Update reference docs. (#3204)

content/docs/reference/commands/galley/index.html

@@ -123,7 +123,7 @@ number_of_entries: 4
 </tr>
 <tr>
 <td><code>--monitoringPort &lt;uint&gt;</code></td>
-<td>Port to use for exposing self-monitoring information  (default `9093`)</td>
+<td>Port to use for exposing self-monitoring information  (default `15014`)</td>
 </tr>
 <tr>
 <td><code>--pprofPort &lt;uint&gt;</code></td>
@@ -158,6 +158,14 @@ number_of_entries: 4
 <td>Name of the validation service running in the same namespace as the deployment  (default `istio-galley`)</td>
 </tr>
 <tr>
+<td><code>--sinkAddress &lt;string&gt;</code></td>
+<td>Address of MCP Resource Sink server for Galley to connect to. Ex: &#39;foo.com:1234&#39;  (default ``)</td>
+</tr>
+<tr>
+<td><code>--sinkAuthMode &lt;string&gt;</code></td>
+<td>Name of authentication plugin to use for connection to sink server.  (default ``)</td>
+</tr>
+<tr>
 <td><code>--tlsCertFile &lt;string&gt;</code></td>
 <td>File containing the x509 Certificate for HTTPS.  (default `/etc/certs/cert-chain.pem`)</td>
 </tr>
@@ -303,7 +311,7 @@ number_of_entries: 4
 </tr>
 <tr>
 <td><code>--monitoringPort &lt;uint&gt;</code></td>
-<td>Port to use for exposing self-monitoring information  (default `9093`)</td>
+<td>Port to use for exposing self-monitoring information  (default `15014`)</td>
 </tr>
 <tr>
 <td><code>--pprofPort &lt;uint&gt;</code></td>
@@ -342,6 +350,14 @@ number_of_entries: 4
 <td>Name of the validation service running in the same namespace as the deployment  (default `istio-galley`)</td>
 </tr>
 <tr>
+<td><code>--sinkAddress &lt;string&gt;</code></td>
+<td>Address of MCP Resource Sink server for Galley to connect to. Ex: &#39;foo.com:1234&#39;  (default ``)</td>
+</tr>
+<tr>
+<td><code>--sinkAuthMode &lt;string&gt;</code></td>
+<td>Name of authentication plugin to use for connection to sink server.  (default ``)</td>
+</tr>
+<tr>
 <td><code>--tlsCertFile &lt;string&gt;</code></td>
 <td>File containing the x509 Certificate for HTTPS.  (default `/etc/certs/cert-chain.pem`)</td>
 </tr>
@@ -512,7 +528,7 @@ number_of_entries: 4
 <tr>
 <td><code>--monitoringPort &lt;uint&gt;</code></td>
 <td></td>
-<td>Port to use for exposing self-monitoring information  (default `9093`)</td>
+<td>Port to use for exposing self-monitoring information  (default `15014`)</td>
 </tr>
 <tr>
 <td><code>--output &lt;string&gt;</code></td>
@@ -565,6 +581,16 @@ number_of_entries: 4
 <td>Displays a short form of the version information </td>
 </tr>
 <tr>
+<td><code>--sinkAddress &lt;string&gt;</code></td>
+<td></td>
+<td>Address of MCP Resource Sink server for Galley to connect to. Ex: &#39;foo.com:1234&#39;  (default ``)</td>
+</tr>
+<tr>
+<td><code>--sinkAuthMode &lt;string&gt;</code></td>
+<td></td>
+<td>Name of authentication plugin to use for connection to sink server.  (default ``)</td>
+</tr>
+<tr>
 <td><code>--tlsCertFile &lt;string&gt;</code></td>
 <td></td>
 <td>File containing the x509 Certificate for HTTPS.  (default `/etc/certs/cert-chain.pem`)</td>

content/docs/reference/commands/istio_ca/index.html

@@ -115,7 +115,7 @@ number_of_entries: 4
 </tr>
 <tr>
 <td><code>--monitoring-port &lt;int&gt;</code></td>
-<td>The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring.  (default `9093`)</td>
+<td>The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring.  (default `15014`)</td>
 </tr>
 <tr>
 <td><code>--org &lt;string&gt;</code></td>

content/docs/reference/commands/mixs/index.html

@@ -235,7 +235,7 @@ nexus for policy evaluation and telemetry reporting.</p>
 <tr>
 <td><code>--monitoringPort &lt;uint16&gt;</code></td>
 <td></td>
-<td>HTTP port to use for the exposing mixer self-monitoring information  (default `9093`)</td>
+<td>HTTP port to use for Mixer self-monitoring information  (default `15014`)</td>
 </tr>
 <tr>
 <td><code>--numCheckCacheEntries &lt;int32&gt;</code></td>

content/docs/reference/commands/pilot-agent/index.html

@@ -116,10 +116,6 @@ number_of_entries: 5
 <td>Proxy IP address. If not provided uses ${INSTANCE_IP} environment variable.  (default ``)</td>
 </tr>
 <tr>
-<td><code>--kubeAppProberConfig &lt;string&gt;</code></td>
-<td>The json encoded string to pass app HTTP probe information from injector(istioctl or webhook). For example, --kubeAppProberConfig=&#39;{&#34;/app-health/httpbin/livez&#34;:{&#34;path&#34;: &#34;/hello&#34;, &#34;port&#34;: 8080}&#39; indicates that httpbin container liveness prober port is 8080 and probing path is /hello. This flag should never be set manually.  (default ``)</td>
-</tr>
-<tr>
 <td><code>--lightstepAccessToken &lt;string&gt;</code></td>
 <td>Access Token for LightStep Satellite pool  (default ``)</td>
 </tr>

content/docs/reference/commands/pilot-discovery/index.html

@@ -233,7 +233,7 @@ number_of_entries: 5
 <tr>
 <td><code>--monitoringAddr &lt;string&gt;</code></td>
 <td></td>
-<td>HTTP address to use for the exposing pilot self-monitoring information  (default `:9093`)</td>
+<td>HTTP address to use for pilot&#39;s self-monitoring information  (default `:15014`)</td>
 </tr>
 <tr>
 <td><code>--namespace &lt;string&gt;</code></td>

content/docs/reference/config/istio.networking.v1alpha3/index.html

@@ -2954,6 +2954,26 @@ holding the server&rsquo;s private key.</p>
 certificate authority certificates to use in verifying a presented
 client side certificate.</p>
 
+</td>
+</tr>
+<tr id="Server-TLSOptions-credential_name">
+<td><code>credentialName</code></td>
+<td><code>string</code></td>
+<td>
+<p>The credentialName stands for a unique identifier that can be used
+to identify the serverCertificate and the privateKey. The credentialName
+appended with suffix &ldquo;-cacert&rdquo; is used to identify the CaCertificates
+associated with this server. Gateway workloads capable of fetching
+credentials from a remote credential store will be configured to retrieve
+the serverCertificate and the privateKey using credentialName, instead of
+using the file system paths specified above. If using mutual TLS,
+gateway workloads will retrieve the CaCertificates using
+credentialName-cacert. The semantics of the name are platform dependent.
+In Kubernetes, the default Istio supplied credential server expects the
+credentialName to match the name of the Kubernetes secret that holds the
+server certificate, the private key, and the CA certificate
+(if using mutual TLS).</p>
+
 </td>
 </tr>
 <tr id="Server-TLSOptions-subject_alt_names">
@@ -2988,18 +3008,6 @@ certificate presented by the client.</p>
 <p>Optional: If specified, only support the specified cipher list.
 Otherwise default to the default cipher list supported by Envoy.</p>
 
-</td>
-</tr>
-<tr id="Server-TLSOptions-sds_name">
-<td><code>sdsName</code></td>
-<td><code>string</code></td>
-<td>
-<p>Optional: If specified, the gateway controllers (with SDS enabled)
-use the specified name as the SDS secret config name to call the SDS
-server, to retrieve the key and certificates. Otherwise, the gateway
-controllers (with SDS enabled) use the first value in the hosts as
-the SDS secret config name to call the SDS server.</p>
-
 </td>
 </tr>
 </tbody>
@@ -3381,6 +3389,32 @@ spec:
 specified above. In other words, a call to <code>http://foo.bar.com/baz</code> would
 be translated to <code>http://uk.foo.bar.com/baz</code>.</p>
 
+<p>The following example illustrates the usage of a ServiceEntry
+containing a subject alternate name
+whose format conforms to the SPIFEE standard
+<a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md">https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md</a>:</p>
+
+<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: httpbin
+  namespace : httpbin-ns
+spec:
+  hosts:
+  - httpbin.com
+  location: MESH_INTERNAL
+  ports:
+  - number: 80
+    name: http
+    protocol: HTTP
+  resolution: STATIC
+  endpoints:
+  - address: 2.2.2.2
+  - address: 3.3.3.3
+  subjectAltNames:
+  - &quot;spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account&quot;
+</code></pre>
+
 <table class="message-fields">
 <thead>
 <tr>
@@ -3460,6 +3494,18 @@ said port will be allowed (i.e. 0.0.0.0:<port>).</p>
 <td>
 <p>One or more endpoints associated with the service.</p>
 
+</td>
+</tr>
+<tr id="ServiceEntry-subject_alt_names">
+<td><code>subjectAltNames</code></td>
+<td><code>string[]</code></td>
+<td>
+<p>The list of subject alternate names allowed for workloads that
+implement this service. This information is used to enforce
+secure-naming <a href="/docs/concepts/security/#secure-naming">https://istio.io/docs/concepts/security/#secure-naming</a>.
+If specified, the proxy will verify that the server
+certificate&rsquo;s subject alternate name matches one of the specified values.</p>
+
 </td>
 </tr>
 </tbody>
@@ -4188,7 +4234,9 @@ Should be empty if mode is <code>ISTIO_MUTUAL</code>.</p>
 <td>
 <p>A list of alternate names to verify the subject identity in the
 certificate. If specified, the proxy will verify that the server
-certificate&rsquo;s subject alt name matches one of the specified values.</p>
+certificate&rsquo;s subject alt name matches one of the specified values.
+If specified, this list overrides the value of subject<em>alt</em>names
+from the ServiceEntry.</p>
 
 </td>
 </tr>

content/docs/reference/config/policy-and-telemetry/adapters/zipkin/index.html

@@ -0,0 +1,51 @@
+---
+title: Zipkin
+description: Adapter to deliver tracing data to Zipkin.
+location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/zipkin.html
+layout: protoc-gen-docs
+generator: protoc-gen-docs
+supported_templates: tracespan
+number_of_entries: 1
+---
+<p>The <code>zipkin</code> adapter enables Istio to deliver tracing data to the
+<a href="https://cloud.google.com/zipkin/">Zipkin</a> tracing backend.</p>
+
+<p>This adapter supports the <a href="/docs/reference/config/policy-and-telemetry/templates/tracespan/">tracespan template</a>.</p>
+
+<h2 id="Params">Params</h2>
+<section>
+<p>Configuration format for the <code>zipkin</code> adapter.</p>
+
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="Params-url">
+<td><code>url</code></td>
+<td><code>string</code></td>
+<td>
+<p>URL of Zipkin HTTP endpoint.</p>
+
+<p>Required.</p>
+
+</td>
+</tr>
+<tr id="Params-sample_probability">
+<td><code>sampleProbability</code></td>
+<td><code>double</code></td>
+<td>
+<p>Uniform probability that a trace will be sampled.
+Defaults to 0 (sampling disabled) if unset.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+</tbody>
+</table>
+</section>

content/docs/reference/config/policy-and-telemetry/templates/tracespan/index.html

@@ -1,6 +1,6 @@
 ---
 title: Trace Span
-description: A template that represents\ an individual span within a distributed trace.
+description: A template that represents an individual span within a distributed trace.
 location: https://istio.io/docs/reference/config/policy-and-telemetry/templates/tracespan.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
@@ -30,8 +30,6 @@ spec:
     http.url: request.path | ""
     request.size: request.size | 0
     response.size: response.size | 0
-    source.ip: source.ip | ip("0.0.0.0")
-    source.service: source.service | ""
     source.user: source.user | ""
     source.version: source.labels["version"] | ""
 </code></pre>
@@ -169,6 +167,101 @@ parent span id of server span to the same newly generated id.</p>
 
 <p>Optional</p>
 
+</td>
+</tr>
+<tr id="Template-source_name">
+<td><code>sourceName</code></td>
+<td><code>string</code></td>
+<td>
+<p>Identifies the source (client side) of this span.
+Should usually be set to <code>source.workload.name</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-source_ip">
+<td><code>sourceIp</code></td>
+<td><code><a href="/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html#IPAddress">istio.policy.v1beta1.IPAddress</a></code></td>
+<td>
+<p>Client IP address. Should usually be set to <code>source.ip</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-destination_name">
+<td><code>destinationName</code></td>
+<td><code>string</code></td>
+<td>
+<p>Identifies the destination (server side) of this span.
+Should usually be set to <code>destination.workload.name</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-destination_ip">
+<td><code>destinationIp</code></td>
+<td><code><a href="/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html#IPAddress">istio.policy.v1beta1.IPAddress</a></code></td>
+<td>
+<p>Server IP address. Should usually be set to <code>destination.ip</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-request_size">
+<td><code>requestSize</code></td>
+<td><code>int64</code></td>
+<td>
+<p>Request body size. Should usually be set to <code>request.size</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-request_total_size">
+<td><code>requestTotalSize</code></td>
+<td><code>int64</code></td>
+<td>
+<p>Total request size (headers and body).
+Should usually be set to <code>request.total_size</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-response_size">
+<td><code>responseSize</code></td>
+<td><code>int64</code></td>
+<td>
+<p>Response body size. Should usually be set to <code>response.size</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-response_total_size">
+<td><code>responseTotalSize</code></td>
+<td><code>int64</code></td>
+<td>
+<p>Response total size (headers and body).
+Should usually be set to <code>response.total_size</code>.</p>
+
+<p>Optional.</p>
+
+</td>
+</tr>
+<tr id="Template-api_protocol">
+<td><code>apiProtocol</code></td>
+<td><code>string</code></td>
+<td>
+<p>One of &ldquo;http&rdquo;, &ldquo;https&rdquo;, or &ldquo;grpc&rdquo; or any other value of
+the <code>api.protocol</code> attribute. Should usually be set to <code>api.protocol</code>.</p>
+
+<p>Optional.</p>
+
 </td>
 </tr>
 </tbody>

scripts/gen_site.sh

@@ -3,7 +3,7 @@ set -e
 
 hugo version
 
-if [ "$2" == "-no_minify" ]
+if [[ "$2" == "-no_minify" ]]
 then
     hugo --baseURL "$1"
 else

scripts/lint_site.sh

@@ -43,20 +43,20 @@ check_content() {
     pushd ${TMP} >/dev/null
 
     mdspell ${LANG} --ignore-acronyms --ignore-numbers --no-suggestions --report *.md */*.md */*/*.md */*/*/*.md */*/*/*/*.md */*/*/*/*/*.md */*/*/*/*/*/*.md
-    if [ "$?" != "0" ]
+    if [[ "$?" != "0" ]]
     then
         echo "To learn how to address spelling errors, please see https://github.com/istio/istio.io#linting"
         FAILED=1
     fi
 
     mdl --ignore-front-matter --style mdl_style.rb .
-    if [ "$?" != "0" ]
+    if [[ "$?" != "0" ]]
     then
         FAILED=1
     fi
 
     grep -nr -e "(https://istio.io" .
-    if [ "$?" == "0" ]
+    if [[ "$?" == "0" ]]
     then
         echo "Ensure markdown content uses relative references to istio.io"
         FAILED=1
@@ -73,18 +73,19 @@ check_content content --en-us
 check_content content_zh --zh-cn
 
 grep -nr -e "“" ./content
-if [ "$?" == "0" ]
+if [[ "$?" == "0" ]]
 then
     echo "Ensure markdown content only uses standard quotation marks and not “"
     FAILED=1
 fi
+
 htmlproofer ./public --assume-extension --check-html --disable_external ${DISABLE_EXTERNAL} --check-external-hash --check-opengraph --timeframe 2d --storage-dir .htmlproofer --url-ignore "/localhost/,/github.com/istio/istio.io/edit/master/,/github.com/istio/istio/issues/new/choose/,/groups.google.com/forum/,/www.trulia.com/"
-if [ "$?" != "0" ]
+if [[ "$?" != "0" ]]
 then
     FAILED=1
 fi
 
-if [ ${FAILED} -eq 1 ]
+if [[ ${FAILED} -eq 1 ]]
 then
     echo "LINTING FAILED"
     exit 1