the License.
 syntax = "proto3";

-import "analysis/v1alpha1/message.proto";
-
-import "google/protobuf/timestamp.proto";
-
 // $title: Istio Status
 // $description: Common status field for all istio collections.
 // $location: https://istio.io/docs/reference/config/meta/v1beta1/istio-status.html

 package istio.meta.v1alpha1;

-option go_package="istio.io/api/meta/v1alpha1";
+import "analysis/v1alpha1/message.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "istio.io/api/meta/v1alpha1";

 message IstioStatus {
  // Current service state of the resource.
@ -39,6 +38,8 @@ message IstioStatus {
  // +patchStrategy=merge
  repeated analysis.v1alpha1.AnalysisMessageBase validation_messages = 2;

+  // $hide_from_docs
+  // Deprecated. IstioCondition observed_generation will show the resource generation for which the condition was generated.
  // Resource Generation to which the Reconciled Condition refers.
  // When this value is not equal to the object's metadata generation, reconciled condition  calculation for the current
  // generation is still in progress.  See https://istio.io/latest/docs/reference/config/config-status/ for more info.
@ -70,4 +71,9 @@ message IstioCondition {
  // Human-readable message indicating details about last transition.
  // +optional
  string message = 6;
+
+  // Resource Generation to which the Condition refers.
+  // +optional
+  // +protoc-gen-crd:validation:XIntOrString
+  int64 observed_generation = 7;
 }
--- a/networking/v1/destination_rule_alias.gen.go
+++ b/networking/v1/destination_rule_alias.gen.go
@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
 //
 // <!-- crd generation tags
 // +cue-gen:DestinationRule:groupName:networking.istio.io
-// +cue-gen:DestinationRule:versions:v1beta1,v1alpha3,v1
+// +cue-gen:DestinationRule:versions:v1,v1beta1,v1alpha3
 // +cue-gen:DestinationRule:annotations:helm.sh/resource-policy=keep
 // +cue-gen:DestinationRule:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:DestinationRule:subresource:status
@ -18,7 +18,7 @@ import "istio.io/api/networking/v1alpha3"
 // +cue-gen:DestinationRule:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
 // representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
 // Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+// Populated by the system. Read-only. Null for lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)"
 // +cue-gen:DestinationRule:preserveUnknownFields:false
 // -->
 //
@ -46,6 +46,8 @@ const TrafficPolicy_ProxyProtocol_V1 TrafficPolicy_ProxyProtocol_VERSION = v1alp
 // ⁣PROXY protocol version 2. Binary format.
 const TrafficPolicy_ProxyProtocol_V2 TrafficPolicy_ProxyProtocol_VERSION = v1alpha3.TrafficPolicy_ProxyProtocol_V2

+type TrafficPolicy_RetryBudget = v1alpha3.TrafficPolicy_RetryBudget
+
 // A subset of endpoints of a service. Subsets can be used for scenarios
 // like A/B testing, or routing to a specific version of a service. Refer
 // to [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/#VirtualService) documentation for examples of using
@ -179,7 +181,7 @@ type LoadBalancerSettings_ConsistentHashLB_RingHash_ = v1alpha3.LoadBalancerSett
 // The Maglev load balancer implements consistent hashing to backend hosts.
 type LoadBalancerSettings_ConsistentHashLB_Maglev = v1alpha3.LoadBalancerSettings_ConsistentHashLB_Maglev

-// +kubebuilder:validation:XValidation:message="only one of warmupDurationSecs or warmup can be set",rule="(has(self.warmupDurationSecs)?1:0)+(has(self.warmup)?1:0)<=1"
+// +kubebuilder:validation:XValidation:message="only one of warmupDurationSecs or warmup can be set",rule="oneof(self.warmupDurationSecs, self.warmup)"
 // Standard load balancing algorithms that require no tuning.
 type LoadBalancerSettings_SimpleLB = v1alpha3.LoadBalancerSettings_SimpleLB

@ -284,7 +286,7 @@ const ConnectionPoolSettings_HTTPSettings_UPGRADE ConnectionPoolSettings_HTTPSet
 //
 // The following rule sets a connection pool size of 100 HTTP1 connections
 // with no more than 10 req/connection to the "reviews" service. In addition,
-// it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
+// it sets a limit of 1000 concurrent HTTP/2 requests and configures upstream
 // hosts to be scanned every 5 mins so that any host that fails 7 consecutive
 // times with a 502, 503, or 504 error code will be ejected for 15 minutes.
 //
@ -406,13 +408,13 @@ const ClientTLSSettings_ISTIO_MUTUAL ClientTLSSettings_TLSmode = v1alpha3.Client
 // [Locality Weight](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
 // The following example shows how to setup locality weights mesh-wide.
 //
-// Given a mesh with workloads and their service deployed to "us-west/zone1/*"
-// and "us-west/zone2/*". This example specifies that when traffic accessing a
-// service originates from workloads in "us-west/zone1/*", 80% of the traffic
-// will be sent to endpoints in "us-west/zone1/*", i.e the same zone, and the
-// remaining 20% will go to endpoints in "us-west/zone2/*". This setup is
+// Given a mesh with workloads and their service deployed to "us-west/zone1/\*"
+// and "us-west/zone2/\*". This example specifies that when traffic accessing a
+// service originates from workloads in "us-west/zone1/\*", 80% of the traffic
+// will be sent to endpoints in "us-west/zone1/\*", i.e the same zone, and the
+// remaining 20% will go to endpoints in "us-west/zone2/\*". This setup is
 // intended to favor routing traffic to endpoints in the same locality.
-// A similar setting is specified for traffic originating in "us-west/zone2/*".
+// A similar setting is specified for traffic originating in "us-west/zone2/\*".
 //
 // ```yaml
 //
@ -448,7 +450,6 @@ const ClientTLSSettings_ISTIO_MUTUAL ClientTLSSettings_TLSmode = v1alpha3.Client
 //	    to: us-east
 //
 // ```
-// Locality load balancing settings.
 type LocalityLoadBalancerSetting = v1alpha3.LocalityLoadBalancerSetting

 // Describes how traffic originating in the 'from' zone or sub-zone is
--- a/networking/v1/gateway_alias.gen.go
+++ b/networking/v1/gateway_alias.gen.go
@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
 //
 // <!-- crd generation tags
 // +cue-gen:Gateway:groupName:networking.istio.io
-// +cue-gen:Gateway:versions:v1beta1,v1alpha3,v1
+// +cue-gen:Gateway:versions:v1,v1beta1,v1alpha3
 // +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
 // +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:Gateway:subresource:status
@ -101,8 +101,15 @@ type Server = v1alpha3.Server

 // Port describes the properties of a specific port of a service.
 type Port = v1alpha3.Port
+
+// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 type ServerTLSSettings = v1alpha3.ServerTLSSettings

+// TLSCertificate describes the server's TLS certificate.
+type ServerTLSSettings_TLSCertificate = v1alpha3.ServerTLSSettings_TLSCertificate
+
 // TLS modes enforced by the proxy
 type ServerTLSSettings_TLSmode = v1alpha3.ServerTLSSettings_TLSmode

--- a/networking/v1/service_entry_alias.gen.go
+++ b/networking/v1/service_entry_alias.gen.go
@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
 //
 // <!-- crd generation tags
 // +cue-gen:ServiceEntry:groupName:networking.istio.io
-// +cue-gen:ServiceEntry:versions:v1beta1,v1alpha3,v1
+// +cue-gen:ServiceEntry:versions:v1,v1beta1,v1alpha3
 // +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
 // +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:ServiceEntry:subresource:status
@ -34,18 +34,16 @@ import "istio.io/api/networking/v1alpha3"
 // +k8s:deepcopy-gen=true
 // istiostatus-override: ServiceEntryStatus: istio.io/api/networking/v1alpha3
 // -->
-// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1"
-// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution != 'NONE'))"
-// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true"
-// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="oneof(self.workloadSelector, self.endpoints)"
+// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
+// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
+// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
 type ServiceEntry = v1alpha3.ServiceEntry

 // Location specifies whether the service is part of Istio mesh or
 // outside the mesh.  Location determines the behavior of several
 // features, such as service-to-service mTLS authentication, policy
-// enforcement, etc. When communicating with services outside the mesh,
-// Istio's mTLS authentication is disabled, and policy enforcement is
-// performed on the client-side as opposed to server-side.
+// enforcement, etc.
 type ServiceEntry_Location = v1alpha3.ServiceEntry_Location

 // Signifies that the service is external to the mesh. Typically used
@ -106,5 +104,5 @@ const ServiceEntry_DNS_ROUND_ROBIN ServiceEntry_Resolution = v1alpha3.ServiceEnt
 type ServicePort = v1alpha3.ServicePort
 type ServiceEntryStatus = v1alpha3.ServiceEntryStatus

-// minor abstraction to allow for adding hostnames if relevant
+// A minor abstraction to allow for adding hostnames if relevant.
 type ServiceEntryAddress = v1alpha3.ServiceEntryAddress
--- a/networking/v1/sidecar_alias.gen.go
+++ b/networking/v1/sidecar_alias.gen.go
@ -9,7 +9,7 @@ import "istio.io/api/networking/v1alpha3"
 //
 // <!-- crd generation tags
 // +cue-gen:Sidecar:groupName:networking.istio.io
-// +cue-gen:Sidecar:versions:v1beta1,v1alpha3,v1
+// +cue-gen:Sidecar:versions:v1,v1beta1,v1alpha3
 // +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
 // +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:Sidecar:subresource:status
--- a/networking/v1/virtual_service_alias.gen.go
+++ b/networking/v1/virtual_service_alias.gen.go
@ -7,7 +7,7 @@ import "istio.io/api/networking/v1alpha3"
 //
 // <!-- crd generation tags
 // +cue-gen:VirtualService:groupName:networking.istio.io
-// +cue-gen:VirtualService:versions:v1beta1,v1alpha3,v1
+// +cue-gen:VirtualService:versions:v1,v1beta1,v1alpha3
 // +cue-gen:VirtualService:annotations:helm.sh/resource-policy=keep
 // +cue-gen:VirtualService:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:VirtualService:subresource:status
--- a/networking/v1/workload_entry_alias.gen.go
+++ b/networking/v1/workload_entry_alias.gen.go
@ -7,7 +7,7 @@ import "istio.io/api/networking/v1alpha3"
 //
 // <!-- crd generation tags
 // +cue-gen:WorkloadEntry:groupName:networking.istio.io
-// +cue-gen:WorkloadEntry:versions:v1beta1,v1alpha3,v1
+// +cue-gen:WorkloadEntry:versions:v1,v1beta1,v1alpha3
 // +cue-gen:WorkloadEntry:annotations:helm.sh/resource-policy=keep
 // +cue-gen:WorkloadEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:WorkloadEntry:subresource:status
@ -29,5 +29,5 @@ import "istio.io/api/networking/v1alpha3"
 // +k8s:deepcopy-gen=true
 // -->
 // +kubebuilder:validation:XValidation:message="Address is required",rule="has(self.address) || has(self.network)"
-// +kubebuilder:validation:XValidation:message="UDS may not include ports",rule="(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) : true"
+// +kubebuilder:validation:XValidation:message="UDS may not include ports",rule="(default(self.address, "").startsWith('unix://')) ? !has(self.ports) : true"
 type WorkloadEntry = v1alpha3.WorkloadEntry
--- a/networking/v1/workload_group_alias.gen.go
+++ b/networking/v1/workload_group_alias.gen.go
@ -11,7 +11,7 @@ import "istio.io/api/networking/v1alpha3"
 //
 // <!-- crd generation tags
 // +cue-gen:WorkloadGroup:groupName:networking.istio.io
-// +cue-gen:WorkloadGroup:versions:v1beta1,v1alpha3,v1
+// +cue-gen:WorkloadGroup:versions:v1,v1beta1,v1alpha3
 // +cue-gen:WorkloadGroup:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:WorkloadGroup:subresource:status
 // +cue-gen:WorkloadGroup:scope:Namespaced
@ -46,7 +46,11 @@ type ReadinessProbe_TcpSocket = v1alpha3.ReadinessProbe_TcpSocket

 // Health is determined by how the command that is executed exited.
 type ReadinessProbe_Exec = v1alpha3.ReadinessProbe_Exec
+
+// GRPC call is made and response/error is used to determine health.
+type ReadinessProbe_Grpc = v1alpha3.ReadinessProbe_Grpc
 type HTTPHealthCheckConfig = v1alpha3.HTTPHealthCheckConfig
+type GrpcHealthCheckConfig = v1alpha3.GrpcHealthCheckConfig
 type HTTPHeader = v1alpha3.HTTPHeader
 type TCPHealthCheckConfig = v1alpha3.TCPHealthCheckConfig
 type ExecHealthCheckConfig = v1alpha3.ExecHealthCheckConfig
--- a/networking/v1alpha3/destination_rule.pb.go
+++ b/networking/v1alpha3/destination_rule.pb.go
--- a/networking/v1alpha3/destination_rule.pb.html
+++ b/networking/v1alpha3/destination_rule.pb.html
--- a/networking/v1alpha3/destination_rule.proto
+++ b/networking/v1alpha3/destination_rule.proto
@ -13,12 +13,6 @@
 //   limitations under the License.
 syntax = "proto3";

-import "google/api/field_behavior.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/wrappers.proto";
-import "networking/v1alpha3/virtual_service.proto";
-import "type/v1beta1/selector.proto";
-
 // $schema: istio.networking.v1alpha3.DestinationRule
 // $title: Destination Rule
 // $description: Configuration affecting load balancing, outlier detection, etc.
@ -122,6 +116,12 @@ import "type/v1beta1/selector.proto";
 // ```
 package istio.networking.v1alpha3;

+import "google/api/field_behavior.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+import "networking/v1alpha3/virtual_service.proto";
+import "type/v1beta1/selector.proto";
+
 option go_package = "istio.io/api/networking/v1alpha3";

 // DestinationRule defines policies that apply to traffic intended for a service
@ -129,7 +129,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //
 // <!-- crd generation tags
 // +cue-gen:DestinationRule:groupName:networking.istio.io
-// +cue-gen:DestinationRule:versions:v1beta1,v1alpha3,v1
+// +cue-gen:DestinationRule:versions:v1,v1beta1,v1alpha3
 // +cue-gen:DestinationRule:annotations:helm.sh/resource-policy=keep
 // +cue-gen:DestinationRule:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:DestinationRule:subresource:status
@ -139,7 +139,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 // +cue-gen:DestinationRule:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
 // representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
 // Clients may not set this value. It is represented in RFC3339 form and is in UTC.
-// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
+// Populated by the system. Read-only. Null for lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)"
 // +cue-gen:DestinationRule:preserveUnknownFields:false
 // -->
 //
@ -161,9 +161,9 @@ message DestinationRule {
  // the short name based on the namespace of the rule, not the service. A
  // rule in the "default" namespace containing a host "reviews" will be
  // interpreted as "reviews.default.svc.cluster.local", irrespective of
-  // the actual namespace associated with the reviews service. _To avoid
+  // the actual namespace associated with the reviews service. To avoid
  // potential misconfigurations, it is recommended to always use fully
-  // qualified domain names over short names._
+  // qualified domain names over short names.
  //
  // Note that the host field applies to both HTTP and TCP services.
  string host = 1 [(google.api.field_behavior) = REQUIRED];
@ -249,9 +249,11 @@ message TrafficPolicy {
  message TunnelSettings {
    // Specifies which protocol to use for tunneling the downstream connection.
    // Supported protocols are:
-    //   CONNECT - uses HTTP CONNECT;
-    //   POST - uses HTTP POST.
+    //   * CONNECT - uses HTTP CONNECT;
+    //   * POST - uses HTTP POST.
+    //
    // CONNECT is used by default if not specified.
+    //
    // HTTP version for upstream requests is determined by the service protocol defined for the proxy.
    string protocol = 1;

@ -275,14 +277,36 @@ message TrafficPolicy {

      // ⁣PROXY protocol version 2. Binary format.
      V2 = 1;
-    };
-    // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details.
+    }
+    // The PROXY protocol version to use. See [the protocol spec](https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt) for details.
    // By default it is `V1`.
    VERSION version = 1;
  }

  // The upstream PROXY protocol settings.
  ProxyProtocol proxy_protocol = 7;
+
+  message RetryBudget {
+    // Specifies the limit on concurrent retries as a percentage of
+    // the sum of active requests and active pending requests.
+    // Defaults to 20%.
+    //
+    // +kubebuilder:validation:Maximum=100
+    // +kubebuilder:validation:Minimum=0
+    google.protobuf.DoubleValue percent = 1;
+    // Specifies the minimum retry concurrency allowed for the retry budget.
+    // For example, a budget of 20% with a minimum retry concurrency of 3
+    // will allow 5 active retries while there are 25 active requests.
+    // If there are 2 active requests, there are still 3 active retries
+    // allowed because of the minimum retry concurrency.
+    //
+    // Defaults to 3.
+    //
+    uint32 min_retry_concurrency = 2;
+  }
+
+  // Specifies a limit on concurrent retries in relation to the number of active requests.
+  RetryBudget retry_budget = 8;
 }

 // A subset of endpoints of a service. Subsets can be used for scenarios
@ -377,7 +401,7 @@ message Subset {
 // ```
 //
 message LoadBalancerSettings {
-  // +kubebuilder:validation:XValidation:message="only one of warmupDurationSecs or warmup can be set",rule="(has(self.warmupDurationSecs)?1:0)+(has(self.warmup)?1:0)<=1"
+  // +kubebuilder:validation:XValidation:message="only one of warmupDurationSecs or warmup can be set",rule="oneof(self.warmupDurationSecs, self.warmup)"
  // Standard load balancing algorithms that require no tuning.
  enum SimpleLB {
    // No load balancing algorithm has been specified by the user. Istio
@ -385,7 +409,7 @@ message LoadBalancerSettings {
    UNSPECIFIED = 0;

    // Deprecated. Use LEAST_REQUEST instead.
-    LEAST_CONN = 1 [deprecated=true];
+    LEAST_CONN = 1 [deprecated = true];

    // The random load balancer selects a random healthy host. The random
    // load balancer generally performs better than round robin if no health
@ -410,7 +434,7 @@ message LoadBalancerSettings {
    // and outperforms ROUND_ROBIN in nearly all cases. Prefer to use
    // LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.
    LEAST_REQUEST = 5;
-  };
+  }

  // Consistent Hash-based load balancing can be used to provide soft
  // session affinity based on HTTP headers, cookies or other
@ -429,7 +453,6 @@ message LoadBalancerSettings {
  // and consistent hash will only work together when all proxies are in the same locality,
  // or a high level load balancer handles locality affinity.
  message ConsistentHashLB {
-
    message RingHash {
      // The minimum number of virtual nodes to use for the hash
      // ring. Defaults to 1024. Larger ring sizes result in more granular
@ -437,7 +460,7 @@ message LoadBalancerSettings {
      // pool is larger than the ring size, each host will be assigned a
      // single virtual node.
      uint64 minimum_ring_size = 1;
-    };
+    }

    message MagLev {
      // The table size for Maglev hashing. This helps in controlling the
@ -446,7 +469,7 @@ message LoadBalancerSettings {
      // The table size must be prime number less than 5000011.
      // If it is not specified, the default is 65537.
      uint64 table_size = 1;
-    };
+    }
    // Describes a HTTP cookie that will be used as the hash key for the
    // Consistent Hash load balancer.
    message HTTPCookie {
@ -455,11 +478,11 @@ message LoadBalancerSettings {
      // Path to set for the cookie.
      string path = 2;
      // Lifetime of the cookie. If specified, a cookie with the TTL will be
-      // generated if the cookie is not present. If the TTL is present and zero, 
+      // generated if the cookie is not present. If the TTL is present and zero,
      // the generated cookie will be a session cookie.
      // +protoc-gen-crd:duration-validation:none
      google.protobuf.Duration ttl = 3;
-    };
+    }

    // The hash key to use.
    oneof hash_key {
@ -475,27 +498,23 @@ message LoadBalancerSettings {

      // Hash based on a specific HTTP query parameter.
      string http_query_parameter_name = 5;
-    };
+    }

-        // The hash algorithm to use.
-        // Please refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash
-        // and https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev for
-        // considerations on choosing an algorithm.
-        // Defaults to RingHash if not specified.
-        oneof hash_algorithm {
-          // The ring/modulo hash load balancer implements consistent hashing to backend hosts.
-          RingHash ring_hash = 6;
-          // The Maglev load balancer implements consistent hashing to backend hosts.
-          MagLev maglev = 7;
-        };
+    // The hash algorithm to use.
+    // Please refer to Envoy's [Ring Hash Load Balancer](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash)
+    // and [Maglev Load Balancer](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) docs for
+    // considerations on choosing an algorithm.
+    // Defaults to RingHash if not specified.
+    oneof hash_algorithm {
+      // The ring/modulo hash load balancer implements consistent hashing to backend hosts.
+      RingHash ring_hash = 6;
+      // The Maglev load balancer implements consistent hashing to backend hosts.
+      MagLev maglev = 7;
+    }

    // Deprecated. Use RingHash instead.
-    uint64 minimum_ring_size = 4 [deprecated=true];
-  };
-
-  // (-- TODO: Enable Subset load balancing after moving to v2 API Also
-  // look into enabling Priotity based load balancing for spilling over
-  // from one priority pool to another. --)
+    uint64 minimum_ring_size = 4 [deprecated = true];
+  }

  // Upstream load balancing policy.
  oneof lb_policy {
@ -503,7 +522,7 @@ message LoadBalancerSettings {
    ConsistentHashLB consistent_hash = 2;
  }

-  // Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed
+  // Locality load balancer settings, this will override mesh-wide settings in entirety, meaning no merging would be performed
  // between this object and the object one in MeshConfig
  LocalityLoadBalancerSetting locality_lb_setting = 3;

@ -537,6 +556,7 @@ message WarmupConfiguration {
  // +kubebuilder:validation:Minimum=1
  google.protobuf.DoubleValue aggression = 3;
 }
+
 // Connection pool settings for an upstream host. The settings apply to
 // each individual host in the upstream service.  See Envoy's [circuit
 // breaker](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking)
@ -582,20 +602,20 @@ message ConnectionPoolSettings {
      // Default is to use the OS level configuration
      // (unless overridden, Linux defaults to 75s.)
      google.protobuf.Duration interval = 3;
-    };
+    }

    // Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.
    int32 max_connections = 1;

    // TCP connection timeout. format:
-    // 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.
+    // 1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.
    google.protobuf.Duration connect_timeout = 2;

    // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
    TcpKeepalive tcp_keepalive = 3;

    // The maximum duration of a connection. The duration is defined as the period since a connection
-    // was established. If not set, there is no max duration. When max_connection_duration
+    // was established. If not set, there is no max duration. When `maxConnectionDuration`
    // is reached the connection will be closed. Duration must be at least 1ms.
    google.protobuf.Duration max_connection_duration = 4;

@ -607,20 +627,21 @@ message ConnectionPoolSettings {
    // because idleTimeout is a property of a listener, not a cluster. In that case, idleTimeout
    // specified in a destination rule for the first weighted route is configured in the listener,
    // which means also for all weighted routes.
+    // +protoc-gen-crd:duration-validation:none
    google.protobuf.Duration idle_timeout = 5;
-  };
+  }

  // Settings applicable to HTTP1.1/HTTP2/GRPC connections.
  message HTTPSettings {
    // Maximum number of requests that will be queued while waiting for
    // a ready connection pool connection. Default 2^32-1.
-    // Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking
-    // under which conditions a new connection is created for HTTP2.
-    // Please note that this is applicable to both HTTP/1.1 and HTTP2.
+    // Refer to [Envoy Circuit Breaking](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking)
+    // under which conditions a new connection is created for HTTP/2.
+    // Please note that this is applicable to both HTTP/1.1 and HTTP/2.
    int32 http1_max_pending_requests = 1;

    // Maximum number of active requests to a destination. Default 2^32-1.
-    // Please note that this is applicable to both HTTP/1.1 and HTTP2.
+    // Please note that this is applicable to both HTTP/1.1 and HTTP/2.
    int32 http2_max_requests = 2;

    // Maximum number of requests per connection to a backend. Setting this
@ -638,7 +659,7 @@ message ConnectionPoolSettings {
    // the connection will be closed. If the connection is an HTTP/2
    // connection a drain sequence will occur prior to closing the connection.
    // Note that request based timeouts mean that HTTP/2 PINGs will not
-    // keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
+    // keep the connection alive. Applies to both HTTP/1.1 and HTTP/2 connections.
    google.protobuf.Duration idle_timeout = 5;

    // Policy for upgrading http1.1 connections to http2.
@ -651,19 +672,19 @@ message ConnectionPoolSettings {
      // Upgrade the connection to http2.
      // This opt-in option overrides the default.
      UPGRADE = 2;
-    };
+    }
    // Specify if http1.1 connection should be upgraded to http2 for the associated destination.
    H2UpgradePolicy h2_upgrade_policy = 6;

    // If set to true, client protocol will be preserved while initiating connection to backend.
-    // Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client
+    // Note that when this is set to true, `h2UpgradePolicy` will be ineffective i.e. the client
    // connections will not be upgraded to http2.
    bool use_client_protocol = 7;

    // The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection.
-    // Defaults to 2^31-1. 
+    // Defaults to 2^31-1.
    int32 max_concurrent_streams = 8;
-  };
+  }

  // Settings common to both HTTP and TCP upstream connections.
  TCPSettings tcp = 1;
@ -683,7 +704,7 @@ message ConnectionPoolSettings {
 //
 // The following rule sets a connection pool size of 100 HTTP1 connections
 // with no more than 10 req/connection to the "reviews" service. In addition,
-// it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
+// it sets a limit of 1000 concurrent HTTP/2 requests and configures upstream
 // hosts to be scanned every 5 mins so that any host that fails 7 consecutive
 // times with a 502, 503, or 504 error code will be ejected for 15 minutes.
 //
@ -714,10 +735,10 @@ message OutlierDetection {
  // is accessed over an opaque TCP connection, connect timeouts and
  // connection error/failure events qualify as an error.
  // $hide_from_docs
-  int32 consecutive_errors = 1 [deprecated=true];
+  int32 consecutive_errors = 1 [deprecated = true];

  // Determines whether to distinguish local origin failures from external errors. If set to true
-  // consecutive_local_origin_failure is taken into account for outlier detection calculations.
+  // `consecutiveLocalOriginFailures` is taken into account for outlier detection calculations.
  // This should be used when you want to derive the outlier detection status based on the errors
  // seen locally such as failure to connect, timeout while connecting etc. rather than the status code
  // returned by upstream service. This is especially useful when the upstream service explicitly returns
@ -727,7 +748,7 @@ message OutlierDetection {
  bool split_external_local_origin_errors = 8;

  // The number of consecutive locally originated failures before ejection
-  // occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors
+  // occurs. Defaults to 5. Parameter takes effect only when `splitExternalLocalOriginErrors`
  // is set to true.
  google.protobuf.UInt32Value consecutive_local_origin_failures = 9;

@ -738,11 +759,11 @@ message OutlierDetection {
  // events qualify as a gateway error.
  // This feature is disabled by default or when set to the value 0.
  //
-  // Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+  // Note that `consecutiveGatewayErrors` and `consecutive5xxErrors` can be
  // used separately or together. Because the errors counted by
-  // consecutive_gateway_errors are also included in consecutive_5xx_errors,
-  // if the value of consecutive_gateway_errors is greater than or equal to
-  // the value of consecutive_5xx_errors, consecutive_gateway_errors will have
+  // `consecutiveGatewayErrors` are also included in `consecutive5xxErrors`,
+  // if the value of `consecutiveGatewayErrors` is greater than or equal to
+  // the value of `consecutive5xxErrors`, `consecutiveGatewayErrors` will have
  // no effect.
  google.protobuf.UInt32Value consecutive_gateway_errors = 6;

@ -752,23 +773,23 @@ message OutlierDetection {
  // 5xx error.
  // This feature defaults to 5 but can be disabled by setting the value to 0.
  //
-  // Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+  // Note that `consecutiveGatewayErrors` and `consecutive5xxErrors` can be
  // used separately or together. Because the errors counted by
-  // consecutive_gateway_errors are also included in consecutive_5xx_errors,
-  // if the value of consecutive_gateway_errors is greater than or equal to
-  // the value of consecutive_5xx_errors, consecutive_gateway_errors will have
+  // `consecutiveGatewayErrors` are also included in `consecutive5xxErrors`,
+  // if the value of `consecutiveGatewayErrors` is greater than or equal to
+  // the value of `consecutive5xxErrors`, `consecutiveGatewayErrors` will have
  // no effect.
  google.protobuf.UInt32Value consecutive_5xx_errors = 7;

  // Time interval between ejection sweep analysis. format:
-  // 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.
+  // 1h/1m/1s/1ms. MUST be >=1ms. Default is 10s.
  google.protobuf.Duration interval = 2;

  // Minimum ejection duration. A host will remain ejected for a period
  // equal to the product of minimum ejection duration and the number of
  // times the host has been ejected. This technique allows the system to
  // automatically increase the ejection period for unhealthy upstream
-  // servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.
+  // servers. format: 1h/1m/1s/1ms. MUST be >=1ms. Default is 30s.
  google.protobuf.Duration base_ejection_time = 3;

  // Maximum % of hosts in the load balancing pool for the upstream
@ -776,7 +797,7 @@ message OutlierDetection {
  int32 max_ejection_percent = 4;

  // Outlier detection will be enabled as long as the associated load balancing
-  // pool has at least min_health_percent hosts in healthy mode. When the
+  // pool has at least `minHealthPercent` hosts in healthy mode. When the
  // percentage of healthy hosts in the load balancing pool drops below this
  // threshold, outlier detection will be disabled and the proxy will load balance
  // across all hosts in the pool (healthy and unhealthy). The threshold can be
@ -856,7 +877,7 @@ message ClientTLSSettings {
    // automatically by Istio for mTLS authentication. When this mode is
    // used, all other fields in `ClientTLSSettings` should be empty.
    ISTIO_MUTUAL = 3;
-  };
+  }

  // Indicates whether connections to this port should be secured
  // using TLS. The value of this field determines how TLS is enforced.
@ -903,8 +924,8 @@ message ClientTLSSettings {
  // A list of alternate names to verify the subject identity in the
  // certificate. If specified, the proxy will verify that the server
  // certificate's subject alt name matches one of the specified values.
-  // If specified, this list overrides the value of subject_alt_names
-  // from the ServiceEntry. If unspecified, automatic validation of upstream
+  // If specified, this list overrides the value of `subjectAltNames`
+  // from the `ServiceEntry`. If unspecified, automatic validation of upstream
  // presented certificate for new upstream connections will be done based on the
  // downstream HTTP host/authority header.
  repeated string subject_alt_names = 5;
@ -936,13 +957,13 @@ message ClientTLSSettings {
 // [Locality Weight](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
 // The following example shows how to setup locality weights mesh-wide.
 //
-// Given a mesh with workloads and their service deployed to "us-west/zone1/*"
-// and "us-west/zone2/*". This example specifies that when traffic accessing a
-// service originates from workloads in "us-west/zone1/*", 80% of the traffic
-// will be sent to endpoints in "us-west/zone1/*", i.e the same zone, and the
-// remaining 20% will go to endpoints in "us-west/zone2/*". This setup is
+// Given a mesh with workloads and their service deployed to "us-west/zone1/\*"
+// and "us-west/zone2/\*". This example specifies that when traffic accessing a
+// service originates from workloads in "us-west/zone1/\*", 80% of the traffic
+// will be sent to endpoints in "us-west/zone1/\*", i.e the same zone, and the
+// remaining 20% will go to endpoints in "us-west/zone2/\*". This setup is
 // intended to favor routing traffic to endpoints in the same locality.
-// A similar setting is specified for traffic originating in "us-west/zone2/*".
+// A similar setting is specified for traffic originating in "us-west/zone2/\*".
 //
 // ```yaml
 //   distribute:
@ -974,119 +995,118 @@ message ClientTLSSettings {
 //    - from: us-west
 //      to: us-east
 // ```
-// Locality load balancing settings.
-message LocalityLoadBalancerSetting{
-    // Describes how traffic originating in the 'from' zone or sub-zone is
-    // distributed over a set of 'to' zones. Syntax for specifying a zone is
-    // {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
-    // segment of the specification. Examples:
-    //
-    // `*` - matches all localities
-    //
-    // `us-west/*` - all zones and sub-zones within the us-west region
-    //
-    // `us-west/zone-1/*` - all sub-zones within us-west/zone-1
-    message Distribute{
-        // Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
-        string from = 1;
+message LocalityLoadBalancerSetting {
+  // Describes how traffic originating in the 'from' zone or sub-zone is
+  // distributed over a set of 'to' zones. Syntax for specifying a zone is
+  // {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
+  // segment of the specification. Examples:
+  //
+  // `*` - matches all localities
+  //
+  // `us-west/*` - all zones and sub-zones within the us-west region
+  //
+  // `us-west/zone-1/*` - all sub-zones within us-west/zone-1
+  message Distribute {
+    // Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
+    string from = 1;

-        // Map of upstream localities to traffic distribution weights. The sum of
-        // all weights should be 100. Any locality not present will
-        // receive no traffic.
-        map<string, uint32> to = 2;
-    };
+    // Map of upstream localities to traffic distribution weights. The sum of
+    // all weights should be 100. Any locality not present will
+    // receive no traffic.
+    map<string, uint32> to = 2;
+  }

-    // Specify the traffic failover policy across regions. Since zone and sub-zone
-    // failover is supported by default this only needs to be specified for
-    // regions when the operator needs to constrain traffic failover so that
-    // the default behavior of failing over to any endpoint globally does not
-    // apply. This is useful when failing over traffic across regions would not
-    // improve service health or may need to be restricted for other reasons
-    // like regulatory controls.
-    message Failover{
-        // Originating region.
-        string from = 1;
+  // Specify the traffic failover policy across regions. Since zone and sub-zone
+  // failover is supported by default this only needs to be specified for
+  // regions when the operator needs to constrain traffic failover so that
+  // the default behavior of failing over to any endpoint globally does not
+  // apply. This is useful when failing over traffic across regions would not
+  // improve service health or may need to be restricted for other reasons
+  // like regulatory controls.
+  message Failover {
+    // Originating region.
+    string from = 1;

-        // Destination region the traffic will fail over to when endpoints in
-        // the 'from' region becomes unhealthy.
-        string to = 2;
-    };
+    // Destination region the traffic will fail over to when endpoints in
+    // the 'from' region becomes unhealthy.
+    string to = 2;
+  }

-    // Optional: only one of distribute, failover or failoverPriority can be set.
-    // Explicitly specify loadbalancing weight across different zones and geographical locations.
-    // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
-    // If empty, the locality weight is set according to the endpoints number within it.
-    repeated Distribute distribute = 1;
+  // Optional: only one of distribute, failover or failoverPriority can be set.
+  // Explicitly specify loadbalancing weight across different zones and geographical locations.
+  // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
+  // If empty, the locality weight is set according to the endpoints number within it.
+  repeated Distribute distribute = 1;

-    // Optional: only one of distribute, failover or failoverPriority can be set.
-    // Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
-    // Should be used together with OutlierDetection to detect unhealthy endpoints.
-    // Note: if no OutlierDetection specified, this will not take effect.
-    repeated Failover failover = 2;
+  // Optional: only one of distribute, failover or failoverPriority can be set.
+  // Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
+  // Should be used together with OutlierDetection to detect unhealthy endpoints.
+  // Note: if no OutlierDetection specified, this will not take effect.
+  repeated Failover failover = 2;

-    // failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
-    // This is to support traffic failover across different groups of endpoints.
-    // Two kinds of labels can be specified:
-    // - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints.
-    //   Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified:
-    //
-    //   1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
-    //   2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
-    //   3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
-    //   4. All the other endpoints have priority P(N) i.e. lowest priority.
-    //
-    // - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints.
-    //   Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified:
-    //
-    //   1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
-    //   2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
-    //   3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
-    //   4. All the other endpoints have priority P(N) i.e. lowest priority.
-    //
-    // Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.
-    //
-    // It can be any label specified on both client and server workloads.
-    // The following labels which have special semantic meaning are also supported:
-    //
-    //   - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks.
-    //   - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`.
-    //   - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`.
-    //   - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`.
-    //   - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`.
-    //   - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`.
-    //
-    // The below topology config indicates the following priority levels:
-    //
-    // ```yaml
-    // failoverPriority:
-    // - "topology.istio.io/network"
-    // - "topology.kubernetes.io/region"
-    // - "topology.kubernetes.io/zone"
-    // - "topology.istio.io/subzone"
-    // ```
-    //
-    // 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
-    // 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
-    // 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
-    // 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
-    // 5. all the other endpoints have the same lowest priority.
-    //
-    // Suppose a service associated endpoints reside in multi clusters, the below example represents:
-    // 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority.
-    // 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority.
-    // 2. all the other endpoints have P(2) priority.
-    //
-    // ```yaml
-    // failoverPriority:
-    // - "version=v1"
-    // - "topology.istio.io/cluster=clusterA"
-    // ```
-    //
-    // Optional: only one of distribute, failover or failoverPriority can be set.
-    // And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.
-    repeated string failover_priority = 4;
+  // failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
+  // This is to support traffic failover across different groups of endpoints.
+  // Two kinds of labels can be specified:
+  // - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints.
+  //   Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified:
+  //
+  //   1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
+  //   2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
+  //   3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
+  //   4. All the other endpoints have priority P(N) i.e. lowest priority.
+  //
+  // - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints.
+  //   Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified:
+  //
+  //   1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
+  //   2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
+  //   3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
+  //   4. All the other endpoints have priority P(N) i.e. lowest priority.
+  //
+  // Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.
+  //
+  // It can be any label specified on both client and server workloads.
+  // The following labels which have special semantic meaning are also supported:
+  //
+  //   - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks.
+  //   - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`.
+  //   - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`.
+  //   - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`.
+  //   - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`.
+  //   - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`.
+  //
+  // The below topology config indicates the following priority levels:
+  //
+  // ```yaml
+  // failoverPriority:
+  // - "topology.istio.io/network"
+  // - "topology.kubernetes.io/region"
+  // - "topology.kubernetes.io/zone"
+  // - "topology.istio.io/subzone"
+  // ```
+  //
+  // 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
+  // 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
+  // 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
+  // 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
+  // 5. all the other endpoints have the same lowest priority.
+  //
+  // Suppose a service associated endpoints reside in multi clusters, the below example represents:
+  // 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority.
+  // 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority.
+  // 2. all the other endpoints have P(2) priority.
+  //
+  // ```yaml
+  // failoverPriority:
+  // - "version=v1"
+  // - "topology.istio.io/cluster=clusterA"
+  // ```
+  //
+  // Optional: only one of distribute, failover or failoverPriority can be set.
+  // And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.
+  repeated string failover_priority = 4;

-    // enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
-    // e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.
-    google.protobuf.BoolValue enabled = 3;
+  // Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety.
+  // e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.
+  google.protobuf.BoolValue enabled = 3;
 }
--- a/networking/v1alpha3/destination_rule_deepcopy.gen.go
+++ b/networking/v1alpha3/destination_rule_deepcopy.gen.go
@ -110,6 +110,27 @@ func (in *TrafficPolicy_ProxyProtocol) DeepCopyInterface() interface{} {
 	return in.DeepCopy()
 }

+// DeepCopyInto supports using TrafficPolicy_RetryBudget within kubernetes types, where deepcopy-gen is used.
+func (in *TrafficPolicy_RetryBudget) DeepCopyInto(out *TrafficPolicy_RetryBudget) {
+	p := proto.Clone(in).(*TrafficPolicy_RetryBudget)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficPolicy_RetryBudget. Required by controller-gen.
+func (in *TrafficPolicy_RetryBudget) DeepCopy() *TrafficPolicy_RetryBudget {
+	if in == nil {
+		return nil
+	}
+	out := new(TrafficPolicy_RetryBudget)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TrafficPolicy_RetryBudget. Required by controller-gen.
+func (in *TrafficPolicy_RetryBudget) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
+
 // DeepCopyInto supports using Subset within kubernetes types, where deepcopy-gen is used.
 func (in *Subset) DeepCopyInto(out *Subset) {
 	p := proto.Clone(in).(*Subset)
--- a/networking/v1alpha3/destination_rule_json.gen.go
+++ b/networking/v1alpha3/destination_rule_json.gen.go
@ -61,6 +61,17 @@ func (this *TrafficPolicy_ProxyProtocol) UnmarshalJSON(b []byte) error {
 	return DestinationRuleUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }

+// MarshalJSON is a custom marshaler for TrafficPolicy_RetryBudget
+func (this *TrafficPolicy_RetryBudget) MarshalJSON() ([]byte, error) {
+	str, err := DestinationRuleMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for TrafficPolicy_RetryBudget
+func (this *TrafficPolicy_RetryBudget) UnmarshalJSON(b []byte) error {
+	return DestinationRuleUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
 // MarshalJSON is a custom marshaler for Subset
 func (this *Subset) MarshalJSON() ([]byte, error) {
 	str, err := DestinationRuleMarshaler.MarshalToString(this)
--- a/networking/v1alpha3/envoy_filter.pb.go
+++ b/networking/v1alpha3/envoy_filter.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: networking/v1alpha3/envoy_filter.proto

@ -25,7 +25,7 @@
 // $aliases: [/docs/reference/config/networking/v1alpha3/envoy-filter]

 // `EnvoyFilter` provides a mechanism to customize the Envoy
-// configuration generated by Istio Pilot. Use EnvoyFilter to modify
+// configuration generated by istiod. Use EnvoyFilter to modify
 // values for certain fields, add specific filters, or even add
 // entirely new listeners, clusters, etc. This feature must be used
 // with care, as incorrect configurations could potentially
@ -395,6 +395,35 @@
 //         name: "envoy.filters.listener.proxy_protocol"
 //         typed_config:
 //           "@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
+// ```
+//
+// The following example configures ratelimits for the domain `foo.com`.
+//
+// ```yaml
+// apiVersion: networking.istio.io/v1alpha3
+// kind: EnvoyFilter
+// metadata:
+//   name: domain-match-example
+//   namespace: myns
+// spec:
+//   configPatches:
+//   - applyTo: VIRTUAL_HOST
+//     match:
+//       context: GATEWAY
+//       routeConfiguration:
+//         vhost:
+//           domainName: 'foo.com'
+//     patch:
+//       operation: MERGE
+//       value:
+//         rate_limits:
+//           actions:
+//             - request_headers:
+//                 header_name: "authorization"
+//                 descriptor_key: "jwt"
+//             - request_headers:
+//                 header_name: ":path"
+//                 descriptor_key: "path"

 package v1alpha3

@ -405,6 +434,7 @@ import (
 	v1beta1 "istio.io/api/type/v1beta1"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -801,7 +831,7 @@ func (EnvoyFilter_Patch_FilterClass) EnumDescriptor() ([]byte, []int) {
 }

 // EnvoyFilter provides a mechanism to customize the Envoy configuration
-// generated by Istio Pilot.
+// generated by istiod.
 //
 // <!-- crd generation tags
 // +cue-gen:EnvoyFilter:groupName:networking.istio.io
@ -822,12 +852,9 @@ func (EnvoyFilter_Patch_FilterClass) EnumDescriptor() ([]byte, []int) {
 // +genclient
 // +k8s:deepcopy-gen=true
 // -->
-// +kubebuilder:validation:XValidation:message="only one of targetRefs or workloadSelector can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1"
+// +kubebuilder:validation:XValidation:message="only one of targetRefs or workloadSelector can be set",rule="oneof(self.workloadSelector, self.targetRefs)"
 type EnvoyFilter struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Criteria used to select the specific set of pods/VMs on which
 	// this patch configuration should be applied. If omitted, the set
 	// of patches in this configuration will be applied to all workload
@ -841,7 +868,9 @@ type EnvoyFilter struct {
 	//
 	// Currently, the following resource attachment types are supported:
 	// * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+	// * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
 	// * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
+	// * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 	//
 	// If not set, the policy is applied as defined by the selector.
 	// At most one of the selector and targetRefs can be set.
@ -872,7 +901,9 @@ type EnvoyFilter struct {
 	//
 	// Patch sets are sorted in the following ascending key order:
 	// priority, creation time, fully qualified resource name.
-	Priority int32 `protobuf:"varint,5,opt,name=priority,proto3" json:"priority,omitempty"`
+	Priority      int32 `protobuf:"varint,5,opt,name=priority,proto3" json:"priority,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter) Reset() {
@ -935,26 +966,25 @@ func (x *EnvoyFilter) GetPriority() int32 {

 // One or more properties of the proxy to match on.
 type EnvoyFilter_ProxyMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// A regular expression in golang regex format (RE2) that can be
 	// used to select proxies using a specific version of istio
 	// proxy. The Istio version for a given proxy is obtained from the
 	// node metadata field `ISTIO_VERSION` supplied by the proxy when
-	// connecting to Pilot. This value is embedded as an environment
+	// connecting to istiod. This value is embedded as an environment
 	// variable (`ISTIO_META_ISTIO_VERSION`) in the Istio proxy docker
 	// image. Custom proxy implementations should provide this metadata
 	// variable to take advantage of the Istio version check option.
 	ProxyVersion string `protobuf:"bytes,1,opt,name=proxy_version,json=proxyVersion,proto3" json:"proxy_version,omitempty"`
 	// Match on the node metadata supplied by a proxy when connecting
-	// to Istio Pilot. Note that while Envoy's node metadata is of
+	// to istiod. Note that while Envoy's node metadata is of
 	// type Struct, only string key-value pairs are processed by
-	// Pilot. All keys specified in the metadata must match with exact
+	// istiod. All keys specified in the metadata must match with exact
 	// values. The match will fail if any of the specified keys are
 	// absent or the values fail to match.
-	Metadata map[string]string `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Metadata      map[string]string `protobuf:"bytes,2,rep,name=metadata,proto3" json:"metadata,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_ProxyMatch) Reset() {
@ -1004,10 +1034,7 @@ func (x *EnvoyFilter_ProxyMatch) GetMetadata() map[string]string {
 // Conditions specified in `ClusterMatch` must be met for the patch
 // to be applied to a cluster.
 type EnvoyFilter_ClusterMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The service port for which this cluster was generated.  If
 	// omitted, applies to clusters for any port.
 	// **Note:** for inbound cluster, it is the service target port.
@ -1025,7 +1052,9 @@ type EnvoyFilter_ClusterMatch struct {
 	// cluster by name, such as the internally generated `Passthrough`
 	// cluster, leave all fields in clusterMatch empty, except the
 	// name.
-	Name string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
+	Name          string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_ClusterMatch) Reset() {
@ -1090,10 +1119,7 @@ func (x *EnvoyFilter_ClusterMatch) GetName() string {
 // the patch to be applied to a route configuration object or a
 // specific virtual host within the route configuration.
 type EnvoyFilter_RouteConfigurationMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The service port number or gateway server port number for which
 	// this route configuration was generated. If omitted, applies to
 	// route configurations for all ports.
@ -1114,7 +1140,9 @@ type EnvoyFilter_RouteConfigurationMatch struct {
 	// Route configuration name to match on. Can be used to match a
 	// specific route configuration by name, such as the internally
 	// generated `http_proxy` route configuration for all sidecars.
-	Name string `protobuf:"bytes,5,opt,name=name,proto3" json:"name,omitempty"`
+	Name          string `protobuf:"bytes,5,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_RouteConfigurationMatch) Reset() {
@ -1186,10 +1214,7 @@ func (x *EnvoyFilter_RouteConfigurationMatch) GetName() string {
 // patch to be applied to a specific listener across all filter
 // chains, or a specific filter chain inside the listener.
 type EnvoyFilter_ListenerMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The service port/gateway port to which traffic is being
 	// sent/received. If not specified, matches all listeners. Even though
 	// inbound listeners are generated for the instance/pod ports, only
@ -1210,8 +1235,10 @@ type EnvoyFilter_ListenerMatch struct {
 	// patch will be applied to the listener filter.
 	ListenerFilter string `protobuf:"bytes,5,opt,name=listener_filter,json=listenerFilter,proto3" json:"listener_filter,omitempty"`
 	// Match a specific listener by its name. The listeners generated
-	// by Pilot are typically named as IP:Port.
-	Name string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
+	// by istiod are typically named as IP:Port.
+	Name          string `protobuf:"bytes,4,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_ListenerMatch) Reset() {
@ -1281,17 +1308,16 @@ func (x *EnvoyFilter_ListenerMatch) GetName() string {

 // Patch specifies how the selected object should be modified.
 type EnvoyFilter_Patch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Determines how the patch should be applied.
 	Operation EnvoyFilter_Patch_Operation `protobuf:"varint,1,opt,name=operation,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_Patch_Operation" json:"operation,omitempty"`
 	// The JSON config of the object being patched. This will be merged using
 	// proto merge semantics with the existing proto in the path.
 	Value *_struct.Struct `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
 	// Determines the filter insertion order.
-	FilterClass EnvoyFilter_Patch_FilterClass `protobuf:"varint,3,opt,name=filter_class,json=filterClass,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_Patch_FilterClass" json:"filter_class,omitempty"`
+	FilterClass   EnvoyFilter_Patch_FilterClass `protobuf:"varint,3,opt,name=filter_class,json=filterClass,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_Patch_FilterClass" json:"filter_class,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_Patch) Reset() {
@ -1348,22 +1374,21 @@ func (x *EnvoyFilter_Patch) GetFilterClass() EnvoyFilter_Patch_FilterClass {
 // One or more match conditions to be met before a patch is applied
 // to the generated configuration for a given proxy.
 type EnvoyFilter_EnvoyConfigObjectMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// The specific config generation context to match on. Istio Pilot
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The specific config generation context to match on. istiod
 	// generates envoy configuration in the context of a gateway,
 	// inbound traffic to sidecar and outbound traffic from sidecar.
 	Context EnvoyFilter_PatchContext `protobuf:"varint,1,opt,name=context,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_PatchContext" json:"context,omitempty"`
 	// Match on properties associated with a proxy.
 	Proxy *EnvoyFilter_ProxyMatch `protobuf:"bytes,2,opt,name=proxy,proto3" json:"proxy,omitempty"`
-	// Types that are assignable to ObjectTypes:
+	// Types that are valid to be assigned to ObjectTypes:
 	//
 	//	*EnvoyFilter_EnvoyConfigObjectMatch_Listener
 	//	*EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration
 	//	*EnvoyFilter_EnvoyConfigObjectMatch_Cluster
-	ObjectTypes isEnvoyFilter_EnvoyConfigObjectMatch_ObjectTypes `protobuf_oneof:"object_types"`
+	ObjectTypes   isEnvoyFilter_EnvoyConfigObjectMatch_ObjectTypes `protobuf_oneof:"object_types"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_EnvoyConfigObjectMatch) Reset() {
@ -1410,30 +1435,36 @@ func (x *EnvoyFilter_EnvoyConfigObjectMatch) GetProxy() *EnvoyFilter_ProxyMatch
 	return nil
 }

-func (m *EnvoyFilter_EnvoyConfigObjectMatch) GetObjectTypes() isEnvoyFilter_EnvoyConfigObjectMatch_ObjectTypes {
-	if m != nil {
-		return m.ObjectTypes
+func (x *EnvoyFilter_EnvoyConfigObjectMatch) GetObjectTypes() isEnvoyFilter_EnvoyConfigObjectMatch_ObjectTypes {
+	if x != nil {
+		return x.ObjectTypes
 	}
 	return nil
 }

 func (x *EnvoyFilter_EnvoyConfigObjectMatch) GetListener() *EnvoyFilter_ListenerMatch {
-	if x, ok := x.GetObjectTypes().(*EnvoyFilter_EnvoyConfigObjectMatch_Listener); ok {
-		return x.Listener
+	if x != nil {
+		if x, ok := x.ObjectTypes.(*EnvoyFilter_EnvoyConfigObjectMatch_Listener); ok {
+			return x.Listener
+		}
 	}
 	return nil
 }

 func (x *EnvoyFilter_EnvoyConfigObjectMatch) GetRouteConfiguration() *EnvoyFilter_RouteConfigurationMatch {
-	if x, ok := x.GetObjectTypes().(*EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration); ok {
-		return x.RouteConfiguration
+	if x != nil {
+		if x, ok := x.ObjectTypes.(*EnvoyFilter_EnvoyConfigObjectMatch_RouteConfiguration); ok {
+			return x.RouteConfiguration
+		}
 	}
 	return nil
 }

 func (x *EnvoyFilter_EnvoyConfigObjectMatch) GetCluster() *EnvoyFilter_ClusterMatch {
-	if x, ok := x.GetObjectTypes().(*EnvoyFilter_EnvoyConfigObjectMatch_Cluster); ok {
-		return x.Cluster
+	if x != nil {
+		if x, ok := x.ObjectTypes.(*EnvoyFilter_EnvoyConfigObjectMatch_Cluster); ok {
+			return x.Cluster
+		}
 	}
 	return nil
 }
@ -1468,10 +1499,7 @@ func (*EnvoyFilter_EnvoyConfigObjectMatch_Cluster) isEnvoyFilter_EnvoyConfigObje

 // Changes to be made to various envoy config objects.
 type EnvoyFilter_EnvoyConfigObjectPatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Specifies where in the Envoy configuration, the patch should be
 	// applied.  The match is expected to select the appropriate
 	// object based on applyTo.  For example, an applyTo with
@ -1485,7 +1513,9 @@ type EnvoyFilter_EnvoyConfigObjectPatch struct {
 	// Match on listener/route configuration/cluster.
 	Match *EnvoyFilter_EnvoyConfigObjectMatch `protobuf:"bytes,2,opt,name=match,proto3" json:"match,omitempty"`
 	// The patch to apply along with the operation.
-	Patch *EnvoyFilter_Patch `protobuf:"bytes,3,opt,name=patch,proto3" json:"patch,omitempty"`
+	Patch         *EnvoyFilter_Patch `protobuf:"bytes,3,opt,name=patch,proto3" json:"patch,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_EnvoyConfigObjectPatch) Reset() {
@ -1541,17 +1571,16 @@ func (x *EnvoyFilter_EnvoyConfigObjectPatch) GetPatch() *EnvoyFilter_Patch {

 // Match a specific route inside a virtual host in a route configuration.
 type EnvoyFilter_RouteConfigurationMatch_RouteMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The Route objects generated by default are named as
 	// default.  Route objects generated using a virtual service
 	// will carry the name used in the virtual service's HTTP
 	// routes.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// Match a route with specific action type.
-	Action EnvoyFilter_RouteConfigurationMatch_RouteMatch_Action `protobuf:"varint,2,opt,name=action,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_RouteConfigurationMatch_RouteMatch_Action" json:"action,omitempty"`
+	Action        EnvoyFilter_RouteConfigurationMatch_RouteMatch_Action `protobuf:"varint,2,opt,name=action,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_RouteConfigurationMatch_RouteMatch_Action" json:"action,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_RouteConfigurationMatch_RouteMatch) Reset() {
@ -1600,17 +1629,20 @@ func (x *EnvoyFilter_RouteConfigurationMatch_RouteMatch) GetAction() EnvoyFilter

 // Match a specific virtual host inside a route configuration.
 type EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The VirtualHosts objects generated by Istio are named as
 	// host:port, where the host typically corresponds to the
 	// VirtualService's host field or the hostname of a service in the
 	// registry.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	// Match a domain name in a virtual host. If this domain name is part of
+	// the list of domains that the virtual host serves, the patch will be
+	// applied.
+	DomainName string `protobuf:"bytes,3,opt,name=domain_name,json=domainName,proto3" json:"domain_name,omitempty"`
 	// Match a specific route within the virtual host.
-	Route *EnvoyFilter_RouteConfigurationMatch_RouteMatch `protobuf:"bytes,2,opt,name=route,proto3" json:"route,omitempty"`
+	Route         *EnvoyFilter_RouteConfigurationMatch_RouteMatch `protobuf:"bytes,2,opt,name=route,proto3" json:"route,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch) Reset() {
@ -1650,6 +1682,13 @@ func (x *EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch) GetName() string
 	return ""
 }

+func (x *EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch) GetDomainName() string {
+	if x != nil {
+		return x.DomainName
+	}
+	return ""
+}
+
 func (x *EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch) GetRoute() *EnvoyFilter_RouteConfigurationMatch_RouteMatch {
 	if x != nil {
 		return x.Route
@ -1662,10 +1701,7 @@ func (x *EnvoyFilter_RouteConfigurationMatch_VirtualHostMatch) GetRoute() *Envoy
 // with multiple SNI matches), the filter chain match can be used
 // to select a specific filter chain to patch.
 type EnvoyFilter_ListenerMatch_FilterChainMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The name assigned to the filter chain.
 	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	// The SNI value used by a filter chain's match condition.  This
@ -1698,6 +1734,8 @@ type EnvoyFilter_ListenerMatch_FilterChainMatch struct {
 	// The destination_port value used by a filter chain's match condition.
 	// This condition will evaluate to false if the filter chain has no destination_port match.
 	DestinationPort uint32 `protobuf:"varint,6,opt,name=destination_port,json=destinationPort,proto3" json:"destination_port,omitempty"`
+	unknownFields   protoimpl.UnknownFields
+	sizeCache       protoimpl.SizeCache
 }

 func (x *EnvoyFilter_ListenerMatch_FilterChainMatch) Reset() {
@ -1774,10 +1812,7 @@ func (x *EnvoyFilter_ListenerMatch_FilterChainMatch) GetDestinationPort() uint32

 // Conditions to match a specific filter within a filter chain.
 type EnvoyFilter_ListenerMatch_FilterMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The filter name to match on.
 	// For standard Envoy filters, [canonical filter](https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.14.0#deprecated)
 	// names should be used.
@ -1785,7 +1820,9 @@ type EnvoyFilter_ListenerMatch_FilterMatch struct {
 	// The next level filter within this filter to match
 	// upon. Typically used for HTTP Connection Manager filters and
 	// Thrift filters.
-	SubFilter *EnvoyFilter_ListenerMatch_SubFilterMatch `protobuf:"bytes,2,opt,name=sub_filter,json=subFilter,proto3" json:"sub_filter,omitempty"`
+	SubFilter     *EnvoyFilter_ListenerMatch_SubFilterMatch `protobuf:"bytes,2,opt,name=sub_filter,json=subFilter,proto3" json:"sub_filter,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_ListenerMatch_FilterMatch) Reset() {
@ -1837,12 +1874,11 @@ func (x *EnvoyFilter_ListenerMatch_FilterMatch) GetSubFilter() *EnvoyFilter_List
 // inside the `envoy.filters.network.http_connection_manager` network filter.
 // This could also be applicable for thrift filters.
 type EnvoyFilter_ListenerMatch_SubFilterMatch struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The filter name to match on.
-	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	Name          string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *EnvoyFilter_ListenerMatch_SubFilterMatch) Reset() {
@ -1884,245 +1920,129 @@ func (x *EnvoyFilter_ListenerMatch_SubFilterMatch) GetName() string {

 var File_networking_v1alpha3_envoy_filter_proto protoreflect.FileDescriptor

-var file_networking_v1alpha3_envoy_filter_proto_rawDesc = []byte{
-	0x0a, 0x26, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x5f, 0x66, 0x69, 0x6c, 0x74,
-	0x65, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x33, 0x1a, 0x1c, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72, 0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x1a, 0x21, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x2e, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74,
-	0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x22, 0xe5, 0x1a, 0x0a, 0x0b, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x12, 0x58, 0x0a, 0x11, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x73, 0x65,
-	0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61,
-	0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x10, 0x77, 0x6f, 0x72, 0x6b, 0x6c,
-	0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x49, 0x0a, 0x0a, 0x74,
-	0x61, 0x72, 0x67, 0x65, 0x74, 0x52, 0x65, 0x66, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62,
-	0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x54, 0x61, 0x72, 0x67, 0x65,
-	0x74, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67,
-	0x65, 0x74, 0x52, 0x65, 0x66, 0x73, 0x12, 0x64, 0x0a, 0x0e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x5f, 0x70, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3d,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e,
-	0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79,
-	0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x43, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x50, 0x61, 0x74, 0x63, 0x68, 0x52, 0x0d, 0x63,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x50, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08,
-	0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x08,
-	0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x1a, 0xcb, 0x01, 0x0a, 0x0a, 0x50, 0x72, 0x6f,
-	0x78, 0x79, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x23, 0x0a, 0x0d, 0x70, 0x72, 0x6f, 0x78, 0x79,
-	0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c,
-	0x70, 0x72, 0x6f, 0x78, 0x79, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x5b, 0x0a, 0x08,
-	0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3f,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e,
-	0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79,
-	0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d, 0x61, 0x74, 0x63,
-	0x68, 0x2e, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52,
-	0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x1a, 0x3b, 0x0a, 0x0d, 0x4d, 0x65, 0x74,
-	0x61, 0x64, 0x61, 0x74, 0x61, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
-	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x75, 0x0a, 0x0c, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65,
-	0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x6e,
-	0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x70, 0x6f, 0x72,
-	0x74, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63,
-	0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x75, 0x62, 0x73, 0x65, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x06, 0x73, 0x75, 0x62, 0x73, 0x65, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
-	0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x1a, 0xc4, 0x04,
-	0x0a, 0x17, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x72,
-	0x74, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a,
-	0x70, 0x6f, 0x72, 0x74, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f,
-	0x72, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70,
-	0x6f, 0x72, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x67, 0x61, 0x74, 0x65, 0x77,
-	0x61, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61,
-	0x79, 0x12, 0x65, 0x0a, 0x05, 0x76, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x4f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76,
-	0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68,
-	0x2e, 0x56, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6c, 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x74, 0x63,
-	0x68, 0x52, 0x05, 0x76, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65,
-	0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x1a, 0xcb, 0x01, 0x0a,
-	0x0a, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x6e,
-	0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12,
-	0x68, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x50, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69,
-	0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f,
-	0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x2e,
-	0x52, 0x6f, 0x75, 0x74, 0x65, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x3f, 0x0a, 0x06, 0x41, 0x63, 0x74,
-	0x69, 0x6f, 0x6e, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x4e, 0x59, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05,
-	0x52, 0x4f, 0x55, 0x54, 0x45, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x52, 0x45, 0x44, 0x49, 0x52,
-	0x45, 0x43, 0x54, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x5f,
-	0x52, 0x45, 0x53, 0x50, 0x4f, 0x4e, 0x53, 0x45, 0x10, 0x03, 0x1a, 0x87, 0x01, 0x0a, 0x10, 0x56,
-	0x69, 0x72, 0x74, 0x75, 0x61, 0x6c, 0x48, 0x6f, 0x73, 0x74, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12,
-	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
-	0x61, 0x6d, 0x65, 0x12, 0x5f, 0x0a, 0x05, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x49, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45,
-	0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74,
-	0x63, 0x68, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x05, 0x72,
-	0x6f, 0x75, 0x74, 0x65, 0x1a, 0xc6, 0x05, 0x0a, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65,
-	0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x6e,
-	0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0a, 0x70, 0x6f, 0x72,
-	0x74, 0x4e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x1b, 0x0a, 0x09, 0x70, 0x6f, 0x72, 0x74, 0x5f,
-	0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6f, 0x72, 0x74,
-	0x4e, 0x61, 0x6d, 0x65, 0x12, 0x68, 0x0a, 0x0c, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x5f, 0x63,
-	0x68, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x45, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74,
-	0x65, 0x72, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68,
-	0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63,
-	0x68, 0x52, 0x0b, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x27,
-	0x0a, 0x0f, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x5f, 0x66, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65,
-	0x72, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
-	0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x1a, 0xa1, 0x02, 0x0a, 0x10,
-	0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68,
-	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x73, 0x6e, 0x69, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x03, 0x73, 0x6e, 0x69, 0x12, 0x2d, 0x0a, 0x12, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70,
-	0x6f, 0x72, 0x74, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x11, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x33, 0x0a, 0x15, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x73, 0x12, 0x58, 0x0a, 0x06, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x40, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74,
-	0x65, 0x72, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68,
-	0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x06, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x12, 0x29, 0x0a, 0x10, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x0f,
-	0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x72, 0x74, 0x1a,
-	0x85, 0x01, 0x0a, 0x0b, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12,
-	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
-	0x61, 0x6d, 0x65, 0x12, 0x62, 0x0a, 0x0a, 0x73, 0x75, 0x62, 0x5f, 0x66, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x43, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e,
-	0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x53, 0x75,
-	0x62, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x09, 0x73, 0x75,
-	0x62, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x1a, 0x24, 0x0a, 0x0e, 0x53, 0x75, 0x62, 0x46, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
-	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x1a, 0xa8, 0x03,
-	0x0a, 0x05, 0x50, 0x61, 0x74, 0x63, 0x68, 0x12, 0x54, 0x0a, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x36, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74,
-	0x65, 0x72, 0x2e, 0x50, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x52, 0x09, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2d, 0x0a,
-	0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x67,
-	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53,
-	0x74, 0x72, 0x75, 0x63, 0x74, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x5b, 0x0a, 0x0c,
-	0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x5f, 0x63, 0x6c, 0x61, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45,
-	0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x50, 0x61, 0x74, 0x63, 0x68,
-	0x2e, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x52, 0x0b, 0x66, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x22, 0x7c, 0x0a, 0x09, 0x4f, 0x70, 0x65,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x0b, 0x0a, 0x07, 0x49, 0x4e, 0x56, 0x41, 0x4c, 0x49,
-	0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x4d, 0x45, 0x52, 0x47, 0x45, 0x10, 0x01, 0x12, 0x07,
-	0x0a, 0x03, 0x41, 0x44, 0x44, 0x10, 0x02, 0x12, 0x0a, 0x0a, 0x06, 0x52, 0x45, 0x4d, 0x4f, 0x56,
-	0x45, 0x10, 0x03, 0x12, 0x11, 0x0a, 0x0d, 0x49, 0x4e, 0x53, 0x45, 0x52, 0x54, 0x5f, 0x42, 0x45,
-	0x46, 0x4f, 0x52, 0x45, 0x10, 0x04, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x4e, 0x53, 0x45, 0x52, 0x54,
-	0x5f, 0x41, 0x46, 0x54, 0x45, 0x52, 0x10, 0x05, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x4e, 0x53, 0x45,
-	0x52, 0x54, 0x5f, 0x46, 0x49, 0x52, 0x53, 0x54, 0x10, 0x06, 0x12, 0x0b, 0x0a, 0x07, 0x52, 0x45,
-	0x50, 0x4c, 0x41, 0x43, 0x45, 0x10, 0x07, 0x22, 0x3f, 0x0a, 0x0b, 0x46, 0x69, 0x6c, 0x74, 0x65,
-	0x72, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x12, 0x0f, 0x0a, 0x0b, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43,
-	0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x4e,
-	0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02, 0x12, 0x09, 0x0a,
-	0x05, 0x53, 0x54, 0x41, 0x54, 0x53, 0x10, 0x03, 0x1a, 0xd8, 0x03, 0x0a, 0x16, 0x45, 0x6e, 0x76,
-	0x6f, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61,
-	0x74, 0x63, 0x68, 0x12, 0x4d, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x0e, 0x32, 0x33, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74,
-	0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33,
-	0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x50, 0x61, 0x74,
-	0x63, 0x68, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65,
-	0x78, 0x74, 0x12, 0x47, 0x0a, 0x05, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x31, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
-	0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e,
-	0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4d,
-	0x61, 0x74, 0x63, 0x68, 0x52, 0x05, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x12, 0x52, 0x0a, 0x08, 0x6c,
-	0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x4d, 0x61,
-	0x74, 0x63, 0x68, 0x48, 0x00, 0x52, 0x08, 0x6c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x12,
-	0x71, 0x0a, 0x13, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69,
-	0x6c, 0x74, 0x65, 0x72, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x48, 0x00, 0x52, 0x12,
-	0x72, 0x6f, 0x75, 0x74, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x12, 0x4f, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77,
-	0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e,
-	0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x43, 0x6c, 0x75, 0x73,
-	0x74, 0x65, 0x72, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x48, 0x00, 0x52, 0x07, 0x63, 0x6c, 0x75, 0x73,
-	0x74, 0x65, 0x72, 0x42, 0x0e, 0x0a, 0x0c, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x74, 0x79,
-	0x70, 0x65, 0x73, 0x1a, 0xfc, 0x01, 0x0a, 0x16, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x50, 0x61, 0x74, 0x63, 0x68, 0x12, 0x49,
-	0x0a, 0x08, 0x61, 0x70, 0x70, 0x6c, 0x79, 0x5f, 0x74, 0x6f, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e,
-	0x32, 0x2e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76,
-	0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x41, 0x70, 0x70, 0x6c, 0x79, 0x54, 0x6f,
-	0x52, 0x07, 0x61, 0x70, 0x70, 0x6c, 0x79, 0x54, 0x6f, 0x12, 0x53, 0x0a, 0x05, 0x6d, 0x61, 0x74,
-	0x63, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c,
-	0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46, 0x69, 0x6c, 0x74, 0x65, 0x72,
-	0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x4f, 0x62, 0x6a, 0x65,
-	0x63, 0x74, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x42,
-	0x0a, 0x05, 0x70, 0x61, 0x74, 0x63, 0x68, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x46,
-	0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x50, 0x61, 0x74, 0x63, 0x68, 0x52, 0x05, 0x70, 0x61, 0x74,
-	0x63, 0x68, 0x22, 0xdd, 0x01, 0x0a, 0x07, 0x41, 0x70, 0x70, 0x6c, 0x79, 0x54, 0x6f, 0x12, 0x0b,
-	0x0a, 0x07, 0x49, 0x4e, 0x56, 0x41, 0x4c, 0x49, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x4c,
-	0x49, 0x53, 0x54, 0x45, 0x4e, 0x45, 0x52, 0x10, 0x01, 0x12, 0x10, 0x0a, 0x0c, 0x46, 0x49, 0x4c,
-	0x54, 0x45, 0x52, 0x5f, 0x43, 0x48, 0x41, 0x49, 0x4e, 0x10, 0x02, 0x12, 0x12, 0x0a, 0x0e, 0x4e,
-	0x45, 0x54, 0x57, 0x4f, 0x52, 0x4b, 0x5f, 0x46, 0x49, 0x4c, 0x54, 0x45, 0x52, 0x10, 0x03, 0x12,
-	0x0f, 0x0a, 0x0b, 0x48, 0x54, 0x54, 0x50, 0x5f, 0x46, 0x49, 0x4c, 0x54, 0x45, 0x52, 0x10, 0x04,
-	0x12, 0x17, 0x0a, 0x13, 0x52, 0x4f, 0x55, 0x54, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47,
-	0x55, 0x52, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x05, 0x12, 0x10, 0x0a, 0x0c, 0x56, 0x49, 0x52,
-	0x54, 0x55, 0x41, 0x4c, 0x5f, 0x48, 0x4f, 0x53, 0x54, 0x10, 0x06, 0x12, 0x0e, 0x0a, 0x0a, 0x48,
-	0x54, 0x54, 0x50, 0x5f, 0x52, 0x4f, 0x55, 0x54, 0x45, 0x10, 0x07, 0x12, 0x0b, 0x0a, 0x07, 0x43,
-	0x4c, 0x55, 0x53, 0x54, 0x45, 0x52, 0x10, 0x08, 0x12, 0x14, 0x0a, 0x10, 0x45, 0x58, 0x54, 0x45,
-	0x4e, 0x53, 0x49, 0x4f, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x46, 0x49, 0x47, 0x10, 0x09, 0x12, 0x0d,
-	0x0a, 0x09, 0x42, 0x4f, 0x4f, 0x54, 0x53, 0x54, 0x52, 0x41, 0x50, 0x10, 0x0a, 0x12, 0x13, 0x0a,
-	0x0f, 0x4c, 0x49, 0x53, 0x54, 0x45, 0x4e, 0x45, 0x52, 0x5f, 0x46, 0x49, 0x4c, 0x54, 0x45, 0x52,
-	0x10, 0x0b, 0x22, 0x4f, 0x0a, 0x0c, 0x50, 0x61, 0x74, 0x63, 0x68, 0x43, 0x6f, 0x6e, 0x74, 0x65,
-	0x78, 0x74, 0x12, 0x07, 0x0a, 0x03, 0x41, 0x4e, 0x59, 0x10, 0x00, 0x12, 0x13, 0x0a, 0x0f, 0x53,
-	0x49, 0x44, 0x45, 0x43, 0x41, 0x52, 0x5f, 0x49, 0x4e, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x10, 0x01,
-	0x12, 0x14, 0x0a, 0x10, 0x53, 0x49, 0x44, 0x45, 0x43, 0x41, 0x52, 0x5f, 0x4f, 0x55, 0x54, 0x42,
-	0x4f, 0x55, 0x4e, 0x44, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x47, 0x41, 0x54, 0x45, 0x57, 0x41,
-	0x59, 0x10, 0x03, 0x4a, 0x04, 0x08, 0x01, 0x10, 0x02, 0x4a, 0x04, 0x08, 0x02, 0x10, 0x03, 0x52,
-	0x07, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x73, 0x52, 0x0f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f,
-	0x61, 0x64, 0x5f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
-	0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_networking_v1alpha3_envoy_filter_proto_rawDesc = "" +
+	"\n" +
+	"&networking/v1alpha3/envoy_filter.proto\x12\x19istio.networking.v1alpha3\x1a\x1cgoogle/protobuf/struct.proto\x1a!networking/v1alpha3/sidecar.proto\x1a\x1btype/v1beta1/selector.proto\"\x86\x1b\n" +
+	"\vEnvoyFilter\x12X\n" +
+	"\x11workload_selector\x18\x03 \x01(\v2+.istio.networking.v1alpha3.WorkloadSelectorR\x10workloadSelector\x12I\n" +
+	"\n" +
+	"targetRefs\x18\x06 \x03(\v2).istio.type.v1beta1.PolicyTargetReferenceR\n" +
+	"targetRefs\x12d\n" +
+	"\x0econfig_patches\x18\x04 \x03(\v2=.istio.networking.v1alpha3.EnvoyFilter.EnvoyConfigObjectPatchR\rconfigPatches\x12\x1a\n" +
+	"\bpriority\x18\x05 \x01(\x05R\bpriority\x1a\xcb\x01\n" +
+	"\n" +
+	"ProxyMatch\x12#\n" +
+	"\rproxy_version\x18\x01 \x01(\tR\fproxyVersion\x12[\n" +
+	"\bmetadata\x18\x02 \x03(\v2?.istio.networking.v1alpha3.EnvoyFilter.ProxyMatch.MetadataEntryR\bmetadata\x1a;\n" +
+	"\rMetadataEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\x1au\n" +
+	"\fClusterMatch\x12\x1f\n" +
+	"\vport_number\x18\x01 \x01(\rR\n" +
+	"portNumber\x12\x18\n" +
+	"\aservice\x18\x02 \x01(\tR\aservice\x12\x16\n" +
+	"\x06subset\x18\x03 \x01(\tR\x06subset\x12\x12\n" +
+	"\x04name\x18\x04 \x01(\tR\x04name\x1a\xe5\x04\n" +
+	"\x17RouteConfigurationMatch\x12\x1f\n" +
+	"\vport_number\x18\x01 \x01(\rR\n" +
+	"portNumber\x12\x1b\n" +
+	"\tport_name\x18\x02 \x01(\tR\bportName\x12\x18\n" +
+	"\agateway\x18\x03 \x01(\tR\agateway\x12e\n" +
+	"\x05vhost\x18\x04 \x01(\v2O.istio.networking.v1alpha3.EnvoyFilter.RouteConfigurationMatch.VirtualHostMatchR\x05vhost\x12\x12\n" +
+	"\x04name\x18\x05 \x01(\tR\x04name\x1a\xcb\x01\n" +
+	"\n" +
+	"RouteMatch\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12h\n" +
+	"\x06action\x18\x02 \x01(\x0e2P.istio.networking.v1alpha3.EnvoyFilter.RouteConfigurationMatch.RouteMatch.ActionR\x06action\"?\n" +
+	"\x06Action\x12\a\n" +
+	"\x03ANY\x10\x00\x12\t\n" +
+	"\x05ROUTE\x10\x01\x12\f\n" +
+	"\bREDIRECT\x10\x02\x12\x13\n" +
+	"\x0fDIRECT_RESPONSE\x10\x03\x1a\xa8\x01\n" +
+	"\x10VirtualHostMatch\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x1f\n" +
+	"\vdomain_name\x18\x03 \x01(\tR\n" +
+	"domainName\x12_\n" +
+	"\x05route\x18\x02 \x01(\v2I.istio.networking.v1alpha3.EnvoyFilter.RouteConfigurationMatch.RouteMatchR\x05route\x1a\xc6\x05\n" +
+	"\rListenerMatch\x12\x1f\n" +
+	"\vport_number\x18\x01 \x01(\rR\n" +
+	"portNumber\x12\x1b\n" +
+	"\tport_name\x18\x02 \x01(\tR\bportName\x12h\n" +
+	"\ffilter_chain\x18\x03 \x01(\v2E.istio.networking.v1alpha3.EnvoyFilter.ListenerMatch.FilterChainMatchR\vfilterChain\x12'\n" +
+	"\x0flistener_filter\x18\x05 \x01(\tR\x0elistenerFilter\x12\x12\n" +
+	"\x04name\x18\x04 \x01(\tR\x04name\x1a\xa1\x02\n" +
+	"\x10FilterChainMatch\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12\x10\n" +
+	"\x03sni\x18\x02 \x01(\tR\x03sni\x12-\n" +
+	"\x12transport_protocol\x18\x03 \x01(\tR\x11transportProtocol\x123\n" +
+	"\x15application_protocols\x18\x04 \x01(\tR\x14applicationProtocols\x12X\n" +
+	"\x06filter\x18\x05 \x01(\v2@.istio.networking.v1alpha3.EnvoyFilter.ListenerMatch.FilterMatchR\x06filter\x12)\n" +
+	"\x10destination_port\x18\x06 \x01(\rR\x0fdestinationPort\x1a\x85\x01\n" +
+	"\vFilterMatch\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x12b\n" +
+	"\n" +
+	"sub_filter\x18\x02 \x01(\v2C.istio.networking.v1alpha3.EnvoyFilter.ListenerMatch.SubFilterMatchR\tsubFilter\x1a$\n" +
+	"\x0eSubFilterMatch\x12\x12\n" +
+	"\x04name\x18\x01 \x01(\tR\x04name\x1a\xa8\x03\n" +
+	"\x05Patch\x12T\n" +
+	"\toperation\x18\x01 \x01(\x0e26.istio.networking.v1alpha3.EnvoyFilter.Patch.OperationR\toperation\x12-\n" +
+	"\x05value\x18\x02 \x01(\v2\x17.google.protobuf.StructR\x05value\x12[\n" +
+	"\ffilter_class\x18\x03 \x01(\x0e28.istio.networking.v1alpha3.EnvoyFilter.Patch.FilterClassR\vfilterClass\"|\n" +
+	"\tOperation\x12\v\n" +
+	"\aINVALID\x10\x00\x12\t\n" +
+	"\x05MERGE\x10\x01\x12\a\n" +
+	"\x03ADD\x10\x02\x12\n" +
+	"\n" +
+	"\x06REMOVE\x10\x03\x12\x11\n" +
+	"\rINSERT_BEFORE\x10\x04\x12\x10\n" +
+	"\fINSERT_AFTER\x10\x05\x12\x10\n" +
+	"\fINSERT_FIRST\x10\x06\x12\v\n" +
+	"\aREPLACE\x10\a\"?\n" +
+	"\vFilterClass\x12\x0f\n" +
+	"\vUNSPECIFIED\x10\x00\x12\t\n" +
+	"\x05AUTHN\x10\x01\x12\t\n" +
+	"\x05AUTHZ\x10\x02\x12\t\n" +
+	"\x05STATS\x10\x03\x1a\xd8\x03\n" +
+	"\x16EnvoyConfigObjectMatch\x12M\n" +
+	"\acontext\x18\x01 \x01(\x0e23.istio.networking.v1alpha3.EnvoyFilter.PatchContextR\acontext\x12G\n" +
+	"\x05proxy\x18\x02 \x01(\v21.istio.networking.v1alpha3.EnvoyFilter.ProxyMatchR\x05proxy\x12R\n" +
+	"\blistener\x18\x03 \x01(\v24.istio.networking.v1alpha3.EnvoyFilter.ListenerMatchH\x00R\blistener\x12q\n" +
+	"\x13route_configuration\x18\x04 \x01(\v2>.istio.networking.v1alpha3.EnvoyFilter.RouteConfigurationMatchH\x00R\x12routeConfiguration\x12O\n" +
+	"\acluster\x18\x05 \x01(\v23.istio.networking.v1alpha3.EnvoyFilter.ClusterMatchH\x00R\aclusterB\x0e\n" +
+	"\fobject_types\x1a\xfc\x01\n" +
+	"\x16EnvoyConfigObjectPatch\x12I\n" +
+	"\bapply_to\x18\x01 \x01(\x0e2..istio.networking.v1alpha3.EnvoyFilter.ApplyToR\aapplyTo\x12S\n" +
+	"\x05match\x18\x02 \x01(\v2=.istio.networking.v1alpha3.EnvoyFilter.EnvoyConfigObjectMatchR\x05match\x12B\n" +
+	"\x05patch\x18\x03 \x01(\v2,.istio.networking.v1alpha3.EnvoyFilter.PatchR\x05patch\"\xdd\x01\n" +
+	"\aApplyTo\x12\v\n" +
+	"\aINVALID\x10\x00\x12\f\n" +
+	"\bLISTENER\x10\x01\x12\x10\n" +
+	"\fFILTER_CHAIN\x10\x02\x12\x12\n" +
+	"\x0eNETWORK_FILTER\x10\x03\x12\x0f\n" +
+	"\vHTTP_FILTER\x10\x04\x12\x17\n" +
+	"\x13ROUTE_CONFIGURATION\x10\x05\x12\x10\n" +
+	"\fVIRTUAL_HOST\x10\x06\x12\x0e\n" +
+	"\n" +
+	"HTTP_ROUTE\x10\a\x12\v\n" +
+	"\aCLUSTER\x10\b\x12\x14\n" +
+	"\x10EXTENSION_CONFIG\x10\t\x12\r\n" +
+	"\tBOOTSTRAP\x10\n" +
+	"\x12\x13\n" +
+	"\x0fLISTENER_FILTER\x10\v\"O\n" +
+	"\fPatchContext\x12\a\n" +
+	"\x03ANY\x10\x00\x12\x13\n" +
+	"\x0fSIDECAR_INBOUND\x10\x01\x12\x14\n" +
+	"\x10SIDECAR_OUTBOUND\x10\x02\x12\v\n" +
+	"\aGATEWAY\x10\x03J\x04\b\x01\x10\x02J\x04\b\x02\x10\x03R\afiltersR\x0fworkload_labelsB\"Z istio.io/api/networking/v1alpha3b\x06proto3"

 var (
 	file_networking_v1alpha3_envoy_filter_proto_rawDescOnce sync.Once
-	file_networking_v1alpha3_envoy_filter_proto_rawDescData = file_networking_v1alpha3_envoy_filter_proto_rawDesc
+	file_networking_v1alpha3_envoy_filter_proto_rawDescData []byte
 )

 func file_networking_v1alpha3_envoy_filter_proto_rawDescGZIP() []byte {
 	file_networking_v1alpha3_envoy_filter_proto_rawDescOnce.Do(func() {
-		file_networking_v1alpha3_envoy_filter_proto_rawDescData = protoimpl.X.CompressGZIP(file_networking_v1alpha3_envoy_filter_proto_rawDescData)
+		file_networking_v1alpha3_envoy_filter_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_envoy_filter_proto_rawDesc), len(file_networking_v1alpha3_envoy_filter_proto_rawDesc)))
 	})
 	return file_networking_v1alpha3_envoy_filter_proto_rawDescData
 }
@ -2197,7 +2117,7 @@ func file_networking_v1alpha3_envoy_filter_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_networking_v1alpha3_envoy_filter_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_envoy_filter_proto_rawDesc), len(file_networking_v1alpha3_envoy_filter_proto_rawDesc)),
 			NumEnums:      5,
 			NumMessages:   14,
 			NumExtensions: 0,
@ -2209,7 +2129,6 @@ func file_networking_v1alpha3_envoy_filter_proto_init() {
 		MessageInfos:      file_networking_v1alpha3_envoy_filter_proto_msgTypes,
 	}.Build()
 	File_networking_v1alpha3_envoy_filter_proto = out.File
-	file_networking_v1alpha3_envoy_filter_proto_rawDesc = nil
 	file_networking_v1alpha3_envoy_filter_proto_goTypes = nil
 	file_networking_v1alpha3_envoy_filter_proto_depIdxs = nil
 }
--- a/networking/v1alpha3/envoy_filter.pb.html
+++ b/networking/v1alpha3/envoy_filter.pb.html
--- a/networking/v1alpha3/envoy_filter.proto
+++ b/networking/v1alpha3/envoy_filter.proto
@ -14,10 +14,6 @@

 syntax = "proto3";

-import "google/protobuf/struct.proto";
-import "networking/v1alpha3/sidecar.proto";
-import "type/v1beta1/selector.proto";
-
 // $schema: istio.networking.v1alpha3.EnvoyFilter
 // $title: Envoy Filter
 // $description: Customizing Envoy configuration generated by Istio.
@ -25,7 +21,7 @@ import "type/v1beta1/selector.proto";
 // $aliases: [/docs/reference/config/networking/v1alpha3/envoy-filter]

 // `EnvoyFilter` provides a mechanism to customize the Envoy
-// configuration generated by Istio Pilot. Use EnvoyFilter to modify
+// configuration generated by istiod. Use EnvoyFilter to modify
 // values for certain fields, add specific filters, or even add
 // entirely new listeners, clusters, etc. This feature must be used
 // with care, as incorrect configurations could potentially
@ -395,12 +391,45 @@ import "type/v1beta1/selector.proto";
 //         name: "envoy.filters.listener.proxy_protocol"
 //         typed_config:
 //           "@type": "type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol"
+// ```
+//
+// The following example configures ratelimits for the domain `foo.com`.
+//
+// ```yaml
+// apiVersion: networking.istio.io/v1alpha3
+// kind: EnvoyFilter
+// metadata:
+//   name: domain-match-example
+//   namespace: myns
+// spec:
+//   configPatches:
+//   - applyTo: VIRTUAL_HOST
+//     match:
+//       context: GATEWAY
+//       routeConfiguration:
+//         vhost:
+//           domainName: 'foo.com'
+//     patch:
+//       operation: MERGE
+//       value:
+//         rate_limits:
+//           actions:
+//             - request_headers:
+//                 header_name: "authorization"
+//                 descriptor_key: "jwt"
+//             - request_headers:
+//                 header_name: ":path"
+//                 descriptor_key: "path"
 package istio.networking.v1alpha3;

+import "google/protobuf/struct.proto";
+import "networking/v1alpha3/sidecar.proto";
+import "type/v1beta1/selector.proto";
+
 option go_package = "istio.io/api/networking/v1alpha3";

 // EnvoyFilter provides a mechanism to customize the Envoy configuration
-// generated by Istio Pilot.
+// generated by istiod.
 //
 // <!-- crd generation tags
 // +cue-gen:EnvoyFilter:groupName:networking.istio.io
@ -421,11 +450,10 @@ option go_package = "istio.io/api/networking/v1alpha3";
 // +genclient
 // +k8s:deepcopy-gen=true
 // -->
-// +kubebuilder:validation:XValidation:message="only one of targetRefs or workloadSelector can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1"
+// +kubebuilder:validation:XValidation:message="only one of targetRefs or workloadSelector can be set",rule="oneof(self.workloadSelector, self.targetRefs)"
 message EnvoyFilter {
  // `ApplyTo` specifies where in the Envoy configuration, the given patch should be applied.
  enum ApplyTo {
-
    INVALID = 0;

    // Applies the patch to the listener.
@ -468,7 +496,7 @@ message EnvoyFilter {

    // Applies the patch to the listener filter.
    LISTENER_FILTER = 11;
-  };
+  }

  // PatchContext selects a class of configurations based on the
  // traffic flow direction and workload type.
@ -484,7 +512,7 @@ message EnvoyFilter {

    // Gateway listener/route/cluster.
    GATEWAY = 3;
-  };
+  }

  // One or more properties of the proxy to match on.
  message ProxyMatch {
@ -492,20 +520,20 @@ message EnvoyFilter {
    // used to select proxies using a specific version of istio
    // proxy. The Istio version for a given proxy is obtained from the
    // node metadata field `ISTIO_VERSION` supplied by the proxy when
-    // connecting to Pilot. This value is embedded as an environment
+    // connecting to istiod. This value is embedded as an environment
    // variable (`ISTIO_META_ISTIO_VERSION`) in the Istio proxy docker
    // image. Custom proxy implementations should provide this metadata
    // variable to take advantage of the Istio version check option.
    string proxy_version = 1;

    // Match on the node metadata supplied by a proxy when connecting
-    // to Istio Pilot. Note that while Envoy's node metadata is of
+    // to istiod. Note that while Envoy's node metadata is of
    // type Struct, only string key-value pairs are processed by
-    // Pilot. All keys specified in the metadata must match with exact
+    // istiod. All keys specified in the metadata must match with exact
    // values. The match will fail if any of the specified keys are
    // absent or the values fail to match.
    map<string, string> metadata = 2;
-  };
+  }

  // Conditions specified in `ClusterMatch` must be met for the patch
  // to be applied to a cluster.
@ -531,7 +559,7 @@ message EnvoyFilter {
    // cluster, leave all fields in clusterMatch empty, except the
    // name.
    string name = 4;
-  };
+  }

  // Conditions specified in RouteConfigurationMatch must be met for
  // the patch to be applied to a route configuration object or a
@ -547,15 +575,15 @@ message EnvoyFilter {

      // Action refers to the route action taken by Envoy when a http route matches.
      enum Action {
-	// All three route actions
-	ANY = 0;
-	// Route traffic to a cluster / weighted clusters.
-	ROUTE = 1;
-	// Redirect request.
-	REDIRECT = 2;
-	// directly respond to a request with specific payload.
-	DIRECT_RESPONSE = 3;
-      };
+        // All three route actions
+        ANY = 0;
+        // Route traffic to a cluster / weighted clusters.
+        ROUTE = 1;
+        // Redirect request.
+        REDIRECT = 2;
+        // directly respond to a request with specific payload.
+        DIRECT_RESPONSE = 3;
+      }

      // Match a route with specific action type.
      Action action = 2;
@ -569,6 +597,11 @@ message EnvoyFilter {
      // registry.
      string name = 1;

+      // Match a domain name in a virtual host. If this domain name is part of
+      // the list of domains that the virtual host serves, the patch will be
+      // applied.
+      string domain_name = 3;
+
      // Match a specific route within the virtual host.
      RouteMatch route = 2;
    }
@ -598,7 +631,7 @@ message EnvoyFilter {
    // specific route configuration by name, such as the internally
    // generated `http_proxy` route configuration for all sidecars.
    string name = 5;
-  };
+  }

  // Conditions specified in a listener match must be met for the
  // patch to be applied to a specific listener across all filter
@ -643,10 +676,10 @@ message EnvoyFilter {
      // patch to the HTTP connection manager.
      FilterMatch filter = 5;

-       // The destination_port value used by a filter chain's match condition.
-       // This condition will evaluate to false if the filter chain has no destination_port match.
-       uint32 destination_port = 6;
-    };
+      // The destination_port value used by a filter chain's match condition.
+      // This condition will evaluate to false if the filter chain has no destination_port match.
+      uint32 destination_port = 6;
+    }

    // Conditions to match a specific filter within a filter chain.
    message FilterMatch {
@ -658,7 +691,7 @@ message EnvoyFilter {
      // upon. Typically used for HTTP Connection Manager filters and
      // Thrift filters.
      SubFilterMatch sub_filter = 2;
-    };
+    }

    // Conditions to match a specific filter within another
    // filter. This field is typically useful to match a HTTP filter
@ -667,7 +700,7 @@ message EnvoyFilter {
    message SubFilterMatch {
      // The filter name to match on.
      string name = 1;
-    };
+    }

    // The service port/gateway port to which traffic is being
    // sent/received. If not specified, matches all listeners. Even though
@ -693,13 +726,12 @@ message EnvoyFilter {
    string listener_filter = 5;

    // Match a specific listener by its name. The listeners generated
-    // by Pilot are typically named as IP:Port.
+    // by istiod are typically named as IP:Port.
    string name = 4;
-  };
+  }

  // Patch specifies how the selected object should be modified.
  message Patch {
-
    // Operation denotes how the patch should be applied to the selected
    // configuration.
    enum Operation {
@ -792,16 +824,16 @@ message EnvoyFilter {

      // Insert filter before Istio stats filters.
      STATS = 3;
-    };
+    }

    // Determines the filter insertion order.
    FilterClass filter_class = 3;
-  };
+  }

  // One or more match conditions to be met before a patch is applied
  // to the generated configuration for a given proxy.
  message EnvoyConfigObjectMatch {
-    // The specific config generation context to match on. Istio Pilot
+    // The specific config generation context to match on. istiod
    // generates envoy configuration in the context of a gateway,
    // inbound traffic to sidecar and outbound traffic from sidecar.
    PatchContext context = 1;
@ -817,7 +849,7 @@ message EnvoyFilter {
      // Match on envoy cluster attributes.
      ClusterMatch cluster = 5;
    }
-  };
+  }

  // Changes to be made to various envoy config objects.
  message EnvoyConfigObjectPatch {
@ -856,7 +888,9 @@ message EnvoyFilter {
  //
  // Currently, the following resource attachment types are supported:
  // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+  // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
  // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
+  // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
  //
  // If not set, the policy is applied as defined by the selector.
  // At most one of the selector and targetRefs can be set.
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: networking/v1alpha3/gateway.proto

@ -203,6 +203,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -369,7 +370,7 @@ func (ServerTLSSettings_TLSProtocol) EnumDescriptor() ([]byte, []int) {
 //
 // <!-- crd generation tags
 // +cue-gen:Gateway:groupName:networking.istio.io
-// +cue-gen:Gateway:versions:v1beta1,v1alpha3,v1
+// +cue-gen:Gateway:versions:v1,v1beta1,v1alpha3
 // +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
 // +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:Gateway:subresource:status
@ -385,10 +386,7 @@ func (ServerTLSSettings_TLSProtocol) EnumDescriptor() ([]byte, []int) {
 // +k8s:deepcopy-gen=true
 // -->
 type Gateway struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// A list of server specifications.
 	Servers []*Server `protobuf:"bytes,1,rep,name=servers,proto3" json:"servers,omitempty"`
 	// One or more labels that indicate a specific set of pods/VMs
@ -403,7 +401,9 @@ type Gateway struct {
 	// resource must reside in the same namespace as the gateway workload
 	// instance.
 	// If selector is nil, the Gateway will be applied to all workloads.
-	Selector map[string]string `protobuf:"bytes,2,rep,name=selector,proto3" json:"selector,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Selector      map[string]string `protobuf:"bytes,2,rep,name=selector,proto3" json:"selector,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Gateway) Reset() {
@ -523,10 +523,7 @@ func (x *Gateway) GetSelector() map[string]string {
 //
 // ```
 type Server struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The Port on which the proxy should listen for incoming
 	// connections.
 	Port *Port `protobuf:"bytes,1,opt,name=port,proto3" json:"port,omitempty"`
@ -582,7 +579,9 @@ type Server struct {
 	// An optional name of the server, when set must be unique across all servers.
 	// This will be used for variety of purposes like prefixing stats generated with
 	// this name etc.
-	Name string `protobuf:"bytes,6,opt,name=name,proto3" json:"name,omitempty"`
+	Name          string `protobuf:"bytes,6,opt,name=name,proto3" json:"name,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Server) Reset() {
@ -659,14 +658,11 @@ func (x *Server) GetName() string {

 // Port describes the properties of a specific port of a service.
 type Port struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// A valid non-negative integer port number.
 	Number uint32 `protobuf:"varint,1,opt,name=number,proto3" json:"number,omitempty"`
 	// The protocol exposed on the port.
-	// MUST BE one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
+	// MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
 	// TLS can be either used to terminate non-HTTP based connections on a specific port
 	// or to route traffic based on SNI header to the destination without terminating the TLS connection.
 	Protocol string `protobuf:"bytes,2,opt,name=protocol,proto3" json:"protocol,omitempty"`
@ -677,7 +673,9 @@ type Port struct {
 	// $hide_from_docs
 	//
 	// Deprecated: Marked as deprecated in networking/v1alpha3/gateway.proto.
-	TargetPort uint32 `protobuf:"varint,4,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	TargetPort    uint32 `protobuf:"varint,4,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *Port) Reset() {
@ -739,11 +737,11 @@ func (x *Port) GetTargetPort() uint32 {
 	return 0
 }

+// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 type ServerTLSSettings struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// If set to true, the load balancer will send a 301 redirect for
 	// all http connections, asking the clients to use HTTPS.
 	HttpsRedirect bool `protobuf:"varint,1,opt,name=https_redirect,json=httpsRedirect,proto3" json:"https_redirect,omitempty"`
@ -780,8 +778,22 @@ type ServerTLSSettings struct {
 	// Only one of server certificates and CA certificate
 	// or credentialName can be specified.
 	CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"`
+	// Same as CredentialName but for multiple certificates. Mainly used for specifying
+	// RSA and ECDSA certificates for the same server.
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:MinItems=1
+	CredentialNames []string `protobuf:"bytes,14,rep,name=credential_names,json=credentialNames,proto3" json:"credential_names,omitempty"`
+	// Only one of `server_certificate`, `private_key` or `credential_name`
+	// or `credential_names` or `tls_certificates` should be specified.
+	// This is mainly used for specifying RSA and ECDSA certificates for the same server.
+	// +kubebuilder:validation:MaxItems=2
+	// +kubebuilder:validation:MinItems=1
+	TlsCertificates []*ServerTLSSettings_TLSCertificate `protobuf:"bytes,15,rep,name=tls_certificates,json=tlsCertificates,proto3" json:"tls_certificates,omitempty"`
 	// A list of alternate names to verify the subject identity in the
 	// certificate presented by the client.
+	// Requires TLS mode to be set to `MUTUAL`.
+	// When multiple certificates are provided via `credential_names` or `tls_certificates`,
+	// the subject alternate names are validated against the selected certificate.
 	SubjectAltNames []string `protobuf:"bytes,6,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
 	// An optional list of base64-encoded SHA-256 hashes of the SPKIs of
 	// authorized client certificates.
@ -823,7 +835,9 @@ type ServerTLSSettings struct {
 	// * `AES128-SHA`
 	// * `AES256-SHA`
 	// * `DES-CBC3-SHA`
-	CipherSuites []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
+	CipherSuites  []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *ServerTLSSettings) Reset() {
@ -905,6 +919,20 @@ func (x *ServerTLSSettings) GetCredentialName() string {
 	return ""
 }

+func (x *ServerTLSSettings) GetCredentialNames() []string {
+	if x != nil {
+		return x.CredentialNames
+	}
+	return nil
+}
+
+func (x *ServerTLSSettings) GetTlsCertificates() []*ServerTLSSettings_TLSCertificate {
+	if x != nil {
+		return x.TlsCertificates
+	}
+	return nil
+}
+
 func (x *ServerTLSSettings) GetSubjectAltNames() []string {
 	if x != nil {
 		return x.SubjectAltNames
@ -947,137 +975,162 @@ func (x *ServerTLSSettings) GetCipherSuites() []string {
 	return nil
 }

+// TLSCertificate describes the server's TLS certificate.
+type ServerTLSSettings_TLSCertificate struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
+	// holding the server-side TLS certificate to use.
+	ServerCertificate string `protobuf:"bytes,1,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"`
+	// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
+	// holding the server's private key.
+	PrivateKey string `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
+	// $hide_from_docs
+	// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file
+	// containing certificate authority certificates to use in verifying a presented
+	// client side certificate.
+	// $hide_from_docs
+	CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
+}
+
+func (x *ServerTLSSettings_TLSCertificate) Reset() {
+	*x = ServerTLSSettings_TLSCertificate{}
+	mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ServerTLSSettings_TLSCertificate) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServerTLSSettings_TLSCertificate) ProtoMessage() {}
+
+func (x *ServerTLSSettings_TLSCertificate) ProtoReflect() protoreflect.Message {
+	mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServerTLSSettings_TLSCertificate.ProtoReflect.Descriptor instead.
+func (*ServerTLSSettings_TLSCertificate) Descriptor() ([]byte, []int) {
+	return file_networking_v1alpha3_gateway_proto_rawDescGZIP(), []int{3, 0}
+}
+
+func (x *ServerTLSSettings_TLSCertificate) GetServerCertificate() string {
+	if x != nil {
+		return x.ServerCertificate
+	}
+	return ""
+}
+
+func (x *ServerTLSSettings_TLSCertificate) GetPrivateKey() string {
+	if x != nil {
+		return x.PrivateKey
+	}
+	return ""
+}
+
+func (x *ServerTLSSettings_TLSCertificate) GetCaCertificates() string {
+	if x != nil {
+		return x.CaCertificates
+	}
+	return ""
+}
+
 var File_networking_v1alpha3_gateway_proto protoreflect.FileDescriptor

-var file_networking_v1alpha3_gateway_proto_rawDesc = []byte{
-	0x0a, 0x21, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x12, 0x19, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x1a, 0x1f,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64,
-	0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
-	0xd1, 0x01, 0x0a, 0x07, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x12, 0x3b, 0x0a, 0x07, 0x73,
-	0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52,
-	0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x4c, 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65,
-	0x63, 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x53,
-	0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x73, 0x65,
-	0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x1a, 0x3b, 0x0a, 0x0d, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74,
-	0x6f, 0x72, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
-	0x02, 0x38, 0x01, 0x22, 0xf2, 0x01, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x39,
-	0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x42, 0x04, 0xe2,
-	0x41, 0x01, 0x02, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x69, 0x6e,
-	0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x69, 0x6e, 0x64, 0x12, 0x1a, 0x0a,
-	0x05, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41,
-	0x01, 0x02, 0x52, 0x05, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x12, 0x3e, 0x0a, 0x03, 0x74, 0x6c, 0x73,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e,
-	0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
-	0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74,
-	0x69, 0x6e, 0x67, 0x73, 0x52, 0x03, 0x74, 0x6c, 0x73, 0x12, 0x29, 0x0a, 0x10, 0x64, 0x65, 0x66,
-	0x61, 0x75, 0x6c, 0x74, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x05, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x0f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x45, 0x6e, 0x64, 0x70,
-	0x6f, 0x69, 0x6e, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x85, 0x01, 0x0a, 0x04, 0x50, 0x6f, 0x72,
-	0x74, 0x12, 0x1c, 0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0d, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12,
-	0x20, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
-	0x6c, 0x12, 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42,
-	0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0b, 0x74,
-	0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d,
-	0x42, 0x02, 0x18, 0x01, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74,
-	0x22, 0x98, 0x07, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65,
-	0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f,
-	0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d,
-	0x68, 0x74, 0x74, 0x70, 0x73, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12, 0x48, 0x0a,
-	0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x34, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c,
-	0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x6d, 0x6f, 0x64,
-	0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x2d, 0x0a, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65,
-	0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x11, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69,
-	0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74,
-	0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69,
-	0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x61, 0x5f, 0x63, 0x65,
-	0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0e, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73,
-	0x12, 0x15, 0x0a, 0x06, 0x63, 0x61, 0x5f, 0x63, 0x72, 0x6c, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x05, 0x63, 0x61, 0x43, 0x72, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x72, 0x65, 0x64, 0x65,
-	0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65,
-	0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, 0x6c, 0x74, 0x5f,
-	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62,
-	0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x36, 0x0a, 0x17,
-	0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
-	0x74, 0x65, 0x5f, 0x73, 0x70, 0x6b, 0x69, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76,
-	0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
-	0x53, 0x70, 0x6b, 0x69, 0x12, 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63,
-	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18,
-	0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72,
-	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, 0x6a, 0x0a, 0x14,
-	0x6d, 0x69, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72,
-	0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53,
-	0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74,
-	0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
-	0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x6a, 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e,
-	0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e,
-	0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
-	0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74,
-	0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
-	0x52, 0x12, 0x6d, 0x61, 0x78, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72,
-	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73,
-	0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x69, 0x70,
-	0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x22, 0x6f, 0x0a, 0x07, 0x54, 0x4c, 0x53,
-	0x6d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f,
-	0x55, 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10,
-	0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a,
-	0x10, 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47,
-	0x48, 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54,
-	0x55, 0x41, 0x4c, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41,
-	0x4c, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x05, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c,
-	0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53,
-	0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31,
-	0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10,
-	0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b,
-	0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77,
-	0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62,
-	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_networking_v1alpha3_gateway_proto_rawDesc = "" +
+	"\n" +
+	"!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\x1a\x1fgoogle/api/field_behavior.proto\"\xd1\x01\n" +
+	"\aGateway\x12;\n" +
+	"\aservers\x18\x01 \x03(\v2!.istio.networking.v1alpha3.ServerR\aservers\x12L\n" +
+	"\bselector\x18\x02 \x03(\v20.istio.networking.v1alpha3.Gateway.SelectorEntryR\bselector\x1a;\n" +
+	"\rSelectorEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xf2\x01\n" +
+	"\x06Server\x129\n" +
+	"\x04port\x18\x01 \x01(\v2\x1f.istio.networking.v1alpha3.PortB\x04\xe2A\x01\x02R\x04port\x12\x12\n" +
+	"\x04bind\x18\x04 \x01(\tR\x04bind\x12\x1a\n" +
+	"\x05hosts\x18\x02 \x03(\tB\x04\xe2A\x01\x02R\x05hosts\x12>\n" +
+	"\x03tls\x18\x03 \x01(\v2,.istio.networking.v1alpha3.ServerTLSSettingsR\x03tls\x12)\n" +
+	"\x10default_endpoint\x18\x05 \x01(\tR\x0fdefaultEndpoint\x12\x12\n" +
+	"\x04name\x18\x06 \x01(\tR\x04name\"\x85\x01\n" +
+	"\x04Port\x12\x1c\n" +
+	"\x06number\x18\x01 \x01(\rB\x04\xe2A\x01\x02R\x06number\x12 \n" +
+	"\bprotocol\x18\x02 \x01(\tB\x04\xe2A\x01\x02R\bprotocol\x12\x18\n" +
+	"\x04name\x18\x03 \x01(\tB\x04\xe2A\x01\x02R\x04name\x12#\n" +
+	"\vtarget_port\x18\x04 \x01(\rB\x02\x18\x01R\n" +
+	"targetPort\"\xb7\t\n" +
+	"\x11ServerTLSSettings\x12%\n" +
+	"\x0ehttps_redirect\x18\x01 \x01(\bR\rhttpsRedirect\x12H\n" +
+	"\x04mode\x18\x02 \x01(\x0e24.istio.networking.v1alpha3.ServerTLSSettings.TLSmodeR\x04mode\x12-\n" +
+	"\x12server_certificate\x18\x03 \x01(\tR\x11serverCertificate\x12\x1f\n" +
+	"\vprivate_key\x18\x04 \x01(\tR\n" +
+	"privateKey\x12'\n" +
+	"\x0fca_certificates\x18\x05 \x01(\tR\x0ecaCertificates\x12\x15\n" +
+	"\x06ca_crl\x18\r \x01(\tR\x05caCrl\x12'\n" +
+	"\x0fcredential_name\x18\n" +
+	" \x01(\tR\x0ecredentialName\x12)\n" +
+	"\x10credential_names\x18\x0e \x03(\tR\x0fcredentialNames\x12f\n" +
+	"\x10tls_certificates\x18\x0f \x03(\v2;.istio.networking.v1alpha3.ServerTLSSettings.TLSCertificateR\x0ftlsCertificates\x12*\n" +
+	"\x11subject_alt_names\x18\x06 \x03(\tR\x0fsubjectAltNames\x126\n" +
+	"\x17verify_certificate_spki\x18\v \x03(\tR\x15verifyCertificateSpki\x126\n" +
+	"\x17verify_certificate_hash\x18\f \x03(\tR\x15verifyCertificateHash\x12j\n" +
+	"\x14min_protocol_version\x18\a \x01(\x0e28.istio.networking.v1alpha3.ServerTLSSettings.TLSProtocolR\x12minProtocolVersion\x12j\n" +
+	"\x14max_protocol_version\x18\b \x01(\x0e28.istio.networking.v1alpha3.ServerTLSSettings.TLSProtocolR\x12maxProtocolVersion\x12#\n" +
+	"\rcipher_suites\x18\t \x03(\tR\fcipherSuites\x1a\x89\x01\n" +
+	"\x0eTLSCertificate\x12-\n" +
+	"\x12server_certificate\x18\x01 \x01(\tR\x11serverCertificate\x12\x1f\n" +
+	"\vprivate_key\x18\x02 \x01(\tR\n" +
+	"privateKey\x12'\n" +
+	"\x0fca_certificates\x18\x03 \x01(\tR\x0ecaCertificates\"o\n" +
+	"\aTLSmode\x12\x0f\n" +
+	"\vPASSTHROUGH\x10\x00\x12\n" +
+	"\n" +
+	"\x06SIMPLE\x10\x01\x12\n" +
+	"\n" +
+	"\x06MUTUAL\x10\x02\x12\x14\n" +
+	"\x10AUTO_PASSTHROUGH\x10\x03\x12\x10\n" +
+	"\fISTIO_MUTUAL\x10\x04\x12\x13\n" +
+	"\x0fOPTIONAL_MUTUAL\x10\x05\"O\n" +
+	"\vTLSProtocol\x12\f\n" +
+	"\bTLS_AUTO\x10\x00\x12\v\n" +
+	"\aTLSV1_0\x10\x01\x12\v\n" +
+	"\aTLSV1_1\x10\x02\x12\v\n" +
+	"\aTLSV1_2\x10\x03\x12\v\n" +
+	"\aTLSV1_3\x10\x04B\"Z istio.io/api/networking/v1alpha3b\x06proto3"

 var (
 	file_networking_v1alpha3_gateway_proto_rawDescOnce sync.Once
-	file_networking_v1alpha3_gateway_proto_rawDescData = file_networking_v1alpha3_gateway_proto_rawDesc
+	file_networking_v1alpha3_gateway_proto_rawDescData []byte
 )

 func file_networking_v1alpha3_gateway_proto_rawDescGZIP() []byte {
 	file_networking_v1alpha3_gateway_proto_rawDescOnce.Do(func() {
-		file_networking_v1alpha3_gateway_proto_rawDescData = protoimpl.X.CompressGZIP(file_networking_v1alpha3_gateway_proto_rawDescData)
+		file_networking_v1alpha3_gateway_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_gateway_proto_rawDesc), len(file_networking_v1alpha3_gateway_proto_rawDesc)))
 	})
 	return file_networking_v1alpha3_gateway_proto_rawDescData
 }

 var file_networking_v1alpha3_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
 var file_networking_v1alpha3_gateway_proto_goTypes = []any{
-	(ServerTLSSettings_TLSmode)(0),     // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode
-	(ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
-	(*Gateway)(nil),                    // 2: istio.networking.v1alpha3.Gateway
-	(*Server)(nil),                     // 3: istio.networking.v1alpha3.Server
-	(*Port)(nil),                       // 4: istio.networking.v1alpha3.Port
-	(*ServerTLSSettings)(nil),          // 5: istio.networking.v1alpha3.ServerTLSSettings
-	nil,                                // 6: istio.networking.v1alpha3.Gateway.SelectorEntry
+	(ServerTLSSettings_TLSmode)(0),           // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode
+	(ServerTLSSettings_TLSProtocol)(0),       // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
+	(*Gateway)(nil),                          // 2: istio.networking.v1alpha3.Gateway
+	(*Server)(nil),                           // 3: istio.networking.v1alpha3.Server
+	(*Port)(nil),                             // 4: istio.networking.v1alpha3.Port
+	(*ServerTLSSettings)(nil),                // 5: istio.networking.v1alpha3.ServerTLSSettings
+	nil,                                      // 6: istio.networking.v1alpha3.Gateway.SelectorEntry
+	(*ServerTLSSettings_TLSCertificate)(nil), // 7: istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate
 }
 var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{
 	3, // 0: istio.networking.v1alpha3.Gateway.servers:type_name -> istio.networking.v1alpha3.Server
@ -1085,13 +1138,14 @@ var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{
 	4, // 2: istio.networking.v1alpha3.Server.port:type_name -> istio.networking.v1alpha3.Port
 	5, // 3: istio.networking.v1alpha3.Server.tls:type_name -> istio.networking.v1alpha3.ServerTLSSettings
 	0, // 4: istio.networking.v1alpha3.ServerTLSSettings.mode:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSmode
-	1, // 5: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
-	1, // 6: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
-	7, // [7:7] is the sub-list for method output_type
-	7, // [7:7] is the sub-list for method input_type
-	7, // [7:7] is the sub-list for extension type_name
-	7, // [7:7] is the sub-list for extension extendee
-	0, // [0:7] is the sub-list for field type_name
+	7, // 5: istio.networking.v1alpha3.ServerTLSSettings.tls_certificates:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate
+	1, // 6: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
+	1, // 7: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
+	8, // [8:8] is the sub-list for method output_type
+	8, // [8:8] is the sub-list for method input_type
+	8, // [8:8] is the sub-list for extension type_name
+	8, // [8:8] is the sub-list for extension extendee
+	0, // [0:8] is the sub-list for field type_name
 }

 func init() { file_networking_v1alpha3_gateway_proto_init() }
@ -1103,9 +1157,9 @@ func file_networking_v1alpha3_gateway_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_networking_v1alpha3_gateway_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_gateway_proto_rawDesc), len(file_networking_v1alpha3_gateway_proto_rawDesc)),
 			NumEnums:      2,
-			NumMessages:   5,
+			NumMessages:   6,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
@ -1115,7 +1169,6 @@ func file_networking_v1alpha3_gateway_proto_init() {
 		MessageInfos:      file_networking_v1alpha3_gateway_proto_msgTypes,
 	}.Build()
 	File_networking_v1alpha3_gateway_proto = out.File
-	file_networking_v1alpha3_gateway_proto_rawDesc = nil
 	file_networking_v1alpha3_gateway_proto_goTypes = nil
 	file_networking_v1alpha3_gateway_proto_depIdxs = nil
 }
--- a/networking/v1alpha3/gateway.pb.html
+++ b/networking/v1alpha3/gateway.pb.html
@ -6,7 +6,7 @@ layout: protoc-gen-docs
 generator: protoc-gen-docs
 schema: istio.networking.v1alpha3.Gateway
 aliases: [/docs/reference/config/networking/v1alpha3/gateway]
-number_of_entries: 6
+number_of_entries: 7
 ---
 <p><code>Gateway</code> describes a load balancer operating at the edge of the mesh
 receiving incoming or outgoing HTTP/TCP connections. The specification
@ -173,26 +173,23 @@ receiving incoming or outgoing HTTP/TCP connections.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="Gateway-servers">
-<td><code>servers</code></td>
-<td><code><a href="#Server">Server[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Gateway-servers">servers</a></code></div>
+<div class="type"><a href="#Server">Server[]</a></div>
+</div></td>
 <td>
 <p>A list of server specifications.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="Gateway-selector">
-<td><code>selector</code></td>
-<td><code>map&lt;string,&nbsp;string&gt;</code></td>
+<td><div class="field"><div class="name"><code><a href="#Gateway-selector">selector</a></code></div>
+<div class="type">map&lt;string,&nbsp;string&gt;</div>
+</div></td>
 <td>
 <p>One or more labels that indicate a specific set of pods/VMs
 on which this gateway configuration should be applied.
@ -207,9 +204,6 @@ resource must reside in the same namespace as the gateway workload
 instance.
 If selector is nil, the Gateway will be applied to all workloads.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -274,27 +268,25 @@ spec:
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="Server-port">
-<td><code>port</code></td>
-<td><code><a href="#Port">Port</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Server-port">port</a></code></div>
+<div class="type"><a href="#Port">Port</a></div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>The Port on which the proxy should listen for incoming
 connections.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="Server-bind">
-<td><code>bind</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#Server-bind">bind</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The ip or the Unix domain socket to which the listener should be bound
 to. Format: <code>x.x.x.x</code> or <code>unix:///path/to/uds</code> or <code>unix://@foobar</code>
@ -305,14 +297,13 @@ This is typically used when a gateway needs to communicate to another mesh servi
 e.g. publishing metrics. In such case, the server created with the
 specified bind will not be available to external gateway clients.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="Server-hosts">
-<td><code>hosts</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#Server-hosts">hosts</a></code></div>
+<div class="type">string[]</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>One or more hosts exposed by this gateway.
 While typically applicable to
@ -341,35 +332,28 @@ Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
 available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
 <code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="Server-tls">
-<td><code>tls</code></td>
-<td><code><a href="#ServerTLSSettings">ServerTLSSettings</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Server-tls">tls</a></code></div>
+<div class="type"><a href="#ServerTLSSettings">ServerTLSSettings</a></div>
+</div></td>
 <td>
 <p>Set of TLS related options that govern the server&rsquo;s behavior. Use
 these options to control if all http requests should be redirected to
 https, and the TLS modes to use.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="Server-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#Server-name">name</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>An optional name of the server, when set must be unique across all servers.
 This will be used for variety of purposes like prefixing stats generated with
 this name etc.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -383,46 +367,41 @@ No
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="Port-number">
-<td><code>number</code></td>
-<td><code>uint32</code></td>
+<td><div class="field"><div class="name"><code><a href="#Port-number">number</a></code></div>
+<div class="type">uint32</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>A valid non-negative integer port number.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="Port-protocol">
-<td><code>protocol</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#Port-protocol">protocol</a></code></div>
+<div class="type">string</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
 TLS can be either used to terminate non-HTTP based connections on a specific port
 or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="Port-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#Port-name">name</a></code></div>
+<div class="type">string</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>Label assigned to the port.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 </tbody>
@ -430,81 +409,71 @@ Yes
 </section>
 <h2 id="ServerTLSSettings">ServerTLSSettings</h2>
 <section>
+
 <table class="message-fields">
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="ServerTLSSettings-https_redirect">
-<td><code>httpsRedirect</code></td>
-<td><code>bool</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-https_redirect">httpsRedirect</a></code></div>
+<div class="type">bool</div>
+</div></td>
 <td>
 <p>If set to true, the load balancer will send a 301 redirect for
 all http connections, asking the clients to use HTTPS.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-mode">
-<td><code>mode</code></td>
-<td><code><a href="#ServerTLSSettings-TLSmode">TLSmode</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-mode">mode</a></code></div>
+<div class="type"><a href="#ServerTLSSettings-TLSmode">TLSmode</a></div>
+</div></td>
 <td>
-<p>Optional: Indicates whether connections to this port should be
+<p>Indicates whether connections to this port should be
 secured using TLS. The value of this field determines how TLS is
 enforced.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-server_certificate">
-<td><code>serverCertificate</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-server_certificate">serverCertificate</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
 holding the server-side TLS certificate to use.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-private_key">
-<td><code>privateKey</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-private_key">privateKey</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
 holding the server&rsquo;s private key.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-ca_certificates">
-<td><code>caCertificates</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_certificates">caCertificates</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>REQUIRED if mode is <code>MUTUAL</code> or <code>OPTIONAL_MUTUAL</code>. The path to a file
 containing certificate authority certificates to use in verifying a presented
 client side certificate.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-ca_crl">
-<td><code>caCrl</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_crl">caCrl</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>OPTIONAL: The path to the file containing the certificate revocation list (CRL)
 to use in verifying a presented client side certificate. <code>CRL</code> is a list of certificates
@ -512,14 +481,12 @@ that have been revoked by the CA (Certificate Authority) before their scheduled
 If specified, the proxy will verify if the presented certificate is part of the revoked list of certificates.
 If omitted, the proxy will not verify the certificate against the <code>crl</code>.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-credential_name">
-<td><code>credentialName</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-credential_name">credentialName</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>For gateways running on Kubernetes, the name of the secret that
 holds the TLS certs including the CA certificates. Applicable
@ -535,25 +502,45 @@ Only one of server certificates and CA certificate
 or credentialName can be specified.</p>

 </td>
+</tr>
+<tr id="ServerTLSSettings-credential_names">
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-credential_names">credentialNames</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
-No
+<p>Same as CredentialName but for multiple certificates. Mainly used for specifying
+RSA and ECDSA certificates for the same server.</p>
+
+</td>
+</tr>
+<tr id="ServerTLSSettings-tls_certificates">
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-tls_certificates">tlsCertificates</a></code></div>
+<div class="type"><a href="#ServerTLSSettings-TLSCertificate">TLSCertificate[]</a></div>
+</div></td>
+<td>
+<p>Only one of <code>server_certificate</code>, <code>private_key</code> or <code>credential_name</code>
+or <code>credential_names</code> or <code>tls_certificates</code> should be specified.
+This is mainly used for specifying RSA and ECDSA certificates for the same server.</p>
+
 </td>
 </tr>
 <tr id="ServerTLSSettings-subject_alt_names">
-<td><code>subjectAltNames</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-subject_alt_names">subjectAltNames</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>A list of alternate names to verify the subject identity in the
-certificate presented by the client.</p>
+certificate presented by the client.
+Requires TLS mode to be set to <code>MUTUAL</code>.
+When multiple certificates are provided via <code>credential_names</code> or <code>tls_certificates</code>,
+the subject alternate names are validated against the selected certificate.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-verify_certificate_spki">
-<td><code>verifyCertificateSpki</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-verify_certificate_spki">verifyCertificateSpki</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>An optional list of base64-encoded SHA-256 hashes of the SPKIs of
 authorized client certificates.
@ -561,14 +548,12 @@ Note: When both verify_certificate_hash and verify_certificate_spki
 are specified, a hash matching either value will result in the
 certificate being accepted.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-verify_certificate_hash">
-<td><code>verifyCertificateHash</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-verify_certificate_hash">verifyCertificateHash</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>An optional list of hex-encoded SHA-256 hashes of the
 authorized client certificates. Both simple and colon separated
@ -577,41 +562,35 @@ Note: When both verify_certificate_hash and verify_certificate_spki
 are specified, a hash matching either value will result in the
 certificate being accepted.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-min_protocol_version">
-<td><code>minProtocolVersion</code></td>
-<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-min_protocol_version">minProtocolVersion</a></code></div>
+<div class="type"><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></div>
+</div></td>
 <td>
-<p>Optional: Minimum TLS protocol version. By default, it is <code>TLSV1_2</code>.
+<p>Minimum TLS protocol version. By default, it is <code>TLSV1_2</code>.
 TLS protocol versions below TLSV1_2 require setting compatible ciphers with the
 <code>cipherSuites</code> setting as they no longer include compatible ciphers.</p>
 <p>Note: Using TLS protocol versions below TLSV1_2 has serious security risks.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-max_protocol_version">
-<td><code>maxProtocolVersion</code></td>
-<td><code><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-max_protocol_version">maxProtocolVersion</a></code></div>
+<div class="type"><a href="#ServerTLSSettings-TLSProtocol">TLSProtocol</a></div>
+</div></td>
 <td>
-<p>Optional: Maximum TLS protocol version.</p>
+<p>Maximum TLS protocol version.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServerTLSSettings-cipher_suites">
-<td><code>cipherSuites</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-cipher_suites">cipherSuites</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
-<p>Optional: If specified, only support the specified cipher list.
+<p>If specified, only support the specified cipher list.
 Otherwise default to the default cipher list supported by Envoy
 as specified <a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">here</a>.
 The supported list of ciphers are:</p>
@ -634,14 +613,46 @@ The supported list of ciphers are:</p>
 </ul>

 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="ServerTLSSettings-TLSCertificate">TLSCertificate</h3>
+<section>
+<p>TLSCertificate describes the server&rsquo;s TLS certificate.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="ServerTLSSettings-TLSCertificate-server_certificate">
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-TLSCertificate-server_certificate">serverCertificate</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
-No
+<p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
+holding the server-side TLS certificate to use.</p>
+
+</td>
+</tr>
+<tr id="ServerTLSSettings-TLSCertificate-private_key">
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-TLSCertificate-private_key">privateKey</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
+holding the server&rsquo;s private key.</p>
+
 </td>
 </tr>
 </tbody>
 </table>
 </section>
-<h2 id="ServerTLSSettings-TLSmode">ServerTLSSettings.TLSmode</h2>
+<h3 id="ServerTLSSettings-TLSmode">TLSmode</h3>
 <section>
 <p>TLS modes enforced by the proxy</p>

@ -654,7 +665,7 @@ No
 </thead>
 <tbody>
 <tr id="ServerTLSSettings-TLSmode-PASSTHROUGH">
-<td><code>PASSTHROUGH</code></td>
+<td><code><a href="#ServerTLSSettings-TLSmode-PASSTHROUGH">PASSTHROUGH</a></code></td>
 <td>
 <p>The SNI string presented by the client will be used as the
 match criterion in a VirtualService TLS route to determine
@ -663,7 +674,7 @@ the destination service from the service registry.</p>
 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSmode-SIMPLE">
-<td><code>SIMPLE</code></td>
+<td><code><a href="#ServerTLSSettings-TLSmode-SIMPLE">SIMPLE</a></code></td>
 <td>
 <p>Secure connections with standard TLS semantics. In this mode
 client certificate is not requested during handshake.</p>
@ -671,7 +682,7 @@ client certificate is not requested during handshake.</p>
 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSmode-MUTUAL">
-<td><code>MUTUAL</code></td>
+<td><code><a href="#ServerTLSSettings-TLSmode-MUTUAL">MUTUAL</a></code></td>
 <td>
 <p>Secure connections to the downstream using mutual TLS by
 presenting server certificates for authentication.
@ -681,7 +692,7 @@ at least one valid certificate is required to be sent by the client.</p>
 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSmode-AUTO_PASSTHROUGH">
-<td><code>AUTO_PASSTHROUGH</code></td>
+<td><code><a href="#ServerTLSSettings-TLSmode-AUTO_PASSTHROUGH">AUTO_PASSTHROUGH</a></code></td>
 <td>
 <p>Similar to the passthrough mode, except servers with this TLS
 mode do not require an associated VirtualService to map from
@ -698,7 +709,7 @@ the destination are using Istio mTLS to secure traffic.</p>
 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSmode-ISTIO_MUTUAL">
-<td><code>ISTIO_MUTUAL</code></td>
+<td><code><a href="#ServerTLSSettings-TLSmode-ISTIO_MUTUAL">ISTIO_MUTUAL</a></code></td>
 <td>
 <p>Secure connections from the downstream using mutual TLS by
 presenting server certificates for authentication.  Compared
@ -710,7 +721,7 @@ fields in <code>TLSOptions</code> should be empty.</p>
 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSmode-OPTIONAL_MUTUAL">
-<td><code>OPTIONAL_MUTUAL</code></td>
+<td><code><a href="#ServerTLSSettings-TLSmode-OPTIONAL_MUTUAL">OPTIONAL_MUTUAL</a></code></td>
 <td>
 <p>Similar to MUTUAL mode, except that the client certificate
 is optional. Unlike SIMPLE mode, A client certificate will
@ -724,7 +735,7 @@ be specified for validating client certificates.</p>
 </tbody>
 </table>
 </section>
-<h2 id="ServerTLSSettings-TLSProtocol">ServerTLSSettings.TLSProtocol</h2>
+<h3 id="ServerTLSSettings-TLSProtocol">TLSProtocol</h3>
 <section>
 <p>TLS protocol versions.</p>

@ -737,35 +748,35 @@ be specified for validating client certificates.</p>
 </thead>
 <tbody>
 <tr id="ServerTLSSettings-TLSProtocol-TLS_AUTO">
-<td><code>TLS_AUTO</code></td>
+<td><code><a href="#ServerTLSSettings-TLSProtocol-TLS_AUTO">TLS_AUTO</a></code></td>
 <td>
 <p>Automatically choose the optimal TLS version.</p>

 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSProtocol-TLSV1_0">
-<td><code>TLSV1_0</code></td>
+<td><code><a href="#ServerTLSSettings-TLSProtocol-TLSV1_0">TLSV1_0</a></code></td>
 <td>
 <p>TLS version 1.0</p>

 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSProtocol-TLSV1_1">
-<td><code>TLSV1_1</code></td>
+<td><code><a href="#ServerTLSSettings-TLSProtocol-TLSV1_1">TLSV1_1</a></code></td>
 <td>
 <p>TLS version 1.1</p>

 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSProtocol-TLSV1_2">
-<td><code>TLSV1_2</code></td>
+<td><code><a href="#ServerTLSSettings-TLSProtocol-TLSV1_2">TLSV1_2</a></code></td>
 <td>
 <p>TLS version 1.2</p>

 </td>
 </tr>
 <tr id="ServerTLSSettings-TLSProtocol-TLSV1_3">
-<td><code>TLSV1_3</code></td>
+<td><code><a href="#ServerTLSSettings-TLSProtocol-TLSV1_3">TLSV1_3</a></code></td>
 <td>
 <p>TLS version 1.3</p>

--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@ -14,8 +14,6 @@

 syntax = "proto3";

-import "google/api/field_behavior.proto";
-
 // $schema: istio.networking.v1alpha3.Gateway
 // $title: Gateway
 // $description: Configuration affecting edge load balancer.
@ -194,6 +192,8 @@ import "google/api/field_behavior.proto";
 //
 package istio.networking.v1alpha3;

+import "google/api/field_behavior.proto";
+
 option go_package = "istio.io/api/networking/v1alpha3";

 // Gateway describes a load balancer operating at the edge of the mesh
@ -201,7 +201,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //
 // <!-- crd generation tags
 // +cue-gen:Gateway:groupName:networking.istio.io
-// +cue-gen:Gateway:versions:v1beta1,v1alpha3,v1
+// +cue-gen:Gateway:versions:v1,v1beta1,v1alpha3
 // +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
 // +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:Gateway:subresource:status
@ -366,7 +366,7 @@ message Port {
  uint32 number = 1 [(google.api.field_behavior) = REQUIRED];

  // The protocol exposed on the port.
-  // MUST BE one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
+  // MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
  // TLS can be either used to terminate non-HTTP based connections on a specific port
  // or to route traffic based on SNI header to the destination without terminating the TLS connection.
  string protocol = 2 [(google.api.field_behavior) = REQUIRED];
@ -377,9 +377,12 @@ message Port {
  // The port number on the endpoint where the traffic will be
  // received. Applicable only when used with ServiceEntries.
  // $hide_from_docs
-  uint32 target_port = 4 [deprecated=true];
+  uint32 target_port = 4 [deprecated = true];
 }

+// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)"
+// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)"
 message ServerTLSSettings {
  // If set to true, the load balancer will send a 301 redirect for
  // all http connections, asking the clients to use HTTPS.
@ -393,12 +396,12 @@ message ServerTLSSettings {
    PASSTHROUGH = 0;

    // Secure connections with standard TLS semantics. In this mode
-    // client certificate is not requested during handshake. 
+    // client certificate is not requested during handshake.
    SIMPLE = 1;

    // Secure connections to the downstream using mutual TLS by
    // presenting server certificates for authentication.
-    // A client certificate will also be requested during the handshake and 
+    // A client certificate will also be requested during the handshake and
    // at least one valid certificate is required to be sent by the client.
    MUTUAL = 2;

@ -424,13 +427,13 @@ message ServerTLSSettings {
    ISTIO_MUTUAL = 4;

    // Similar to MUTUAL mode, except that the client certificate
-    // is optional. Unlike SIMPLE mode, A client certificate will 
-    // still be explicitly requested during handshake, but the client 
-    // is not required to send a certificate. If a client certificate 
+    // is optional. Unlike SIMPLE mode, A client certificate will
+    // still be explicitly requested during handshake, but the client
+    // is not required to send a certificate. If a client certificate
    // is presented, it will be validated. ca_certificates should
    // be specified for validating client certificates.
    OPTIONAL_MUTUAL = 5;
-  };
+  }

  // Optional: Indicates whether connections to this port should be
  // secured using TLS. The value of this field determines how TLS is
@ -471,8 +474,42 @@ message ServerTLSSettings {
  // or credentialName can be specified.
  string credential_name = 10;

+  // Same as CredentialName but for multiple certificates. Mainly used for specifying
+  // RSA and ECDSA certificates for the same server.
+  // +kubebuilder:validation:MaxItems=2
+  // +kubebuilder:validation:MinItems=1
+  repeated string credential_names = 14;
+
+  // TLSCertificate describes the server's TLS certificate.
+  message TLSCertificate {
+    // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
+    // holding the server-side TLS certificate to use.
+    string server_certificate = 1;
+
+    // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
+    // holding the server's private key.
+    string private_key = 2;
+
+    // $hide_from_docs
+    // REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file
+    // containing certificate authority certificates to use in verifying a presented
+    // client side certificate.
+    // $hide_from_docs
+    string ca_certificates = 3;
+  }
+
+  // Only one of `server_certificate`, `private_key` or `credential_name`
+  // or `credential_names` or `tls_certificates` should be specified.
+  // This is mainly used for specifying RSA and ECDSA certificates for the same server.
+  // +kubebuilder:validation:MaxItems=2
+  // +kubebuilder:validation:MinItems=1
+  repeated TLSCertificate tls_certificates = 15;
+
  // A list of alternate names to verify the subject identity in the
  // certificate presented by the client.
+  // Requires TLS mode to be set to `MUTUAL`.
+  // When multiple certificates are provided via `credential_names` or `tls_certificates`,
+  // the subject alternate names are validated against the selected certificate.
  repeated string subject_alt_names = 6;

  // An optional list of base64-encoded SHA-256 hashes of the SPKIs of
--- a/networking/v1alpha3/gateway_deepcopy.gen.go
+++ b/networking/v1alpha3/gateway_deepcopy.gen.go
@ -88,3 +88,24 @@ func (in *ServerTLSSettings) DeepCopy() *ServerTLSSettings {
 func (in *ServerTLSSettings) DeepCopyInterface() interface{} {
 	return in.DeepCopy()
 }
+
+// DeepCopyInto supports using ServerTLSSettings_TLSCertificate within kubernetes types, where deepcopy-gen is used.
+func (in *ServerTLSSettings_TLSCertificate) DeepCopyInto(out *ServerTLSSettings_TLSCertificate) {
+	p := proto.Clone(in).(*ServerTLSSettings_TLSCertificate)
+	*out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_TLSCertificate. Required by controller-gen.
+func (in *ServerTLSSettings_TLSCertificate) DeepCopy() *ServerTLSSettings_TLSCertificate {
+	if in == nil {
+		return nil
+	}
+	out := new(ServerTLSSettings_TLSCertificate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_TLSCertificate. Required by controller-gen.
+func (in *ServerTLSSettings_TLSCertificate) DeepCopyInterface() interface{} {
+	return in.DeepCopy()
+}
--- a/networking/v1alpha3/gateway_json.gen.go
+++ b/networking/v1alpha3/gateway_json.gen.go
@ -50,6 +50,17 @@ func (this *ServerTLSSettings) UnmarshalJSON(b []byte) error {
 	return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
 }

+// MarshalJSON is a custom marshaler for ServerTLSSettings_TLSCertificate
+func (this *ServerTLSSettings_TLSCertificate) MarshalJSON() ([]byte, error) {
+	str, err := GatewayMarshaler.MarshalToString(this)
+	return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ServerTLSSettings_TLSCertificate
+func (this *ServerTLSSettings_TLSCertificate) UnmarshalJSON(b []byte) error {
+	return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
 var (
 	GatewayMarshaler   = &jsonpb.Marshaler{}
 	GatewayUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: networking/v1alpha3/service_entry.proto

@ -164,7 +164,7 @@
 // kind: ServiceEntry
 // metadata:
 //   name: external-svc-httpbin
-//   namespace : egress
+//   namespace: egress
 // spec:
 //   hosts:
 //   - example.com
@ -327,7 +327,7 @@
 // kind: ServiceEntry
 // metadata:
 //   name: httpbin
-//   namespace : httpbin-ns
+//   namespace: httpbin-ns
 // spec:
 //   hosts:
 //   - example.com
@ -410,6 +410,7 @@ import (
 	v1alpha1 "istio.io/api/meta/v1alpha1"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -422,9 +423,7 @@ const (
 // Location specifies whether the service is part of Istio mesh or
 // outside the mesh.  Location determines the behavior of several
 // features, such as service-to-service mTLS authentication, policy
-// enforcement, etc. When communicating with services outside the mesh,
-// Istio's mTLS authentication is disabled, and policy enforcement is
-// performed on the client-side as opposed to server-side.
+// enforcement, etc.
 type ServiceEntry_Location int32

 const (
@ -568,7 +567,7 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
 //
 // <!-- crd generation tags
 // +cue-gen:ServiceEntry:groupName:networking.istio.io
-// +cue-gen:ServiceEntry:versions:v1beta1,v1alpha3,v1
+// +cue-gen:ServiceEntry:versions:v1,v1beta1,v1alpha3
 // +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
 // +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:ServiceEntry:subresource:status
@ -594,15 +593,12 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
 // +k8s:deepcopy-gen=true
 // istiostatus-override: ServiceEntryStatus: istio.io/api/networking/v1alpha3
 // -->
-// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1"
-// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution != 'NONE'))"
-// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true"
-// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="oneof(self.workloadSelector, self.endpoints)"
+// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
+// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
+// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, ”) == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
 type ServiceEntry struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The hosts associated with the ServiceEntry. Could be a DNS
 	// name with wildcard prefix.
 	//
@ -700,6 +696,8 @@ type ServiceEntry struct {
 	// to derive the additional subject alternate names that should be
 	// verified.
 	SubjectAltNames []string `protobuf:"bytes,8,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"`
+	unknownFields   protoimpl.UnknownFields
+	sizeCache       protoimpl.SizeCache
 }

 func (x *ServiceEntry) Reset() {
@ -797,15 +795,12 @@ func (x *ServiceEntry) GetSubjectAltNames() []string {

 // ServicePort describes the properties of a specific port of a service.
 type ServicePort struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// A valid non-negative integer port number.
 	// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
 	Number uint32 `protobuf:"varint,1,opt,name=number,proto3" json:"number,omitempty"`
 	// The protocol exposed on the port.
-	// MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+	// MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
 	// TLS implies the connection will be routed based on the SNI header to
 	// the destination without terminating the TLS connection.
 	// +kubebuilder:validation:MaxLength=256
@ -816,7 +811,9 @@ type ServicePort struct {
 	// The port number on the endpoint where the traffic will be
 	// received. If unset, default to `number`.
 	// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
-	TargetPort uint32 `protobuf:"varint,4,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	TargetPort    uint32 `protobuf:"varint,4,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *ServicePort) Reset() {
@ -878,10 +875,7 @@ func (x *ServicePort) GetTargetPort() uint32 {
 }

 type ServiceEntryStatus struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Current service state of ServiceEntry.
 	// More info: https://istio.io/docs/reference/config/config-status/
 	// +optional
@ -900,7 +894,9 @@ type ServiceEntryStatus struct {
 	ObservedGeneration int64 `protobuf:"varint,3,opt,name=observed_generation,json=observedGeneration,proto3" json:"observed_generation,omitempty"`
 	// List of addresses which were assigned to this ServiceEntry.
 	// +optional
-	Addresses []*ServiceEntryAddress `protobuf:"bytes,10,rep,name=addresses,proto3" json:"addresses,omitempty"`
+	Addresses     []*ServiceEntryAddress `protobuf:"bytes,10,rep,name=addresses,proto3" json:"addresses,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *ServiceEntryStatus) Reset() {
@ -961,16 +957,15 @@ func (x *ServiceEntryStatus) GetAddresses() []*ServiceEntryAddress {
 	return nil
 }

-// minor abstraction to allow for adding hostnames if relevant
+// A minor abstraction to allow for adding hostnames if relevant.
 type ServiceEntryAddress struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	// Value is the address (192.168.0.2)
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// The address (e.g. 192.168.0.2)
 	Value string `protobuf:"bytes,1,opt,name=value,proto3" json:"value,omitempty"`
-	// Host is the name associated with this address
-	Host string `protobuf:"bytes,2,opt,name=host,proto3" json:"host,omitempty"`
+	// The host name associated with this address
+	Host          string `protobuf:"bytes,2,opt,name=host,proto3" json:"host,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *ServiceEntryAddress) Reset() {
@ -1019,108 +1014,57 @@ func (x *ServiceEntryAddress) GetHost() string {

 var File_networking_v1alpha3_service_entry_proto protoreflect.FileDescriptor

-var file_networking_v1alpha3_service_entry_proto_rawDesc = []byte{
-	0x0a, 0x27, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x5f, 0x65, 0x6e,
-	0x74, 0x72, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19, 0x69, 0x73, 0x74, 0x69, 0x6f,
-	0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c,
-	0x70, 0x68, 0x61, 0x33, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x21, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e,
-	0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x63,
-	0x61, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x28, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
-	0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x77, 0x6f,
-	0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x1a, 0x1f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x1a, 0x1a, 0x6d, 0x65, 0x74, 0x61, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
-	0x61, 0x31, 0x2f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
-	0x87, 0x05, 0x0a, 0x0c, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79,
-	0x12, 0x1a, 0x0a, 0x05, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x42,
-	0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x05, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x12, 0x1c, 0x0a, 0x09,
-	0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x09, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x12, 0x3c, 0x0a, 0x05, 0x70, 0x6f,
-	0x72, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69,
-	0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x6f, 0x72,
-	0x74, 0x52, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x12, 0x4c, 0x0a, 0x08, 0x6c, 0x6f, 0x63, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x30, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e,
-	0x74, 0x72, 0x79, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x08, 0x6c, 0x6f,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x52, 0x0a, 0x0a, 0x72, 0x65, 0x73, 0x6f, 0x6c, 0x75,
-	0x74, 0x69, 0x6f, 0x6e, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x32, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e,
-	0x74, 0x72, 0x79, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x6c, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a,
-	0x72, 0x65, 0x73, 0x6f, 0x6c, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x46, 0x0a, 0x09, 0x65, 0x6e,
-	0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f,
-	0x61, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e,
-	0x74, 0x73, 0x12, 0x58, 0x0a, 0x11, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x73,
-	0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f,
-	0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x10, 0x77, 0x6f, 0x72, 0x6b,
-	0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1b, 0x0a, 0x09,
-	0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x5f, 0x74, 0x6f, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52,
-	0x08, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x54, 0x6f, 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62,
-	0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, 0x6c, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x08,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74,
-	0x4e, 0x61, 0x6d, 0x65, 0x73, 0x22, 0x30, 0x0a, 0x08, 0x4c, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x11, 0x0a, 0x0d, 0x4d, 0x45, 0x53, 0x48, 0x5f, 0x45, 0x58, 0x54, 0x45, 0x52, 0x4e,
-	0x41, 0x4c, 0x10, 0x00, 0x12, 0x11, 0x0a, 0x0d, 0x4d, 0x45, 0x53, 0x48, 0x5f, 0x49, 0x4e, 0x54,
-	0x45, 0x52, 0x4e, 0x41, 0x4c, 0x10, 0x01, 0x22, 0x40, 0x0a, 0x0a, 0x52, 0x65, 0x73, 0x6f, 0x6c,
-	0x75, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x00, 0x12,
-	0x0a, 0x0a, 0x06, 0x53, 0x54, 0x41, 0x54, 0x49, 0x43, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x44,
-	0x4e, 0x53, 0x10, 0x02, 0x12, 0x13, 0x0a, 0x0f, 0x44, 0x4e, 0x53, 0x5f, 0x52, 0x4f, 0x55, 0x4e,
-	0x44, 0x5f, 0x52, 0x4f, 0x42, 0x49, 0x4e, 0x10, 0x03, 0x22, 0x82, 0x01, 0x0a, 0x0b, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x1c, 0x0a, 0x06, 0x6e, 0x75, 0x6d,
-	0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52,
-	0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x63, 0x6f, 0x6c, 0x12, 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28,
-	0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a,
-	0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01,
-	0x28, 0x0d, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xb7,
-	0x02, 0x0a, 0x12, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x53,
-	0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x43, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69,
-	0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x69, 0x73, 0x74, 0x69,
-	0x6f, 0x2e, 0x6d, 0x65, 0x74, 0x61, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
-	0x49, 0x73, 0x74, 0x69, 0x6f, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0a,
-	0x63, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x5d, 0x0a, 0x13, 0x76, 0x61,
-	0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
-	0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x61, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
-	0x31, 0x2e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
-	0x65, 0x42, 0x61, 0x73, 0x65, 0x52, 0x12, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x73, 0x12, 0x2f, 0x0a, 0x13, 0x6f, 0x62, 0x73,
-	0x65, 0x72, 0x76, 0x65, 0x64, 0x5f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x12, 0x6f, 0x62, 0x73, 0x65, 0x72, 0x76, 0x65, 0x64,
-	0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4c, 0x0a, 0x09, 0x61, 0x64,
-	0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e,
-	0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67,
-	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63,
-	0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x52, 0x09, 0x61,
-	0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x22, 0x3f, 0x0a, 0x13, 0x53, 0x65, 0x72, 0x76,
-	0x69, 0x63, 0x65, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12,
-	0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
-	0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_networking_v1alpha3_service_entry_proto_rawDesc = "" +
+	"\n" +
+	"'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1ameta/v1alpha1/status.proto\x1a!networking/v1alpha3/sidecar.proto\x1a(networking/v1alpha3/workload_entry.proto\"\x87\x05\n" +
+	"\fServiceEntry\x12\x1a\n" +
+	"\x05hosts\x18\x01 \x03(\tB\x04\xe2A\x01\x02R\x05hosts\x12\x1c\n" +
+	"\taddresses\x18\x02 \x03(\tR\taddresses\x12<\n" +
+	"\x05ports\x18\x03 \x03(\v2&.istio.networking.v1alpha3.ServicePortR\x05ports\x12L\n" +
+	"\blocation\x18\x04 \x01(\x0e20.istio.networking.v1alpha3.ServiceEntry.LocationR\blocation\x12R\n" +
+	"\n" +
+	"resolution\x18\x05 \x01(\x0e22.istio.networking.v1alpha3.ServiceEntry.ResolutionR\n" +
+	"resolution\x12F\n" +
+	"\tendpoints\x18\x06 \x03(\v2(.istio.networking.v1alpha3.WorkloadEntryR\tendpoints\x12X\n" +
+	"\x11workload_selector\x18\t \x01(\v2+.istio.networking.v1alpha3.WorkloadSelectorR\x10workloadSelector\x12\x1b\n" +
+	"\texport_to\x18\a \x03(\tR\bexportTo\x12*\n" +
+	"\x11subject_alt_names\x18\b \x03(\tR\x0fsubjectAltNames\"0\n" +
+	"\bLocation\x12\x11\n" +
+	"\rMESH_EXTERNAL\x10\x00\x12\x11\n" +
+	"\rMESH_INTERNAL\x10\x01\"@\n" +
+	"\n" +
+	"Resolution\x12\b\n" +
+	"\x04NONE\x10\x00\x12\n" +
+	"\n" +
+	"\x06STATIC\x10\x01\x12\a\n" +
+	"\x03DNS\x10\x02\x12\x13\n" +
+	"\x0fDNS_ROUND_ROBIN\x10\x03\"\x82\x01\n" +
+	"\vServicePort\x12\x1c\n" +
+	"\x06number\x18\x01 \x01(\rB\x04\xe2A\x01\x02R\x06number\x12\x1a\n" +
+	"\bprotocol\x18\x02 \x01(\tR\bprotocol\x12\x18\n" +
+	"\x04name\x18\x03 \x01(\tB\x04\xe2A\x01\x02R\x04name\x12\x1f\n" +
+	"\vtarget_port\x18\x04 \x01(\rR\n" +
+	"targetPort\"\xb7\x02\n" +
+	"\x12ServiceEntryStatus\x12C\n" +
+	"\n" +
+	"conditions\x18\x01 \x03(\v2#.istio.meta.v1alpha1.IstioConditionR\n" +
+	"conditions\x12]\n" +
+	"\x13validation_messages\x18\x02 \x03(\v2,.istio.analysis.v1alpha1.AnalysisMessageBaseR\x12validationMessages\x12/\n" +
+	"\x13observed_generation\x18\x03 \x01(\x03R\x12observedGeneration\x12L\n" +
+	"\taddresses\x18\n" +
+	" \x03(\v2..istio.networking.v1alpha3.ServiceEntryAddressR\taddresses\"?\n" +
+	"\x13ServiceEntryAddress\x12\x14\n" +
+	"\x05value\x18\x01 \x01(\tR\x05value\x12\x12\n" +
+	"\x04host\x18\x02 \x01(\tR\x04hostB\"Z istio.io/api/networking/v1alpha3b\x06proto3"

 var (
 	file_networking_v1alpha3_service_entry_proto_rawDescOnce sync.Once
-	file_networking_v1alpha3_service_entry_proto_rawDescData = file_networking_v1alpha3_service_entry_proto_rawDesc
+	file_networking_v1alpha3_service_entry_proto_rawDescData []byte
 )

 func file_networking_v1alpha3_service_entry_proto_rawDescGZIP() []byte {
 	file_networking_v1alpha3_service_entry_proto_rawDescOnce.Do(func() {
-		file_networking_v1alpha3_service_entry_proto_rawDescData = protoimpl.X.CompressGZIP(file_networking_v1alpha3_service_entry_proto_rawDescData)
+		file_networking_v1alpha3_service_entry_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_service_entry_proto_rawDesc), len(file_networking_v1alpha3_service_entry_proto_rawDesc)))
 	})
 	return file_networking_v1alpha3_service_entry_proto_rawDescData
 }
@ -1166,7 +1110,7 @@ func file_networking_v1alpha3_service_entry_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_networking_v1alpha3_service_entry_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_service_entry_proto_rawDesc), len(file_networking_v1alpha3_service_entry_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   4,
 			NumExtensions: 0,
@ -1178,7 +1122,6 @@ func file_networking_v1alpha3_service_entry_proto_init() {
 		MessageInfos:      file_networking_v1alpha3_service_entry_proto_msgTypes,
 	}.Build()
 	File_networking_v1alpha3_service_entry_proto = out.File
-	file_networking_v1alpha3_service_entry_proto_rawDesc = nil
 	file_networking_v1alpha3_service_entry_proto_goTypes = nil
 	file_networking_v1alpha3_service_entry_proto_depIdxs = nil
 }
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@ -129,7 +129,7 @@ namespaces.</p>
 kind: ServiceEntry
 metadata:
  name: external-svc-httpbin
-  namespace : egress
+  namespace: egress
 spec:
  hosts:
  - example.com
@ -273,7 +273,7 @@ whose format conforms to the <a href="https://github.com/spiffe/spiffe/blob/mast
 kind: ServiceEntry
 metadata:
  name: httpbin
-  namespace : httpbin-ns
+  namespace: httpbin-ns
 spec:
  hosts:
  - example.com
@ -349,15 +349,15 @@ service registry.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="ServiceEntry-hosts">
-<td><code>hosts</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-hosts">hosts</a></code></div>
+<div class="type">string[]</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>The hosts associated with the ServiceEntry. Could be a DNS
 name with wildcard prefix.</p>
@ -383,14 +383,12 @@ service accounts associated with the pods of the service, the
 SANs specified here will also be verified.</li>
 </ol>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="ServiceEntry-addresses">
-<td><code>addresses</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-addresses">addresses</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>The virtual IP addresses associated with the service. Could be CIDR
 prefix. For HTTP traffic, generated route configurations will include http route
@ -407,65 +405,55 @@ simple TCP proxy, forwarding incoming traffic on a specified port to
 the specified destination endpoint IP/host. Unix domain socket
 addresses are not supported in this field.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServiceEntry-ports">
-<td><code>ports</code></td>
-<td><code><a href="#ServicePort">ServicePort[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-ports">ports</a></code></div>
+<div class="type"><a href="#ServicePort">ServicePort[]</a></div>
+</div></td>
 <td>
 <p>The ports associated with the external service. If the
 Endpoints are Unix domain socket addresses, there must be exactly one
 port.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServiceEntry-location">
-<td><code>location</code></td>
-<td><code><a href="#ServiceEntry-Location">Location</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-location">location</a></code></div>
+<div class="type"><a href="#ServiceEntry-Location">Location</a></div>
+</div></td>
 <td>
 <p>Specify whether the service should be considered external to the mesh
 or part of the mesh.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServiceEntry-resolution">
-<td><code>resolution</code></td>
-<td><code><a href="#ServiceEntry-Resolution">Resolution</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-resolution">resolution</a></code></div>
+<div class="type"><a href="#ServiceEntry-Resolution">Resolution</a></div>
+</div></td>
 <td>
 <p>Service resolution mode for the hosts. Care must be taken
 when setting the resolution mode to NONE for a TCP port without
 accompanying IP addresses. In such cases, traffic to any IP on
 said port will be allowed (i.e. <code>0.0.0.0:&lt;port&gt;</code>).</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServiceEntry-endpoints">
-<td><code>endpoints</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/networking/workload-entry.html#WorkloadEntry">WorkloadEntry[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-endpoints">endpoints</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/networking/workload-entry.html#WorkloadEntry">WorkloadEntry[]</a></div>
+</div></td>
 <td>
 <p>One or more endpoints associated with the service. Only one of
 <code>endpoints</code> or <code>workloadSelector</code> can be specified.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServiceEntry-workload_selector">
-<td><code>workloadSelector</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/networking/sidecar.html#WorkloadSelector">WorkloadSelector</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-workload_selector">workloadSelector</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/networking/sidecar.html#WorkloadSelector">WorkloadSelector</a></div>
+</div></td>
 <td>
 <p>Applicable only for MESH_INTERNAL services. Only one of
 <code>endpoints</code> or <code>workloadSelector</code> can be specified. Selects one
@ -474,14 +462,12 @@ or more Kubernetes pods or VM workloads (specified using
 representing the VMs should be defined in the same namespace as
 the ServiceEntry.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServiceEntry-export_to">
-<td><code>exportTo</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-export_to">exportTo</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>A list of namespaces to which this service is exported. Exporting a service
 allows it to be used by sidecars, gateways and virtual services defined in
@ -497,14 +483,12 @@ defines an export to all namespaces.</p>
 the annotation &ldquo;networking.istio.io/exportTo&rdquo; to a comma-separated list
 of namespace names.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="ServiceEntry-subject_alt_names">
-<td><code>subjectAltNames</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#ServiceEntry-subject_alt_names">subjectAltNames</a></code></div>
+<div class="type">string[]</div>
+</div></td>
 <td>
 <p>If specified, the proxy will verify that the server certificate&rsquo;s
 subject alternate name matches one of the specified values.</p>
@ -513,188 +497,17 @@ service account specified in the workloadEntry will also be used
 to derive the additional subject alternate names that should be
 verified.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
 </table>
 </section>
-<h2 id="ServicePort">ServicePort</h2>
-<section>
-<p>ServicePort describes the properties of a specific port of a service.</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="ServicePort-number">
-<td><code>number</code></td>
-<td><code>uint32</code></td>
-<td>
-<p>A valid non-negative integer port number.</p>
-
-</td>
-<td>
-Yes
-</td>
-</tr>
-<tr id="ServicePort-protocol">
-<td><code>protocol</code></td>
-<td><code>string</code></td>
-<td>
-<p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
-TLS implies the connection will be routed based on the SNI header to
-the destination without terminating the TLS connection.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="ServicePort-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
-<td>
-<p>Label assigned to the port.</p>
-
-</td>
-<td>
-Yes
-</td>
-</tr>
-<tr id="ServicePort-target_port">
-<td><code>targetPort</code></td>
-<td><code>uint32</code></td>
-<td>
-<p>The port number on the endpoint where the traffic will be
-received. If unset, default to <code>number</code>.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="ServiceEntryStatus">ServiceEntryStatus</h2>
-<section>
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="ServiceEntryStatus-conditions">
-<td><code>conditions</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/meta/v1beta1/istio-status.html#IstioCondition">IstioCondition[]</a></code></td>
-<td>
-<p>Current service state of ServiceEntry.
-More info: <a href="https://istio.io/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="ServiceEntryStatus-validation_messages">
-<td><code>validationMessages</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/istio.analysis.v1alpha1.html#AnalysisMessageBase">AnalysisMessageBase[]</a></code></td>
-<td>
-<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="ServiceEntryStatus-observed_generation">
-<td><code>observedGeneration</code></td>
-<td><code>int64</code></td>
-<td>
-<p>Resource Generation to which the Reconciled Condition refers.
-When this value is not equal to the object&rsquo;s metadata generation, reconciled condition  calculation for the current
-generation is still in progress.  See <a href="https://istio.io/latest/docs/reference/config/config-status/">https://istio.io/latest/docs/reference/config/config-status/</a> for more info.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="ServiceEntryStatus-addresses">
-<td><code>addresses</code></td>
-<td><code><a href="#ServiceEntryAddress">ServiceEntryAddress[]</a></code></td>
-<td>
-<p>List of addresses which were assigned to this ServiceEntry.</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
-<section>
-<p>minor abstraction to allow for adding hostnames if relevant</p>
-
-<table class="message-fields">
-<thead>
-<tr>
-<th>Field</th>
-<th>Type</th>
-<th>Description</th>
-<th>Required</th>
-</tr>
-</thead>
-<tbody>
-<tr id="ServiceEntryAddress-value">
-<td><code>value</code></td>
-<td><code>string</code></td>
-<td>
-<p>Value is the address (192.168.0.2)</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-<tr id="ServiceEntryAddress-host">
-<td><code>host</code></td>
-<td><code>string</code></td>
-<td>
-<p>Host is the name associated with this address</p>
-
-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="ServiceEntry-Location">ServiceEntry.Location</h2>
+<h3 id="ServiceEntry-Location">Location</h3>
 <section>
 <p>Location specifies whether the service is part of Istio mesh or
 outside the mesh.  Location determines the behavior of several
 features, such as service-to-service mTLS authentication, policy
-enforcement, etc. When communicating with services outside the mesh,
-Istio&rsquo;s mTLS authentication is disabled, and policy enforcement is
-performed on the client-side as opposed to server-side.</p>
+enforcement, etc.</p>

 <table class="enum-values">
 <thead>
@ -705,7 +518,7 @@ performed on the client-side as opposed to server-side.</p>
 </thead>
 <tbody>
 <tr id="ServiceEntry-Location-MESH_EXTERNAL">
-<td><code>MESH_EXTERNAL</code></td>
+<td><code><a href="#ServiceEntry-Location-MESH_EXTERNAL">MESH_EXTERNAL</a></code></td>
 <td>
 <p>Signifies that the service is external to the mesh. Typically used
 to indicate external services consumed through APIs.</p>
@ -713,7 +526,7 @@ to indicate external services consumed through APIs.</p>
 </td>
 </tr>
 <tr id="ServiceEntry-Location-MESH_INTERNAL">
-<td><code>MESH_INTERNAL</code></td>
+<td><code><a href="#ServiceEntry-Location-MESH_INTERNAL">MESH_INTERNAL</a></code></td>
 <td>
 <p>Signifies that the service is part of the mesh. Typically used to
 indicate services added explicitly as part of expanding the service
@ -725,7 +538,7 @@ Kubernetes based service mesh).</p>
 </tbody>
 </table>
 </section>
-<h2 id="ServiceEntry-Resolution">ServiceEntry.Resolution</h2>
+<h3 id="ServiceEntry-Resolution">Resolution</h3>
 <section>
 <p>Resolution determines how the proxy will resolve the IP addresses of
 the network endpoints associated with the service, so that it can
@ -746,7 +559,7 @@ talk to these services.</p>
 </thead>
 <tbody>
 <tr id="ServiceEntry-Resolution-NONE">
-<td><code>NONE</code></td>
+<td><code><a href="#ServiceEntry-Resolution-NONE">NONE</a></code></td>
 <td>
 <p>Assume that incoming connections have already been resolved (to a
 specific destination IP address). Such connections are typically
@ -758,7 +571,7 @@ connection was bound.</p>
 </td>
 </tr>
 <tr id="ServiceEntry-Resolution-STATIC">
-<td><code>STATIC</code></td>
+<td><code><a href="#ServiceEntry-Resolution-STATIC">STATIC</a></code></td>
 <td>
 <p>Use the static IP addresses specified in endpoints (see below) as the
 backing instances associated with the service.</p>
@ -766,7 +579,7 @@ backing instances associated with the service.</p>
 </td>
 </tr>
 <tr id="ServiceEntry-Resolution-DNS">
-<td><code>DNS</code></td>
+<td><code><a href="#ServiceEntry-Resolution-DNS">DNS</a></code></td>
 <td>
 <p>Attempt to resolve the IP address by querying the ambient DNS,
 asynchronously. If no endpoints are specified, the proxy
@ -779,7 +592,7 @@ domain socket endpoints.</p>
 </td>
 </tr>
 <tr id="ServiceEntry-Resolution-DNS_ROUND_ROBIN">
-<td><code>DNS_ROUND_ROBIN</code></td>
+<td><code><a href="#ServiceEntry-Resolution-DNS_ROUND_ROBIN">DNS_ROUND_ROBIN</a></code></td>
 <td>
 <p>Attempt to resolve the IP address by querying the ambient DNS,
 asynchronously. Unlike <code>DNS</code>, <code>DNS_ROUND_ROBIN</code> only uses the
@ -797,3 +610,145 @@ cannot be used with Unix domain socket endpoints.</p>
 </tbody>
 </table>
 </section>
+<h2 id="ServicePort">ServicePort</h2>
+<section>
+<p>ServicePort describes the properties of a specific port of a service.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="ServicePort-number">
+<td><div class="field"><div class="name"><code><a href="#ServicePort-number">number</a></code></div>
+<div class="type">uint32</div>
+<div class="required">Required</div>
+</div></td>
+<td>
+<p>A valid non-negative integer port number.</p>
+
+</td>
+</tr>
+<tr id="ServicePort-protocol">
+<td><div class="field"><div class="name"><code><a href="#ServicePort-protocol">protocol</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>The protocol exposed on the port.
+MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+TLS implies the connection will be routed based on the SNI header to
+the destination without terminating the TLS connection.</p>
+
+</td>
+</tr>
+<tr id="ServicePort-name">
+<td><div class="field"><div class="name"><code><a href="#ServicePort-name">name</a></code></div>
+<div class="type">string</div>
+<div class="required">Required</div>
+</div></td>
+<td>
+<p>Label assigned to the port.</p>
+
+</td>
+</tr>
+<tr id="ServicePort-target_port">
+<td><div class="field"><div class="name"><code><a href="#ServicePort-target_port">targetPort</a></code></div>
+<div class="type">uint32</div>
+</div></td>
+<td>
+<p>The port number on the endpoint where the traffic will be
+received. If unset, default to <code>number</code>.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h2 id="ServiceEntryStatus">ServiceEntryStatus</h2>
+<section>
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="ServiceEntryStatus-conditions">
+<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-conditions">conditions</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/meta/v1beta1/istio-status.html#IstioCondition">IstioCondition[]</a></div>
+</div></td>
+<td>
+<p>Current service state of ServiceEntry.
+More info: <a href="https://istio.io/docs/reference/config/config-status/">https://istio.io/docs/reference/config/config-status/</a></p>
+
+</td>
+</tr>
+<tr id="ServiceEntryStatus-validation_messages">
+<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-validation_messages">validationMessages</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/istio.analysis.v1alpha1.html#AnalysisMessageBase">AnalysisMessageBase[]</a></div>
+</div></td>
+<td>
+<p>Includes any errors or warnings detected by Istio&rsquo;s analyzers.</p>
+
+</td>
+</tr>
+<tr id="ServiceEntryStatus-observed_generation">
+<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-observed_generation">observedGeneration</a></code></div>
+<div class="type">int64</div>
+</div></td>
+<td>
+<p>Resource Generation to which the Reconciled Condition refers.
+When this value is not equal to the object&rsquo;s metadata generation, reconciled condition  calculation for the current
+generation is still in progress.  See <a href="https://istio.io/latest/docs/reference/config/config-status/">https://istio.io/latest/docs/reference/config/config-status/</a> for more info.</p>
+
+</td>
+</tr>
+<tr id="ServiceEntryStatus-addresses">
+<td><div class="field"><div class="name"><code><a href="#ServiceEntryStatus-addresses">addresses</a></code></div>
+<div class="type"><a href="#ServiceEntryAddress">ServiceEntryAddress[]</a></div>
+</div></td>
+<td>
+<p>List of addresses which were assigned to this ServiceEntry.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
+<section>
+<p>A minor abstraction to allow for adding hostnames if relevant.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="ServiceEntryAddress-value">
+<td><div class="field"><div class="name"><code><a href="#ServiceEntryAddress-value">value</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>The address (e.g. 192.168.0.2)</p>
+
+</td>
+</tr>
+<tr id="ServiceEntryAddress-host">
+<td><div class="field"><div class="name"><code><a href="#ServiceEntryAddress-host">host</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>The host name associated with this address</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@ -14,12 +14,6 @@

 syntax = "proto3";

-import "google/api/field_behavior.proto";
-import "networking/v1alpha3/sidecar.proto";
-import "networking/v1alpha3/workload_entry.proto";
-import "analysis/v1alpha1/message.proto";
-import "meta/v1alpha1/status.proto";
-
 // $schema: istio.networking.v1alpha3.ServiceEntry
 // $title: Service Entry
 // $description: Configuration affecting service registry.
@ -166,7 +160,7 @@ import "meta/v1alpha1/status.proto";
 // kind: ServiceEntry
 // metadata:
 //   name: external-svc-httpbin
-//   namespace : egress
+//   namespace: egress
 // spec:
 //   hosts:
 //   - example.com
@ -329,7 +323,7 @@ import "meta/v1alpha1/status.proto";
 // kind: ServiceEntry
 // metadata:
 //   name: httpbin
-//   namespace : httpbin-ns
+//   namespace: httpbin-ns
 // spec:
 //   hosts:
 //   - example.com
@ -403,15 +397,20 @@ import "meta/v1alpha1/status.proto";
 // ```
 package istio.networking.v1alpha3;

-option go_package = "istio.io/api/networking/v1alpha3";
+import "analysis/v1alpha1/message.proto";
+import "google/api/field_behavior.proto";
+import "meta/v1alpha1/status.proto";
+import "networking/v1alpha3/sidecar.proto";
+import "networking/v1alpha3/workload_entry.proto";

+option go_package = "istio.io/api/networking/v1alpha3";

 // ServiceEntry enables adding additional entries into Istio's internal
 // service registry.
 //
 // <!-- crd generation tags
 // +cue-gen:ServiceEntry:groupName:networking.istio.io
-// +cue-gen:ServiceEntry:versions:v1beta1,v1alpha3,v1
+// +cue-gen:ServiceEntry:versions:v1,v1beta1,v1alpha3
 // +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
 // +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:ServiceEntry:subresource:status
@ -437,10 +436,10 @@ option go_package = "istio.io/api/networking/v1alpha3";
 // +k8s:deepcopy-gen=true
 // istiostatus-override: ServiceEntryStatus: istio.io/api/networking/v1alpha3
 // -->
-// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="(has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1"
-// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution != 'NONE'))"
-// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) : true"
-// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
+// +kubebuilder:validation:XValidation:message="only one of WorkloadSelector or Endpoints can be set",rule="oneof(self.workloadSelector, self.endpoints)"
+// +kubebuilder:validation:XValidation:message="CIDR addresses are allowed only for NONE/STATIC resolution types",rule="!(default(self.addresses, []).exists(k, k.contains('/')) && !(default(self.resolution, 'NONE') in ['STATIC', 'NONE']))"
+// +kubebuilder:validation:XValidation:message="NONE mode cannot set endpoints",rule="default(self.resolution, 'NONE') == 'NONE' ? !has(self.endpoints) : true"
+// +kubebuilder:validation:XValidation:message="DNS_ROUND_ROBIN mode cannot have multiple endpoints",rule="default(self.resolution, '') == 'DNS_ROUND_ROBIN' ? default(self.endpoints, []).size() <= 1 : true"
 message ServiceEntry {
  // The hosts associated with the ServiceEntry. Could be a DNS
  // name with wildcard prefix.
@ -500,9 +499,7 @@ message ServiceEntry {
  // Location specifies whether the service is part of Istio mesh or
  // outside the mesh.  Location determines the behavior of several
  // features, such as service-to-service mTLS authentication, policy
-  // enforcement, etc. When communicating with services outside the mesh,
-  // Istio's mTLS authentication is disabled, and policy enforcement is
-  // performed on the client-side as opposed to server-side.
+  // enforcement, etc.
  enum Location {
    // Signifies that the service is external to the mesh. Typically used
    // to indicate external services consumed through APIs.
@ -513,7 +510,7 @@ message ServiceEntry {
    // mesh to include unmanaged infrastructure (e.g., VMs added to a
    // Kubernetes based service mesh).
    MESH_INTERNAL = 1;
-  };
+  }

  // Specify whether the service should be considered external to the mesh
  // or part of the mesh.
@ -561,7 +558,7 @@ message ServiceEntry {
    // specified in the hosts field, if wildcards are not used. DNS resolution
    // cannot be used with Unix domain socket endpoints.
    DNS_ROUND_ROBIN = 3;
-  };
+  }

  // Service resolution mode for the hosts. Care must be taken
  // when setting the resolution mode to NONE for a TCP port without
@ -617,7 +614,7 @@ message ServicePort {
  uint32 number = 1 [(google.api.field_behavior) = REQUIRED];

  // The protocol exposed on the port.
-  // MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+  // MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
  // TLS implies the connection will be routed based on the SNI header to
  // the destination without terminating the TLS connection.
  // +kubebuilder:validation:MaxLength=256
@ -660,12 +657,11 @@ message ServiceEntryStatus {
  repeated ServiceEntryAddress addresses = 10;
 }

-// minor abstraction to allow for adding hostnames if relevant
-message ServiceEntryAddress{
-  // Value is the address (192.168.0.2)
+// A minor abstraction to allow for adding hostnames if relevant.
+message ServiceEntryAddress {
+  // The address (e.g. 192.168.0.2)
  string value = 1;

-  // Host is the name associated with this address
+  // The host name associated with this address
  string host = 2;
 }
-
--- a/networking/v1alpha3/sidecar.pb.go
+++ b/networking/v1alpha3/sidecar.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: networking/v1alpha3/sidecar.proto

@ -38,7 +38,7 @@
 // out unneeded configuration, to improve scalability of the mesh.
 // A common misunderstanding is that restricting the configuration amounts to *blocking* the traffic.
 // If requests are sent to destinations not included in the scoping, the traffic will be treated as
-// [unmatched traffic](docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic), which is often still allowed.
+// [unmatched traffic](/docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic), which is often still allowed.
 // The sidecar is not able to enforce an outbound traffic restriction (see [Egress Gateways](/docs/tasks/traffic-management/egress/egress-gateway/) for how to achieve this).
 //
 // Services and configuration in a mesh are organized into one or more
@ -358,6 +358,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -487,7 +488,7 @@ func (OutboundTrafficPolicy_Mode) EnumDescriptor() ([]byte, []int) {
 //
 // <!-- crd generation tags
 // +cue-gen:Sidecar:groupName:networking.istio.io
-// +cue-gen:Sidecar:versions:v1beta1,v1alpha3,v1
+// +cue-gen:Sidecar:versions:v1,v1beta1,v1alpha3
 // +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
 // +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:Sidecar:subresource:status
@ -503,10 +504,7 @@ func (OutboundTrafficPolicy_Mode) EnumDescriptor() ([]byte, []int) {
 // +k8s:deepcopy-gen=true
 // -->
 type Sidecar struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Criteria used to select the specific set of pods/VMs on which this
 	// `Sidecar` configuration should be applied. If omitted, the `Sidecar`
 	// configuration will be applied to all workload instances in the same namespace.
@ -553,6 +551,8 @@ type Sidecar struct {
 	//
 	// Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed.
 	OutboundTrafficPolicy *OutboundTrafficPolicy `protobuf:"bytes,4,opt,name=outbound_traffic_policy,json=outboundTrafficPolicy,proto3" json:"outbound_traffic_policy,omitempty"`
+	unknownFields         protoimpl.UnknownFields
+	sizeCache             protoimpl.SizeCache
 }

 func (x *Sidecar) Reset() {
@ -623,10 +623,7 @@ func (x *Sidecar) GetOutboundTrafficPolicy() *OutboundTrafficPolicy {
 // `IstioIngressListener` specifies the properties of an inbound
 // traffic listener on the sidecar proxy attached to a workload instance.
 type IstioIngressListener struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The port associated with the listener.
 	Port *SidecarPort `protobuf:"bytes,1,opt,name=port,proto3" json:"port,omitempty"`
 	// The IP(IPv4 or IPv6) to which the listener should be bound.
@ -660,6 +657,8 @@ type IstioIngressListener struct {
 	// overriding both the `Sidecar`'s top level `InboundConnectionPool` as well as any
 	// connection pooling settings from the `DestinationRule`.
 	ConnectionPool *ConnectionPoolSettings `protobuf:"bytes,8,opt,name=connection_pool,json=connectionPool,proto3" json:"connection_pool,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
 }

 func (x *IstioIngressListener) Reset() {
@ -737,10 +736,7 @@ func (x *IstioIngressListener) GetConnectionPool() *ConnectionPoolSettings {
 // `IstioEgressListener` specifies the properties of an outbound traffic
 // listener on the sidecar proxy attached to a workload instance.
 type IstioEgressListener struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// The port associated with the listener. If using Unix domain socket,
 	// use 0 as the port number, with a valid protocol. The port if
 	// specified, will be used as the default destination port associated
@ -790,7 +786,9 @@ type IstioEgressListener struct {
 	// Private configurations (e.g., `exportTo` set to `.`) will
 	// not be available. Refer to the `exportTo` setting in `VirtualService`,
 	// `DestinationRule`, and `ServiceEntry` configurations for details.
-	Hosts []string `protobuf:"bytes,4,rep,name=hosts,proto3" json:"hosts,omitempty"`
+	Hosts         []string `protobuf:"bytes,4,rep,name=hosts,proto3" json:"hosts,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *IstioEgressListener) Reset() {
@ -861,10 +859,7 @@ func (x *IstioEgressListener) GetHosts() []string {
 // order for the workload instance to be selected. Currently, only
 // label based selection mechanism is supported.
 type WorkloadSelector struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// One or more labels that indicate a specific set of pods/VMs
 	// on which the configuration should be applied. The scope of
 	// label search is restricted to the configuration namespace in which the
@ -872,7 +867,9 @@ type WorkloadSelector struct {
 	// +kubebuilder:validation:MaxProperties=256
 	// +protoc-gen-crd:map-value-validation:MaxLength=63
 	// +protoc-gen-crd:map-value-validation:XValidation:message="wildcard is not supported in selector",rule="!self.contains('*')"
-	Labels map[string]string `protobuf:"bytes,1,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Labels        map[string]string `protobuf:"bytes,1,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *WorkloadSelector) Reset() {
@ -915,11 +912,8 @@ func (x *WorkloadSelector) GetLabels() map[string]string {
 // `OutboundTrafficPolicy` sets the default behavior of the sidecar for
 // handling unknown outbound traffic from the application.
 type OutboundTrafficPolicy struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
-	Mode OutboundTrafficPolicy_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.networking.v1alpha3.OutboundTrafficPolicy_Mode" json:"mode,omitempty"`
+	state protoimpl.MessageState     `protogen:"open.v1"`
+	Mode  OutboundTrafficPolicy_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.networking.v1alpha3.OutboundTrafficPolicy_Mode" json:"mode,omitempty"`
 	// Specifies the details of the egress proxy to which unknown
 	// traffic should be forwarded to from the sidecar. Valid only if
 	// the mode is set to ALLOW_ANY. If not specified when the mode is
@ -934,7 +928,9 @@ type OutboundTrafficPolicy struct {
 	// Envoy's dynamic forward proxy can handle only HTTP and TLS
 	// connections.
 	// $hide_from_docs
-	EgressProxy *Destination `protobuf:"bytes,2,opt,name=egress_proxy,json=egressProxy,proto3" json:"egress_proxy,omitempty"`
+	EgressProxy   *Destination `protobuf:"bytes,2,opt,name=egress_proxy,json=egressProxy,proto3" json:"egress_proxy,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *OutboundTrafficPolicy) Reset() {
@ -983,14 +979,11 @@ func (x *OutboundTrafficPolicy) GetEgressProxy() *Destination {

 // Port describes the properties of a specific port of a service.
 type SidecarPort struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// A valid non-negative integer port number.
 	Number uint32 `protobuf:"varint,1,opt,name=number,proto3" json:"number,omitempty"`
 	// The protocol exposed on the port.
-	// MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+	// MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
 	// TLS can be either used to terminate non-HTTP based connections on a specific port
 	// or to route traffic based on SNI header to the destination without terminating the TLS connection.
 	Protocol string `protobuf:"bytes,2,opt,name=protocol,proto3" json:"protocol,omitempty"`
@ -1001,7 +994,9 @@ type SidecarPort struct {
 	// $hide_from_docs
 	//
 	// Deprecated: Marked as deprecated in networking/v1alpha3/sidecar.proto.
-	TargetPort uint32 `protobuf:"varint,4,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	TargetPort    uint32 `protobuf:"varint,4,opt,name=target_port,json=targetPort,proto3" json:"target_port,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
 }

 func (x *SidecarPort) Reset() {
@ -1065,140 +1060,57 @@ func (x *SidecarPort) GetTargetPort() uint32 {

 var File_networking_v1alpha3_sidecar_proto protoreflect.FileDescriptor

-var file_networking_v1alpha3_sidecar_proto_rawDesc = []byte{
-	0x0a, 0x21, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x2e, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x12, 0x19, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f,
-	0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x1a, 0x1f,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64,
-	0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a,
-	0x2a, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c,
-	0x70, 0x68, 0x61, 0x33, 0x2f, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e,
-	0x5f, 0x72, 0x75, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x21, 0x6e, 0x65, 0x74,
-	0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33,
-	0x2f, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x29,
-	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x33, 0x2f, 0x76, 0x69, 0x72, 0x74, 0x75, 0x61, 0x6c, 0x5f, 0x73, 0x65, 0x72, 0x76,
-	0x69, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe2, 0x03, 0x0a, 0x07, 0x53, 0x69,
-	0x64, 0x65, 0x63, 0x61, 0x72, 0x12, 0x58, 0x0a, 0x11, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61,
-	0x64, 0x5f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x57, 0x6f, 0x72,
-	0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x10, 0x77,
-	0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12,
-	0x49, 0x0a, 0x07, 0x69, 0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x49, 0x73, 0x74,
-	0x69, 0x6f, 0x49, 0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65,
-	0x72, 0x52, 0x07, 0x69, 0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x12, 0x46, 0x0a, 0x06, 0x65, 0x67,
-	0x72, 0x65, 0x73, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2e, 0x2e, 0x69, 0x73, 0x74,
-	0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31,
-	0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x45, 0x67, 0x72, 0x65,
-	0x73, 0x73, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x52, 0x06, 0x65, 0x67, 0x72, 0x65,
-	0x73, 0x73, 0x12, 0x69, 0x0a, 0x17, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f,
-	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x6f, 0x6f, 0x6c, 0x18, 0x07, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77,
-	0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e,
-	0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x6f, 0x6c, 0x53, 0x65,
-	0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x15, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43,
-	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x6f, 0x6c, 0x12, 0x68, 0x0a,
-	0x17, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69,
-	0x63, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e,
-	0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x4f, 0x75, 0x74, 0x62, 0x6f,
-	0x75, 0x6e, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79,
-	0x52, 0x15, 0x6f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69,
-	0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08,
-	0x06, 0x10, 0x07, 0x52, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x22, 0xa0,
-	0x03, 0x0a, 0x14, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x49, 0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x4c,
-	0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x12, 0x40, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65,
-	0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
-	0x33, 0x2e, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x50, 0x6f, 0x72, 0x74, 0x42, 0x04, 0xe2,
-	0x41, 0x01, 0x02, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x69, 0x6e,
-	0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x69, 0x6e, 0x64, 0x12, 0x49, 0x0a,
-	0x0c, 0x63, 0x61, 0x70, 0x74, 0x75, 0x72, 0x65, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77,
-	0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e,
-	0x43, 0x61, 0x70, 0x74, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x0b, 0x63, 0x61, 0x70,
-	0x74, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x29, 0x0a, 0x10, 0x64, 0x65, 0x66, 0x61,
-	0x75, 0x6c, 0x74, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x04, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x0f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x45, 0x6e, 0x64, 0x70, 0x6f,
-	0x69, 0x6e, 0x74, 0x12, 0x3e, 0x0a, 0x03, 0x74, 0x6c, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x2c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72,
-	0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52, 0x03,
-	0x74, 0x6c, 0x73, 0x12, 0x5a, 0x0a, 0x0f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
-	0x6e, 0x5f, 0x70, 0x6f, 0x6f, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
-	0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x6f, 0x6c, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x52,
-	0x0e, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x6f, 0x6c, 0x4a,
-	0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x52, 0x14, 0x6c, 0x6f, 0x63,
-	0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x74, 0x6c,
-	0x73, 0x22, 0xee, 0x01, 0x0a, 0x13, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x45, 0x67, 0x72, 0x65, 0x73,
-	0x73, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x12, 0x3a, 0x0a, 0x04, 0x70, 0x6f, 0x72,
-	0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x33, 0x2e, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x50, 0x6f, 0x72, 0x74, 0x52,
-	0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x62, 0x69, 0x6e, 0x64, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x69, 0x6e, 0x64, 0x12, 0x49, 0x0a, 0x0c, 0x63, 0x61, 0x70,
-	0x74, 0x75, 0x72, 0x65, 0x5f, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32,
-	0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69,
-	0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x43, 0x61, 0x70, 0x74,
-	0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x0b, 0x63, 0x61, 0x70, 0x74, 0x75, 0x72, 0x65,
-	0x4d, 0x6f, 0x64, 0x65, 0x12, 0x1a, 0x0a, 0x05, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x04, 0x20,
-	0x03, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x05, 0x68, 0x6f, 0x73, 0x74, 0x73,
-	0x4a, 0x04, 0x08, 0x05, 0x10, 0x06, 0x4a, 0x04, 0x08, 0x06, 0x10, 0x07, 0x52, 0x14, 0x6c, 0x6f,
-	0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x74,
-	0x6c, 0x73, 0x22, 0x9e, 0x01, 0x0a, 0x10, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53,
-	0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x4f, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c,
-	0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
-	0x68, 0x61, 0x33, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65,
-	0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
-	0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x1a, 0x39, 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65,
-	0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
-	0x02, 0x38, 0x01, 0x22, 0xd7, 0x01, 0x0a, 0x15, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64,
-	0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x49, 0x0a,
-	0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x69, 0x73,
-	0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76,
-	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64,
-	0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4d, 0x6f,
-	0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x49, 0x0a, 0x0c, 0x65, 0x67, 0x72, 0x65,
-	0x73, 0x73, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26,
-	0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e,
-	0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x44, 0x65, 0x73, 0x74, 0x69,
-	0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x65, 0x67, 0x72, 0x65, 0x73, 0x73, 0x50, 0x72,
-	0x6f, 0x78, 0x79, 0x22, 0x28, 0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x11, 0x0a, 0x0d, 0x52,
-	0x45, 0x47, 0x49, 0x53, 0x54, 0x52, 0x59, 0x5f, 0x4f, 0x4e, 0x4c, 0x59, 0x10, 0x00, 0x12, 0x0d,
-	0x0a, 0x09, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x41, 0x4e, 0x59, 0x10, 0x01, 0x22, 0x7a, 0x0a,
-	0x0b, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x16, 0x0a, 0x06,
-	0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6e, 0x75,
-	0x6d, 0x62, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
-	0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
-	0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70,
-	0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0a, 0x74,
-	0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x2a, 0x32, 0x0a, 0x0b, 0x43, 0x61, 0x70,
-	0x74, 0x75, 0x72, 0x65, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0b, 0x0a, 0x07, 0x44, 0x45, 0x46, 0x41,
-	0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x49, 0x50, 0x54, 0x41, 0x42, 0x4c, 0x45,
-	0x53, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x4e, 0x4f, 0x4e, 0x45, 0x10, 0x02, 0x42, 0x22, 0x5a,
-	0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65,
-	0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
-	0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
-}
+const file_networking_v1alpha3_sidecar_proto_rawDesc = "" +
+	"\n" +
+	"!networking/v1alpha3/sidecar.proto\x12\x19istio.networking.v1alpha3\x1a\x1fgoogle/api/field_behavior.proto\x1a*networking/v1alpha3/destination_rule.proto\x1a!networking/v1alpha3/gateway.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xe2\x03\n" +
+	"\aSidecar\x12X\n" +
+	"\x11workload_selector\x18\x01 \x01(\v2+.istio.networking.v1alpha3.WorkloadSelectorR\x10workloadSelector\x12I\n" +
+	"\aingress\x18\x02 \x03(\v2/.istio.networking.v1alpha3.IstioIngressListenerR\aingress\x12F\n" +
+	"\x06egress\x18\x03 \x03(\v2..istio.networking.v1alpha3.IstioEgressListenerR\x06egress\x12i\n" +
+	"\x17inbound_connection_pool\x18\a \x01(\v21.istio.networking.v1alpha3.ConnectionPoolSettingsR\x15inboundConnectionPool\x12h\n" +
+	"\x17outbound_traffic_policy\x18\x04 \x01(\v20.istio.networking.v1alpha3.OutboundTrafficPolicyR\x15outboundTrafficPolicyJ\x04\b\x05\x10\x06J\x04\b\x06\x10\aR\tlocalhost\"\xa0\x03\n" +
+	"\x14IstioIngressListener\x12@\n" +
+	"\x04port\x18\x01 \x01(\v2&.istio.networking.v1alpha3.SidecarPortB\x04\xe2A\x01\x02R\x04port\x12\x12\n" +
+	"\x04bind\x18\x02 \x01(\tR\x04bind\x12I\n" +
+	"\fcapture_mode\x18\x03 \x01(\x0e2&.istio.networking.v1alpha3.CaptureModeR\vcaptureMode\x12)\n" +
+	"\x10default_endpoint\x18\x04 \x01(\tR\x0fdefaultEndpoint\x12>\n" +
+	"\x03tls\x18\a \x01(\v2,.istio.networking.v1alpha3.ServerTLSSettingsR\x03tls\x12Z\n" +
+	"\x0fconnection_pool\x18\b \x01(\v21.istio.networking.v1alpha3.ConnectionPoolSettingsR\x0econnectionPoolJ\x04\b\x05\x10\x06J\x04\b\x06\x10\aR\x14localhost_client_tls\"\xee\x01\n" +
+	"\x13IstioEgressListener\x12:\n" +
+	"\x04port\x18\x01 \x01(\v2&.istio.networking.v1alpha3.SidecarPortR\x04port\x12\x12\n" +
+	"\x04bind\x18\x02 \x01(\tR\x04bind\x12I\n" +
+	"\fcapture_mode\x18\x03 \x01(\x0e2&.istio.networking.v1alpha3.CaptureModeR\vcaptureMode\x12\x1a\n" +
+	"\x05hosts\x18\x04 \x03(\tB\x04\xe2A\x01\x02R\x05hostsJ\x04\b\x05\x10\x06J\x04\b\x06\x10\aR\x14localhost_server_tls\"\x9e\x01\n" +
+	"\x10WorkloadSelector\x12O\n" +
+	"\x06labels\x18\x01 \x03(\v27.istio.networking.v1alpha3.WorkloadSelector.LabelsEntryR\x06labels\x1a9\n" +
+	"\vLabelsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01\"\xd7\x01\n" +
+	"\x15OutboundTrafficPolicy\x12I\n" +
+	"\x04mode\x18\x01 \x01(\x0e25.istio.networking.v1alpha3.OutboundTrafficPolicy.ModeR\x04mode\x12I\n" +
+	"\fegress_proxy\x18\x02 \x01(\v2&.istio.networking.v1alpha3.DestinationR\vegressProxy\"(\n" +
+	"\x04Mode\x12\x11\n" +
+	"\rREGISTRY_ONLY\x10\x00\x12\r\n" +
+	"\tALLOW_ANY\x10\x01\"z\n" +
+	"\vSidecarPort\x12\x16\n" +
+	"\x06number\x18\x01 \x01(\rR\x06number\x12\x1a\n" +
+	"\bprotocol\x18\x02 \x01(\tR\bprotocol\x12\x12\n" +
+	"\x04name\x18\x03 \x01(\tR\x04name\x12#\n" +
+	"\vtarget_port\x18\x04 \x01(\rB\x02\x18\x01R\n" +
+	"targetPort*2\n" +
+	"\vCaptureMode\x12\v\n" +
+	"\aDEFAULT\x10\x00\x12\f\n" +
+	"\bIPTABLES\x10\x01\x12\b\n" +
+	"\x04NONE\x10\x02B\"Z istio.io/api/networking/v1alpha3b\x06proto3"

 var (
 	file_networking_v1alpha3_sidecar_proto_rawDescOnce sync.Once
-	file_networking_v1alpha3_sidecar_proto_rawDescData = file_networking_v1alpha3_sidecar_proto_rawDesc
+	file_networking_v1alpha3_sidecar_proto_rawDescData []byte
 )

 func file_networking_v1alpha3_sidecar_proto_rawDescGZIP() []byte {
 	file_networking_v1alpha3_sidecar_proto_rawDescOnce.Do(func() {
-		file_networking_v1alpha3_sidecar_proto_rawDescData = protoimpl.X.CompressGZIP(file_networking_v1alpha3_sidecar_proto_rawDescData)
+		file_networking_v1alpha3_sidecar_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_sidecar_proto_rawDesc), len(file_networking_v1alpha3_sidecar_proto_rawDesc)))
 	})
 	return file_networking_v1alpha3_sidecar_proto_rawDescData
 }
@ -1253,7 +1165,7 @@ func file_networking_v1alpha3_sidecar_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_networking_v1alpha3_sidecar_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_sidecar_proto_rawDesc), len(file_networking_v1alpha3_sidecar_proto_rawDesc)),
 			NumEnums:      2,
 			NumMessages:   7,
 			NumExtensions: 0,
@ -1265,7 +1177,6 @@ func file_networking_v1alpha3_sidecar_proto_init() {
 		MessageInfos:      file_networking_v1alpha3_sidecar_proto_msgTypes,
 	}.Build()
 	File_networking_v1alpha3_sidecar_proto = out.File
-	file_networking_v1alpha3_sidecar_proto_rawDesc = nil
 	file_networking_v1alpha3_sidecar_proto_goTypes = nil
 	file_networking_v1alpha3_sidecar_proto_depIdxs = nil
 }
--- a/networking/v1alpha3/sidecar.pb.html
+++ b/networking/v1alpha3/sidecar.pb.html
@ -21,7 +21,7 @@ This configuration scoping, among <a href="/docs/ops/configuration/mesh/configur
 out unneeded configuration, to improve scalability of the mesh.
 A common misunderstanding is that restricting the configuration amounts to <em>blocking</em> the traffic.
 If requests are sent to destinations not included in the scoping, the traffic will be treated as
-<a href="docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic">unmatched traffic</a>, which is often still allowed.
+<a href="/docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic">unmatched traffic</a>, which is often still allowed.
 The sidecar is not able to enforce an outbound traffic restriction (see <a href="/docs/tasks/traffic-management/egress/egress-gateway/">Egress Gateways</a> for how to achieve this).</p>
 <p>Services and configuration in a mesh are organized into one or more
 namespaces (e.g., a Kubernetes namespace or a CF org/space). A <code>Sidecar</code>
@ -314,28 +314,25 @@ attached.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="Sidecar-workload_selector">
-<td><code>workloadSelector</code></td>
-<td><code><a href="#WorkloadSelector">WorkloadSelector</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Sidecar-workload_selector">workloadSelector</a></code></div>
+<div class="type"><a href="#WorkloadSelector">WorkloadSelector</a></div>
+</div></td>
 <td>
 <p>Criteria used to select the specific set of pods/VMs on which this
 <code>Sidecar</code> configuration should be applied. If omitted, the <code>Sidecar</code>
 configuration will be applied to all workload instances in the same namespace.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="Sidecar-ingress">
-<td><code>ingress</code></td>
-<td><code><a href="#IstioIngressListener">IstioIngressListener[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Sidecar-ingress">ingress</a></code></div>
+<div class="type"><a href="#IstioIngressListener">IstioIngressListener[]</a></div>
+</div></td>
 <td>
 <p>Ingress specifies the configuration of the sidecar for processing
 inbound traffic to the attached workload instance. If omitted, Istio will
@ -344,28 +341,24 @@ obtained from the orchestration platform (e.g., exposed ports, services,
 etc.). If specified, inbound ports are configured if and only if the
 workload instance is associated with a service.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="Sidecar-egress">
-<td><code>egress</code></td>
-<td><code><a href="#IstioEgressListener">IstioEgressListener[]</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Sidecar-egress">egress</a></code></div>
+<div class="type"><a href="#IstioEgressListener">IstioEgressListener[]</a></div>
+</div></td>
 <td>
 <p>Egress specifies the configuration of the sidecar for processing
 outbound traffic from the attached workload instance to other
 services in the mesh. If not specified, inherits the system
 detected defaults from the namespace-wide or the global default Sidecar.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="Sidecar-inbound_connection_pool">
-<td><code>inboundConnectionPool</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings">ConnectionPoolSettings</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Sidecar-inbound_connection_pool">inboundConnectionPool</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings">ConnectionPoolSettings</a></div>
+</div></td>
 <td>
 <p>Settings controlling the volume of connections Envoy will accept from the network.
 This default will apply for all inbound listeners and can be overridden per-port
@ -391,22 +384,17 @@ following precedence, highest to lowest:</p>
 </ul>
 <p>In every case, the connection pool settings are overridden, not merged.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="Sidecar-outbound_traffic_policy">
-<td><code>outboundTrafficPolicy</code></td>
-<td><code><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#Sidecar-outbound_traffic_policy">outboundTrafficPolicy</a></code></div>
+<div class="type"><a href="#OutboundTrafficPolicy">OutboundTrafficPolicy</a></div>
+</div></td>
 <td>
 <p>Set the default behavior of the sidecar for handling outbound
 traffic from the application.</p>
 <p>Default mode is <code>ALLOW_ANY</code>, which means outbound traffic to unknown destinations will be allowed.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -421,26 +409,24 @@ traffic listener on the sidecar proxy attached to a workload instance.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="IstioIngressListener-port">
-<td><code>port</code></td>
-<td><code><a href="#SidecarPort">SidecarPort</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-port">port</a></code></div>
+<div class="type"><a href="#SidecarPort">SidecarPort</a></div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>The port associated with the listener.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 <tr id="IstioIngressListener-bind">
-<td><code>bind</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-bind">bind</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The IP(IPv4 or IPv6) to which the listener should be bound.
 Unix domain socket addresses are not allowed in
@ -449,26 +435,22 @@ automatically configure the defaults based on imported services
 and the workload instances to which this configuration is applied
 to.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioIngressListener-capture_mode">
-<td><code>captureMode</code></td>
-<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-capture_mode">captureMode</a></code></div>
+<div class="type"><a href="#CaptureMode">CaptureMode</a></div>
+</div></td>
 <td>
 <p>The captureMode option dictates how traffic to the listener is
 expected to be captured (or not).</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioIngressListener-default_endpoint">
-<td><code>defaultEndpoint</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-default_endpoint">defaultEndpoint</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The IP endpoint or Unix domain socket to which
 traffic should be forwarded to. This configuration can be used to
@ -479,27 +461,23 @@ connections. Arbitrary IPs are not supported. Format should be one of
 <code>0.0.0.0:PORT</code>, <code>[::]:PORT</code> (forward to the instance IP),
 or <code>unix:///path/to/socket</code> (forward to Unix domain socket).</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioIngressListener-tls">
-<td><code>tls</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/networking/gateway.html#ServerTLSSettings">ServerTLSSettings</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-tls">tls</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/networking/gateway.html#ServerTLSSettings">ServerTLSSettings</a></div>
+</div></td>
 <td>
 <p>Set of TLS related options that will enable TLS termination on the
 sidecar for requests originating from outside the mesh.
 Currently supports only SIMPLE and MUTUAL TLS modes.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioIngressListener-connection_pool">
-<td><code>connectionPool</code></td>
-<td><code><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings">ConnectionPoolSettings</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioIngressListener-connection_pool">connectionPool</a></code></div>
+<div class="type"><a href="https://istio.io/docs/reference/config/networking/destination-rule.html#ConnectionPoolSettings">ConnectionPoolSettings</a></div>
+</div></td>
 <td>
 <p>Settings controlling the volume of connections Envoy will accept from the network.
 This setting overrides the top-level default <code>inboundConnectionPool</code> to configure
@ -509,9 +487,6 @@ This port level connection pool has the highest precedence in configuration,
 overriding both the <code>Sidecar</code>&rsquo;s top level <code>InboundConnectionPool</code> as well as any
 connection pooling settings from the <code>DestinationRule</code>.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -526,15 +501,14 @@ listener on the sidecar proxy attached to a workload instance.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="IstioEgressListener-port">
-<td><code>port</code></td>
-<td><code><a href="#SidecarPort">SidecarPort</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-port">port</a></code></div>
+<div class="type"><a href="#SidecarPort">SidecarPort</a></div>
+</div></td>
 <td>
 <p>The port associated with the listener. If using Unix domain socket,
 use 0 as the port number, with a valid protocol. The port if
@ -546,14 +520,12 @@ specific ports while others have no port, the hosts exposed on a
 listener port will be based on the listener with the most specific
 port.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioEgressListener-bind">
-<td><code>bind</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-bind">bind</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The IP(IPv4 or IPv6) or the Unix domain socket to which the listener should be bound
 to. Port MUST be specified if bind is not empty. Format: IPv4 or IPv6 address formats or
@ -563,27 +535,24 @@ services, the workload instances to which this configuration is applied to and
 the captureMode. If captureMode is <code>NONE</code>, bind will default to
 127.0.0.1.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioEgressListener-capture_mode">
-<td><code>captureMode</code></td>
-<td><code><a href="#CaptureMode">CaptureMode</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-capture_mode">captureMode</a></code></div>
+<div class="type"><a href="#CaptureMode">CaptureMode</a></div>
+</div></td>
 <td>
 <p>When the bind address is an IP, the captureMode option dictates
 how traffic to the listener is expected to be captured (or not).
 captureMode must be DEFAULT or <code>NONE</code> for Unix domain socket binds.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="IstioEgressListener-hosts">
-<td><code>hosts</code></td>
-<td><code>string[]</code></td>
+<td><div class="field"><div class="name"><code><a href="#IstioEgressListener-hosts">hosts</a></code></div>
+<div class="type">string[]</div>
+<div class="required">Required</div>
+</div></td>
 <td>
 <p>One or more service hosts exposed by the listener
 in <code>namespace/dnsName</code> format. Services in the specified namespace
@ -610,9 +579,6 @@ Private configurations (e.g., <code>exportTo</code> set to <code>.</code>) will
 not be available. Refer to the <code>exportTo</code> setting in <code>VirtualService</code>,
 <code>DestinationRule</code>, and <code>ServiceEntry</code> configurations for details.</p>

-</td>
-<td>
-Yes
 </td>
 </tr>
 </tbody>
@ -634,24 +600,20 @@ label based selection mechanism is supported.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="WorkloadSelector-labels">
-<td><code>labels</code></td>
-<td><code>map&lt;string,&nbsp;string&gt;</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadSelector-labels">labels</a></code></div>
+<div class="type">map&lt;string,&nbsp;string&gt;</div>
+</div></td>
 <td>
 <p>One or more labels that indicate a specific set of pods/VMs
 on which the configuration should be applied. The scope of
 label search is restricted to the configuration namespace in which the
 the resource is present.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
@ -666,19 +628,49 @@ handling unknown outbound traffic from the application.</p>
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="OutboundTrafficPolicy-mode">
-<td><code>mode</code></td>
-<td><code><a href="#OutboundTrafficPolicy-Mode">Mode</a></code></td>
+<td><div class="field"><div class="name"><code><a href="#OutboundTrafficPolicy-mode">mode</a></code></div>
+<div class="type"><a href="#OutboundTrafficPolicy-Mode">Mode</a></div>
+</div></td>
 <td>
 </td>
+</tr>
+</tbody>
+</table>
+</section>
+<h3 id="OutboundTrafficPolicy-Mode">Mode</h3>
+<section>
+<table class="enum-values">
+<thead>
+<tr>
+<th>Name</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
+<td><code><a href="#OutboundTrafficPolicy-Mode-REGISTRY_ONLY">REGISTRY_ONLY</a></code></td>
 <td>
-No
+<p>In <code>REGISTRY_ONLY</code> mode, unknown outbound traffic will be dropped.
+Traffic destinations must be explicitly declared into the service registry through <code>ServiceEntry</code> configurations.</p>
+<p>Note: Istio <a href="https://istio.io/latest/docs/ops/best-practices/security/#understand-traffic-capture-limitations">does not offer an outbound traffic security policy</a>.
+This option does not act as one, or as any form of an outbound firewall.
+Instead, this option exists primarily to offer users a way to detect missing <code>ServiceEntry</code> configurations by explicitly failing.</p>
+
+</td>
+</tr>
+<tr id="OutboundTrafficPolicy-Mode-ALLOW_ANY">
+<td><code><a href="#OutboundTrafficPolicy-Mode-ALLOW_ANY">ALLOW_ANY</a></code></td>
+<td>
+<p>In <code>ALLOW_ANY</code> mode, any traffic to unknown destinations will be allowed.
+Unknown destination traffic will have limited functionality, however, such as reduced observability.
+This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
+to arbitrary destinations.</p>
+
 </td>
 </tr>
 </tbody>
@ -692,80 +684,38 @@ No
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="SidecarPort-number">
-<td><code>number</code></td>
-<td><code>uint32</code></td>
+<td><div class="field"><div class="name"><code><a href="#SidecarPort-number">number</a></code></div>
+<div class="type">uint32</div>
+</div></td>
 <td>
 <p>A valid non-negative integer port number.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="SidecarPort-protocol">
-<td><code>protocol</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#SidecarPort-protocol">protocol</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
 TLS can be either used to terminate non-HTTP based connections on a specific port
 or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="SidecarPort-name">
-<td><code>name</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#SidecarPort-name">name</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Label assigned to the port.</p>

-</td>
-<td>
-No
-</td>
-</tr>
-</tbody>
-</table>
-</section>
-<h2 id="OutboundTrafficPolicy-Mode">OutboundTrafficPolicy.Mode</h2>
-<section>
-<table class="enum-values">
-<thead>
-<tr>
-<th>Name</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr id="OutboundTrafficPolicy-Mode-REGISTRY_ONLY">
-<td><code>REGISTRY_ONLY</code></td>
-<td>
-<p>In <code>REGISTRY_ONLY</code> mode, unknown outbound traffic will be dropped.
-Traffic destinations must be explicitly declared into the service registry through <code>ServiceEntry</code> configurations.</p>
-<p>Note: Istio <a href="https://istio.io/latest/docs/ops/best-practices/security/#understand-traffic-capture-limitations">does not offer an outbound traffic security policy</a>.
-This option does not act as one, or as any form of an outbound firewall.
-Instead, this option exists primarily to offer users a way to detect missing <code>ServiceEntry</code> configurations by explicitly failing.</p>
-
-</td>
-</tr>
-<tr id="OutboundTrafficPolicy-Mode-ALLOW_ANY">
-<td><code>ALLOW_ANY</code></td>
-<td>
-<p>In <code>ALLOW_ANY</code> mode, any traffic to unknown destinations will be allowed.
-Unknown destination traffic will have limited functionality, however, such as reduced observability.
-This mode allows users that do not have all possible egress destinations registered through <code>ServiceEntry</code> configurations to still connect
-to arbitrary destinations.</p>
-
 </td>
 </tr>
 </tbody>
@ -785,21 +735,21 @@ captured. Applicable only when the listener is bound to an IP.</p>
 </thead>
 <tbody>
 <tr id="CaptureMode-DEFAULT">
-<td><code>DEFAULT</code></td>
+<td><code><a href="#CaptureMode-DEFAULT">DEFAULT</a></code></td>
 <td>
 <p>The default capture mode defined by the environment.</p>

 </td>
 </tr>
 <tr id="CaptureMode-IPTABLES">
-<td><code>IPTABLES</code></td>
+<td><code><a href="#CaptureMode-IPTABLES">IPTABLES</a></code></td>
 <td>
 <p>Capture traffic using IPtables redirection.</p>

 </td>
 </tr>
 <tr id="CaptureMode-NONE">
-<td><code>NONE</code></td>
+<td><code><a href="#CaptureMode-NONE">NONE</a></code></td>
 <td>
 <p>No traffic capture. When used in an egress listener, the application is
 expected to explicitly communicate with the listener port or Unix
--- a/networking/v1alpha3/sidecar.proto
+++ b/networking/v1alpha3/sidecar.proto
@ -14,11 +14,6 @@

 syntax = "proto3";

-import "google/api/field_behavior.proto";
-import "networking/v1alpha3/destination_rule.proto";
-import "networking/v1alpha3/gateway.proto";
-import "networking/v1alpha3/virtual_service.proto";
-
 // $schema: istio.networking.v1alpha3.Sidecar
 // $title: Sidecar
 // $description: Configuration affecting network reachability of a sidecar.
@ -39,7 +34,7 @@ import "networking/v1alpha3/virtual_service.proto";
 // out unneeded configuration, to improve scalability of the mesh.
 // A common misunderstanding is that restricting the configuration amounts to *blocking* the traffic.
 // If requests are sent to destinations not included in the scoping, the traffic will be treated as
-// [unmatched traffic](docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic), which is often still allowed.
+// [unmatched traffic](/docs/ops/configuration/traffic-management/traffic-routing/#unmatched-traffic), which is often still allowed.
 // The sidecar is not able to enforce an outbound traffic restriction (see [Egress Gateways](/docs/tasks/traffic-management/egress/egress-gateway/) for how to achieve this).
 //
 // Services and configuration in a mesh are organized into one or more
@ -352,6 +347,11 @@ import "networking/v1alpha3/virtual_service.proto";
 // ```
 package istio.networking.v1alpha3;

+import "google/api/field_behavior.proto";
+import "networking/v1alpha3/destination_rule.proto";
+import "networking/v1alpha3/gateway.proto";
+import "networking/v1alpha3/virtual_service.proto";
+
 option go_package = "istio.io/api/networking/v1alpha3";

 // `Sidecar` describes the configuration of the sidecar proxy that mediates
@ -360,7 +360,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //
 // <!-- crd generation tags
 // +cue-gen:Sidecar:groupName:networking.istio.io
-// +cue-gen:Sidecar:versions:v1beta1,v1alpha3,v1
+// +cue-gen:Sidecar:versions:v1,v1beta1,v1alpha3
 // +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
 // +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:Sidecar:subresource:status
@ -559,7 +559,7 @@ message WorkloadSelector {

  // $hide_from_docs
  // other forms of identification supplied by the proxy
-  // when connecting to Pilot, such as X509 fields, tenant IDs, JWT,
+  // when connecting to istiod, such as X509 fields, tenant IDs, JWT,
  // etc. This has nothing to do with the request level authN etc.
 }

@ -599,7 +599,6 @@ message OutboundTrafficPolicy {
  Destination egress_proxy = 2;
 }

-
 // `CaptureMode` describes how traffic to a listener is expected to be
 // captured. Applicable only when the listener is bound to an IP.
 enum CaptureMode {
@ -623,7 +622,7 @@ message SidecarPort {
  uint32 number = 1;

  // The protocol exposed on the port.
-  // MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+  // MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
  // TLS can be either used to terminate non-HTTP based connections on a specific port
  // or to route traffic based on SNI header to the destination without terminating the TLS connection.
  string protocol = 2;
@ -634,5 +633,5 @@ message SidecarPort {
  // Has no effect, only for backwards compatibility
  // received. Applicable only when used with ServiceEntries.
  // $hide_from_docs
-  uint32 target_port = 4 [deprecated=true];
+  uint32 target_port = 4 [deprecated = true];
 }
--- a/networking/v1alpha3/virtual_service.pb.go
+++ b/networking/v1alpha3/virtual_service.pb.go
--- a/networking/v1alpha3/virtual_service.pb.html
+++ b/networking/v1alpha3/virtual_service.pb.html
--- a/networking/v1alpha3/virtual_service.proto
+++ b/networking/v1alpha3/virtual_service.proto
@ -14,10 +14,6 @@

 syntax = "proto3";

-import "google/api/field_behavior.proto";
-import "google/protobuf/duration.proto";
-import "google/protobuf/wrappers.proto";
-
 // $schema: istio.networking.v1alpha3.VirtualService
 // $title: Virtual Service
 // $description: Configuration affecting label/content routing, sni routing, etc.
@ -117,13 +113,17 @@ import "google/protobuf/wrappers.proto";
 //
 package istio.networking.v1alpha3;

+import "google/api/field_behavior.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
 option go_package = "istio.io/api/networking/v1alpha3";

 // Configuration affecting traffic routing.
 //
 // <!-- crd generation tags
 // +cue-gen:VirtualService:groupName:networking.istio.io
-// +cue-gen:VirtualService:versions:v1beta1,v1alpha3,v1
+// +cue-gen:VirtualService:versions:v1,v1beta1,v1alpha3
 // +cue-gen:VirtualService:annotations:helm.sh/resource-policy=keep
 // +cue-gen:VirtualService:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:VirtualService:subresource:status
@ -450,7 +450,7 @@ message HTTPRoute {
  //
  // ```yaml
  // attempts: 2
-  // retryOn: "connect-failure,refused-stream,unavailable,cancelled,503"
+  // retryOn: "connect-failure,refused-stream,unavailable,cancelled"
  // ```
  //
  // This can be customized in [`Mesh Config` `defaultHttpRetryPolicy`](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig).
@ -482,7 +482,7 @@ message HTTPRoute {
  // double `mirror_percentage` field instead
  // $hide_from_docs
  // +kubebuilder:altName=mirror_percent
-  google.protobuf.UInt32Value mirror_percent = 18 [deprecated=true];
+  google.protobuf.UInt32Value mirror_percent = 18 [deprecated = true];

  // Percentage of the traffic to be mirrored by the `mirror` field.
  // If this field is absent, all the traffic (100%) will be mirrored.
@ -495,7 +495,7 @@ message HTTPRoute {
  CorsPolicy cors_policy = 10;

  reserved 11 to 15;
-  reserved "append_headers", "remove_response_headers", "append_response_headers","remove_request_headers", "append_request_headers";
+  reserved "append_headers", "remove_response_headers", "append_response_headers", "remove_request_headers", "append_request_headers";

  // Header manipulation rules
  Headers headers = 16;
@ -504,7 +504,6 @@ message HTTPRoute {
  // Next available field number: 23
 }

-
 // Describes the delegate VirtualService.
 // The following routing rules forward the traffic to `/productpage` by a delegate VirtualService named `productpage`,
 // forward the traffic to `/reviews` by a delegate VirtualService named `reviews`.
@ -573,7 +572,6 @@ message Delegate {
  string namespace = 2;
 }

-
 // Message headers can be manipulated when Envoy forwards requests to,
 // or responses from, a destination service. Header manipulation rules can
 // be specified for a specific route destination or for all destinations.
@ -817,6 +815,9 @@ message HTTPMatchRequest {
  // with the given labels. If the VirtualService has a list of gateways specified
  // in the top-level `gateways` field, it must include the reserved gateway
  // `mesh` for this field to be applicable.
+  //
+  // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
+  // VirtualService applies to.
  map<string, string> source_labels = 7;

  // Names of gateways where the rule should be applied. Gateway names
@ -855,6 +856,9 @@ message HTTPMatchRequest {
  // Source namespace constraining the applicability of a rule to workloads in that namespace.
  // If the VirtualService has a list of gateways specified in the top-level `gateways` field,
  // it must include the reserved gateway `mesh` for this field to be applicable.
+  //
+  // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
+  // VirtualService applies to.
  string source_namespace = 13;

  // The human readable prefix to use when emitting statistics for this route.
@ -983,6 +987,9 @@ message L4MatchAttributes {
  // workloads with the given labels. If the VirtualService has a list of
  // gateways specified in the top-level `gateways` field, it should include the reserved gateway
  // `mesh` in order for this field to be applicable.
+  //
+  // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
+  // VirtualService applies to.
  map<string, string> source_labels = 4;

  // Names of gateways where the rule should be applied. Gateway names
@ -993,6 +1000,9 @@ message L4MatchAttributes {
  // Source namespace constraining the applicability of a rule to workloads in that namespace.
  // If the VirtualService has a list of gateways specified in the top-level `gateways` field,
  // it must include the reserved gateway `mesh` for this field to be applicable.
+  //
+  // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
+  // VirtualService applies to.
  string source_namespace = 6;
 }

@ -1021,6 +1031,9 @@ message TLSMatchAttributes {
  // workloads with the given labels. If the VirtualService has a list of
  // gateways specified in the top-level `gateways` field, it should include the reserved gateway
  // `mesh` in order for this field to be applicable.
+  //
+  // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
+  // VirtualService applies to.
  map<string, string> source_labels = 5;

  // Names of gateways where the rule should be applied. Gateway names
@ -1031,6 +1044,9 @@ message TLSMatchAttributes {
  // Source namespace constraining the applicability of a rule to workloads in that namespace.
  // If the VirtualService has a list of gateways specified in the top-level `gateways` field,
  // it must include the reserved gateway `mesh` for this field to be applicable.
+  //
+  // **Note:** This is not a runtime match, but is a selector; it filters which workloads the
+  // VirtualService applies to.
  string source_namespace = 7;
 }

@ -1244,7 +1260,6 @@ message RegexRewrite {
 // case-sensitive. `regex` matching supports case-insensitive matches.
 message StringMatch {
  oneof match_type {
-
    // exact string match
    string exact = 1;

@ -1287,11 +1302,11 @@ message HTTPRetry {
  // between retries will be determined automatically (25ms+). When request
  // `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute)
  // or `per_try_timeout` is configured, the actual number of retries attempted also depends on
-  // the specified request `timeout` and `per_try_timeout` values. MUST BE >= 0. If `0`, retries will be disabled.
+  // the specified request `timeout` and `per_try_timeout` values. MUST be >= 0. If `0`, retries will be disabled.
  // The maximum possible number of requests made will be 1 + `attempts`.
  int32 attempts = 1;

-  // Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE >=1ms.
+  // Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be >=1ms.
  // Default is same value as request
  // `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute),
  // which means no timeout.
@ -1307,12 +1322,23 @@ message HTTPRetry {
  // For example, if a connection is reset, Istio will translate this to 503 for it's response.
  // However, the destination did not return a 503 error, so this would not match `"503"` (it would, however, match `"reset"`).
  //
-  // If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled,503`.
+  // If not specified, this defaults to `connect-failure,refused-stream,unavailable,cancelled`.
  string retry_on = 3;

  // Flag to specify whether the retries should retry to other localities.
  // See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details.
  google.protobuf.BoolValue retry_remote_localities = 4;
+
+  // Flag to specify whether the retries should ignore previously tried hosts during retry.
+  // Defaults to true.
+  google.protobuf.BoolValue retry_ignore_previous_hosts = 5;
+
+  // Specifies the minimum duration between retry attempts.
+  // If unset, default minimum duration of 25ms is used as base interval for exponetial backoff.
+  // This has an impact on the total number of retries that will be attempted based on the `attempts` field
+  // and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will
+  // be retried only once.
+  google.protobuf.Duration backoff = 6;
 }

 // Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
@ -1353,7 +1379,7 @@ message CorsPolicy {
  // content will be serialized into the Access-Control-Allow-Origin
  // header. Wildcard * will allow all origins.
  // $hide_from_docs
-  repeated string allow_origin = 1 [deprecated=true];
+  repeated string allow_origin = 1 [deprecated = true];

  // String patterns that match allowed origins.
  // An origin is allowed if any of the string matchers match.
@ -1381,8 +1407,8 @@ message CorsPolicy {
  // `Access-Control-Allow-Credentials` header.
  google.protobuf.BoolValue allow_credentials = 6;

-  // Indicates whether preflight requests not matching the configured 
-  // allowed origin shouldn't be forwarded to the upstream. 
+  // Indicates whether preflight requests not matching the configured
+  // allowed origin shouldn't be forwarded to the upstream.
  // Default is forward to upstream.
  UnmatchedPreflights unmatched_preflights = 8;

@ -1450,7 +1476,7 @@ message HTTPFaultInjection {
    // Percentage of requests on which the delay will be injected (0-100).
    // Use of integer `percent` value is deprecated. Use the double `percentage`
    // field instead.
-    int32 percent = 1 [deprecated=true];
+    int32 percent = 1 [deprecated = true];

    oneof http_delay_type {
      // Add a fixed delay before forwarding the request. Format:
@ -1458,7 +1484,7 @@ message HTTPFaultInjection {
      google.protobuf.Duration fixed_delay = 2;

      // $hide_from_docs
-      google.protobuf.Duration exponential_delay = 3 ;
+      google.protobuf.Duration exponential_delay = 3;
    }

    // Percentage of requests on which the delay will be injected.
--- a/networking/v1alpha3/workload_entry.pb.go
+++ b/networking/v1alpha3/workload_entry.pb.go
@ -14,7 +14,7 @@

 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.35.1
+// 	protoc-gen-go v1.36.6
 // 	protoc        (unknown)
 // source: networking/v1alpha3/workload_entry.proto

@ -158,6 +158,7 @@ import (
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
 	reflect "reflect"
 	sync "sync"
+	unsafe "unsafe"
 )

 const (
@ -171,7 +172,7 @@ const (
 //
 // <!-- crd generation tags
 // +cue-gen:WorkloadEntry:groupName:networking.istio.io
-// +cue-gen:WorkloadEntry:versions:v1beta1,v1alpha3,v1
+// +cue-gen:WorkloadEntry:versions:v1,v1beta1,v1alpha3
 // +cue-gen:WorkloadEntry:annotations:helm.sh/resource-policy=keep
 // +cue-gen:WorkloadEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:WorkloadEntry:subresource:status
@ -193,12 +194,9 @@ const (
 // +k8s:deepcopy-gen=true
 // -->
 // +kubebuilder:validation:XValidation:message="Address is required",rule="has(self.address) || has(self.network)"
-// +kubebuilder:validation:XValidation:message="UDS may not include ports",rule="(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) : true"
+// +kubebuilder:validation:XValidation:message="UDS may not include ports",rule="(default(self.address, "").startsWith('unix://')) ? !has(self.ports) : true"
 type WorkloadEntry struct {
-	state         protoimpl.MessageState
-	sizeCache     protoimpl.SizeCache
-	unknownFields protoimpl.UnknownFields
-
+	state protoimpl.MessageState `protogen:"open.v1"`
 	// Address associated with the network endpoint without the
 	// port.  Domain names can be used if and only if the resolution is set
 	// to DNS, and must be fully-qualified without wildcards. Use the form
@ -225,10 +223,10 @@ type WorkloadEntry struct {
 	// +protoc-gen-crd:map-value-validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
 	// +kubebuilder:validation:MaxProperties=128
 	// +kubebuilder:validation:XValidation:message="port name must be valid",rule="self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$'))"
-	Ports map[string]uint32 `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"`
+	Ports map[string]uint32 `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"varint,2,opt,name=value"`
 	// One or more labels associated with the endpoint.
 	// +kubebuilder:validation:MaxProperties=256
-	Labels map[string]string `protobuf:"bytes,3,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Labels map[string]string `protobuf:"bytes,3,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
 	// Network enables Istio to group endpoints resident in the same L3
 	// domain/network. All endpoints in the same network are assumed to be
 	// directly reachable from one another. When endpoints in different
@ -267,6 +265,8 @@ type WorkloadEntry struct {
 	// ServiceEntry)
 	// +kubebuilder:validation:MaxLength=253
 	ServiceAccount string `protobuf:"bytes,7,opt,name=service_account,json=serviceAccount,proto3" json:"service_account,omitempty"`
+	unknownFields  protoimpl.UnknownFields
+	sizeCache      protoimpl.SizeCache
 }

 func (x *WorkloadEntry) Reset() {
@ -350,52 +350,33 @@ func (x *WorkloadEntry) GetServiceAccount() string {

 var File_networking_v1alpha3_workload_entry_proto protoreflect.FileDescriptor

-var file_networking_v1alpha3_workload_entry_proto_rawDesc = []byte{
-	0x0a, 0x28, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x33, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x65,
-	0x6e, 0x74, 0x72, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19, 0x69, 0x73, 0x74, 0x69,
-	0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61,
-	0x6c, 0x70, 0x68, 0x61, 0x33, 0x22, 0xae, 0x03, 0x0a, 0x0d, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f,
-	0x61, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65,
-	0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73,
-	0x73, 0x12, 0x49, 0x0a, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b,
-	0x32, 0x33, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
-	0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x57, 0x6f, 0x72,
-	0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x73,
-	0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x12, 0x4c, 0x0a, 0x06,
-	0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x69,
-	0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e,
-	0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61,
-	0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x2e, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74,
-	0x72, 0x79, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x6e, 0x65,
-	0x74, 0x77, 0x6f, 0x72, 0x6b, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6e, 0x65, 0x74,
-	0x77, 0x6f, 0x72, 0x6b, 0x12, 0x1a, 0x0a, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x74, 0x79,
-	0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x69, 0x74, 0x79,
-	0x12, 0x16, 0x0a, 0x06, 0x77, 0x65, 0x69, 0x67, 0x68, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0d,
-	0x52, 0x06, 0x77, 0x65, 0x69, 0x67, 0x68, 0x74, 0x12, 0x27, 0x0a, 0x0f, 0x73, 0x65, 0x72, 0x76,
-	0x69, 0x63, 0x65, 0x5f, 0x61, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x0e, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e,
-	0x74, 0x1a, 0x38, 0x0a, 0x0a, 0x50, 0x6f, 0x72, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12,
-	0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65,
-	0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0d,
-	0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x39, 0x0a, 0x0b, 0x4c,
-	0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65,
-	0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05,
-	0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c,
-	0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
-	0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e,
-	0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
-}
+const file_networking_v1alpha3_workload_entry_proto_rawDesc = "" +
+	"\n" +
+	"(networking/v1alpha3/workload_entry.proto\x12\x19istio.networking.v1alpha3\"\xae\x03\n" +
+	"\rWorkloadEntry\x12\x18\n" +
+	"\aaddress\x18\x01 \x01(\tR\aaddress\x12I\n" +
+	"\x05ports\x18\x02 \x03(\v23.istio.networking.v1alpha3.WorkloadEntry.PortsEntryR\x05ports\x12L\n" +
+	"\x06labels\x18\x03 \x03(\v24.istio.networking.v1alpha3.WorkloadEntry.LabelsEntryR\x06labels\x12\x18\n" +
+	"\anetwork\x18\x04 \x01(\tR\anetwork\x12\x1a\n" +
+	"\blocality\x18\x05 \x01(\tR\blocality\x12\x16\n" +
+	"\x06weight\x18\x06 \x01(\rR\x06weight\x12'\n" +
+	"\x0fservice_account\x18\a \x01(\tR\x0eserviceAccount\x1a8\n" +
+	"\n" +
+	"PortsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\rR\x05value:\x028\x01\x1a9\n" +
+	"\vLabelsEntry\x12\x10\n" +
+	"\x03key\x18\x01 \x01(\tR\x03key\x12\x14\n" +
+	"\x05value\x18\x02 \x01(\tR\x05value:\x028\x01B\"Z istio.io/api/networking/v1alpha3b\x06proto3"

 var (
 	file_networking_v1alpha3_workload_entry_proto_rawDescOnce sync.Once
-	file_networking_v1alpha3_workload_entry_proto_rawDescData = file_networking_v1alpha3_workload_entry_proto_rawDesc
+	file_networking_v1alpha3_workload_entry_proto_rawDescData []byte
 )

 func file_networking_v1alpha3_workload_entry_proto_rawDescGZIP() []byte {
 	file_networking_v1alpha3_workload_entry_proto_rawDescOnce.Do(func() {
-		file_networking_v1alpha3_workload_entry_proto_rawDescData = protoimpl.X.CompressGZIP(file_networking_v1alpha3_workload_entry_proto_rawDescData)
+		file_networking_v1alpha3_workload_entry_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_workload_entry_proto_rawDesc), len(file_networking_v1alpha3_workload_entry_proto_rawDesc)))
 	})
 	return file_networking_v1alpha3_workload_entry_proto_rawDescData
 }
@ -425,7 +406,7 @@ func file_networking_v1alpha3_workload_entry_proto_init() {
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
-			RawDescriptor: file_networking_v1alpha3_workload_entry_proto_rawDesc,
+			RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_workload_entry_proto_rawDesc), len(file_networking_v1alpha3_workload_entry_proto_rawDesc)),
 			NumEnums:      0,
 			NumMessages:   3,
 			NumExtensions: 0,
@ -436,7 +417,6 @@ func file_networking_v1alpha3_workload_entry_proto_init() {
 		MessageInfos:      file_networking_v1alpha3_workload_entry_proto_msgTypes,
 	}.Build()
 	File_networking_v1alpha3_workload_entry_proto = out.File
-	file_networking_v1alpha3_workload_entry_proto_rawDesc = nil
 	file_networking_v1alpha3_workload_entry_proto_goTypes = nil
 	file_networking_v1alpha3_workload_entry_proto_depIdxs = nil
 }
--- a/networking/v1alpha3/workload_entry.pb.html
+++ b/networking/v1alpha3/workload_entry.pb.html
@ -126,15 +126,14 @@ spec:
 <thead>
 <tr>
 <th>Field</th>
-<th>Type</th>
 <th>Description</th>
-<th>Required</th>
 </tr>
 </thead>
 <tbody>
 <tr id="WorkloadEntry-address">
-<td><code>address</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-address">address</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Address associated with the network endpoint without the
 port.  Domain names can be used if and only if the resolution is set
@ -142,14 +141,12 @@ to DNS, and must be fully-qualified without wildcards. Use the form
 unix:///absolute/path/to/socket for Unix domain socket endpoints.
 If address is empty, network must be specified.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WorkloadEntry-ports">
-<td><code>ports</code></td>
-<td><code>map&lt;string,&nbsp;uint32&gt;</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-ports">ports</a></code></div>
+<div class="type">map&lt;string,&nbsp;uint32&gt;</div>
+</div></td>
 <td>
 <p>Set of ports associated with the endpoint. If the port map is
 specified, it must be a map of servicePortName to this endpoint&rsquo;s
@ -164,25 +161,21 @@ the same port.</p>
 <p><strong>NOTE 1:</strong> Do not use for <code>unix://</code> addresses.</p>
 <p><strong>NOTE 2:</strong> endpoint port map takes precedence over targetPort.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WorkloadEntry-labels">
-<td><code>labels</code></td>
-<td><code>map&lt;string,&nbsp;string&gt;</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-labels">labels</a></code></div>
+<div class="type">map&lt;string,&nbsp;string&gt;</div>
+</div></td>
 <td>
 <p>One or more labels associated with the endpoint.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WorkloadEntry-network">
-<td><code>network</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-network">network</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>Network enables Istio to group endpoints resident in the same L3
 domain/network. All endpoints in the same network are assumed to be
@ -193,14 +186,12 @@ used to establish connectivity (usually using the
 an advanced configuration used typically for spanning an Istio mesh
 over multiple clusters. Required if address is not provided.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WorkloadEntry-locality">
-<td><code>locality</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-locality">locality</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The locality associated with the endpoint. A locality corresponds
 to a failure domain (e.g., country/region/zone). Arbitrary failure
@ -220,35 +211,28 @@ locality. Endpoint e2 could be the IP associated with a gateway
 (that bridges networks n1 and n2), or the IP associated with a
 standard service endpoint.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WorkloadEntry-weight">
-<td><code>weight</code></td>
-<td><code>uint32</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-weight">weight</a></code></div>
+<div class="type">uint32</div>
+</div></td>
 <td>
 <p>The load balancing weight associated with the endpoint. Endpoints
 with higher weights will receive proportionally higher traffic.</p>

-</td>
-<td>
-No
 </td>
 </tr>
 <tr id="WorkloadEntry-service_account">
-<td><code>serviceAccount</code></td>
-<td><code>string</code></td>
+<td><div class="field"><div class="name"><code><a href="#WorkloadEntry-service_account">serviceAccount</a></code></div>
+<div class="type">string</div>
+</div></td>
 <td>
 <p>The service account associated with the workload if a sidecar
 is present in the workload. The service account must be present
 in the same namespace as the configuration ( WorkloadEntry or a
 ServiceEntry)</p>

-</td>
-<td>
-No
 </td>
 </tr>
 </tbody>
--- a/networking/v1alpha3/workload_entry.proto
+++ b/networking/v1alpha3/workload_entry.proto
@ -129,9 +129,9 @@ syntax = "proto3";
 // ```
 //
 // The following example declares a VM workload without an address.
-// An alternative to having istiod read from remote API servers is 
-// to write a `WorkloadEntry` in the local cluster that represents 
-// the Workload(s) in the remote network with the given labels. A 
+// An alternative to having istiod read from remote API servers is
+// to write a `WorkloadEntry` in the local cluster that represents
+// the Workload(s) in the remote network with the given labels. A
 // single `WorkloadEntry` with weights represent the aggregate of all
 // the actual workloads in a given remote network.
 //
@ -154,7 +154,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 //
 // <!-- crd generation tags
 // +cue-gen:WorkloadEntry:groupName:networking.istio.io
-// +cue-gen:WorkloadEntry:versions:v1beta1,v1alpha3,v1
+// +cue-gen:WorkloadEntry:versions:v1,v1beta1,v1alpha3
 // +cue-gen:WorkloadEntry:annotations:helm.sh/resource-policy=keep
 // +cue-gen:WorkloadEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
 // +cue-gen:WorkloadEntry:subresource:status
@ -176,7 +176,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
 // +k8s:deepcopy-gen=true
 // -->
 // +kubebuilder:validation:XValidation:message="Address is required",rule="has(self.address) || has(self.network)"
-// +kubebuilder:validation:XValidation:message="UDS may not include ports",rule="(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) : true"
+// +kubebuilder:validation:XValidation:message="UDS may not include ports",rule="(default(self.address, "").startsWith('unix://')) ? !has(self.ports) : true"
 message WorkloadEntry {
  // Address associated with the network endpoint without the
  // port.  Domain names can be used if and only if the resolution is set
@ -252,5 +252,4 @@ message WorkloadEntry {
  // ServiceEntry)
  // +kubebuilder:validation:MaxLength=253
  string service_account = 7;
-};
-
+}
--- a/Show More
+++ b/Show More