Automator: update istio.io@ reference docs (#15373)

content/en/docs/reference/config/networking/virtual-service/index.html

@@ -542,6 +542,11 @@ No
 <td><code><a href="#HTTPRetry">HTTPRetry</a></code></td>
 <td>
 <p>Retry policy for HTTP requests.</p>
+<p>Note: the default cluster-wide retry policy, if not specified, is:</p>
+<pre><code class="language-yaml">attempts: 2
+retryOn: &quot;connect-failure,refused-stream,unavailable,cancelled,503&quot;
+</code></pre>
+<p>This can be customized in <a href="/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig"><code>Mesh Config</code> <code>defaultHttpRetryPolicy</code></a>.</p>
 
 </td>
 <td>
@@ -2064,9 +2069,13 @@ No
 <td>
 <p>Specifies the conditions under which retry takes place.
 One or more policies can be specified using a ‘,’ delimited list.
-If <code>retry_on</code> specifies a valid HTTP status, it will be added to retriable_status_codes retry policy.
 See the <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on">retry policies</a>
 and <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on">gRPC retry policies</a> for more details.</p>
+<p>In addition to the policies specified above, a list of HTTP status codes can be passed, such as <code>retryOn: &quot;503,reset&quot;</code>.
+Note these status codes refer to the actual responses received from the destination.
+For example, if a connection is reset, Istio will translate this to 503 for it&rsquo;s response.
+However, the destination did not return a 503 error, so this would not match <code>&quot;503&quot;</code> (it would, however, match <code>&quot;reset&quot;</code>).</p>
+<p>If not specified, this defaults to <code>connect-failure,refused-stream,unavailable,cancelled,503</code>.</p>
 
 </td>
 <td>

content/en/docs/reference/config/security/peer_authentication/index.html

@@ -12,12 +12,15 @@ number_of_entries: 3
 ---
 <h2 id="PeerAuthentication">PeerAuthentication</h2>
 <section>
-<p>{{&lt; warning &gt;}}
+<p>PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.</p>
-Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
+<p>In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
-{{&lt; /warning &gt;}}
+for connections to an Envoy proxy sidecar.</p>
-PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.</p>
+<p>In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+(Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+Because of this, <code>DISABLE</code> mode is not supported.
+<code>STRICT</code> mode is useful to ensure that connections that bypass the mesh are not possible.</p>
 <p>Examples:</p>
-<p>Policy to allow mTLS traffic for all workloads under namespace <code>foo</code>:</p>
+<p>Policy to require mTLS traffic for all workloads under namespace <code>foo</code>:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: PeerAuthentication
 metadata:

content/zh/docs/reference/config/networking/virtual-service/index.html

@@ -542,6 +542,11 @@ No
 <td><code><a href="#HTTPRetry">HTTPRetry</a></code></td>
 <td>
 <p>Retry policy for HTTP requests.</p>
+<p>Note: the default cluster-wide retry policy, if not specified, is:</p>
+<pre><code class="language-yaml">attempts: 2
+retryOn: &quot;connect-failure,refused-stream,unavailable,cancelled,503&quot;
+</code></pre>
+<p>This can be customized in <a href="/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig"><code>Mesh Config</code> <code>defaultHttpRetryPolicy</code></a>.</p>
 
 </td>
 <td>
@@ -2064,9 +2069,13 @@ No
 <td>
 <p>Specifies the conditions under which retry takes place.
 One or more policies can be specified using a ‘,’ delimited list.
-If <code>retry_on</code> specifies a valid HTTP status, it will be added to retriable_status_codes retry policy.
 See the <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on">retry policies</a>
 and <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on">gRPC retry policies</a> for more details.</p>
+<p>In addition to the policies specified above, a list of HTTP status codes can be passed, such as <code>retryOn: &quot;503,reset&quot;</code>.
+Note these status codes refer to the actual responses received from the destination.
+For example, if a connection is reset, Istio will translate this to 503 for it&rsquo;s response.
+However, the destination did not return a 503 error, so this would not match <code>&quot;503&quot;</code> (it would, however, match <code>&quot;reset&quot;</code>).</p>
+<p>If not specified, this defaults to <code>connect-failure,refused-stream,unavailable,cancelled,503</code>.</p>
 
 </td>
 <td>

content/zh/docs/reference/config/security/peer_authentication/index.html

@@ -12,12 +12,15 @@ number_of_entries: 3
 ---
 <h2 id="PeerAuthentication">PeerAuthentication</h2>
 <section>
-<p>{{&lt; warning &gt;}}
+<p>PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.</p>
-Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
+<p>In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
-{{&lt; /warning &gt;}}
+for connections to an Envoy proxy sidecar.</p>
-PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.</p>
+<p>In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
+(Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
+Because of this, <code>DISABLE</code> mode is not supported.
+<code>STRICT</code> mode is useful to ensure that connections that bypass the mesh are not possible.</p>
 <p>Examples:</p>
-<p>Policy to allow mTLS traffic for all workloads under namespace <code>foo</code>:</p>
+<p>Policy to require mTLS traffic for all workloads under namespace <code>foo</code>:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: PeerAuthentication
 metadata: