Automator: update istio.io@ reference docs (#16088)

content/en/docs/reference/commands/install-cni/index.html

@@ -488,6 +488,12 @@ These environment variables affect the behavior of the <code>install-cni</code>
 <td>If enabled, status messages for ambient mode will be written to resources. Currently, this does not do leader election, so may be unsafe to enable with multiple replicas.</td>
 </tr>
 <tr>
+<td><code>AMBIENT_USE_SCOPED_XTABLES_LOCKING</code></td>
+<td>Boolean</td>
+<td><code>true</code></td>
+<td></td>
+</tr>
+<tr>
 <td><code>BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS</code></td>
 <td>Boolean</td>
 <td><code>true</code></td>

content/en/docs/reference/config/istio.mesh.v1alpha1/index.html

@@ -64,7 +64,7 @@ No
 <td><code><a href="#MeshConfig-connect_timeout">connectTimeout</a></code></td>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
-<p>Connection timeout used by Envoy. (MUST BE &gt;=1ms)
+<p>Connection timeout used by Envoy. (MUST be &gt;=1ms)
 Default timeout is 10s.</p>
 
 </td>
@@ -786,7 +786,7 @@ No
 <td><code><a href="/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
 <td>
 <p>Use the tlsSettings to specify the tls mode to use. If the MCP server
-uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
 mode as <code>ISTIO_MUTUAL</code>.</p>
 
 </td>
@@ -3089,7 +3089,7 @@ No
 <td><code><a href="/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
 <td>
 <p>Use the tlsSettings to specify the tls mode to use. If the remote tracing service
-uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
 mode as <code>ISTIO_MUTUAL</code>.</p>
 
 </td>
@@ -3183,7 +3183,7 @@ No
 <h2 id="PrivateKeyProvider">PrivateKeyProvider</h2>
 <section>
 <p>PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
-mesh wide or individual per-workload basis.</p>
+mesh-wide or individual per-workload basis.</p>
 
 <table class="message-fields">
 <thead>
@@ -3224,7 +3224,7 @@ No
 <section>
 <p>ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
 as well as by the mesh-wide defaults.
-To set the mesh wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p>
+To set the mesh-wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p>
 <pre><code>meshConfig:
   defaultConfig:
     discoveryAddress: istiod:15012
@@ -3372,7 +3372,7 @@ No
 <td><code>string</code></td>
 <td>
 <p>File path of custom proxy configuration, currently used by proxies
-in front of Mixer and Pilot.</p>
+in front of istiod.</p>
 
 </td>
 <td>
@@ -3668,7 +3668,9 @@ Note: currently all headers are enabled by default.</p>
 <pre><code class="language-yaml">proxyHeaders:
   server:
     value: &quot;my-custom-server&quot;
-  requestId: {} // Explicitly enable Request IDs. As this is the default, this has no effect.
+  # Explicitly enable Request IDs.
+  # As this is the default, this has no effect.
+  requestId: {}
   attemptCount:
     disabled: true
 </code></pre>
@@ -3741,7 +3743,7 @@ No
 <td><code><a href="/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
 <td>
 <p>Use the <code>tlsSettings</code> to specify the tls mode to use. If the remote service
-uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
 mode as <code>ISTIO_MUTUAL</code>.</p>
 
 </td>
@@ -4546,7 +4548,7 @@ use mTLS.</p>
 <td><code><a href="#Network-IstioNetworkGateway-registry_service_name">registryServiceName</a></code></td>
 <td><code>string (oneof)</code></td>
 <td>
-<p>A fully qualified domain name of the gateway service.  Pilot will
+<p>A fully qualified domain name of the gateway service.  istiod will
 lookup the service from the service registries in the network and
 obtain the endpoint IPs of the gateway from the service
 registry. Note that while the service name is a fully qualified

content/en/docs/reference/config/networking/destination-rule/index.html

@@ -123,9 +123,9 @@ instead of “reviews.default.svc.cluster.local”), Istio will interpre
 the short name based on the namespace of the rule, not the service. A
 rule in the “default” namespace containing a host “reviews” will be
 interpreted as “reviews.default.svc.cluster.local”, irrespective of
-the actual namespace associated with the reviews service. <em>To avoid
+the actual namespace associated with the reviews service. To avoid
 potential misconfigurations, it is recommended to always use fully
-qualified domain names over short names.</em></p>
+qualified domain names over short names.</p>
 <p>Note that the host field applies to both HTTP and TCP services.</p>
 
 </td>
@@ -454,7 +454,7 @@ No
 <td><code><a href="#LoadBalancerSettings-locality_lb_setting">localityLbSetting</a></code></td>
 <td><code><a href="#LocalityLoadBalancerSetting">LocalityLoadBalancerSetting</a></code></td>
 <td>
-<p>Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed
+<p>Locality load balancer settings, this will override mesh-wide settings in entirety, meaning no merging would be performed
 between this object and the object one in MeshConfig</p>
 
 </td>
@@ -655,7 +655,7 @@ spec:
 <td><code>bool</code></td>
 <td>
 <p>Determines whether to distinguish local origin failures from external errors. If set to true
-consecutive_local_origin_failure is taken into account for outlier detection calculations.
+<code>consecutiveLocalOriginFailures</code> is taken into account for outlier detection calculations.
 This should be used when you want to derive the outlier detection status based on the errors
 seen locally such as failure to connect, timeout while connecting etc. rather than the status code
 returned by upstream service. This is especially useful when the upstream service explicitly returns
@@ -673,7 +673,7 @@ No
 <td><code><a href="#google-protobuf-UInt32Value">UInt32Value</a></code></td>
 <td>
 <p>The number of consecutive locally originated failures before ejection
-occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors
+occurs. Defaults to 5. Parameter takes effect only when <code>splitExternalLocalOriginErrors</code>
 is set to true.</p>
 
 </td>
@@ -691,11 +691,11 @@ code qualifies as a gateway error. When the upstream host is accessed over
 an opaque TCP connection, connect timeouts and connection error/failure
 events qualify as a gateway error.
 This feature is disabled by default or when set to the value 0.</p>
-<p>Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+<p>Note that <code>consecutiveGatewayErrors</code> and <code>consecutive5xxErrors</code> can be
 used separately or together. Because the errors counted by
-consecutive_gateway_errors are also included in consecutive_5xx_errors,
-if the value of consecutive_gateway_errors is greater than or equal to
-the value of consecutive_5xx_errors, consecutive_gateway_errors will have
+<code>consecutiveGatewayErrors</code> are also included in <code>consecutive5xxErrors</code>,
+if the value of <code>consecutiveGatewayErrors</code> is greater than or equal to
+the value of <code>consecutive5xxErrors</code>, <code>consecutiveGatewayErrors</code> will have
 no effect.</p>
 
 </td>
@@ -712,11 +712,11 @@ When the upstream host is accessed over an opaque TCP connection, connect
 timeouts, connection error/failure and request failure events qualify as a
 5xx error.
 This feature defaults to 5 but can be disabled by setting the value to 0.</p>
-<p>Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+<p>Note that <code>consecutiveGatewayErrors</code> and <code>consecutive5xxErrors</code> can be
 used separately or together. Because the errors counted by
-consecutive_gateway_errors are also included in consecutive_5xx_errors,
-if the value of consecutive_gateway_errors is greater than or equal to
-the value of consecutive_5xx_errors, consecutive_gateway_errors will have
+<code>consecutiveGatewayErrors</code> are also included in <code>consecutive5xxErrors</code>,
+if the value of <code>consecutiveGatewayErrors</code> is greater than or equal to
+the value of <code>consecutive5xxErrors</code>, <code>consecutiveGatewayErrors</code> will have
 no effect.</p>
 
 </td>
@@ -729,7 +729,7 @@ No
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
 <p>Time interval between ejection sweep analysis. format:
-1h/1m/1s/1ms. MUST BE &gt;=1ms. Default is 10s.</p>
+1h/1m/1s/1ms. MUST be &gt;=1ms. Default is 10s.</p>
 
 </td>
 <td>
@@ -744,7 +744,7 @@ No
 equal to the product of minimum ejection duration and the number of
 times the host has been ejected. This technique allows the system to
 automatically increase the ejection period for unhealthy upstream
-servers. format: 1h/1m/1s/1ms. MUST BE &gt;=1ms. Default is 30s.</p>
+servers. format: 1h/1m/1s/1ms. MUST be &gt;=1ms. Default is 30s.</p>
 
 </td>
 <td>
@@ -768,7 +768,7 @@ No
 <td><code>int32</code></td>
 <td>
 <p>Outlier detection will be enabled as long as the associated load balancing
-pool has at least min_health_percent hosts in healthy mode. When the
+pool has at least <code>minHealthPercent</code> hosts in healthy mode. When the
 percentage of healthy hosts in the load balancing pool drops below this
 threshold, outlier detection will be disabled and the proxy will load balance
 across all hosts in the pool (healthy and unhealthy). The threshold can be
@@ -926,8 +926,8 @@ No
 <p>A list of alternate names to verify the subject identity in the
 certificate. If specified, the proxy will verify that the server
 certificate&rsquo;s subject alt name matches one of the specified values.
-If specified, this list overrides the value of subject_alt_names
-from the ServiceEntry. If unspecified, automatic validation of upstream
+If specified, this list overrides the value of <code>subjectAltNames</code>
+from the <code>ServiceEntry</code>. If unspecified, automatic validation of upstream
 presented certificate for new upstream connections will be done based on the
 downstream HTTP host/authority header.</p>
 
@@ -990,13 +990,13 @@ specified using arbitrary labels that designate a hierarchy of localities in
 {region}/{zone}/{sub-zone} form. For additional detail refer to
 <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight">Locality Weight</a>
 The following example shows how to setup locality weights mesh-wide.</p>
-<p>Given a mesh with workloads and their service deployed to &ldquo;us-west/zone1/<em>&rdquo;
-and &ldquo;us-west/zone2/</em>&rdquo;. This example specifies that when traffic accessing a
-service originates from workloads in &ldquo;us-west/zone1/<em>&rdquo;, 80% of the traffic
-will be sent to endpoints in &ldquo;us-west/zone1/</em>&rdquo;, i.e the same zone, and the
-remaining 20% will go to endpoints in &ldquo;us-west/zone2/<em>&rdquo;. This setup is
+<p>Given a mesh with workloads and their service deployed to &ldquo;us-west/zone1/*&rdquo;
+and &ldquo;us-west/zone2/*&rdquo;. This example specifies that when traffic accessing a
+service originates from workloads in &ldquo;us-west/zone1/*&rdquo;, 80% of the traffic
+will be sent to endpoints in &ldquo;us-west/zone1/*&rdquo;, i.e the same zone, and the
+remaining 20% will go to endpoints in &ldquo;us-west/zone2/*&rdquo;. This setup is
 intended to favor routing traffic to endpoints in the same locality.
-A similar setting is specified for traffic originating in &ldquo;us-west/zone2/</em>&rdquo;.</p>
+A similar setting is specified for traffic originating in &ldquo;us-west/zone2/*&rdquo;.</p>
 <pre><code class="language-yaml">  distribute:
     - from: us-west/zone1/*
       to:
@@ -1022,7 +1022,6 @@ and similarly us-west should failover to us-east.</p>
    - from: us-west
      to: us-east
 </code></pre>
-<p>Locality load balancing settings.</p>
 
 <table class="message-fields">
 <thead>
@@ -1138,8 +1137,8 @@ No
 <td><code><a href="#LocalityLoadBalancerSetting-enabled">enabled</a></code></td>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
 <td>
-<p>enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
-e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.</p>
+<p>Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety.
+e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.</p>
 
 </td>
 <td>
@@ -1239,11 +1238,13 @@ No
 <td><code>string</code></td>
 <td>
 <p>Specifies which protocol to use for tunneling the downstream connection.
-Supported protocols are:
-CONNECT - uses HTTP CONNECT;
-POST - uses HTTP POST.
-CONNECT is used by default if not specified.
-HTTP version for upstream requests is determined by the service protocol defined for the proxy.</p>
+Supported protocols are:</p>
+<ul>
+<li>CONNECT - uses HTTP CONNECT;</li>
+<li>POST - uses HTTP POST.</li>
+</ul>
+<p>CONNECT is used by default if not specified.</p>
+<p>HTTP version for upstream requests is determined by the service protocol defined for the proxy.</p>
 
 </td>
 <td>
@@ -1554,7 +1555,7 @@ No
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
 <p>TCP connection timeout. format:
-1h/1m/1s/1ms. MUST BE &gt;=1ms. Default is 10s.</p>
+1h/1m/1s/1ms. MUST be &gt;=1ms. Default is 10s.</p>
 
 </td>
 <td>
@@ -1577,7 +1578,7 @@ No
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
 <p>The maximum duration of a connection. The duration is defined as the period since a connection
-was established. If not set, there is no max duration. When max_connection_duration
+was established. If not set, there is no max duration. When <code>maxConnectionDuration</code>
 is reached the connection will be closed. Duration must be at least 1ms.</p>
 
 </td>
@@ -1705,7 +1706,7 @@ No
 <td><code>bool</code></td>
 <td>
 <p>If set to true, client protocol will be preserved while initiating connection to backend.
-Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client
+Note that when this is set to true, <code>h2UpgradePolicy</code> will be ineffective i.e. the client
 connections will not be upgraded to http2.</p>
 
 </td>

content/en/docs/reference/config/networking/envoy-filter/index.html

@@ -11,7 +11,7 @@ aliases: [/docs/reference/config/networking/v1alpha3/envoy-filter]
 number_of_entries: 18
 ---
 <p><code>EnvoyFilter</code> provides a mechanism to customize the Envoy
-configuration generated by Istio Pilot. Use EnvoyFilter to modify
+configuration generated by istiod. Use EnvoyFilter to modify
 values for certain fields, add specific filters, or even add
 entirely new listeners, clusters, etc. This feature must be used
 with care, as incorrect configurations could potentially
@@ -357,7 +357,7 @@ spec:
 <h2 id="EnvoyFilter">EnvoyFilter</h2>
 <section>
 <p>EnvoyFilter provides a mechanism to customize the Envoy configuration
-generated by Istio Pilot.</p>
+generated by istiod.</p>
 
 <table class="message-fields">
 <thead>
@@ -469,7 +469,7 @@ No
 used to select proxies using a specific version of istio
 proxy. The Istio version for a given proxy is obtained from the
 node metadata field <code>ISTIO_VERSION</code> supplied by the proxy when
-connecting to Pilot. This value is embedded as an environment
+connecting to istiod. This value is embedded as an environment
 variable (<code>ISTIO_META_ISTIO_VERSION</code>) in the Istio proxy docker
 image. Custom proxy implementations should provide this metadata
 variable to take advantage of the Istio version check option.</p>
@@ -484,9 +484,9 @@ No
 <td><code>map&lt;string,&nbsp;string&gt;</code></td>
 <td>
 <p>Match on the node metadata supplied by a proxy when connecting
-to Istio Pilot. Note that while Envoy&rsquo;s node metadata is of
+to istiod. Note that while Envoy&rsquo;s node metadata is of
 type Struct, only string key-value pairs are processed by
-Pilot. All keys specified in the metadata must match with exact
+istiod. All keys specified in the metadata must match with exact
 values. The match will fail if any of the specified keys are
 absent or the values fail to match.</p>
 
@@ -716,7 +716,7 @@ No
 <td><code>string</code></td>
 <td>
 <p>Match a specific listener by its name. The listeners generated
-by Pilot are typically named as IP:Port.</p>
+by istiod are typically named as IP:Port.</p>
 
 </td>
 <td>
@@ -796,7 +796,7 @@ to the generated configuration for a given proxy.</p>
 <td><code><a href="#EnvoyFilter-EnvoyConfigObjectMatch-context">context</a></code></td>
 <td><code><a href="#EnvoyFilter-PatchContext">PatchContext</a></code></td>
 <td>
-<p>The specific config generation context to match on. Istio Pilot
+<p>The specific config generation context to match on. istiod
 generates envoy configuration in the context of a gateway,
 inbound traffic to sidecar and outbound traffic from sidecar.</p>
 

content/en/docs/reference/config/networking/gateway/index.html

@@ -407,7 +407,7 @@ Yes
 <td><code>string</code></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
 TLS can be either used to terminate non-HTTP based connections on a specific port
 or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
 

content/en/docs/reference/config/networking/proxy-config/index.html

@@ -54,7 +54,7 @@ spec:
     imageType: debug
 </code></pre>
 <p>If a <code>ProxyConfig</code> CR is defined that matches a workload it will merge with its <code>proxy.istio.io/config</code> annotation if present,
-with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide <code>ProxyConfig</code> CR is defined and
+with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh-wide <code>ProxyConfig</code> CR is defined and
 <code>meshConfig.DefaultConfig</code> is set, the two resources will be merged with the CR taking precedence for overlapping fields.</p>
 
 <h2 id="ProxyConfig">ProxyConfig</h2>

content/en/docs/reference/config/networking/service-entry/index.html

@@ -553,7 +553,7 @@ Yes
 <td><code>string</code></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
 TLS implies the connection will be routed based on the SNI header to
 the destination without terminating the TLS connection.</p>
 
@@ -652,7 +652,7 @@ No
 </section>
 <h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
 <section>
-<p>minor abstraction to allow for adding hostnames if relevant</p>
+<p>A minor abstraction to allow for adding hostnames if relevant.</p>
 
 <table class="message-fields">
 <thead>
@@ -668,7 +668,7 @@ No
 <td><code><a href="#ServiceEntryAddress-value">value</a></code></td>
 <td><code>string</code></td>
 <td>
-<p>Value is the address (192.168.0.2)</p>
+<p>The address (e.g. 192.168.0.2)</p>
 
 </td>
 <td>
@@ -679,7 +679,7 @@ No
 <td><code><a href="#ServiceEntryAddress-host">host</a></code></td>
 <td><code>string</code></td>
 <td>
-<p>Host is the name associated with this address</p>
+<p>The host name associated with this address</p>
 
 </td>
 <td>

content/en/docs/reference/config/networking/sidecar/index.html

@@ -716,7 +716,7 @@ No
 <td><code>string</code></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
 TLS can be either used to terminate non-HTTP based connections on a specific port
 or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
 

content/en/docs/reference/config/networking/virtual-service/index.html

@@ -2042,7 +2042,7 @@ spec:
 between retries will be determined automatically (25ms+). When request
 <code>timeout</code> of the <a href="/docs/reference/config/networking/virtual-service/#HTTPRoute">HTTP route</a>
 or <code>per_try_timeout</code> is configured, the actual number of retries attempted also depends on
-the specified request <code>timeout</code> and <code>per_try_timeout</code> values. MUST BE &gt;= 0. If <code>0</code>, retries will be disabled.
+the specified request <code>timeout</code> and <code>per_try_timeout</code> values. MUST be &gt;= 0. If <code>0</code>, retries will be disabled.
 The maximum possible number of requests made will be 1 + <code>attempts</code>.</p>
 
 </td>
@@ -2054,7 +2054,7 @@ No
 <td><code><a href="#HTTPRetry-per_try_timeout">perTryTimeout</a></code></td>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
-<p>Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE &gt;=1ms.
+<p>Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be &gt;=1ms.
 Default is same value as request
 <code>timeout</code> of the <a href="/docs/reference/config/networking/virtual-service/#HTTPRoute">HTTP route</a>,
 which means no timeout.</p>

content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html

@@ -12,7 +12,7 @@ number_of_entries: 9
 ---
 <p>WasmPlugins provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>
-<p>Order of execution (as part of Envoy&rsquo;s filter chain) is determined by
+<p>The order of execution (as part of Envoy&rsquo;s filter chain) is determined by
 phase and priority settings, allowing the configuration of complex
 interactions between user-supplied WasmPlugins and Istio&rsquo;s internal
 filters.</p>
@@ -171,7 +171,7 @@ spec:
 
 <h2 id="WasmPlugin">WasmPlugin</h2>
 <section>
-<p>WasmPlugins provides a mechanism to extend the functionality provided by
+<p>WasmPlugin provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>
 
 <table class="message-fields">
@@ -676,7 +676,7 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
 <tr id="EnvValueSource-HOST">
 <td><code><a href="#EnvValueSource-HOST">HOST</a></code></td>
 <td>
-<p><em>Istio-proxy&rsquo;s</em> environment variables exposed to this VM.</p>
+<p>Proxy environment variables exposed to this VM.</p>
 
 </td>
 </tr>

content/en/docs/reference/config/security/peer_authentication/index.html

@@ -10,8 +10,6 @@ schema: istio.security.v1beta1.PeerAuthentication
 aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
 number_of_entries: 3
 ---
-<h2 id="PeerAuthentication">PeerAuthentication</h2>
-<section>
 <p>PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.</p>
 <p>In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
 for connections to an Envoy proxy sidecar.</p>
@@ -90,6 +88,9 @@ spec:
       mode: DISABLE
 </code></pre>
 
+<h2 id="PeerAuthentication">PeerAuthentication</h2>
+<section>
+
 <table class="message-fields">
 <thead>
 <tr>

content/en/docs/reference/config/security/request_authentication/index.html

@@ -10,17 +10,13 @@ schema: istio.security.v1beta1.RequestAuthentication
 aliases: [/docs/reference/config/security/v1beta1/request_authentication, /docs/reference/config/security/v1beta1/jwt, /docs/reference/config/security/v1beta1/jwt.html]
 number_of_entries: 4
 ---
-<h2 id="RequestAuthentication">RequestAuthentication</h2>
-<section>
 <p>RequestAuthentication defines what request authentication methods are supported by a workload.
 It will reject a request if the request contains invalid authentication information, based on the
 configured authentication rules. A request that does not contain any authentication credentials
 will be accepted but will not have any authenticated identity. To restrict access to authenticated
 requests only, this should be accompanied by an authorization rule.
 Examples:</p>
-<ul>
-<li>Require JWT for all request for workloads that have label <code>app:httpbin</code></li>
-</ul>
+<p>Require JWT for all request for workloads that have label <code>app:httpbin</code>:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -48,11 +44,9 @@ spec:
     - source:
         requestPrincipals: [&quot;*&quot;]
 </code></pre>
-<ul>
-<li>A policy in the root namespace (&ldquo;istio-system&rdquo; by default) applies to workloads in all namespaces
+<p>A policy in the root namespace (&ldquo;istio-system&rdquo; by default) applies to workloads in all namespaces
 in a mesh. The following policy makes all workloads only accept requests that contain a
-valid JWT token.</li>
-</ul>
+valid JWT token:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -74,11 +68,9 @@ spec:
     - source:
         requestPrincipals: [&quot;*&quot;]
 </code></pre>
-<ul>
-<li>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
+<p>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
 declares it can accept JWTs issued by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
-set from the OpenID Connect spec).</li>
-</ul>
+set from the OpenID Connect spec):</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -115,11 +107,9 @@ spec:
     - operation:
         hosts: [&quot;another-host.com&quot;]
 </code></pre>
-<ul>
-<li>You can fine tune the authorization policy to set different requirement per path. For example,
+<p>You can fine-tune the authorization policy to set different requirement per path. For example,
 to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
-authorization policy could be:</li>
-</ul>
+authorization policy could be:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -205,6 +195,9 @@ spec:
         subset: v1
 </code></pre>
 
+<h2 id="RequestAuthentication">RequestAuthentication</h2>
+<section>
+
 <table class="message-fields">
 <thead>
 <tr>

content/en/docs/reference/config/telemetry/index.html

@@ -8,23 +8,27 @@ layout: protoc-gen-docs
 generator: protoc-gen-docs
 schema: istio.telemetry.v1alpha1.Telemetry
 aliases: [/docs/reference/config/telemetry/v1alpha1/telemetry]
+weight: 45
 number_of_entries: 18
 ---
-<p>Telemetry defines how the telemetry is generated for workloads within a mesh.</p>
-<p>For mesh level configuration, put the resource in root configuration
-namespace for your Istio installation <em>without</em> a workload selector.</p>
-<p>For any namespace, including the root configuration namespace, it is only
-valid to have a single workload selector-less Telemetry resource.</p>
-<p>For resources with a workload selector, it is only valid to have one resource
-selecting any given workload.</p>
+<p><code>Telemetry</code> defines how telemetry (metrics, logs and traces)
+is generated for workloads within a mesh.</p>
 <p>The hierarchy of Telemetry configuration is as follows:</p>
 <ol>
 <li>Workload-specific configuration</li>
 <li>Namespace-specific configuration</li>
 <li>Root namespace configuration</li>
 </ol>
-<h4 id="examples">Examples</h4>
-<p>Policy to enable random sampling for 10% of traffic:</p>
+<p>For mesh level configuration, put a resource in the root configuration
+namespace for your Istio installation <em>without</em> a workload selector.</p>
+<p>For any namespace, including the root configuration namespace, it is only
+valid to have a single workload selector-less Telemetry resource.</p>
+<p>For resources with a workload selector, it is only valid to have one resource
+selecting any given workload.</p>
+<p>Gateways and waypoints are targeted for telemetry configuration
+using the <code>targetRefs</code> field.</p>
+<p>Examples:</p>
+<p>Enable random sampling for 10% of traffic:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -35,8 +39,8 @@ spec:
   tracing:
   - randomSamplingPercentage: 10.00
 </code></pre>
-<p>Policy to disable trace reporting for the <code>foo</code> workload (note: tracing
-context will still be propagated):</p>
+<p>Disable trace reporting for the <code>foo</code> workload
+(note: tracing context will still be propagated):</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -49,7 +53,7 @@ spec:
   tracing:
   - disableSpanReporting: true
 </code></pre>
-<p>Policy to select the alternate zipkin provider for trace reporting:</p>
+<p>Select a named tracing provider for trace reporting:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -64,7 +68,7 @@ spec:
     - name: &quot;zipkin-alternate&quot;
     randomSamplingPercentage: 10.00
 </code></pre>
-<p>Policy to tailor the zipkin provider to sample traces from Client workloads only:</p>
+<p>Tailor the &ldquo;zipkin&rdquo; provider to sample traces from client workloads only:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -77,7 +81,7 @@ spec:
   - providers:
     - name: &quot;zipkin&quot;
 </code></pre>
-<p>Policy to add a custom tag from a literal value:</p>
+<p>Add a custom tag from a literal value:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -92,7 +96,7 @@ spec:
         literal:
           value: &quot;foo&quot;
 </code></pre>
-<p>Policy to disable server-side metrics for Prometheus for an entire mesh:</p>
+<p>Disable server-side metrics for Prometheus for an entire mesh:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -109,7 +113,7 @@ spec:
         mode: SERVER
       disabled: true
 </code></pre>
-<p>Policy to add dimensions to all Prometheus metrics for the <code>foo</code> namespace:</p>
+<p>Add dimensions to all Prometheus metrics for the <code>foo</code> namespace:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -128,7 +132,7 @@ spec:
         request_host:
           value: &quot;request.host&quot;
 </code></pre>
-<p>Policy to remove the <code>response_code</code> dimension on some Prometheus metrics for
+<p>Remove the <code>response_code</code> dimension on some Prometheus metrics for
 the <code>bar.foo</code> workload:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
@@ -164,7 +168,7 @@ spec:
         response_code:
           operation: REMOVE
 </code></pre>
-<p>Policy to enable access logging for the entire mesh:</p>
+<p>Enable access logging for the entire mesh:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -180,7 +184,7 @@ spec:
     # cases where a parent configuration has marked as `disabled: true`. In
     # those cases, `disabled: false` must be set explicitly to override.
 </code></pre>
-<p>Policy to disable access logging for the <code>foo</code> namespace:</p>
+<p>Disable access logging for the <code>foo</code> namespace:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:

content/zh/docs/reference/commands/install-cni/index.html

@@ -488,6 +488,12 @@ These environment variables affect the behavior of the <code>install-cni</code>
 <td>If enabled, status messages for ambient mode will be written to resources. Currently, this does not do leader election, so may be unsafe to enable with multiple replicas.</td>
 </tr>
 <tr>
+<td><code>AMBIENT_USE_SCOPED_XTABLES_LOCKING</code></td>
+<td>Boolean</td>
+<td><code>true</code></td>
+<td></td>
+</tr>
+<tr>
 <td><code>BYPASS_OVERLOAD_MANAGER_FOR_STATIC_LISTENERS</code></td>
 <td>Boolean</td>
 <td><code>true</code></td>

content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html

@@ -64,7 +64,7 @@ No
 <td><code><a href="#MeshConfig-connect_timeout">connectTimeout</a></code></td>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
-<p>Connection timeout used by Envoy. (MUST BE &gt;=1ms)
+<p>Connection timeout used by Envoy. (MUST be &gt;=1ms)
 Default timeout is 10s.</p>
 
 </td>
@@ -786,7 +786,7 @@ No
 <td><code><a href="/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
 <td>
 <p>Use the tlsSettings to specify the tls mode to use. If the MCP server
-uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
 mode as <code>ISTIO_MUTUAL</code>.</p>
 
 </td>
@@ -3089,7 +3089,7 @@ No
 <td><code><a href="/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
 <td>
 <p>Use the tlsSettings to specify the tls mode to use. If the remote tracing service
-uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
 mode as <code>ISTIO_MUTUAL</code>.</p>
 
 </td>
@@ -3183,7 +3183,7 @@ No
 <h2 id="PrivateKeyProvider">PrivateKeyProvider</h2>
 <section>
 <p>PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
-mesh wide or individual per-workload basis.</p>
+mesh-wide or individual per-workload basis.</p>
 
 <table class="message-fields">
 <thead>
@@ -3224,7 +3224,7 @@ No
 <section>
 <p>ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
 as well as by the mesh-wide defaults.
-To set the mesh wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p>
+To set the mesh-wide defaults, configure the <code>defaultConfig</code> section of <code>meshConfig</code>. For example:</p>
 <pre><code>meshConfig:
   defaultConfig:
     discoveryAddress: istiod:15012
@@ -3372,7 +3372,7 @@ No
 <td><code>string</code></td>
 <td>
 <p>File path of custom proxy configuration, currently used by proxies
-in front of Mixer and Pilot.</p>
+in front of istiod.</p>
 
 </td>
 <td>
@@ -3668,7 +3668,9 @@ Note: currently all headers are enabled by default.</p>
 <pre><code class="language-yaml">proxyHeaders:
   server:
     value: &quot;my-custom-server&quot;
-  requestId: {} // Explicitly enable Request IDs. As this is the default, this has no effect.
+  # Explicitly enable Request IDs.
+  # As this is the default, this has no effect.
+  requestId: {}
   attemptCount:
     disabled: true
 </code></pre>
@@ -3741,7 +3743,7 @@ No
 <td><code><a href="/zh/docs/reference/config/networking/destination-rule/#ClientTLSSettings">ClientTLSSettings</a></code></td>
 <td>
 <p>Use the <code>tlsSettings</code> to specify the tls mode to use. If the remote service
-uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
+uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
 mode as <code>ISTIO_MUTUAL</code>.</p>
 
 </td>
@@ -4546,7 +4548,7 @@ use mTLS.</p>
 <td><code><a href="#Network-IstioNetworkGateway-registry_service_name">registryServiceName</a></code></td>
 <td><code>string (oneof)</code></td>
 <td>
-<p>A fully qualified domain name of the gateway service.  Pilot will
+<p>A fully qualified domain name of the gateway service.  istiod will
 lookup the service from the service registries in the network and
 obtain the endpoint IPs of the gateway from the service
 registry. Note that while the service name is a fully qualified

content/zh/docs/reference/config/networking/destination-rule/index.html

@@ -123,9 +123,9 @@ instead of “reviews.default.svc.cluster.local”), Istio will interpre
 the short name based on the namespace of the rule, not the service. A
 rule in the “default” namespace containing a host “reviews” will be
 interpreted as “reviews.default.svc.cluster.local”, irrespective of
-the actual namespace associated with the reviews service. <em>To avoid
+the actual namespace associated with the reviews service. To avoid
 potential misconfigurations, it is recommended to always use fully
-qualified domain names over short names.</em></p>
+qualified domain names over short names.</p>
 <p>Note that the host field applies to both HTTP and TCP services.</p>
 
 </td>
@@ -454,7 +454,7 @@ No
 <td><code><a href="#LoadBalancerSettings-locality_lb_setting">localityLbSetting</a></code></td>
 <td><code><a href="#LocalityLoadBalancerSetting">LocalityLoadBalancerSetting</a></code></td>
 <td>
-<p>Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed
+<p>Locality load balancer settings, this will override mesh-wide settings in entirety, meaning no merging would be performed
 between this object and the object one in MeshConfig</p>
 
 </td>
@@ -655,7 +655,7 @@ spec:
 <td><code>bool</code></td>
 <td>
 <p>Determines whether to distinguish local origin failures from external errors. If set to true
-consecutive_local_origin_failure is taken into account for outlier detection calculations.
+<code>consecutiveLocalOriginFailures</code> is taken into account for outlier detection calculations.
 This should be used when you want to derive the outlier detection status based on the errors
 seen locally such as failure to connect, timeout while connecting etc. rather than the status code
 returned by upstream service. This is especially useful when the upstream service explicitly returns
@@ -673,7 +673,7 @@ No
 <td><code><a href="#google-protobuf-UInt32Value">UInt32Value</a></code></td>
 <td>
 <p>The number of consecutive locally originated failures before ejection
-occurs. Defaults to 5. Parameter takes effect only when split_external_local_origin_errors
+occurs. Defaults to 5. Parameter takes effect only when <code>splitExternalLocalOriginErrors</code>
 is set to true.</p>
 
 </td>
@@ -691,11 +691,11 @@ code qualifies as a gateway error. When the upstream host is accessed over
 an opaque TCP connection, connect timeouts and connection error/failure
 events qualify as a gateway error.
 This feature is disabled by default or when set to the value 0.</p>
-<p>Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+<p>Note that <code>consecutiveGatewayErrors</code> and <code>consecutive5xxErrors</code> can be
 used separately or together. Because the errors counted by
-consecutive_gateway_errors are also included in consecutive_5xx_errors,
-if the value of consecutive_gateway_errors is greater than or equal to
-the value of consecutive_5xx_errors, consecutive_gateway_errors will have
+<code>consecutiveGatewayErrors</code> are also included in <code>consecutive5xxErrors</code>,
+if the value of <code>consecutiveGatewayErrors</code> is greater than or equal to
+the value of <code>consecutive5xxErrors</code>, <code>consecutiveGatewayErrors</code> will have
 no effect.</p>
 
 </td>
@@ -712,11 +712,11 @@ When the upstream host is accessed over an opaque TCP connection, connect
 timeouts, connection error/failure and request failure events qualify as a
 5xx error.
 This feature defaults to 5 but can be disabled by setting the value to 0.</p>
-<p>Note that consecutive_gateway_errors and consecutive_5xx_errors can be
+<p>Note that <code>consecutiveGatewayErrors</code> and <code>consecutive5xxErrors</code> can be
 used separately or together. Because the errors counted by
-consecutive_gateway_errors are also included in consecutive_5xx_errors,
-if the value of consecutive_gateway_errors is greater than or equal to
-the value of consecutive_5xx_errors, consecutive_gateway_errors will have
+<code>consecutiveGatewayErrors</code> are also included in <code>consecutive5xxErrors</code>,
+if the value of <code>consecutiveGatewayErrors</code> is greater than or equal to
+the value of <code>consecutive5xxErrors</code>, <code>consecutiveGatewayErrors</code> will have
 no effect.</p>
 
 </td>
@@ -729,7 +729,7 @@ No
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
 <p>Time interval between ejection sweep analysis. format:
-1h/1m/1s/1ms. MUST BE &gt;=1ms. Default is 10s.</p>
+1h/1m/1s/1ms. MUST be &gt;=1ms. Default is 10s.</p>
 
 </td>
 <td>
@@ -744,7 +744,7 @@ No
 equal to the product of minimum ejection duration and the number of
 times the host has been ejected. This technique allows the system to
 automatically increase the ejection period for unhealthy upstream
-servers. format: 1h/1m/1s/1ms. MUST BE &gt;=1ms. Default is 30s.</p>
+servers. format: 1h/1m/1s/1ms. MUST be &gt;=1ms. Default is 30s.</p>
 
 </td>
 <td>
@@ -768,7 +768,7 @@ No
 <td><code>int32</code></td>
 <td>
 <p>Outlier detection will be enabled as long as the associated load balancing
-pool has at least min_health_percent hosts in healthy mode. When the
+pool has at least <code>minHealthPercent</code> hosts in healthy mode. When the
 percentage of healthy hosts in the load balancing pool drops below this
 threshold, outlier detection will be disabled and the proxy will load balance
 across all hosts in the pool (healthy and unhealthy). The threshold can be
@@ -926,8 +926,8 @@ No
 <p>A list of alternate names to verify the subject identity in the
 certificate. If specified, the proxy will verify that the server
 certificate&rsquo;s subject alt name matches one of the specified values.
-If specified, this list overrides the value of subject_alt_names
-from the ServiceEntry. If unspecified, automatic validation of upstream
+If specified, this list overrides the value of <code>subjectAltNames</code>
+from the <code>ServiceEntry</code>. If unspecified, automatic validation of upstream
 presented certificate for new upstream connections will be done based on the
 downstream HTTP host/authority header.</p>
 
@@ -990,13 +990,13 @@ specified using arbitrary labels that designate a hierarchy of localities in
 {region}/{zone}/{sub-zone} form. For additional detail refer to
 <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight">Locality Weight</a>
 The following example shows how to setup locality weights mesh-wide.</p>
-<p>Given a mesh with workloads and their service deployed to &ldquo;us-west/zone1/<em>&rdquo;
-and &ldquo;us-west/zone2/</em>&rdquo;. This example specifies that when traffic accessing a
-service originates from workloads in &ldquo;us-west/zone1/<em>&rdquo;, 80% of the traffic
-will be sent to endpoints in &ldquo;us-west/zone1/</em>&rdquo;, i.e the same zone, and the
-remaining 20% will go to endpoints in &ldquo;us-west/zone2/<em>&rdquo;. This setup is
+<p>Given a mesh with workloads and their service deployed to &ldquo;us-west/zone1/*&rdquo;
+and &ldquo;us-west/zone2/*&rdquo;. This example specifies that when traffic accessing a
+service originates from workloads in &ldquo;us-west/zone1/*&rdquo;, 80% of the traffic
+will be sent to endpoints in &ldquo;us-west/zone1/*&rdquo;, i.e the same zone, and the
+remaining 20% will go to endpoints in &ldquo;us-west/zone2/*&rdquo;. This setup is
 intended to favor routing traffic to endpoints in the same locality.
-A similar setting is specified for traffic originating in &ldquo;us-west/zone2/</em>&rdquo;.</p>
+A similar setting is specified for traffic originating in &ldquo;us-west/zone2/*&rdquo;.</p>
 <pre><code class="language-yaml">  distribute:
     - from: us-west/zone1/*
       to:
@@ -1022,7 +1022,6 @@ and similarly us-west should failover to us-east.</p>
    - from: us-west
      to: us-east
 </code></pre>
-<p>Locality load balancing settings.</p>
 
 <table class="message-fields">
 <thead>
@@ -1138,8 +1137,8 @@ No
 <td><code><a href="#LocalityLoadBalancerSetting-enabled">enabled</a></code></td>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></code></td>
 <td>
-<p>enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety.
-e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.</p>
+<p>Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety.
+e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.</p>
 
 </td>
 <td>
@@ -1239,11 +1238,13 @@ No
 <td><code>string</code></td>
 <td>
 <p>Specifies which protocol to use for tunneling the downstream connection.
-Supported protocols are:
-CONNECT - uses HTTP CONNECT;
-POST - uses HTTP POST.
-CONNECT is used by default if not specified.
-HTTP version for upstream requests is determined by the service protocol defined for the proxy.</p>
+Supported protocols are:</p>
+<ul>
+<li>CONNECT - uses HTTP CONNECT;</li>
+<li>POST - uses HTTP POST.</li>
+</ul>
+<p>CONNECT is used by default if not specified.</p>
+<p>HTTP version for upstream requests is determined by the service protocol defined for the proxy.</p>
 
 </td>
 <td>
@@ -1554,7 +1555,7 @@ No
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
 <p>TCP connection timeout. format:
-1h/1m/1s/1ms. MUST BE &gt;=1ms. Default is 10s.</p>
+1h/1m/1s/1ms. MUST be &gt;=1ms. Default is 10s.</p>
 
 </td>
 <td>
@@ -1577,7 +1578,7 @@ No
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
 <p>The maximum duration of a connection. The duration is defined as the period since a connection
-was established. If not set, there is no max duration. When max_connection_duration
+was established. If not set, there is no max duration. When <code>maxConnectionDuration</code>
 is reached the connection will be closed. Duration must be at least 1ms.</p>
 
 </td>
@@ -1705,7 +1706,7 @@ No
 <td><code>bool</code></td>
 <td>
 <p>If set to true, client protocol will be preserved while initiating connection to backend.
-Note that when this is set to true, h2_upgrade_policy will be ineffective i.e. the client
+Note that when this is set to true, <code>h2UpgradePolicy</code> will be ineffective i.e. the client
 connections will not be upgraded to http2.</p>
 
 </td>

content/zh/docs/reference/config/networking/envoy-filter/index.html

@@ -11,7 +11,7 @@ aliases: [/zh/docs/reference/config/networking/v1alpha3/envoy-filter]
 number_of_entries: 18
 ---
 <p><code>EnvoyFilter</code> provides a mechanism to customize the Envoy
-configuration generated by Istio Pilot. Use EnvoyFilter to modify
+configuration generated by istiod. Use EnvoyFilter to modify
 values for certain fields, add specific filters, or even add
 entirely new listeners, clusters, etc. This feature must be used
 with care, as incorrect configurations could potentially
@@ -357,7 +357,7 @@ spec:
 <h2 id="EnvoyFilter">EnvoyFilter</h2>
 <section>
 <p>EnvoyFilter provides a mechanism to customize the Envoy configuration
-generated by Istio Pilot.</p>
+generated by istiod.</p>
 
 <table class="message-fields">
 <thead>
@@ -469,7 +469,7 @@ No
 used to select proxies using a specific version of istio
 proxy. The Istio version for a given proxy is obtained from the
 node metadata field <code>ISTIO_VERSION</code> supplied by the proxy when
-connecting to Pilot. This value is embedded as an environment
+connecting to istiod. This value is embedded as an environment
 variable (<code>ISTIO_META_ISTIO_VERSION</code>) in the Istio proxy docker
 image. Custom proxy implementations should provide this metadata
 variable to take advantage of the Istio version check option.</p>
@@ -484,9 +484,9 @@ No
 <td><code>map&lt;string,&nbsp;string&gt;</code></td>
 <td>
 <p>Match on the node metadata supplied by a proxy when connecting
-to Istio Pilot. Note that while Envoy&rsquo;s node metadata is of
+to istiod. Note that while Envoy&rsquo;s node metadata is of
 type Struct, only string key-value pairs are processed by
-Pilot. All keys specified in the metadata must match with exact
+istiod. All keys specified in the metadata must match with exact
 values. The match will fail if any of the specified keys are
 absent or the values fail to match.</p>
 
@@ -716,7 +716,7 @@ No
 <td><code>string</code></td>
 <td>
 <p>Match a specific listener by its name. The listeners generated
-by Pilot are typically named as IP:Port.</p>
+by istiod are typically named as IP:Port.</p>
 
 </td>
 <td>
@@ -796,7 +796,7 @@ to the generated configuration for a given proxy.</p>
 <td><code><a href="#EnvoyFilter-EnvoyConfigObjectMatch-context">context</a></code></td>
 <td><code><a href="#EnvoyFilter-PatchContext">PatchContext</a></code></td>
 <td>
-<p>The specific config generation context to match on. Istio Pilot
+<p>The specific config generation context to match on. istiod
 generates envoy configuration in the context of a gateway,
 inbound traffic to sidecar and outbound traffic from sidecar.</p>
 

content/zh/docs/reference/config/networking/gateway/index.html

@@ -407,7 +407,7 @@ Yes
 <td><code>string</code></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|GRPC-WEB|HTTP2|MONGO|TCP|TLS.
 TLS can be either used to terminate non-HTTP based connections on a specific port
 or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
 

content/zh/docs/reference/config/networking/proxy-config/index.html

@@ -54,7 +54,7 @@ spec:
     imageType: debug
 </code></pre>
 <p>If a <code>ProxyConfig</code> CR is defined that matches a workload it will merge with its <code>proxy.istio.io/config</code> annotation if present,
-with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh wide <code>ProxyConfig</code> CR is defined and
+with the CR taking precedence over the annotation for overlapping fields. Similarly, if a mesh-wide <code>ProxyConfig</code> CR is defined and
 <code>meshConfig.DefaultConfig</code> is set, the two resources will be merged with the CR taking precedence for overlapping fields.</p>
 
 <h2 id="ProxyConfig">ProxyConfig</h2>

content/zh/docs/reference/config/networking/service-entry/index.html

@@ -553,7 +553,7 @@ Yes
 <td><code>string</code></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
 TLS implies the connection will be routed based on the SNI header to
 the destination without terminating the TLS connection.</p>
 
@@ -652,7 +652,7 @@ No
 </section>
 <h2 id="ServiceEntryAddress">ServiceEntryAddress</h2>
 <section>
-<p>minor abstraction to allow for adding hostnames if relevant</p>
+<p>A minor abstraction to allow for adding hostnames if relevant.</p>
 
 <table class="message-fields">
 <thead>
@@ -668,7 +668,7 @@ No
 <td><code><a href="#ServiceEntryAddress-value">value</a></code></td>
 <td><code>string</code></td>
 <td>
-<p>Value is the address (192.168.0.2)</p>
+<p>The address (e.g. 192.168.0.2)</p>
 
 </td>
 <td>
@@ -679,7 +679,7 @@ No
 <td><code><a href="#ServiceEntryAddress-host">host</a></code></td>
 <td><code>string</code></td>
 <td>
-<p>Host is the name associated with this address</p>
+<p>The host name associated with this address</p>
 
 </td>
 <td>

content/zh/docs/reference/config/networking/sidecar/index.html

@@ -716,7 +716,7 @@ No
 <td><code>string</code></td>
 <td>
 <p>The protocol exposed on the port.
-MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
+MUST be one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS.
 TLS can be either used to terminate non-HTTP based connections on a specific port
 or to route traffic based on SNI header to the destination without terminating the TLS connection.</p>
 

content/zh/docs/reference/config/networking/virtual-service/index.html

@@ -2042,7 +2042,7 @@ spec:
 between retries will be determined automatically (25ms+). When request
 <code>timeout</code> of the <a href="/zh/docs/reference/config/networking/virtual-service/#HTTPRoute">HTTP route</a>
 or <code>per_try_timeout</code> is configured, the actual number of retries attempted also depends on
-the specified request <code>timeout</code> and <code>per_try_timeout</code> values. MUST BE &gt;= 0. If <code>0</code>, retries will be disabled.
+the specified request <code>timeout</code> and <code>per_try_timeout</code> values. MUST be &gt;= 0. If <code>0</code>, retries will be disabled.
 The maximum possible number of requests made will be 1 + <code>attempts</code>.</p>
 
 </td>
@@ -2054,7 +2054,7 @@ No
 <td><code><a href="#HTTPRetry-per_try_timeout">perTryTimeout</a></code></td>
 <td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
 <td>
-<p>Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE &gt;=1ms.
+<p>Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST be &gt;=1ms.
 Default is same value as request
 <code>timeout</code> of the <a href="/zh/docs/reference/config/networking/virtual-service/#HTTPRoute">HTTP route</a>,
 which means no timeout.</p>

content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html

@@ -12,7 +12,7 @@ number_of_entries: 9
 ---
 <p>WasmPlugins provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>
-<p>Order of execution (as part of Envoy&rsquo;s filter chain) is determined by
+<p>The order of execution (as part of Envoy&rsquo;s filter chain) is determined by
 phase and priority settings, allowing the configuration of complex
 interactions between user-supplied WasmPlugins and Istio&rsquo;s internal
 filters.</p>
@@ -171,7 +171,7 @@ spec:
 
 <h2 id="WasmPlugin">WasmPlugin</h2>
 <section>
-<p>WasmPlugins provides a mechanism to extend the functionality provided by
+<p>WasmPlugin provides a mechanism to extend the functionality provided by
 the Istio proxy through WebAssembly filters.</p>
 
 <table class="message-fields">
@@ -676,7 +676,7 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
 <tr id="EnvValueSource-HOST">
 <td><code><a href="#EnvValueSource-HOST">HOST</a></code></td>
 <td>
-<p><em>Istio-proxy&rsquo;s</em> environment variables exposed to this VM.</p>
+<p>Proxy environment variables exposed to this VM.</p>
 
 </td>
 </tr>

content/zh/docs/reference/config/security/peer_authentication/index.html

@@ -10,8 +10,6 @@ schema: istio.security.v1beta1.PeerAuthentication
 aliases: [/zh/docs/reference/config/security/v1beta1/peer_authentication]
 number_of_entries: 3
 ---
-<h2 id="PeerAuthentication">PeerAuthentication</h2>
-<section>
 <p>PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.</p>
 <p>In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
 for connections to an Envoy proxy sidecar.</p>
@@ -90,6 +88,9 @@ spec:
       mode: DISABLE
 </code></pre>
 
+<h2 id="PeerAuthentication">PeerAuthentication</h2>
+<section>
+
 <table class="message-fields">
 <thead>
 <tr>

content/zh/docs/reference/config/security/request_authentication/index.html

@@ -10,17 +10,13 @@ schema: istio.security.v1beta1.RequestAuthentication
 aliases: [/zh/docs/reference/config/security/v1beta1/request_authentication, /docs/reference/config/security/v1beta1/jwt, /docs/reference/config/security/v1beta1/jwt.html]
 number_of_entries: 4
 ---
-<h2 id="RequestAuthentication">RequestAuthentication</h2>
-<section>
 <p>RequestAuthentication defines what request authentication methods are supported by a workload.
 It will reject a request if the request contains invalid authentication information, based on the
 configured authentication rules. A request that does not contain any authentication credentials
 will be accepted but will not have any authenticated identity. To restrict access to authenticated
 requests only, this should be accompanied by an authorization rule.
 Examples:</p>
-<ul>
-<li>Require JWT for all request for workloads that have label <code>app:httpbin</code></li>
-</ul>
+<p>Require JWT for all request for workloads that have label <code>app:httpbin</code>:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -48,11 +44,9 @@ spec:
     - source:
         requestPrincipals: [&quot;*&quot;]
 </code></pre>
-<ul>
-<li>A policy in the root namespace (&ldquo;istio-system&rdquo; by default) applies to workloads in all namespaces
+<p>A policy in the root namespace (&ldquo;istio-system&rdquo; by default) applies to workloads in all namespaces
 in a mesh. The following policy makes all workloads only accept requests that contain a
-valid JWT token.</li>
-</ul>
+valid JWT token:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -74,11 +68,9 @@ spec:
     - source:
         requestPrincipals: [&quot;*&quot;]
 </code></pre>
-<ul>
-<li>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
+<p>The next example shows how to set a different JWT requirement for a different <code>host</code>. The <code>RequestAuthentication</code>
 declares it can accept JWTs issued by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
-set from the OpenID Connect spec).</li>
-</ul>
+set from the OpenID Connect spec):</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: RequestAuthentication
 metadata:
@@ -115,11 +107,9 @@ spec:
     - operation:
         hosts: [&quot;another-host.com&quot;]
 </code></pre>
-<ul>
-<li>You can fine tune the authorization policy to set different requirement per path. For example,
+<p>You can fine-tune the authorization policy to set different requirement per path. For example,
 to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
-authorization policy could be:</li>
-</ul>
+authorization policy could be:</p>
 <pre><code class="language-yaml">apiVersion: security.istio.io/v1
 kind: AuthorizationPolicy
 metadata:
@@ -205,6 +195,9 @@ spec:
         subset: v1
 </code></pre>
 
+<h2 id="RequestAuthentication">RequestAuthentication</h2>
+<section>
+
 <table class="message-fields">
 <thead>
 <tr>

content/zh/docs/reference/config/telemetry/index.html

@@ -8,23 +8,27 @@ layout: protoc-gen-docs
 generator: protoc-gen-docs
 schema: istio.telemetry.v1alpha1.Telemetry
 aliases: [/zh/docs/reference/config/telemetry/v1alpha1/telemetry]
+weight: 45
 number_of_entries: 18
 ---
-<p>Telemetry defines how the telemetry is generated for workloads within a mesh.</p>
-<p>For mesh level configuration, put the resource in root configuration
-namespace for your Istio installation <em>without</em> a workload selector.</p>
-<p>For any namespace, including the root configuration namespace, it is only
-valid to have a single workload selector-less Telemetry resource.</p>
-<p>For resources with a workload selector, it is only valid to have one resource
-selecting any given workload.</p>
+<p><code>Telemetry</code> defines how telemetry (metrics, logs and traces)
+is generated for workloads within a mesh.</p>
 <p>The hierarchy of Telemetry configuration is as follows:</p>
 <ol>
 <li>Workload-specific configuration</li>
 <li>Namespace-specific configuration</li>
 <li>Root namespace configuration</li>
 </ol>
-<h4 id="examples">Examples</h4>
-<p>Policy to enable random sampling for 10% of traffic:</p>
+<p>For mesh level configuration, put a resource in the root configuration
+namespace for your Istio installation <em>without</em> a workload selector.</p>
+<p>For any namespace, including the root configuration namespace, it is only
+valid to have a single workload selector-less Telemetry resource.</p>
+<p>For resources with a workload selector, it is only valid to have one resource
+selecting any given workload.</p>
+<p>Gateways and waypoints are targeted for telemetry configuration
+using the <code>targetRefs</code> field.</p>
+<p>Examples:</p>
+<p>Enable random sampling for 10% of traffic:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -35,8 +39,8 @@ spec:
   tracing:
   - randomSamplingPercentage: 10.00
 </code></pre>
-<p>Policy to disable trace reporting for the <code>foo</code> workload (note: tracing
-context will still be propagated):</p>
+<p>Disable trace reporting for the <code>foo</code> workload
+(note: tracing context will still be propagated):</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -49,7 +53,7 @@ spec:
   tracing:
   - disableSpanReporting: true
 </code></pre>
-<p>Policy to select the alternate zipkin provider for trace reporting:</p>
+<p>Select a named tracing provider for trace reporting:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -64,7 +68,7 @@ spec:
     - name: &quot;zipkin-alternate&quot;
     randomSamplingPercentage: 10.00
 </code></pre>
-<p>Policy to tailor the zipkin provider to sample traces from Client workloads only:</p>
+<p>Tailor the &ldquo;zipkin&rdquo; provider to sample traces from client workloads only:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -77,7 +81,7 @@ spec:
   - providers:
     - name: &quot;zipkin&quot;
 </code></pre>
-<p>Policy to add a custom tag from a literal value:</p>
+<p>Add a custom tag from a literal value:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -92,7 +96,7 @@ spec:
         literal:
           value: &quot;foo&quot;
 </code></pre>
-<p>Policy to disable server-side metrics for Prometheus for an entire mesh:</p>
+<p>Disable server-side metrics for Prometheus for an entire mesh:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -109,7 +113,7 @@ spec:
         mode: SERVER
       disabled: true
 </code></pre>
-<p>Policy to add dimensions to all Prometheus metrics for the <code>foo</code> namespace:</p>
+<p>Add dimensions to all Prometheus metrics for the <code>foo</code> namespace:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -128,7 +132,7 @@ spec:
         request_host:
           value: &quot;request.host&quot;
 </code></pre>
-<p>Policy to remove the <code>response_code</code> dimension on some Prometheus metrics for
+<p>Remove the <code>response_code</code> dimension on some Prometheus metrics for
 the <code>bar.foo</code> workload:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
@@ -164,7 +168,7 @@ spec:
         response_code:
           operation: REMOVE
 </code></pre>
-<p>Policy to enable access logging for the entire mesh:</p>
+<p>Enable access logging for the entire mesh:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata:
@@ -180,7 +184,7 @@ spec:
     # cases where a parent configuration has marked as `disabled: true`. In
     # those cases, `disabled: false` must be set explicitly to override.
 </code></pre>
-<p>Policy to disable access logging for the <code>foo</code> namespace:</p>
+<p>Disable access logging for the <code>foo</code> namespace:</p>
 <pre><code class="language-yaml">apiVersion: telemetry.istio.io/v1
 kind: Telemetry
 metadata: