From 323f2a67fa9258eb005edb27252e36a17d2da992 Mon Sep 17 00:00:00 2001
From: Martin Taillefer
Date: Thu, 5 Mar 2020 15:21:03 -0800
Subject: [PATCH] Update generated docs (#6759)
---
.../reference/commands/istioctl/index.html | 164 +-
.../reference/commands/pilot-agent/index.html | 76 +-
.../commands/pilot-discovery/index.html | 54 +-
.../commands/sidecar-injector/index.html | 640 ----
.../config/istio.mesh.v1alpha1/index.html | 2631 ++++++++++++++++-
.../config/istio.operator.v1alpha1/index.html | 21 +-
.../networking/destination-rule/index.html | 11 +
.../config/networking/gateway/index.html | 70 +-
.../config/networking/sidecar/index.html | 242 +-
.../networking/virtual-service/index.html | 66 +-
.../istio.mixer.v1.config.client/index.html | 2 +-
.../istio.authentication.v1alpha1/index.html | 93 +-
scripts/grab_reference_docs.sh | 1 -
static/operator.yaml | 11 +-
14 files changed, 2990 insertions(+), 1092 deletions(-)
delete mode 100644 content/en/docs/reference/commands/sidecar-injector/index.html
diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index 45e3057ab0..1f7d7b037b 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -171,104 +171,6 @@ istioctl analyze -S "IST0103=Pod *.testing" -S "IST0107=Deployment f # List available analyzers istioctl analyze -L - -

istioctl authn

-

-A group of commands used to interact with Istio authentication policies. - tls-check -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>-nConfig namespace (default ``)
-

Examples

-
# Check whether TLS setting are matching between authentication policy and destination rules:
-istioctl authn tls-check
-
-

istioctl authn tls-check

-

-Check what authentication policies and destination rules pilot uses to config a proxy instance, -and check if TLS settings are compatible between them. -

-
istioctl authn tls-check <pod-name[.namespace]> [<service>] [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn`)
--namespace <string>-nConfig namespace (default ``)
-

Examples

-

-# Check settings for pod "foo-656bd7df7c-5zp4s" in namespace default:
-istioctl authn tls-check foo-656bd7df7c-5zp4s.default
-
-# Check settings for pod "foo-656bd7df7c-5zp4s" in namespace default, filtered on destination
-service "bar" :
-istioctl authn tls-check foo-656bd7df7c-5zp4s.default bar
-
 

istioctl authz

(authz is experimental. Use `istioctl experimental authz`)

@@ -1173,7 +1075,7 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. --output <string> -o -Output format: one of [yaml log json] (default `log`) +Output format: one of [log json yaml] (default `log`) --output-threshold <Level>
@@ -2888,7 +2790,7 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \ --filename <stringSlice> -f -Path to file containing IstioOperator CustomResource +Path to file containing IstioOperator custom resource This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
@@ -3073,7 +2975,7 @@ e.g. --filename <stringSlice> -f -Path to file containing IstioOperator CustomResource +Path to file containing IstioOperator custom resource This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
@@ -3201,7 +3103,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl

istioctl manifest versions

-

List the versions of Istio recommended for use or supported for upgrade by this version of the operator binary.

+

List the versions of Istio recommended for use or supported for upgrade by this version of istioctl.

istioctl manifest versions [flags]
 
@@ -3324,7 +3226,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl -
@@ -3410,7 +3312,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi -
@@ -3528,6 +3430,10 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
--filename <string> -fPath to file containing IstioOperator CustomResource +Path to file containing IstioOperator custom resource This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)
--filename <string> -fPath to file containing IstioOperator CustomResource +Path to file containing IstioOperator custom resource This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)
+

Examples

+
istioctl profile list
+istioctl manifest apply --set profile=demo  # Use a profile from the list
+

istioctl profile diff

The diff subcommand displays the differences between two Istio configuration profiles.

istioctl profile diff <file1.yaml> <file2.yaml> [flags]
@@ -3614,7 +3520,7 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi
 
 --filename <stringSlice>
 -f
-Path to file containing IstioOperator CustomResource
+Path to file containing IstioOperator custom resource
 This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order.  (default `[]`)
 
 
@@ -4727,6 +4633,12 @@ These environment variables affect the behavior of the istioctl com
 Service name of istiod. If empty the istiod listener, certs will be disabled.
 
 
+ISTIO_DEFAULT_REQUEST_TIMEOUT
+Time Duration
+0s
+Default Http and gRPC Request timeout
+
+
 ISTIO_GPRC_MAXRECVMSGSIZE
 Integer
 4194304
@@ -4799,18 +4711,18 @@ These environment variables affect the behavior of the istioctl com
 
 
 
-PILOT_DISABLE_XDS_MARSHALING_TO_ANY
-Boolean
-false
-
-
-
 PILOT_DISTRIBUTION_HISTORY_RETENTION
 Time Duration
 1m0s
 If enabled, Pilot will keep track of old versions of distributed config for this duration.
 
 
+PILOT_ENABLED_SERVICE_APIS
+Boolean
+false
+If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will  be enabled. This feature is currently experimental, and is off by default.
+
+
 PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING
 Boolean
 true
@@ -4835,12 +4747,6 @@ These environment variables affect the behavior of the istioctl com
 If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
 
 
-PILOT_ENABLE_FALLTHROUGH_ROUTE
-Boolean
-true
-EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.
-
-
 PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
 Boolean
 true
@@ -4877,6 +4783,12 @@ These environment variables affect the behavior of the istioctl com
 If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
 
 
+PILOT_ENABLE_THRIFT_FILTER
+Boolean
+false
+EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.
+
+
 PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
 Boolean
 false
@@ -4907,12 +4819,6 @@ These environment variables affect the behavior of the istioctl com
 Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
 
 
-PILOT_RESPECT_DNS_TTL
-Boolean
-true
-If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.
-
-
 PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP
 Boolean
 true
@@ -4925,12 +4831,6 @@ These environment variables affect the behavior of the istioctl com
 If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
 
 
-PILOT_SCOPE_PUSHES
-Boolean
-true
-If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.
-
-
 PILOT_SIDECAR_USE_REMOTE_ADDRESS
 Boolean
 false
@@ -4955,12 +4855,6 @@ These environment variables affect the behavior of the istioctl com
 If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
 
 
-PROV_CERT
-String
-
-Set to a directory containing provisioned certs, for VMs
-
-
 SECRET_WATCHER_RESYNC_PERIOD
 String
 
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html
index fce2a9aee8..afd76b5fce 100644
--- a/content/en/docs/reference/commands/pilot-agent/index.html
+++ b/content/en/docs/reference/commands/pilot-agent/index.html
@@ -81,7 +81,7 @@ remove_toc_prefix: 'pilot-agent '
 
 
 --connectTimeout <duration>
-Connection timeout used by Envoy for supporting services  (default `1s`)
+Connection timeout used by Envoy for supporting services  (default `10s`)
 
 
 --controlPlaneAuthPolicy <string>
@@ -105,11 +105,7 @@ remove_toc_prefix: 'pilot-agent '
 
 
 --discoveryAddress <string>
-Address of the discovery service exposing xDS (e.g. istio-pilot:8080)  (default `istio-pilot:15010`)
-
-
---dnsRefreshRate <string>
-The dns_refresh_rate for bootstrap STRICT_DNS clusters  (default `300s`)
+Address of the discovery service exposing xDS (e.g. istio-pilot:8080)  (default ``)
 
 
 --domain <string>
@@ -188,6 +184,10 @@ remove_toc_prefix: 'pilot-agent '
 The set of paths where to output the log. This can be any path as well as the special values stdout and stderr  (default `[stdout]`)
 
 
+--meshConfig <string>
+File name for Istio mesh configuration. If not specified, a default mesh will be used. MESH_CONFIG environment variable takes precedence.  (default `/etc/istio/config/mesh`)
+
+
 --mixerIdentity <string>
 The identity used as the suffix for mixer's spiffe SAN. This would only be used by pilot all other proxy would get this value from pilot  (default ``)
 
@@ -404,6 +404,12 @@ These environment variables affect the behavior of the pilot-agent
 
 
 
+GCP_METADATA
+String
+
+Pipe separted GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
+
+
 GKE_CLUSTER_URL
 String
 
@@ -458,6 +464,12 @@ These environment variables affect the behavior of the pilot-agent
 
 
 
+ISTIO_DEFAULT_REQUEST_TIMEOUT
+Time Duration
+0s
+Default Http and gRPC Request timeout
+
+
 ISTIO_GPRC_MAXRECVMSGSIZE
 Integer
 4194304
@@ -524,16 +536,22 @@ These environment variables affect the behavior of the pilot-agent
 The JWT validation policy.
 
 
+MESH_CONFIG
+String
+
+The mesh configuration
+
+
 NAMESPACE
 String
 istio-system
 namespace that nodeagent/citadel run in
 
 
-OUTPUT_CERTS
+OUTPUT_KEY_CERT_TO_DIRECTORY
 String
 
-The output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates.
+The output directory for the key and certificate. If empty, no output of key and certificate.
 
 
 PILOT_BLOCK_HTTP_ON_443
@@ -572,18 +590,18 @@ These environment variables affect the behavior of the pilot-agent
 
 
 
-PILOT_DISABLE_XDS_MARSHALING_TO_ANY
-Boolean
-false
-
-
-
 PILOT_DISTRIBUTION_HISTORY_RETENTION
 Time Duration
 1m0s
 If enabled, Pilot will keep track of old versions of distributed config for this duration.
 
 
+PILOT_ENABLED_SERVICE_APIS
+Boolean
+false
+If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will  be enabled. This feature is currently experimental, and is off by default.
+
+
 PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING
 Boolean
 true
@@ -608,12 +626,6 @@ These environment variables affect the behavior of the pilot-agent
 If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
 
 
-PILOT_ENABLE_FALLTHROUGH_ROUTE
-Boolean
-true
-EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.
-
-
 PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
 Boolean
 true
@@ -650,6 +662,12 @@ These environment variables affect the behavior of the pilot-agent
 If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
 
 
+PILOT_ENABLE_THRIFT_FILTER
+Boolean
+false
+EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.
+
+
 PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
 Boolean
 false
@@ -680,12 +698,6 @@ These environment variables affect the behavior of the pilot-agent
 Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
 
 
-PILOT_RESPECT_DNS_TTL
-Boolean
-true
-If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.
-
-
 PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP
 Boolean
 true
@@ -698,12 +710,6 @@ These environment variables affect the behavior of the pilot-agent
 If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
 
 
-PILOT_SCOPE_PUSHES
-Boolean
-true
-If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.
-
-
 PILOT_SIDECAR_USE_REMOTE_ADDRESS
 Boolean
 false
@@ -752,12 +758,6 @@ These environment variables affect the behavior of the pilot-agent
 
 
 
-PROV_CERT
-String
-
-Set to a directory containing provisioned certs, for VMs
-
-
 SDS_ENABLED
 Boolean
 false
diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html
index d71b7dffec..60454ee66e 100644
--- a/content/en/docs/reference/commands/pilot-discovery/index.html
+++ b/content/en/docs/reference/commands/pilot-discovery/index.html
@@ -231,7 +231,7 @@ remove_toc_prefix: 'pilot-discovery '
 
 --namespace <string>
 -n
-Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable  (default ``)
+Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable  (default `istio-system`)
 
 
 --networksConfig <string>
@@ -261,7 +261,7 @@ remove_toc_prefix: 'pilot-discovery '
 
 --secureGrpcAddr <string>
 
-Discovery service grpc address, with https and spiffe certificates.  (default `:15011`)
+Discovery service grpc address, with https  (default ``)
 
 
 --trust-domain <string>
@@ -496,6 +496,12 @@ These environment variables affect the behavior of the pilot-discoveryService name of istiod. If empty the istiod listener, certs will be disabled.
 
 
+ISTIO_DEFAULT_REQUEST_TIMEOUT
+Time Duration
+0s
+Default Http and gRPC Request timeout
+
+
 ISTIO_GPRC_MAXRECVMSGSIZE
 Integer
 4194304
@@ -532,12 +538,6 @@ These environment variables affect the behavior of the pilot-discoveryKuberenetes service host, set automatically when running in-cluster
 
 
-MASTER_ELECTION
-Boolean
-true
-Enable master election
-
-
 MAX_WORKLOAD_CERT_TTL
 Time Duration
 2160h0m0s
@@ -580,18 +580,18 @@ These environment variables affect the behavior of the pilot-discovery
 
 
-PILOT_DISABLE_XDS_MARSHALING_TO_ANY
-Boolean
-false
-
-
-
 PILOT_DISTRIBUTION_HISTORY_RETENTION
 Time Duration
 1m0s
 If enabled, Pilot will keep track of old versions of distributed config for this duration.
 
 
+PILOT_ENABLED_SERVICE_APIS
+Boolean
+false
+If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will  be enabled. This feature is currently experimental, and is off by default.
+
+
 PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING
 Boolean
 true
@@ -616,12 +616,6 @@ These environment variables affect the behavior of the pilot-discoveryIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
 
 
-PILOT_ENABLE_FALLTHROUGH_ROUTE
-Boolean
-true
-EnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.
-
-
 PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS
 Boolean
 true
@@ -658,6 +652,12 @@ These environment variables affect the behavior of the pilot-discoveryIf enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
 
 
+PILOT_ENABLE_THRIFT_FILTER
+Boolean
+false
+EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.
+
+
 PILOT_FILTER_GATEWAY_CLUSTER_CONFIG
 Boolean
 false
@@ -688,12 +688,6 @@ These environment variables affect the behavior of the pilot-discoveryLimits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
 
 
-PILOT_RESPECT_DNS_TTL
-Boolean
-true
-If enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.
-
-
 PILOT_RESTRICT_POD_UP_TRAFFIC_LOOP
 Boolean
 true
@@ -706,12 +700,6 @@ These environment variables affect the behavior of the pilot-discoveryIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
 
 
-PILOT_SCOPE_PUSHES
-Boolean
-true
-If enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.
-
-
 PILOT_SIDECAR_USE_REMOTE_ADDRESS
 Boolean
 false
@@ -744,7 +732,7 @@ These environment variables affect the behavior of the pilot-discovery
 POD_NAMESPACE
 String
-
+istio-system
 
 
 
diff --git a/content/en/docs/reference/commands/sidecar-injector/index.html b/content/en/docs/reference/commands/sidecar-injector/index.html
deleted file mode 100644
index 0d4495f82d..0000000000
--- a/content/en/docs/reference/commands/sidecar-injector/index.html
+++ /dev/null
@@ -1,640 +0,0 @@
----
-WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO
-source_repo: https://github.com/istio/istio
-title: sidecar-injector
-description: Kubernetes webhook for automatic Istio sidecar injection.
-generator: pkg-collateral-docs
-number_of_entries: 4
-max_toc_level: 2
-remove_toc_prefix: 'sidecar-injector '
----
-

Kubernetes webhook for automatic Istio sidecar injection.

-
sidecar-injector [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--caCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)
--healthCheckFile <string>File that should be periodically updated if health checking is enabled (default ``)
--healthCheckInterval <duration>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)
--injectConfig <string>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)
--injectValues <string>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)
--kubeconfig <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)
--monitoringPort <int>Webhook monitoring port (default `15014`)
--port <int>Webhook port (default `9443`)
--reconcileWebhookConfigEnable managing webhook configuration.
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)
--webhookConfigName <string>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)
--webhookName <string>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)
-

sidecar-injector probe

-

Check the liveness or readiness of a locally-running server

-
sidecar-injector probe [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--caCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)
--healthCheckFile <string>File that should be periodically updated if health checking is enabled (default ``)
--healthCheckInterval <duration>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)
--injectConfig <string>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)
--injectValues <string>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)
--interval <duration>Duration used for checking the target file's last modified time. (default `0s`)
--kubeconfig <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)
--monitoringPort <int>Webhook monitoring port (default `15014`)
--port <int>Webhook port (default `9443`)
--probe-path <string>Path of the file for checking the availability. (default ``)
--reconcileWebhookConfigEnable managing webhook configuration.
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)
--webhookConfigName <string>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)
--webhookName <string>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)
-

sidecar-injector version

-

Prints out build version information

-
sidecar-injector version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--caCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/root-cert.pem`)
--healthCheckFile <string>File that should be periodically updated if health checking is enabled (default ``)
--healthCheckInterval <duration>Configure how frequently the health check file specified by --healthCheckFile should be updated (default `0s`)
--injectConfig <string>File containing the Istio sidecar injection configuration and template (default `/etc/istio/inject/config`)
--injectValues <string>File containing the Istio sidecar injection values, in yaml format (default `/etc/istio/inject/values`)
--kubeconfig <string>Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, model, rbac, validation] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, model, rbac, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfig <string>File containing the Istio mesh configuration (default `/etc/istio/config/mesh`)
--monitoringPort <int>Webhook monitoring port (default `15014`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--port <int>Webhook port (default `9443`)
--reconcileWebhookConfigEnable managing webhook configuration.
--short-sUse --short=false to generate full version information
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/istio/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/istio/certs/key.pem`)
--webhookConfigName <string>Name of the mutatingwebhookconfiguration resource in Kubernetes. (default `istio-sidecar-injector`)
--webhookName <string>Name of the webhook entry in the webhook config. (default `sidecar-injector.istio.io`)
-

Environment variables

-These environment variables affect the behavior of the sidecar-injector command. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Variable NameTypeDefault ValueDescription
ISTIOD_ADDRStringService name of istiod. If empty the istiod listener, certs will be disabled.
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
PILOT_BLOCK_HTTP_ON_443BooleantrueIf enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic
PILOT_CERT_DIRString
PILOT_CERT_PROVIDERStringistiodthe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DEBUG_ADSZ_CONFIGBooleanfalse
PILOT_DISABLE_XDS_MARSHALING_TO_ANYBooleanfalse
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CRD_VALIDATIONBooleanfalseIf enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_FALLTHROUGH_ROUTEBooleantrueEnableFallthroughRoute provides an option to add a final wildcard match for routes. When ALLOW_ANY traffic policy is used, a Passthrough cluster is used. When REGISTRY_ONLY traffic policy is used, a 502 error is returned.
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_TCP_METADATA_EXCHANGEBooleantrueIf enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalse
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUTTime Duration1sProtocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUTTime Duration0sSpecifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_RESPECT_DNS_TTLBooleantrueIf enabled, DNS based clusters will respect the TTL of the DNS, rather than polling at a fixed rate. This option is only provided for backward compatibility purposes and will be removed in the near future.
PILOT_RESTRICT_POD_UP_TRAFFIC_LOOPBooleantrueIf enabled, this will block inbound traffic from matching outbound listeners, which could result in an infinite loop of traffic. This option is only provided for backward compatibility purposes and will be removed in the near future.
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SCOPE_PUSHESBooleantrueIf enabled, pilot will attempt to limit unnecessary pushes by determining what proxies a config or endpoint update will impact.
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_TRACE_SAMPLINGFloating-Point100Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
TERMINATION_DRAIN_DURATION_SECONDSInteger5The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.
USE_ISTIO_JWT_FILTERBooleanfalseUse the Istio JWT filter for JWT token verification.
-

Exported metrics

- - - - - - - - - - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
endpoint_no_podLastValueEndpoints without an associated pod.
istio_buildLastValueIstio component build info
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener.
pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports
pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
sidecar_injection_failure_totalSumTotal number of failed Side car injection requests.
sidecar_injection_requests_totalSumTotal number of Side car injection requests.
sidecar_injection_skip_totalSumTotal number of skipped injection requests.
sidecar_injection_success_totalSumTotal number of successful Side car injection requests.
diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
index a458cb0fef..3bce80dc6e 100644
--- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
@@ -7,10 +7,54 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 weight: 20
-number_of_entries: 24
+number_of_entries: 74
 ---

Configuration affecting the service mesh as a whole.

+

Affinity

+
+

Mirrors k8s.io.api.core.v1.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
nodeAffinityNodeAffinity + +No +
podAffinityPodAffinity + +No +
podAntiAffinityPodAntiAffinity + +No +
+

AuthenticationPolicy

AuthenticationPolicy defines authentication policy. It can be set for
@@ -55,14 +99,14 @@ policy.

Certificate configures the provision of a certificate and its key. Example 1: key and cert stored in a secret -{ secretName: galley-cert +{ secretName: galley-cert secretNamespace: istio-system dnsNames: - galley.istio-system.svc - galley.mydomain.com } Example 2: key and cert stored in a directory -{ dnsNames: +{ dnsNames: - pilot.istio-system - pilot.istio-system.svc - pilot.mydomain.com
@@ -98,6 +142,155 @@ No

The DNS names for the certificate. A certificate may contain multiple DNS names.

+ + +No + + + + +
+

ClientIPConfig

+
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
timeoutSecondsint32 + +No +
+
+

ComponentSpec

+
+

Configuration for internal components.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
enabledTypeBoolValueForPB +

Selects whether this component is installed.

+ +
+No +
namespacestring +

Namespace for the component.

+ +
+No +
hubstring +

Hub for the component (overrides top level hub setting).

+ +
+No +
tagstring +

Tag for the component (overrides top level tag setting).

+ +
+No +
specTypeInterface +

Arbitrary install time configuration for the component.

+ +
+No +
k8sKubernetesResourcesSpec +

Kubernetes resource spec.

+ +
+No +
+
+

ConfigMapKeySelector

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
localObjectReferenceLocalObjectReference + +No +
keystring + +No +
optionalbool No
@@ -154,6 +347,1133 @@ No

Describes the source of configuration, if nothing is specified default is MCP

+
+No +
+
+

DeploymentStrategy

+
+

Mirrors k8s.io.api.apps.v1.DeploymentStrategy for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
typestring + +No +
rollingUpdateRollingUpdateDeployment + +No +
+
+

EnvVar

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring + +No +
valuestring + +No +
valueFromEnvVarSource + +No +
+
+

EnvVarSource

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
fieldRefObjectFieldSelector + +No +
resourceFieldRefResourceFieldSelector + +No +
configMapKeyRefConfigMapKeySelector + +No +
secretKeyRefSecretKeySelector + +No +
+
+

ExecAction

+
+

Mirrors k8s.io.api.core.v1.ExecAction for unmarshaling.

+ + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
commandstring[] + +No +
+
+

ExternalComponentSpec

+
+

Configuration for external components.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namespacestring +

Namespace for the component.

+ +
+No +
specTypeInterface +

Arbitrary install time configuration for the component.

+ +
+No +
chartPathstring +

Chart path for addon components.

+ +
+No +
schemaAny +

Optional schema to validate spec against.

+ +
+No +
k8sKubernetesResourcesSpec +

Kubernetes resource spec.

+ +
+No +
+
+

GatewaySpec

+
+

Configuration for gateways.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namespacestring +

Namespace for the gateway.

+ +
+No +
namestring +

Name for the gateway.

+ +
+No +
labelmap<string, string> +

Labels for the gateway.

+ +
+No +
hubstring +

Hub for the component (overrides top level hub setting).

+ +
+No +
tagstring +

Tag for the component (overrides top level tag setting).

+ +
+No +
k8sKubernetesResourcesSpec +

Kubernetes resource spec.

+ +
+No +
+
+

HTTPGetAction

+
+

Mirrors k8s.io.api.core.v1.HTTPGetAction for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
pathstring + +No +
portTypeIntOrStringForPB + +No +
hoststring + +No +
schemestring + +No +
httpHeadersHTTPHeader[] + +No +
+
+

HTTPHeader

+
+

Mirrors k8s.io.api.core.v1.HTTPHeader for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring + +No +
valuestring + +No +
+
+

IstioComponentSetSpec

+
+

IstioComponentSpec defines the desired installed state of Istio components.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
pilotComponentSpec + +No +
proxyComponentSpec + +No +
sidecarInjectorComponentSpec + +No +
policyComponentSpec + +No +
telemetryComponentSpec + +No +
citadelComponentSpec + +No +
nodeAgentComponentSpec + +No +
galleyComponentSpec + +No +
cniComponentSpec + +No +
coreDNSComponentSpec + +No +
ingressGatewaysGatewaySpec[] + +No +
egressGatewaysGatewaySpec[] + +No +
extraComponentsmap<string, ExternalComponentSpec> +

Extra addon components which are not explicitly specified above.

+ +
+No +
+
+

IstioOperatorSpec

+
+

IstioOperatorSpec defines the desired installed state of Istio components. +The spec is a used to define a customization of the default profile values that are supplied with each Istio release. +Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio +component values.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
profilestring +

Path or name for the profile e.g. + - minimal (looks in profiles dir for a file called minimal.yaml) + - /tmp/istio/install/values/custom/custom-install.yaml (local file path) +default profile is used if this field is unset.

+ +
+No +
installPackagePathstring +

Path for the install package. e.g. + - /tmp/istio-installer/nightly (local file path)

+ +
+No +
hubstring +

Root for docker image paths e.g. docker.io/istio

+ +
+No +
tagstring +

Version tag for docker images e.g. 1.0.6

+ +
+No +
resourceSuffixstring +

Resource suffix is appended to all resources installed by each component. Used in upgrade scenarios where two +Istio control planes must exist in the same namespace.

+ +
+No +
meshConfigMeshConfig +

Config used by control plane components internally.

+ +
+No +
componentsIstioComponentSetSpec +

Kubernetes resource settings, enablement and component-specific settings that are not internal to the +component.

+ +
+No +
valuesTypeMapStringInterface2 +

Overrides for default values.yaml. This is a validated pass-through to Helm templates. +See the Helm installation options for schema details: https://istio.io/docs/reference/config/installation-options/. +Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This +includes Kubernetes resource settings for components in KubernetesResourcesSpec.

+ +
+No +
unvalidatedValuesTypeMapStringInterface2 +

Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.

+ +
+No +
statusStatus +

Overall status of all components controlled by the operator. +- If all components have status NONE, overall status is NONE. +- If all components are HEALTHY, overall status is HEALTHY. +- If one or more components are RECONCILING and others are HEALTHY, overall status is RECONCILING. +- If one or more components are UPDATING and others are HEALTHY, overall status is UPDATING. +- If components are a mix of RECONCILING, UPDATING and HEALTHY, overall status is UPDATING. +- If any component is in ERROR state, overall status is ERROR.

+ +
+No +
componentStatusmap<string, VersionStatus> +

Individual status of each component controlled by the operator. The map key is the name of the component.

+ +
+No +
+
+

IstioOperatorSpec.Status

+
+

Status describes the current state of a component.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescription
NONE +

Component is not present.

+ +
UPDATING +

Component is being updated to a different version.

+ +
RECONCILING +

Controller has started but not yet completed reconciliation loop for the component.

+ +
HEALTHY +

Component is healthy.

+ +
ERROR +

Component is in an error state.

+ +
+
+

IstioOperatorSpec.VersionStatus

+
+

VersionStatus is the status and version of a component.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
versionstring + +No +
statusStatus + +No +
statusStringstring + +No +
errorstring + +No +
+
+

K8sObjectOverlay

+
+

Patch for an existing k8s resource.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
apiVersionstring +

Resource API version.

+ +
+No +
kindstring +

Resource kind.

+ +
+No +
namestring +

Name of resource. +Namespace is always the component namespace.

+ +
+No +
patchesPathValue[] +

List of patches to apply to resource.

+ +
+No +
+
+

K8sObjectOverlay.PathValue

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
pathstring +

Path of the form a.b:c.e.:f +Where b:c is a list element selector of the form key:value and :f is a list selector of the form :value. +All path intermediate nodes must exist.

+ +
+No +
valueTypeInterface +

Value to add, delete or replace. +For add, the path should be a new leaf. +For delete, value should be unset. +For replace, path should reference an existing node. +All values are strings but are converted into appropriate type based on schema.

+ +
+No +
+
+

KubernetesResourcesSpec

+
+

KubernetesResourcesConfig is a common set of k8s resource configs for components.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
affinityAffinity +

k8s affinity. +https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

+ +
+No +
envEnvVar[] +

Deployment environment variables. +https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

+ +
+No +
hpaSpecHorizontalPodAutoscalerSpec +

k8s HorizontalPodAutoscaler settings. +https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

+ +
+No +
imagePullPolicystring +

k8s imagePullPolicy. +https://kubernetes.io/docs/concepts/containers/images/

+ +
+No +
nodeSelectormap<string, string> +

k8s nodeSelector. +https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

+ +
+No +
podDisruptionBudgetPodDisruptionBudgetSpec +

k8s PodDisruptionBudget settings. +https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

+ +
+No +
podAnnotationsmap<string, string> +

k8s pod annotations. +https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

+ +
+No +
priorityClassNamestring +

k8s priorityclassname. Default for all resources unless overridden. +https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

+ +
+No +
readinessProbeReadinessProbe +

k8s readinessProbe settings. +https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ +k8s.io.api.core.v1.Probe readiness_probe = 9;

+ +
+No +
replicaCountuint32 +

k8s Deployment replicas setting. +https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

+ +
+No +
resourcesResources +

k8s resources settings. +https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

+ +
+No +
serviceServiceSpec +

k8s Service settings. +https://kubernetes.io/docs/concepts/services-networking/service/

+ +
+No +
strategyDeploymentStrategy +

k8s deployment strategy. +https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

+ +
+No +
tolerationsToleration +

k8s toleration +https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

+ +
+No +
overlaysK8sObjectOverlay[] +

Overlays for k8s resources in rendered manifests.

+ +
+No +
+
+

LocalObjectReference

+
+ + + + + + + + + + + + + + - - - - - - - - -
FieldTypeDescriptionRequired
namestring No
@@ -297,8 +1617,7 @@ the first bits of data. For server first protocols like MySQL, MongoDB, etc., Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait
-for the client to send the first bits of data. (MUST BE >=1ms or
-0s to disable)

+for the client to send the first bits of data. (MUST BE >=1ms)

@@ -745,17 +2064,6 @@ No

Configure the provision of certificates.

-
-No -
thriftConfigThriftConfig -

Set configuration for Thrift protocol

-
No @@ -906,45 +2214,6 @@ service registry as well as those defined through ServiceEntries

outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port

-
-
-

MeshConfig.ThriftConfig

-
- - - - - - - - - - - - - - - - - - - - - @@ -1175,6 +2444,391 @@ Yes
FieldTypeDescriptionRequired
rateLimitUrlstring -

Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, -this will enable the rate limit service for destinations that have matching rate -limit configurations.

- -
-No -
rateLimitTimeoutDuration -

Specify thrift rate limit service timeout, in milliseconds. Default is 50ms

- -
-No
+

NodeAffinity

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
requiredDuringSchedulingIgnoredDuringExecutionNodeSelector + +No +
preferredDuringSchedulingIgnoredDuringExecutionPreferredSchedulingTerm[] + +No +
+
+

NodeSelector

+
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
nodeSelectorTermsNodeSelectorTerm[] + +No +
+
+

NodeSelectorRequirement

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
keystring + +No +
operatorstring + +No +
valuesstring[] + +No +
+
+

NodeSelectorTerm

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
matchExpressionsNodeSelectorRequirement[] + +No +
matchFieldsNodeSelectorRequirement[] + +No +
+
+

ObjectFieldSelector

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
apiVersionstring + +No +
fieldPathstring + +No +
+
+

ObjectMeta

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

From k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta.

+ +
+No +
namespacestring + +No +
+
+

PodAffinity

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[] + +No +
preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[] + +No +
+
+

PodAffinityTerm

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
labelSelectorLabelSelector + +No +
namespacesstring[] + +No +
topologyKeystring + +No +
+
+

PodAntiAffinity

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[] + +No +
preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[] + +No +
+
+

PodDisruptionBudgetSpec

+
+

Mirrors k8s.io.api.policy.v1beta1.PodDisruptionBudget for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
minAvailableuint32 + +No +
selectorLabelSelector + +No +
maxUnavailableuint32 + +No +
+
+

PreferredSchedulingTerm

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
weightint32 + +No +
preferenceNodeSelectorTerm + +No +
+

ProxyConfig

ProxyConfig defines variables for individual Envoy instances.

@@ -1471,6 +3125,95 @@ source and destination IP addresses and ports, so that they can be used for adva filtering and manipulation. This mode also configures the sidecar to run with the CAPNETADMIN capability, which is required to use TPROXY.

+ + + + +
+

ReadinessProbe

+
+

Mirrors k8s.io.api.core.v1.Probe for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1547,6 +3290,118 @@ No These auto generated service entries are combination of services and endpoints that are generated by a specific platform e.g. k8

+ + + +
FieldTypeDescriptionRequired
execExecAction + +No +
httpGetHTTPGetAction + +No +
tcpSocketTCPSocketAction + +No +
initialDelaySecondsint32 + +No +
timeoutSecondsint32 + +No +
periodSecondsint32 + +No +
successThresholdint32 + +No +
failureThresholdint32 + +No
+
+

ResourceFieldSelector

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
containerNamestring + +No +
resourcestring + +No +
divisorQuantity + +No +
+
+

Resources

+
+

Mirrors k8s.io.api.core.v1.ResourceRequirements for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
limitsmap<string, string> + +No +
requestsmap<string, string> + +No +
+
+

RollingUpdateDeployment

+
+

Mirrors k8s.io.api.apps.v1.RollingUpdateDeployment for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + @@ -1585,6 +3440,359 @@ No + + + +
FieldTypeDescriptionRequired
maxUnavailableTypeIntOrStringForPB + +No +
maxSurgeTypeIntOrStringForPB + +No

Path of k8s service account JWT path.

+
+No +
+
+

SecretKeySelector

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
localObjectReferenceLocalObjectReference + +No +
keystring + +No +
optionalbool + +No +
+
+

ServicePort

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring + +No +
protocolstring + +No +
portint32 + +No +
targetPortIntOrString + +No +
nodePortint32 + +No +
+
+

ServiceSpec

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
portsServicePort[] + +No +
selectormap<string, string> + +No +
clusterIPstring + +No +
typestring + +No +
externalIPsstring[] + +No +
sessionAffinitystring + +No +
loadBalancerIPstring + +No +
loadBalancerSourceRangesstring[] + +No +
externalNamestring + +No +
externalTrafficPolicystring + +No +
healthCheckNodePortint32 + +No +
publishNotReadyAddressesbool + +No +
sessionAffinityConfigSessionAffinityConfig + +No +
+
+

SessionAffinityConfig

+
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
clientIPClientIPConfig + +No +
+
+

TCPSocketAction

+
+

Mirrors k8s.io.api.core.v1.TCPSocketAction for unmarshaling.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
portTypeIntOrStringForPB + +No +
hoststring + +No +
+
+

Toleration

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
keystring + +No +
operatorstring + +No +
valuestring + +No +
effectstring + +No +
tolerationSecondsint64 No @@ -1789,3 +3997,316 @@ No
+

TypeBoolValueForPB

+
+

GOTYPE: *BoolValueForPB

+ +
+

TypeIntOrStringForPB

+
+

GOTYPE: *IntOrStringForPB

+ +
+

TypeInterface

+
+

GOTYPE: interface{}

+ +
+

TypeMapStringInterface

+
+

GOTYPE: map[string]interface{}

+ +
+

TypeMapStringInterface2

+
+

GOTYPE: map[string]interface{}

+ +
+

WeightedPodAffinityTerm

+
+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
weightint32 + +No +
podAffinityTermPodAffinityTerm + +No +
+
+

k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec

+
+

HorizontalPodAutoscalerSpec describes the desired functionality of the HorizontalPodAutoscaler.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
scaleTargetRefCrossVersionObjectReference +

scaleTargetRef points to the target resource to scale, and is used to the pods for which metrics +should be collected, as well as to actually change the replica count.

+ +
+No +
minReplicasint32 +

minReplicas is the lower limit for the number of replicas to which the autoscaler +can scale down. It defaults to 1 pod. minReplicas is allowed to be 0 if the +alpha feature gate HPAScaleToZero is enabled and at least one Object or External +metric is configured. Scaling is active as long as at least one metric value is +available. ++optional

+ +
+No +
maxReplicasint32 +

maxReplicas is the upper limit for the number of replicas to which the autoscaler can scale up. +It cannot be less that minReplicas.

+ +
+No +
metricsMetricSpec[] +

metrics contains the specifications for which to use to calculate the +desired replica count (the maximum replica count across all metrics will +be used). The desired replica count is calculated multiplying the +ratio between the target value and the current value by the current +number of pods. Ergo, metrics used must decrease as the pod count is +increased, and vice-versa. See the individual metric source types for +more information about how each type of metric must respond. ++optional

+ +
+No +
+
+

k8s.io.apimachinery.pkg.api.resource.Quantity

+
+

Quantity is a fixed-point representation of a number. +It provides convenient marshaling/unmarshaling in JSON and YAML, +in addition to String() and Int64() accessors.

+ +

The serialization format is:

+ +

::= + (Note that may be empty, from the “” case in .) + ::= 0 | 1 | … | 9 + ::= | + ::= | . | . | . + ::= “+” | “-” + ::= | + ::= | | + ::= Ki | Mi | Gi | Ti | Pi | Ei + (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) + ::= m | “” | k | M | G | T | P | E + (Note that 1024 = 1Ki but 1000 = 1k; I didn’t choose the capitalization.) + ::= “e” | “E”

+ +

No matter which of the three exponent forms is used, no quantity may represent +a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal +places. Numbers larger or more precise will be capped or rounded up. +(E.g.: 0.1m will rounded up to 1m.) +This may be extended in the future if we require larger or smaller quantities.

+ +

When a Quantity is parsed from a string, it will remember the type of suffix +it had, and will use the same type again when it is serialized.

+ +

Before serializing, Quantity will be put in “canonical form”. +This means that Exponent/suffix will be adjusted up or down (with a +corresponding increase or decrease in Mantissa) such that: + a. No precision is lost + b. No fractional digits will be emitted + c. The exponent (or suffix) is as large as possible. +The sign will be omitted unless the number is negative.

+ +

Examples: + 1.5 will be serialized as “1500m” + 1.5Gi will be serialized as “1536Mi”

+ +

Note that the quantity will NEVER be internally represented by a +floating point number. That is the whole point of this exercise.

+ +

Non-canonical values will still parse as long as they are well formed, +but will be re-emitted in their canonical form. (So always use canonical +form, or don’t diff.)

+ +

This format is intended to make it difficult to use these numbers without +writing some sort of special handling code in the hopes that that will +cause implementors to also use a fixed point implementation.

+ +

+protobuf=true ++protobuf.embed=string ++protobuf.options.marshal=false ++protobuf.options.(gogoproto.goproto_stringer)=false ++k8s:deepcopy-gen=true ++k8s:openapi-gen=true

+ + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
stringstring + +No +
+
+

k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

+
+

A label selector is a label query over a set of resources. The result of matchLabels and +matchExpressions are ANDed. An empty label selector matches all objects. A null +label selector matches no objects.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
matchLabelsmap<string, string> +

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is “key”, the +operator is “In”, and the values array contains only “value”. The requirements are ANDed. ++optional

+ +
+No +
matchExpressionsLabelSelectorRequirement[] +

matchExpressions is a list of label selector requirements. The requirements are ANDed. ++optional

+ +
+No +
+
+

k8s.io.apimachinery.pkg.util.intstr.IntOrString

+
+

IntOrString is a type that can hold an int32 or a string. When used in +JSON or YAML marshalling and unmarshalling, it produces or consumes the +inner type. This allows you to have, for example, a JSON field that can +accept a name or number. +TODO: Rename to Int32OrString

+ +

+protobuf=true ++protobuf.options.(gogoproto.goproto_stringer)=false ++k8s:openapi-gen=true

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
typeint64 + +No +
intValint32 + +No +
strValstring + +No +
+
diff --git a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html
index de5d730f44..78c10f79ee 100644
--- a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html
@@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.operator.v1alpha1.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 weight: 20
-number_of_entries: 59
+number_of_entries: 60
 ---

Configuration affecting Istio control plane installation version and shape.

@@ -681,7 +681,7 @@ No port -TypeIntOrStringForPB +TypeInterface_kubernetes @@ -2259,7 +2259,7 @@ No targetAverageUtilization -int32 +TypeInterface_kubernetes @@ -2329,7 +2329,7 @@ No maxUnavailable -TypeIntOrStringForPB +TypeInterface_kubernetes @@ -2338,7 +2338,7 @@ No maxSurge -TypeIntOrStringForPB +TypeInterface_kubernetes @@ -2431,7 +2431,7 @@ No targetPort -TypeIntOrStringForPB +TypeInterface_kubernetes @@ -2622,7 +2622,7 @@ No port -TypeIntOrStringForPB +TypeInterface_kubernetes @@ -2660,6 +2660,11 @@ No

GOTYPE: interface{}

+
+

TypeInterface_kubernetes

+
+

GOTYPE: interface{}

+

TypeMapStringInterface

@@ -2919,4 +2924,4 @@ No -
\ No newline at end of file +
diff --git a/content/en/docs/reference/config/networking/destination-rule/index.html b/content/en/docs/reference/config/networking/destination-rule/index.html
index c6828c0a16..8ab6ffd112 100644
--- a/content/en/docs/reference/config/networking/destination-rule/index.html
+++ b/content/en/docs/reference/config/networking/destination-rule/index.html
@@ -744,6 +744,17 @@ Yes

Hash based on the source IP address.

+ + +Yes + + + +httpQueryParameterName +string (oneof) + +

Hash based on a specific HTTP query parameter.

+ Yes diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html index c2511618da..51c1f811e3 100644 --- a/content/en/docs/reference/config/networking/gateway/index.html +++ b/content/en/docs/reference/config/networking/gateway/index.html @@ -654,19 +654,6 @@ Yes these options to control if all http requests should be redirected to https, and the TLS modes to use.

- - -No - - - -defaultEndpoint -string - -

The loopback IP endpoint or Unix domain socket to which traffic should -be forwarded to by default. Format should be 127.0.0.1:PORT or -unix:///path/to/socket or unix://@foobar (Linux abstract namespace).

- No @@ -691,8 +678,9 @@ No httpsRedirect bool -

If set to true, the load balancer will send a 301 redirect for all -http connections, asking the clients to use HTTPS.

+

If set to true, the load balancer will send a 301 redirect for +all http connections, asking the clients to use HTTPS. Not +applicable in Sidecar API.

@@ -756,18 +744,18 @@ No

The credentialName stands for a unique identifier that can be used to identify the serverCertificate and the privateKey. The credentialName appended with suffix “-cacert” is used to identify -the CaCertificates associated with this server. Gateway workloads +the CaCertificates associated with this server. Proxies capable of fetching credentials from a remote credential store such as Kubernetes secrets, will be configured to retrieve the serverCertificate and the privateKey using credentialName, instead of using the file system paths specified above. If using mutual TLS, -gateway workload instances will retrieve the CaCertificates using +proxy instances will retrieve the CaCertificates using credentialName-cacert. The semantics of the name are platform dependent. In Kubernetes, the default Istio supplied credential server expects the credentialName to match the name of the Kubernetes secret that holds the server certificate, the private key, and the CA certificate (if using mutual TLS). Set the -ISTIO_META_USER_SDS metadata variable in the gateway’s proxy to +ISTIO_META_USER_SDS metadata variable in the proxy to enable the dynamic credential fetching feature.

@@ -920,9 +908,11 @@ No PASSTHROUGH -

The SNI string presented by the client will be used as the match -criterion in a VirtualService TLS route to determine the -destination service from the service registry.

+

The SNI string presented by the client will be used as the +match criterion in a VirtualService TLS route to determine +the destination service from the service registry. On a +sidecar, TLS traffic will be forwarded as is to the default +endpoint defined in the Ingress Listener.

@@ -936,36 +926,38 @@ destination service from the service registry.

MUTUAL -

Secure connections to the downstream using mutual TLS by presenting -server certificates for authentication.

+

Secure connections to the downstream using mutual TLS by +presenting server certificates for authentication.

AUTO_PASSTHROUGH -

Similar to the passthrough mode, except servers with this TLS mode -do not require an associated VirtualService to map from the SNI -value to service in the registry. The destination details such as -the service/subset/port are encoded in the SNI value. The proxy -will forward to the upstream (Envoy) cluster (a group of -endpoints) specified by the SNI value. This server is typically -used to provide connectivity between services in disparate L3 -networks that otherwise do not have direct connectivity between -their respective endpoints. Use of this mode assumes that both the -source and the destination are using Istio mTLS to secure traffic.

+

Similar to the passthrough mode, except servers with this TLS +mode do not require an associated VirtualService to map from +the SNI value to service in the registry. The destination +details such as the service/subset/port are encoded in the +SNI value. The proxy will forward to the upstream (Envoy) +cluster (a group of endpoints) specified by the SNI +value. This server is typically used to provide connectivity +between services in disparate L3 networks that otherwise do +not have direct connectivity between their respective +endpoints. Use of this mode assumes that both the source and +the destination are using Istio mTLS to secure traffic. Not +applicable in Sidecar API.

ISTIO_MUTUAL -

Secure connections from the downstream using mutual TLS by presenting -server certificates for authentication. -Compared to Mutual mode, this mode uses certificates, representing -gateway workload identity, generated automatically by Istio for -mTLS authentication. When this mode is used, all other fields in -TLSOptions should be empty.

+

Secure connections from the downstream using mutual TLS by +presenting server certificates for authentication. Compared +to Mutual mode, this mode uses certificates, representing +gateway workload identity, generated automatically by Istio +for mTLS authentication. When this mode is used, all other +fields in TLSOptions should be empty.

diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html index 1c76b6dc18..4b2bec0436 100644 --- a/content/en/docs/reference/config/networking/sidecar/index.html +++ b/content/en/docs/reference/config/networking/sidecar/index.html @@ -31,22 +31,26 @@ workload instance, preference will be given to the resource with a workloadSelector that selects this workload instance, over a Sidecar configuration without any workloadSelector.

-

NOTE 1: Each namespace can have only one Sidecar configuration without any -workloadSelector. The behavior of the system is undefined if more -than one selector-less Sidecar configurations exist in a given namespace. The -behavior of the system is undefined if two or more Sidecar configurations -with a workloadSelector select the same workload instance.

+

NOTE 1: Each namespace can have only one Sidecar +configuration without any workloadSelector that specifies the +default for all pods in that namespace. It is recommended to use +the name default for the namespace-wide sidecar. The behavior of +the system is undefined if more than one selector-less Sidecar +configurations exist in a given namespace. The behavior of the +system is undefined if two or more Sidecar configurations with a +workloadSelector select the same workload instance.

-

NOTE 2: A Sidecar configuration in the MeshConfig +

NOTE 2: A Sidecar configuration in the MeshConfig root namespace will be applied by default to all namespaces without a Sidecar configuration. This global default Sidecar configuration should not have any workloadSelector.

-

The example below declares a global default Sidecar configuration in the -root namespace called istio-config, that configures sidecars in -all namespaces to allow egress traffic only to other workloads in -the same namespace, and to services in the istio-system namespace.

+

The example below declares a global default Sidecar configuration +in the root namespace called istio-config, that configures +sidecars in all namespaces to allow egress traffic only to other +workloads in the same namespace as well as to services in the +istio-system namespace.

{{}} {{}}

@@ -82,11 +86,11 @@ spec:

{{}} {{}}

-

The example below declares a Sidecar configuration in the prod-us1 -namespace that overrides the global default defined above, and -configures the sidecars in the namespace to allow egress traffic to -public services in the prod-us1, prod-apis, and the istio-system -namespaces.

+

The example below declares a Sidecar configuration in the +prod-us1 namespace that overrides the global default defined +above, and configures the sidecars in the namespace to allow egress +traffic to public services in the prod-us1, prod-apis, and the +istio-system namespaces.

{{}} {{}}

@@ -124,12 +128,21 @@ spec:

{{}} {{}}

-

The example below declares a Sidecar configuration in the prod-us1 namespace -that accepts inbound HTTP traffic on port 9080 and forwards -it to the attached workload instance listening on a Unix domain socket. In the -egress direction, in addition to the istio-system namespace, the sidecar -proxies only HTTP traffic bound for port 9080 for services in the -prod-us1 namespace.

+

The following example declares a Sidecar configuration in the +prod-us1 namespace for all pods with labels app: ratings +belonging to the ratings.prod-us1 service. The workload accepts +inbound HTTP traffic on port 9080 without any authentication, and +HTTPS traffic on port 9443 with one-way TLS termination using +custom certificates. To accomplish custom TLS termination on this +workload, the PeerAuthentication security policy must be declared +to disable Istio mutual TLS on these two ports. Any other +auto-generated listener for this workload will still obey the +mutual TLS termination requirements set forth in the +PeerAuthentication policy. The traffic is then forwarded to the +attached workload instance listening on a Unix domain socket. In +the egress direction, in addition to the istio-system namespace, +the sidecar proxies only HTTP traffic bound for port 9080 for +services in the prod-us1 namespace.

{{}} {{}}

@@ -137,15 +150,27 @@ proxies only HTTP traffic bound for port 9080 for services in the
apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
 metadata:
-  name: default
+  name: ratings
   namespace: prod-us1
 spec:
+  workloadSelector:
+    labels:
+      app: ratings
   ingress:
   - port:
       number: 9080
       protocol: HTTP
       name: somename
     defaultEndpoint: unix:///var/run/someuds.sock
+  - port:
+      number: 9443
+      protocol: HTTPS
+      name: httpsport
+    inboundTls:
+      mode: SIMPLE # overrides namespace default
+      serverCertificate: /etc/certs/servercert.pem
+      privateKey: /etc/certs/privatekey.pem
+    defaultEndpoint: unix:///var/run/someuds.sock
   egress:
   - port:
       number: 9080
@@ -164,15 +189,27 @@ spec:
 
apiVersion: networking.istio.io/v1beta1
 kind: Sidecar
 metadata:
-  name: default
+  name: ratings
   namespace: prod-us1
 spec:
+  workloadSelector:
+    labels:
+      app: ratings
   ingress:
   - port:
       number: 9080
       protocol: HTTP
       name: somename
     defaultEndpoint: unix:///var/run/someuds.sock
+  - port:
+      number: 9443
+      protocol: HTTPS
+      name: httpsport
+    inboundTls:
+      mode: SIMPLE # overrides namespace default
+      serverCertificate: /etc/certs/servercert.pem
+      privateKey: /etc/certs/privatekey.pem
+    defaultEndpoint: unix:///var/run/someuds.sock
   egress:
   - port:
       number: 9080
@@ -187,18 +224,94 @@ spec:
 

{{}} {{}}

-

If the workload is deployed without IPTables-based traffic capture, the -Sidecar configuration is the only way to configure the ports on the proxy -attached to the workload instance. The following example declares a Sidecar -configuration in the prod-us1 namespace for all pods with labels -app: productpage belonging to the productpage.prod-us1 service. Assuming -that these pods are deployed without IPtable rules (i.e. the istio-init -container) and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to -NONE, the specification, below, allows such pods to receive HTTP traffic -on port 9080 and forward it to the application listening on -127.0.0.1:8080. It also allows the application to communicate with a -backing MySQL database on 127.0.0.1:3306, that then gets proxied to the -externally hosted MySQL service at mysql.foo.com:3306.

+

and the associated PeerAuthentication security policy to ensure +that mutual TLS based authentication is not configured for ports +9080 and 9443:

+ +
apiVersion: security.istio.io/v1beta1
+kind: PeerAuthentication
+metadata:
+  name: ratings-istio-mtls-exception
+  namespace: prod-us1
+spec:
+  selector:
+    matchLabels:
+      app: ratings
+  # other ports inherit the settings from namespace-wide policy.
+  portLevelMtls:
+    9080:
+      mode: DISABLE
+    9443:
+      mode: DISABLE
+
+ +

and the associated DestinationRule to ensure that the clients use +the appropriate TLS settings:

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: ratings-istio-mtls-exception
+  namespace: prod-us1
+spec:
+  host: ratings.prod-us1.svc.cluster.local
+  trafficPolicy:
+   portLevelSettings:
+   - port:
+       number: 9080
+     tls:
+       mode: DISABLE
+   - port:
+       number: 9443
+     tls:
+       mode: SIMPLE
+       caCertificates: /etc/certs/ca-certs.pem
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+  name: ratings-istio-mtls-exception
+  namespace: prod-us1
+spec:
+  host: ratings.prod-us1.svc.cluster.local
+  trafficPolicy:
+   portLevelSettings:
+   - port:
+       number: 9080
+     tls:
+       mode: DISABLE
+   - port:
+       number: 9443
+     tls:
+       mode: SIMPLE
+       caCertificates: /etc/certs/ca-certs.pem
+
+ +

{{}} +{{}}

+ +

If the workload is deployed without IPTables-based traffic capture, +the Sidecar configuration is the only way to configure the ports +on the proxy attached to the workload instance. The following +example declares a Sidecar configuration in the prod-us1 +namespace for all pods with labels app: productpage belonging to +the productpage.prod-us1 service. Assuming that these pods are +deployed without IPtable rules (i.e. the istio-init container) +and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to +NONE, the specification, below, allows such pods to receive HTTP +traffic on port 9080 (wrapped inside Istio mutual TLS) and forward +it to the application listening on 127.0.0.1:8080. It also allows +the application to communicate with a backing MySQL database on +127.0.0.1:3306, that then gets proxied to the externally hosted +MySQL service at mysql.foo.com:3306.

{{}} {{}}

@@ -315,10 +428,11 @@ outbound traffic on 192.168.0.0/16 subnet. Assume that the VM has a additional network interface on 172.16.0.0/16 subnet for inbound traffic. The following Sidecar configuration allows the VM to expose a listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the -172.16.0.0/16 subnet. Note that in this scenario, the -ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should -contain REDIRECT or TPROXY as its value, implying that IP tables -based traffic capture is active.

+172.16.0.0/16 subnet.

+ +

NOTE: The ISTIO_META_INTERCEPTION_MODE metadata on the +proxy in the VM should contain REDIRECT or TPROXY as its value, +implying that IP tables based traffic capture is active.

{{}} {{}}

@@ -607,6 +721,20 @@ connections. Format should be 127.0.0.1:PORT or unix:///path/ Yes + +inboundTls +TLSOptions + +

Overrides Sidecar level inboundTls settings. Has same +restrictions as the Sidecar level inboundTls, +i.e. PeerAuthentication policy takes precedance unless explicitly +disabled.

+ + + +No + + @@ -723,23 +851,43 @@ No IstioEgressListener[]

Egress specifies the configuration of the sidecar for processing -outbound traffic from the attached workload instance to other services in the -mesh.

+outbound traffic from the attached workload instance to other +services in the mesh. If not specified, inherits the system +detected defaults from the namespace-wide or the global default Sidecar.

-Yes +No outboundTrafficPolicy OutboundTrafficPolicy -

This allows to configure the outbound traffic policy. -If your application uses one or more external -services that are not known apriori, setting the policy to ALLOW_ANY -will cause the sidecars to route any unknown traffic originating from -the application to its requested destination.

+

Configuration for the outbound traffic policy. If your +application uses one or more external services that are not known +apriori, setting the policy to ALLOW_ANY will cause the +sidecars to route any unknown traffic originating from the +application to its requested destination. If not specified, +inherits the system detected defaults from the namespace-wide or +the global default Sidecar.

+ + + +No + + + +inboundTls +TLSOptions + +

Set of TLS related options that allow a listener to terminate +SIMPLE or MUTUAL TLS connections at the +sidecar. PeerAuthentication policy’s settings take precedance +over custom TLS settings for the workload. When the +PeerAuthentication policy disables mTLS tunneling for one or more +ports in the workload, the TLS settings specified here will be +applied.

diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index a0a553ed5c..369780eb56 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -1068,7 +1068,8 @@ e.g. x-request-id.

  • regex: "value" for ECMAscript style regex-based match

  • -

    Note: The keys uri, scheme, method, and authority will be ignored.

    +

    If the value is empty and only the name of header is specfied, presence of the header is checked. +Note: The keys uri, scheme, method, and authority will be ignored.

    @@ -1146,6 +1147,31 @@ No

    Note: The case will be ignored only in the case of exact and prefix URI matches.

    + + +No + + + +withoutHeaders +map<string, StringMatch> + +

    withoutHeader has the same syntax with the header, but has opposite meaning. +If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

    + + + +No + + + +sourceNamespace +string + +

    Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, +it must include the reserved gateway mesh for this field to be applicable.

    + No @@ -1352,6 +1378,18 @@ One or more policies can be specified using a ‘,’ delimited list. See the retry policies and gRPC retry policies for more details.

    + + +No + + + +retryRemoteLocalities +BoolValue + +

    Flag to specify whether the retries should retry to other localities. +See the retry plugin configuration for more details.

    + No @@ -1989,6 +2027,19 @@ No in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    + + +No + + + +sourceNamespace +string + +

    Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, +it must include the reserved gateway mesh for this field to be applicable.

    + No @@ -2309,6 +2360,19 @@ No in the top-level gateways field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.

    + + +No + + + +sourceNamespace +string + +

    Source namespace constraining the applicability of a rule to workloads in that namespace. +If the VirtualService has a list of gateways specified in the top-level gateways field, +it must include the reserved gateway mesh for this field to be applicable.

    + No
diff --git a/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html b/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
index db4b4f2967..dab4adb58b 100644
--- a/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
+++ b/content/en/docs/reference/config/policy-and-telemetry/istio.mixer.v1.config.client/index.html
@@ -1320,7 +1320,7 @@ specialized Mixer adapters and services can also generate attributes.

    here.

    Attributes are strongly typed. The supported attribute types are defined by -ValueType. +ValueType. Each type of value is encoded into one of the so-called transport types present in this message.

    diff --git a/content/en/docs/reference/config/security/istio.authentication.v1alpha1/index.html b/content/en/docs/reference/config/security/istio.authentication.v1alpha1/index.html
index af5a0ef470..e51781794f 100644
--- a/content/en/docs/reference/config/security/istio.authentication.v1alpha1/index.html
+++ b/content/en/docs/reference/config/security/istio.authentication.v1alpha1/index.html
@@ -9,55 +9,10 @@ generator: protoc-gen-docs
 schema: istio.authentication.v1alpha1.Policy
 weight: 10
 aliases: [/docs/reference/config/istio.authentication.v1alpha1]
-number_of_entries: 4
+number_of_entries: 2
 ---

    This package defines user-facing authentication policy.

    -

    MutualTls

    -
    -

    TLS authentication params.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    modeMode -

    Defines the mode of mTLS authentication.

    - -
    -No -
    allowTlsbool -

    Deprecated. Please use mode = PERMISSIVE instead. -If set, will translate to TLS_PERMISSIVE mode. -Set this flag to true to allow regular TLS (i.e without client x509 -certificate). If request carries client certificate, identity will be -extracted and used (set to peer identity). Otherwise, peer identity will -be left unset. -When the flag is false (default), request must have client certificate.

    - -
    -No -
    -

    MutualTls.Mode

    Defines the acceptable connection TLS mode.

    @@ -82,37 +37,6 @@ No

    Connection can be either plaintext or TLS with Client cert.

    - - - - -
    -

    PeerAuthenticationMethod

    -
    -

    PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported -at the moment. -The type can be progammatically determine by checking the type of the -“params” field.

    @@ -201,21 +125,6 @@ spec: - - - - - -
diff --git a/scripts/grab_reference_docs.sh b/scripts/grab_reference_docs.sh
index 5c4732c95a..1bea336b6c 100755
--- a/scripts/grab_reference_docs.sh
+++ b/scripts/grab_reference_docs.sh
@@ -48,7 +48,6 @@ COMPONENTS=(
 https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@istioctl/cmd/istioctl@istioctl
 https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-agent@pilot-agent
 https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-discovery@pilot-discovery
- https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@sidecar-injector/cmd/sidecar-injector@sidecar-injector
 https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@security/cmd/istio_ca@istio_ca
 https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@security/cmd/node_agent@node_agent
 https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@galley/cmd/galley@galley
diff --git a/static/operator.yaml b/static/operator.yaml
index cc423fc60f..e045b2c527 100644
--- a/static/operator.yaml
+++ b/static/operator.yaml
@@ -3,6 +3,13 @@ apiVersion: v1
 kind: Namespace
 metadata:
 name: istio-operator
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: istio-system
+ labels:
+ istio-injection: disabled
 ...
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
@@ -25,7 +32,7 @@ spec:
 singular: istiooperator
 shortNames:
 - iop
-
+...
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -196,7 +203,7 @@ spec:
 serviceAccountName: istio-operator
 containers:
 - name: istio-operator
- image: docker.io/istio/operator:1.5.0-beta.4
+ image: gcr.io/istio-testing/operator:1.6-dev
 command:
 - operator
 - server
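Review bot: The `image:` line in the last static/operator.yaml hunk replaces the pinned release tag `docker.io/istio/operator:1.5.0-beta.4` with `gcr.io/istio-testing/operator:1.6-dev`, a mutable development tag in a testing registry, so anyone applying this static manifest runs whatever content sits behind that tag at install time with nothing in the file to verify it against. If the manifest is meant to track a development build, say so next to the line, e.g. `# development build: 1.6-dev is a mutable tag; pin an immutable tag or an image digest before use outside development`; otherwise pin it by digest, `image: gcr.io/istio-testing/operator@sha256:<digest-placeholder>`. The first hunk also starts creating the `istio-system` Namespace with `istio-injection: disabled`, and a one-line comment on why this operator manifest now owns that namespace would help readers who apply it into a cluster where `istio-system` already exists.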
    FieldTypeDescriptionRequired
    mtlsMutualTls (oneof) -

    Set if mTLS is used.

    - -
    -Yes
    peersPeerAuthenticationMethod[] -

    List of authentication methods that can be used for peer authentication. -They will be evaluated in order; the first validate one will be used to -set peer identity (source.user) and other peer attributes. If none of -these methods pass, request will be rejected with authentication failed error (401). -Leave the list empty if peer authentication is not required

    - -
    -No -
    targets TargetSelector[]