Automator: update istio.io@ reference docs (#13316)

Istio Automation 2023-06-07 19:15:04 -07:00 committed by GitHub
parent 91afadd482
commit 58feb89fde
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 688 additions and 5114 deletions

@ -32,14 +32,6 @@ remove_toc_prefix: 'install-cni '
<td>Name of the CNI configuration file (default ``)</td>
</tr>
<tr>
<td><code>--cni-enable-install</code></td>
<td>Whether to install CNI configuration and binary files </td>
</tr>
<tr>
<td><code>--cni-enable-reinstall</code></td>
<td>Whether to reinstall CNI configuration and binary files </td>
</tr>
<tr>
<td><code>--cni-net-dir &lt;string&gt;</code></td>
<td>Directory on the host where CNI network plugins are installed (default `/etc/cni/net.d`)</td>
</tr>
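Review bot: The rows for --cni-enable-install and --cni-enable-reinstall leave the install-cni flag table here with nothing recording why, so a reader cannot tell whether the flags were deleted from the binary or only dropped from the generated reference. Because this page is generated, the explanation belongs with the source change: state in the release notes whether an existing install-cni invocation that still passes either flag now fails on an unknown flag or has it ignored, and what decides from now on whether CNI configuration and binary files are written to the host.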
@ -89,11 +81,11 @@ remove_toc_prefix: 'install-cni '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -113,7 +105,7 @@ remove_toc_prefix: 'install-cni '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
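Review bot: The updated --log_stacktrace_level description still gives the format as "&lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,...", so the malformed second placeholder carries over into the new line. It should read "&lt;scope&gt;:&lt;level&gt;", as the --log_output_level row already does. Since the same sentence is regenerated into every sub-command table in this file, fix it once in the flag's help string rather than in the HTML.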
@ -172,25 +164,13 @@ remove_toc_prefix: 'install-cni '
<td>The name of the managed node (will manage all nodes if unset) (default ``)</td>
</tr>
<tr>
<td><code>--repair-run-as-daemon</code></td>
<td>Controller will run in a loop </td>
</tr>
<tr>
<td><code>--repair-sidecar-annotation &lt;string&gt;</code></td>
<td>An annotation key that indicates this pod contains an istio sidecar. All pods without this annotation will be ignored.The value of the annotation is ignored. (default `sidecar.istio.io/status`)</td>
</tr>
<tr>
<td><code>--skip-cni-binaries &lt;istio-cni&gt;</code></td>
<td>Binaries that should not be installed. Currently Istio only installs one binary istio-cni (default `[]`)</td>
</tr>
<tr>
<td><code>--skip-tls-verify</code></td>
<td>Whether to use insecure TLS in kubeconfig file </td>
</tr>
<tr>
<td><code>--update-cni-binaries</code></td>
<td>Whether to refresh existing binaries when installing CNI </td>
</tr>
</tbody>
</table>
<h2 id="install-cni-completion">install-cni completion</h2>
@ -219,11 +199,11 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -243,7 +223,7 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -288,11 +268,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -312,7 +292,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -356,11 +336,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -380,7 +360,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -423,11 +403,11 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -447,7 +427,7 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -497,11 +477,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -521,7 +501,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -564,12 +544,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -594,7 +574,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -632,12 +612,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>Whether ambient controller is enabled</td>
</tr>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>CA_TRUSTED_NODE_ACCOUNTS</code></td>
<td>String</td>
<td><code></code></td>
@ -668,18 +642,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>Name of the CNI configuration file</td>
</tr>
<tr>
<td><code>CNI_ENABLE_INSTALL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Whether to install CNI configuration and binary files</td>
</tr>
<tr>
<td><code>CNI_ENABLE_REINSTALL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Whether to reinstall CNI configuration and binary files</td>
</tr>
<tr>
<td><code>CNI_NETWORK_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
@ -704,12 +666,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>Whether ebpf redirection is enabled</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
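Review bot: Dropping the ENABLE_AUTO_MTLS_CHECK_POLICIES row removes the only statement on this page that the auto mTLS EDS output consults the PeerAuthentication policy, and the hunk does not say what the behaviour is once the variable is gone. The removed row documented a default of true; please confirm in the source change that the check is now unconditional rather than disabled, and call out in the release notes that a deployment which set the variable to false no longer gets the old behaviour.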
@ -746,18 +702,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -794,12 +738,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>EXTERNAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -842,12 +780,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -884,12 +816,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_MULTIROOT_MESH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1002,6 +928,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Directory on the container where CNI networks are installed</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>NODE_NAME</code></td>
<td>String</td>
<td><code></code></td>
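Review bot: The new MUTEX_PROFILE_FRACTION description is missing a word: "enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events" should read "at a rate of". The default column shows 1000, which by the row's own wording means mutex profiling is on by default and records 0.1% of events; say that in the description so operators do not have to infer it, and correct the text in the variable's registration string since this page is generated.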
@ -1146,30 +1078,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1296,12 +1210,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1320,24 +1228,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -1377,7 +1273,7 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
@ -1458,12 +1354,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>REPAIR_BROKEN_POD_LABEL_KEY</code></td>
<td>String</td>
<td><code>cni.istio.io/uninitialized</code></td>
@ -1530,12 +1420,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The name of the managed node (will manage all nodes if unset)</td>
</tr>
<tr>
<td><code>REPAIR_RUN_AS_DAEMON</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Controller will run in a loop</td>
</tr>
<tr>
<td><code>REPAIR_SIDECAR_ANNOTATION</code></td>
<td>String</td>
<td><code>sidecar.istio.io/status</code></td>
@ -1554,42 +1438,18 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>SHARED_MESH_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SKIP_CNI_BINARIES</code></td>
<td>String</td>
<td><code></code></td>
<td>Binaries that should not be installed. Currently Istio only installs one binary `istio-cni`</td>
</tr>
<tr>
<td><code>SKIP_TLS_VERIFY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Whether to use insecure TLS in kubeconfig file</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>SYSTEM_NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
@ -1620,12 +1480,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.</td>
</tr>
<tr>
<td><code>UPDATE_CNI_BINARIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Whether to refresh existing binaries when installing CNI</td>
</tr>
<tr>
<td><code>VALIDATION_WEBHOOK_CONFIG_NAME</code></td>
<td>String</td>
<td><code>istio-istio-system</code></td>
@ -1658,9 +1512,25 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
</thead>
<tbody>
<tr><td><code>controller_sync_errors_total</code></td><td><code>Sum</code></td><td>Total number of errorMetric syncing controllers.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>istio_cni_install_ready</code></td><td><code>LastValue</code></td><td>Whether the CNI plugin installation is ready or not</td></tr>
<tr><td><code>istio_cni_installs_total</code></td><td><code>Sum</code></td><td>Total number of CNI plugins installed by the Istio CNI installer</td></tr>
<tr><td><code>istio_cni_repair_pods_repaired_total</code></td><td><code>Sum</code></td><td>Total number of pods repaired by repair controller</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
</tbody>
</table>
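Review bot: The pilot_* rows (for example pilot_jwks_resolver_network_fetch_fail_total and pilot_virt_services) now sit in a metrics table that otherwise lists istio_cni_* installer metrics, which suggests the generator is picking up metrics registered by an imported package rather than ones this binary emits. Please confirm the binary actually exports them; if not, filter them out in the generator so nobody builds alerts on series that never appear. Two descriptions also need fixing at the source: "Total number of successfully network fetch" and "Total number of errorMetric syncing controllers".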

File diff suppressed because it is too large


@ -22,14 +22,6 @@ remove_toc_prefix: 'operator '
<td>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
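Review bot: The two --s2a_* rows removed here describe a handshake timeout for an S2A service and an AppEngine-specific dialer, neither of which looks related to this command, so they read as flags that a dependency registered on the global flag set. Removing them is right, but the same pair is deleted from every sub-command table that follows. Consider making the command setup or the doc generator hide flags the command does not define itself, so a later dependency bump cannot reintroduce them unnoticed.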
@ -52,14 +44,6 @@ See each sub-command&#39;s help for details on how to use the generated script.
<td>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -97,14 +81,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -137,14 +113,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -176,14 +144,6 @@ to your powershell profile.
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -222,14 +182,6 @@ to enable it. You can execute the following once:</p>
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -312,14 +264,6 @@ to enable it. You can execute the following once:</p>
<td>HTTP port to use for operator&#39;s self-monitoring information (default `8383`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -349,16 +293,6 @@ to enable it. You can execute the following once:</p>
<td>One of &#39;yaml&#39; or &#39;json&#39;. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--short</code></td>
<td><code>-s</code></td>
<td>Use --short=false to generate full version information </td>
@ -383,12 +317,6 @@ These environment variables affect the behavior of the <code>operator</code> com
</thead>
<tbody>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>CA_TRUSTED_NODE_ACCOUNTS</code></td>
<td>String</td>
<td><code></code></td>
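Review bot: The AUTO_RELOAD_PLUGIN_CERTS row (default true) is removed without saying what istiod now does when a new intermediate plug-in CA is introduced. The old text promised that no restart was needed; the change should state whether reloading is now unconditional or gone, because that decides whether a CA rotation needs an istiod restart.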
@ -413,12 +341,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>Defines the cluster and service registry that this Istiod instance is belongs to</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
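Review bot: Dropping the ENABLE_AUTO_MTLS_CHECK_POLICIES row leaves no statement of whether auto mTLS still consults the PeerAuthentication policy before setting {tlsMode: istio}. The default was true, so the behaviour has presumably become unconditional; please say so in the release notes, since anyone who had set it to false will see a change in which endpoints are marked for mTLS.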
@ -455,18 +377,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -509,12 +419,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>EXTERNAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -575,12 +479,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td></td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -623,12 +521,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_MULTIROOT_MESH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -701,6 +593,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>Metric scope rotation interval, set to 0 to disable the metric scope rotation</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
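Review bot: The new MUTEX_PROFILE_FRACTION description is missing a word: "enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events" should read "at a rate of". The default of 1000 also means mutex profiling is on by default, so the text should say that and mention where the profile is exposed, so operators can decide whether to set it to 0.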
@ -839,30 +737,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
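Review bot: The hunk header shrinks this span from 30 lines to 12, so three of the four rows shown are dropped. If PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH is one of them, please confirm the code path is removed and not just the documentation: its description says the option "is not secure with untrusted downstreams", and a setting that still works but is no longer documented is worse than a documented one. The same question applies to PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME, which downgrades ISTIO_MUTUAL gateways to simple TLS.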
@ -989,12 +869,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1013,24 +887,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -1070,7 +932,7 @@ These environment variables affect the behavior of the <code>operator</code> com
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
@ -1145,12 +1007,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.</td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>REQUIRE_3P_TOKEN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1169,30 +1025,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled, readiness probes will be sent to &#39;localhost&#39;. Otherwise, they will be sent to the Pod&#39;s IP, matching Kubernetes&#39; behavior.</td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>SHARED_MESH_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>TERM</code></td>
<td>String</td>
<td><code></code></td>
@ -1325,6 +1163,7 @@ These environment variables affect the behavior of the <code>operator</code> com
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_send_time</code></td><td><code>Distribution</code></td><td>Total time in seconds Pilot takes to send generated configuration.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
<tr><td><code>reconcile_request_total</code></td><td><code>Sum</code></td><td>Number of times requesting Reconcile</td></tr>
<tr><td><code>remote_cluster_sync_timeouts_total</code></td><td><code>Sum</code></td><td>Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.</td></tr>
<tr><td><code>render_manifest_total</code></td><td><code>Sum</code></td><td>Number of component manifests rendered</td></tr>


@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
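Review bot: The scope lists for --log_caller and --log_output_level lose "installer" and "util" in this hunk. The change should say what happens to an existing deployment that still passes, for example, installer:debug: if the flag parser rejects unknown scopes the proxy will fail to start after upgrade, and if it ignores them the operator silently loses that logging. Either way it deserves an upgrade note.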
@ -47,21 +47,13 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
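Review bot: The rewritten --log_stacktrace_level description still gives the format as &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;, where the second element has the colon inside the brackets, unlike the --log_output_level text, which uses &lt;scope&gt;:&lt;level&gt; both times. Since the line is regenerated here anyway, fix the help string at its source so the two flags document the same syntax.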
@ -85,11 +77,11 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -109,21 +101,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -158,11 +142,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -182,7 +166,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -193,14 +177,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -230,11 +206,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
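Review bot: the new `--log_caller` and `--log_output_level` scope lists drop `installer` and `util`, and nothing nearby tells readers what happens to an existing value such as `installer:debug`. Suggest a release-note entry naming the two dropped scopes so operators who raised verbosity on them for troubleshooting can check that their logging configuration still does what they expect.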
@ -254,7 +230,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -265,14 +241,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -301,11 +269,11 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
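Review bot: `ingress status` is kept in the regenerated scope list and is the only entry containing a space, which sits awkwardly in a comma-separated `&lt;scope&gt;:&lt;level&gt;` value and has to be quoted on a command line. Either mention the quoting in the flag description or rename the scope to a single token where it is defined.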
@ -325,7 +293,7 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -336,14 +304,6 @@ to your powershell profile.
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -379,11 +339,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -403,7 +363,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -414,14 +374,6 @@ to enable it. You can execute the following once:</p>
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -463,12 +415,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -493,7 +445,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -516,16 +468,6 @@ to enable it. You can execute the following once:</p>
<td>Enable capture of dns traffic by istio-agent </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
@ -658,12 +600,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -688,7 +630,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -731,16 +673,6 @@ to enable it. You can execute the following once:</p>
<td>Validate iptables </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--skip-rule-apply</code></td>
<td></td>
<td>Skip iptables apply </td>
@ -778,11 +710,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -802,7 +734,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -829,14 +761,6 @@ to enable it. You can execute the following once:</p>
<td>The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}).Level may also include one or more scopes, such as &#39;info,misc:error,upstream:debug&#39; (default `warning,misc:error`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--serviceCluster &lt;string&gt;</code></td>
<td>Service cluster (default `istio-proxy`)</td>
</tr>
@ -880,11 +804,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -904,21 +828,13 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -945,12 +861,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
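Review bot: `installer` and `util` drop out of the scope lists for `--log_caller` and `--log_output_level` here, with no pointer for existing invocations that name them (for example `installer:debug` in a `--log_output_level` value). The release notes should say which scope now carries those messages, or that the scopes are gone, so operators can tell whether such a setting still selects anything.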
@ -975,7 +891,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
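Review bot: the format string in the `--log_stacktrace_level` description is inconsistent on both the old and the new line. It reads `&lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,...`, while `--log_output_level` writes the second tuple as `&lt;scope&gt;:&lt;level&gt;`. The generator is rewriting this line anyway, so fix the help text at its source and let the regenerated page pick it up.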
@ -988,16 +904,6 @@ to enable it. You can execute the following once:</p>
<td>One of &#39;yaml&#39; or &#39;json&#39;. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--short</code></td>
<td><code>-s</code></td>
<td>Use --short=false to generate full version information </td>
@ -1027,11 +933,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -1051,7 +957,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -1066,14 +972,6 @@ to enable it. You can execute the following once:</p>
<td>number of milliseconds to wait for response (default `500`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--timeoutSeconds &lt;int&gt;</code></td>
<td>maximum number of seconds to wait for Envoy to be ready (default `60`)</td>
</tr>
@ -1100,12 +998,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
</thead>
<tbody>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>BOOTSTRAP_XDS_AGENT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1202,12 +1094,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>The type of ECC signature algorithm to use when generating private keys</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
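Review bot: with the `ENABLE_AUTO_MTLS_CHECK_POLICIES` row gone, the reference no longer says whether the auto mTLS EDS output consults the PeerAuthentication policy before setting `{tlsMode: istio}`. If the check is now unconditional, say so in the upgrade notes; a deployment that had set the variable to `false` should not have to infer the change from a missing table row.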
@ -1244,18 +1130,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
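Review bot: the removed `ENABLE_LEGACY_FSGROUP_INJECTION` row documented a requirement ("required for Kubernetes 1.18 and older" unless JWT_POLICY is "first-party-jwt"). If the toggle is gone, the docs should state the minimum supported Kubernetes version somewhere a reader of this table would look, rather than letting the requirement disappear with the row.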
@ -1298,12 +1172,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>ENVOY_PROMETHEUS_PORT</code></td>
<td>Integer</td>
<td><code>15090</code></td>
@ -1466,12 +1334,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>CPU limit for the current process. Expressed as an integer value, rounded up.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1520,12 +1382,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_META_CERT_SIGNER</code></td>
<td>String</td>
<td><code></code></td>
@ -1644,6 +1500,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The minimum duration for which agent waits before it checks for active connections and terminates proxywhen number of active connections become zero</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>OUTPUT_CERTS</code></td>
<td>String</td>
<td><code></code></td>
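Review bot: the new `MUTEX_PROFILE_FRACTION` description is missing a word: "enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events" should read "at a rate of". It is also worth stating outright that the default of `1000` leaves mutex profiling on unless the variable is set to 0, since the sentence only implies it. The same row is added to the pilot-discovery table further down, so correct the string at its source.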
@ -1788,30 +1650,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
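Review bot: the `PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH` row disappears without a replacement note, and its description carried the warning that allowing any upstream cluster with AUTO_PASSTHROUGH "is not secure with untrusted downstreams". Confirm and record in the upgrade notes whether the legacy behaviour can still be enabled, and do the same for `PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME`, so a deployment that still sets either variable to `true` knows what it now gets.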
@ -1938,12 +1782,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1962,24 +1800,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -2019,7 +1845,7 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
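Review bot: the spelling fix is fine, but the `PILOT_SIDECAR_USE_REMOTE_ADDRESS` description still only restates the name ("UseRemoteAddress sets useRemoteAddress to true"). One clause on what the setting changes for sidecar outbound listeners would make the row usable.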
@ -2112,12 +1938,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>PROV_CERT</code></td>
<td>String</td>
<td><code></code></td>
@ -2166,12 +1986,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, readiness probes will be sent to &#39;localhost&#39;. Otherwise, they will be sent to the Pod&#39;s IP, matching Kubernetes&#39; behavior.</td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>SECRET_GRACE_PERIOD_RATIO</code></td>
<td>Floating-Point</td>
<td><code>0.5</code></td>
@ -2196,18 +2010,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>TOKEN_AUDIENCES</code></td>
<td>String</td>
<td><code>istio-ca</code></td>
@ -2387,6 +2189,7 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_send_time</code></td><td><code>Distribution</code></td><td>Total time in seconds Pilot takes to send generated configuration.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
<tr><td><code>remote_cluster_sync_timeouts_total</code></td><td><code>Sum</code></td><td>Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.</td></tr>
<tr><td><code>scrape_failures_total</code></td><td><code>Sum</code></td><td>The total number of failed scrapes.</td></tr>
<tr><td><code>scrapes_total</code></td><td><code>Sum</code></td><td>The total number of scrapes.</td></tr>
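Review bot: the added `provider_lookup_cluster_failures` row does not match its neighbours. "Number of times a cluster lookup failed" lacks the closing period the surrounding descriptions carry, and it does not say which provider performs the lookup. Tighten the metric's help string at the source so an operator alerting on this counter knows what a non-zero value points to.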

View File

@ -8,7 +8,7 @@ number_of_entries: 10
max_toc_level: 2
remove_toc_prefix: 'pilot-discovery '
---
<p>Istio Pilot provides fleet-wide traffic management capabilities in the Istio Service Mesh.</p>
<p>Istio Pilot provides mesh-wide traffic management, security and policy capabilities in the Istio Service Mesh.</p>
<table class="command-flags">
<thead>
<tr>
@ -269,12 +269,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -299,7 +299,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -437,12 +437,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Expected audience in the tokens. </td>
</tr>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>CA_TRUSTED_NODE_ACCOUNTS</code></td>
<td>String</td>
<td><code></code></td>
@ -503,12 +497,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>The default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -545,18 +533,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -599,12 +575,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>EXTERNAL_CA</code></td>
<td>String</td>
<td><code></code></td>
@ -677,12 +647,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -725,12 +689,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_MULTIROOT_MESH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -827,6 +785,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Metric scope rotation interval, set to 0 to disable the metric scope rotation</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -965,30 +929,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -1115,12 +1061,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1139,24 +1079,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -1196,7 +1124,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
@ -1283,12 +1211,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>REQUIRE_3P_TOKEN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1313,12 +1235,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, readiness probes will be sent to &#39;localhost&#39;. Otherwise, they will be sent to the Pod&#39;s IP, matching Kubernetes&#39; behavior.</td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>ROOT_CA_DIR</code></td>
<td>String</td>
<td><code>./etc/cacerts</code></td>
@ -1331,18 +1247,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>TOKEN_AUDIENCES</code></td>
<td>String</td>
<td><code>istio-ca</code></td>
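Review bot: dropping the SPIFFE_BUNDLE_ENDPOINTS row removes the only description on this page of the trust-domain-to-endpoint format ("||" between tuples, "|" inside a tuple). The hunk header shrinks 18 lines to 6, so both this row and SIDECAR_IGNORE_PORT_IN_HOST_MATCH go. If istiod still reads the variable, keep the row. If it was retired, the upgrade notes should name the replacement so that operators who federate trust domains do not silently lose root-certificate retrieval for client certificate verification.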
@ -1437,11 +1341,9 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
<tr><td><code>controller_sync_errors_total</code></td><td><code>Sum</code></td><td>Total number of errorMetric syncing controllers.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>galley_validation_config_delete_error</code></td><td><code>Count</code></td><td>k8s webhook configuration delete error</td></tr>
<tr><td><code>galley_validation_config_load</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)loads</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Count</code></td><td>k8s webhook configuration update error</td></tr>
<tr><td><code>galley_validation_config_updates</code></td><td><code>Count</code></td><td>k8s webhook configuration updates</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Sum</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Sum</code></td><td>k8s webhook configuration update error</td></tr>
<tr><td><code>galley_validation_config_updates</code></td><td><code>Sum</code></td><td>k8s webhook configuration updates</td></tr>
<tr><td><code>galley_validation_failed</code></td><td><code>Sum</code></td><td>Resource validation failed</td></tr>
<tr><td><code>galley_validation_http_error</code></td><td><code>Sum</code></td><td>Resource validation http serve errors</td></tr>
<tr><td><code>galley_validation_passed</code></td><td><code>Sum</code></td><td>Resource is valid</td></tr>
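Review bot: the surviving galley_validation_config_load_error, galley_validation_config_update_error and galley_validation_config_updates rows change type from Count to Sum, while galley_validation_config_load and galley_validation_config_delete_error disappear, and nothing tells the reader whether those two were removed or renamed. Without the load counter, galley_validation_config_load_error has no denominator, so any alert on the webhook configuration reload error ratio stops working. Please call the removal and the type change out in the upgrade notes.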
@ -1458,6 +1360,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_inbound_updates</code></td><td><code>Sum</code></td><td>Total number of updates received by pilot.</td></tr>
<tr><td><code>pilot_info</code></td><td><code>LastValue</code></td><td>Pilot version and build information.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_k8s_cfg_events</code></td><td><code>Sum</code></td><td>Events from k8s config.</td></tr>
@ -1488,6 +1391,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_send_time</code></td><td><code>Distribution</code></td><td>Total time in seconds Pilot takes to send generated configuration.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
<tr><td><code>remote_cluster_sync_timeouts_total</code></td><td><code>Sum</code></td><td>Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.</td></tr>
<tr><td><code>scrape_failures_total</code></td><td><code>Sum</code></td><td>The total number of failed scrapes.</td></tr>
<tr><td><code>scrapes_total</code></td><td><code>Sum</code></td><td>The total number of scrapes.</td></tr>

View File

@ -322,7 +322,7 @@ Istio supports to control its behavior.
<td>Alpha</td>
<td>[Pod]</td>
<td>An additional list of tags to extract from the in-proxy Istio telemetry. each additional tag needs to be present in this list.</td>
<td>An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.</td>
</tr>
@ -458,6 +458,19 @@ Istio supports to control its behavior.
<tr>
<td><code>sidecar.istio.io/statsHistogramBuckets</code></td>
<td>Alpha</td>
<td>[Pod]</td>
<td>Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. `{"istio":[1,5,10,50,100,500,1000,5000,10000],"envoy":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}`. Default buckets are `[0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000]`.</td>
</tr>
<tr class="deprecated">
<td><code>sidecar.istio.io/statsInclusionPrefixes</code></td>
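Review bot: the statsHistogramBuckets description lists bucket boundaries without a unit and does not say which buckets apply to a metric that matches neither the "istio" nor the "envoy" prefix. State the unit and the fallback. The JSON example and the default list are wrapped in Markdown backticks inside the table cell, so consider code elements, as the annotation name itself uses.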

View File

@ -1169,6 +1169,24 @@ No
If not specified, the default curves enforced by envoy will be used. For details about the default curves, refer to
<a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">Ecdh Curves</a></p>
</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-TLSConfig-cipher_suites">
<td><code>cipherSuites</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
If not specified, the following cipher suites will be used:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256</p>
</td>
<td>
No
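Review bot: the default list for cipherSuites ends with AES256-GCM-SHA384 and AES128-GCM-SHA256, which are RSA key-exchange suites without forward secrecy, and the description does not flag that. Say so, so that operators who require ECDHE-only negotiation know they have to set the field explicitly. The text also limits itself to "TLS 1.0-1.2" without saying what happens for TLS 1.3, and the six suite names sit on bare lines inside one paragraph, where they will collapse into a single run of text. A list element would keep them readable.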

View File

@ -1066,12 +1066,14 @@ No
client including the CA certificates. This secret must exist in
the namespace of the proxy using the certificates.
An Opaque secret should contain the following keys and values:
<code>key: &lt;privateKey&gt;</code>, <code>cert: &lt;clientCert&gt;</code>, <code>cacert: &lt;CACertificate&gt;</code>.
<code>key: &lt;privateKey&gt;</code>, <code>cert: &lt;clientCert&gt;</code>, <code>cacert: &lt;CACertificate&gt;</code>,
<code>crl: &lt;certificateRevocationList&gt;</code>
Here CACertificate is used to verify the server certificate.
For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> can be provided in the
same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
A TLS secret for client certificates with an additional
<code>ca.crt</code> key for CA certificates is also supported.
<code>ca.crt</code> key for CA certificates and <code>ca.crl</code> key for
certificate revocation list(CRL) is also supported.
Only one of client certificates and CA certificate
or credentialName can be specified.</p>
<p><strong>NOTE:</strong> This field is applicable at sidecars only if
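Review bot: with the crl key appended to "should contain the following keys and values", the sentence now reads as if a revocation list were mandatory in every Opaque secret. Mark crl (and ca.crl for TLS secrets) as optional, and say what the proxy does when the key is absent. The new key line also has no full stop before "Here CACertificate is used", and "ca.crt key ... and ca.crl key ... is also supported" should read "are also supported", with a space before "(CRL)".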
@ -1227,13 +1229,29 @@ No
<td>
<p>failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
This is to support traffic failover across different groups of endpoints.
Suppose there are total N labels specified:</p>
Two kinds of labels can be specified:</p>
<ul>
<li>
<p>Specify only label keys <code>[key1, key2, key3]</code>, istio would compare the label values of client with endpoints.
Suppose there are total N label keys <code>[key1, key2, key3, ...keyN]</code> specified:</p>
<ol>
<li>Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.</li>
<li>Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.</li>
<li>By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.</li>
<li>All the other endpoints have priority P(N) i.e. lowest priority.</li>
</ol>
</li>
<li>
<p>Specify labels with key and value <code>[key1=value1, key2=value2, key3=value3]</code>, istio would compare the labels with endpoints.
Suppose there are total N labels <code>[key1=value1, key2=value2, key3=value3, ...keyN=valueN]</code> specified:</p>
<ol>
<li>Endpoints matching all N labels have priority P(0) i.e. the highest priority.</li>
<li>Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.</li>
<li>By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.</li>
<li>All the other endpoints have priority P(N) i.e. lowest priority.</li>
</ol>
</li>
</ul>
<p>Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.</p>
<p>It can be any label specified on both client and server workloads.
The following labels which have special semantic meaning are also supported:</p>
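Review bot: "Two kinds of labels can be specified" leaves open whether key-only entries and key=value entries may be mixed in one failoverPriority list, and how priority is computed if they are. State that mixing is either rejected or defined. In both ordered lists the third item has a subject-verb mismatch ("endpoints matching only the first label ... has priority"), and "istio" should be capitalised as elsewhere in these pages.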
@ -1258,6 +1276,16 @@ The following labels which have special semantic meaning are also supported:</p>
<li>endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.</li>
<li>all the other endpoints have the same lowest priority.</li>
</ol>
<p>Suppose a service associated endpoints reside in multi clusters, the below example represents:</p>
<ol>
<li>endpoints in <code>clusterA</code> and has <code>version=v1</code> label have P(0) priority.</li>
<li>endpoints not in <code>clusterA</code> but has <code>version=v1</code> label have P(1) priority.</li>
<li>all the other endpoints have P(2) priority.</li>
</ol>
<pre><code class="language-yaml">failoverPriority:
- &quot;version=v1&quot;
- &quot;topology.istio.io/cluster=clusterA&quot;
</code></pre>
<p>Optional: only one of distribute, failover or failoverPriority can be set.
And it should be used together with <code>OutlierDetection</code> to detect unhealthy endpoints, otherwise has no effect.</p>
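Review bot: the multi-cluster example never says where an endpoint in clusterA without version=v1 lands. By the "previous labels must match" rule stated above, it falls to P(2) along with everything else, which is easy to misread as P(1) because it is in the local cluster. Add that case to the list. The lead-in "Suppose a service associated endpoints reside in multi clusters, the below example represents" also needs rewording, and the three outcomes would read better after the YAML they describe.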

View File

@ -725,10 +725,11 @@ No
holds the TLS certs including the CA certificates. Applicable
only on Kubernetes. An Opaque secret should contain the following
keys and values: <code>key: &lt;privateKey&gt;</code> and <code>cert: &lt;serverCert&gt;</code>.
For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> can be provided in the
same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
A TLS secret for server certificates with an additional <code>ca.crt</code>
key for CA certificates is also supported.
For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> and <code>crl: &lt;CertificateRevocationList&gt;</code>
can be provided in the same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
A TLS secret for server certificates with an additional <code>tls.ocsp-staple</code> key
for specifying OCSP staple information, <code>ca.crt</code> key for CA certificates
and <code>ca.crl</code> for certificate revocation list is also supported.
Only one of server certificates and CA certificate
or credentialName can be specified.</p>
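Review bot: the new sentence says cacert and crl "can be provided in the same secret or a separate secret" with the -cacert suffix, which does not make clear whether the CRL may live in the -cacert secret on its own, must accompany cacert there, or may be split from it. Spell out the accepted combinations. The text also does not say what the gateway does when tls.ocsp-staple is absent or stale, and the Opaque key (crl) and TLS-secret key (ca.crl) differ without explanation. "is also supported" should be "are also supported" now that three keys are listed.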

View File

@ -8,7 +8,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.VirtualService
aliases: [/docs/reference/config/networking/v1alpha3/virtual-service]
number_of_entries: 27
number_of_entries: 28
---
<p>Configuration affecting traffic routing. Here are a few terms useful to define
in the context of traffic routing.</p>
@ -1349,7 +1349,12 @@ e.g. <em>x-request-id</em>.</p>
</li>
</ul>
<p>If the value is empty and only the name of header is specified, presence of the header is checked.
<strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p>
To provide an empty value, use <code>{}</code>, for example:</p>
<pre><code> - match:
- headers:
myheader: {}
</code></pre>
<p><strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p>
</td>
<td>
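Review bot: the added sentence "To provide an empty value, use {}" follows "If the value is empty ... presence of the header is checked" but never states that "myheader: {}" is that presence check rather than a match on a header whose value is the empty string. Say which one it is. As shown here the example has lost its nesting ("- match:", "- headers:" and "myheader: {}" are at nearly the same indent), so check that the source keeps headers under match and myheader under headers.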
@ -2309,6 +2314,62 @@ No
<td>
<p>rewrite the Authority/Host header with this value.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPRewrite-uri_regex_rewrite">
<td><code>uriRegexRewrite</code></td>
<td><code><a href="#RegexRewrite">RegexRewrite</a></code></td>
<td>
<p>rewrite the path portion of the URI with the specified regex.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RegexRewrite">RegexRewrite</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RegexRewrite-match">
<td><code>match</code></td>
<td><code>string</code></td>
<td>
<p>RE2 style regex-based match (<a href="https://github.com/google/re2/wiki/Syntax)">https://github.com/google/re2/wiki/Syntax)</a>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RegexRewrite-rewrite">
<td><code>rewrite</code></td>
<td><code>string</code></td>
<td>
<p>The string that should replace into matching portions of original URI.
Capture groups in the pattern can be referenced in the new URI.
Examples:</p>
<p>Example 1: rewrite with capture groups
Path pattern &ldquo;/service/update/v1/api&rdquo; with match &ldquo;^/service/([^/]+)(/.*)$&rdquo; and
rewrite string of &ldquo;/customprefix/\2/\1&rdquo; would transform into &ldquo;/customprefix/v1/api/update&rdquo;.</p>
<p>Example 2: case insensitive rewrite
Path pattern &ldquo;/aaa/XxX/bbb&rdquo; with match &ldquo;(?i)/xxx/&rdquo; and a rewrite string of /yyy/ would do a
case-insensitive match and transform the path to &ldquo;/aaa/yyy/bbb&rdquo;.</p>
</td>
<td>
No
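Review bot: Example 1 in the rewrite field does not produce the stated result. With match "^/service/([^/]+)(/.*)$" on "/service/update/v1/api", group 1 is "update" and group 2 is "/v1/api", so the rewrite string "/customprefix/\2/\1" yields "/customprefix//v1/api/update" with a double slash, not "/customprefix/v1/api/update". Either change the rewrite string to "/customprefix\2/\1" or correct the output. In the match row, the href for the RE2 syntax link ends in a stray ")" and will not resolve. Both match and rewrite are marked as not required, and the hunk does not say how uriRegexRewrite interacts with the existing uri rewrite. Document whether the two are mutually exclusive.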

View File

@ -8,7 +8,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.extensions.v1alpha1.WasmPlugin
aliases: [/docs/reference/config/extensions/v1alpha1/wasm-plugin]
number_of_entries: 7
number_of_entries: 8
---
<p>WasmPlugins provides a mechanism to extend the functionality provided by
the Istio proxy through WebAssembly filters.</p>
@ -297,7 +297,7 @@ No
</tr>
<tr id="WasmPlugin-priority">
<td><code>priority</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int64value">Int64Value</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
<td>
<p>Determines ordering of <code>WasmPlugins</code> in the same <code>phase</code>.
When multiple <code>WasmPlugins</code> are applied to the same workload in the
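Review bot: narrowing priority from Int64Value to Int32Value changes the accepted range, and the description below it does not mention a range at all. State the valid range and what happens to an existing WasmPlugin whose priority no longer fits, since plugin ordering within a phase decides whether an enforcement filter runs before or after others.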
@ -306,6 +306,17 @@ If <code>priority</code> is not set, or two <code>WasmPlugins</code> exist with
value, the ordering will be deterministically derived from name and
namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-fail_strategy">
<td><code>failStrategy</code></td>
<td><code><a href="#FailStrategy">FailStrategy</a></code></td>
<td>
<p>Specifies the failure behavior for the plugin due to fatal errors.</p>
</td>
<td>
No
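Review bot: the failStrategy row marks the field as optional but does not say which FailStrategy value applies when it is unset. The choice between failing closed and failing open is the security-relevant part of this field, so name the default in the description, as the priority row above does with "Defaults to 0".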
@ -585,3 +596,34 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
</tbody>
</table>
</section>
<h2 id="FailStrategy">FailStrategy</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="FailStrategy-FAIL_CLOSE">
<td><code>FAIL_CLOSE</code></td>
<td>
<p>A fatal error in the binary fetching or during the plugin execution causes
all subsequent requests to fail with 5xx.</p>
</td>
</tr>
<tr id="FailStrategy-FAIL_OPEN">
<td><code>FAIL_OPEN</code></td>
<td>
<p>Enables the fail open behavior for the Wasm plugin fatal errors to bypass
the plugin execution. A fatal error can be a failure to fetch the remote
binary, an exception, or abort() on the VM. This flag is not recommended
for the authentication or the authorization plugins.</p>
</td>
</tr>
</tbody>
</table>
</section>
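Review bot: FAIL_CLOSE lists "binary fetching" as a fatal error that makes "all subsequent requests" fail with 5xx, but the text does not say whether the plugin recovers once a later fetch succeeds or whether the workload stays failed until restart. Document the recovery behaviour. For FAIL_OPEN, the caution about authentication and authorization plugins would be clearer if it stated the consequence already implied by "bypass the plugin execution": requests are served without the plugin's check.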

View File

@ -32,14 +32,6 @@ remove_toc_prefix: 'install-cni '
<td>Name of the CNI configuration file (default ``)</td>
</tr>
<tr>
<td><code>--cni-enable-install</code></td>
<td>Whether to install CNI configuration and binary files </td>
</tr>
<tr>
<td><code>--cni-enable-reinstall</code></td>
<td>Whether to reinstall CNI configuration and binary files </td>
</tr>
<tr>
<td><code>--cni-net-dir &lt;string&gt;</code></td>
<td>Directory on the host where CNI network plugins are installed (default `/etc/cni/net.d`)</td>
</tr>
@ -89,11 +81,11 @@ remove_toc_prefix: 'install-cni '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -113,7 +105,7 @@ remove_toc_prefix: 'install-cni '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
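Review bot: the regenerated --log_stacktrace_level description still carries the malformed placeholder "&lt;scope:level&gt;" as its second item, where --log_output_level uses "&lt;scope&gt;:&lt;level&gt;" throughout. Since this row is being rewritten anyway to add the model, spiffe and trustBundle scopes, fix the flag's help string at the source so every generated copy of the row picks up the correction.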
@ -172,25 +164,13 @@ remove_toc_prefix: 'install-cni '
<td>The name of the managed node (will manage all nodes if unset) (default ``)</td>
</tr>
<tr>
<td><code>--repair-run-as-daemon</code></td>
<td>Controller will run in a loop </td>
</tr>
<tr>
<td><code>--repair-sidecar-annotation &lt;string&gt;</code></td>
<td>An annotation key that indicates this pod contains an istio sidecar. All pods without this annotation will be ignored.The value of the annotation is ignored. (default `sidecar.istio.io/status`)</td>
</tr>
<tr>
<td><code>--skip-cni-binaries &lt;istio-cni&gt;</code></td>
<td>Binaries that should not be installed. Currently Istio only installs one binary istio-cni (default `[]`)</td>
</tr>
<tr>
<td><code>--skip-tls-verify</code></td>
<td>Whether to use insecure TLS in kubeconfig file </td>
</tr>
<tr>
<td><code>--update-cni-binaries</code></td>
<td>Whether to refresh existing binaries when installing CNI </td>
</tr>
</tbody>
</table>
<h2 id="install-cni-completion">install-cni completion</h2>
@ -219,11 +199,11 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -243,7 +223,7 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -288,11 +268,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -312,7 +292,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -356,11 +336,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -380,7 +360,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -423,11 +403,11 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -447,7 +427,7 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -497,11 +477,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
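Review bot: `trustBundle` is the only mixed-case name in the scope lists for `--log_caller` and `--log_output_level`; every other scope, including the new `model` and `spiffe`, is lowercase. The descriptions do not say whether scope names are matched case-sensitively, so a user who types `trustbundle:debug` cannot tell from this page whether it will take effect. Either state the matching rule in the help text or rename the scope upstream to match the rest.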
@ -521,7 +501,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -564,12 +544,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -594,7 +574,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, repair, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [all, ambient, cni, controllers, default, ebpf, install, klog, model, repair, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -632,12 +612,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>Whether ambient controller is enabled</td>
</tr>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>CA_TRUSTED_NODE_ACCOUNTS</code></td>
<td>String</td>
<td><code></code></td>
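Review bot: The `AUTO_RELOAD_PLUGIN_CERTS` row is dropped from the `install-cni` environment table with no replacement text, and it was documented with default `true`. After this change the page no longer tells an operator whether newly added intermediate plug-in CA certs are still picked up without restarting istiod. A release-note link or upgrade note covering this variable would close that gap.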
@ -668,18 +642,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>Name of the CNI configuration file</td>
</tr>
<tr>
<td><code>CNI_ENABLE_INSTALL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Whether to install CNI configuration and binary files</td>
</tr>
<tr>
<td><code>CNI_ENABLE_REINSTALL</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Whether to reinstall CNI configuration and binary files</td>
</tr>
<tr>
<td><code>CNI_NETWORK_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
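Review bot: `CNI_ENABLE_INSTALL` and `CNI_ENABLE_REINSTALL` are removed here, both documented with default `true`. A deployment that sets either one to `false` to keep the installer from writing CNI configuration and binary files gets no guidance from the updated page on what happens to that setting. The upgrade notes should say whether the variables are now ignored or rejected, and what to use instead.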
@ -704,12 +666,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>Whether ebpf redirection is enabled</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
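Review bot: Removing the `ENABLE_AUTO_MTLS_CHECK_POLICIES` row leaves the page silent on whether the auto mTLS EDS output still consults the PeerAuthentication policy before setting `{tlsMode: istio}`. With a default of `true` the row described the checked behaviour as the norm, and the reference should say explicitly whether that behaviour is now unconditional rather than leave a TLS-mode decision to inference. Point to the release note that records the change.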
@ -746,18 +702,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -794,12 +738,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>EXTERNAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -842,12 +780,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>If enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -884,12 +816,6 @@ These environment variables affect the behavior of the <code>install-cni</code>
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_MULTIROOT_MESH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1002,6 +928,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Directory on the container where CNI networks are installed</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>NODE_NAME</code></td>
<td>String</td>
<td><code></code></td>
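Review bot: The new `MUTEX_PROFILE_FRACTION` description reads "enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events", which is missing "at". The documented default is `1000`, a non-zero value, so by the row's own wording mutex profiling is enabled by default; say so explicitly, since the sentence otherwise reads as opt-in. Both fixes belong in the variable's description string upstream because this table is generated.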
@ -1146,30 +1078,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
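Review bot: `PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH` and `PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME` are removed in the same hunk as the unrelated `PILOT_ENABLE_ISTIO_TAGS`, and the first was described as "not secure with untrusted downstreams". Both legacy variables defaulted to `false`, so a mesh that had opted in to either one needs to know what changes for it on upgrade (AUTO_PASSTHROUGH cluster selection, and simple TLS on ISTIO_MUTUAL gateways with credentialName), and this page no longer carries any trace of them. Link the upgrade note that tells those users what to check.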
@ -1296,12 +1210,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1320,24 +1228,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -1377,7 +1273,7 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
@ -1458,12 +1354,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>REPAIR_BROKEN_POD_LABEL_KEY</code></td>
<td>String</td>
<td><code>cni.istio.io/uninitialized</code></td>
@ -1530,12 +1420,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The name of the managed node (will manage all nodes if unset)</td>
</tr>
<tr>
<td><code>REPAIR_RUN_AS_DAEMON</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Controller will run in a loop</td>
</tr>
<tr>
<td><code>REPAIR_SIDECAR_ANNOTATION</code></td>
<td>String</td>
<td><code>sidecar.istio.io/status</code></td>
@ -1554,42 +1438,18 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>SHARED_MESH_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SKIP_CNI_BINARIES</code></td>
<td>String</td>
<td><code></code></td>
<td>Binaries that should not be installed. Currently Istio only installs one binary `istio-cni`</td>
</tr>
<tr>
<td><code>SKIP_TLS_VERIFY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Whether to use insecure TLS in kubeconfig file</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>SYSTEM_NAMESPACE</code></td>
<td>String</td>
<td><code>istio-system</code></td>
@ -1620,12 +1480,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.</td>
</tr>
<tr>
<td><code>UPDATE_CNI_BINARIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Whether to refresh existing binaries when installing CNI</td>
</tr>
<tr>
<td><code>VALIDATION_WEBHOOK_CONFIG_NAME</code></td>
<td>String</td>
<td><code>istio-istio-system</code></td>
@ -1658,9 +1512,25 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
</thead>
<tbody>
<tr><td><code>controller_sync_errors_total</code></td><td><code>Sum</code></td><td>Total number of errorMetric syncing controllers.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>istio_build</code></td><td><code>LastValue</code></td><td>Istio component build info</td></tr>
<tr><td><code>istio_cni_install_ready</code></td><td><code>LastValue</code></td><td>Whether the CNI plugin installation is ready or not</td></tr>
<tr><td><code>istio_cni_installs_total</code></td><td><code>Sum</code></td><td>Total number of CNI plugins installed by the Istio CNI installer</td></tr>
<tr><td><code>istio_cni_repair_pods_repaired_total</code></td><td><code>Sum</code></td><td>Total number of pods repaired by repair controller</td></tr>
<tr><td><code>pilot_conflict_inbound_listener</code></td><td><code>LastValue</code></td><td>Number of conflicting inbound listeners.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_http_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard http listeners with current wildcard tcp listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_http</code></td><td><code>LastValue</code></td><td>Number of conflicting wildcard tcp listeners with current wildcard http listener.</td></tr>
<tr><td><code>pilot_conflict_outbound_listener_tcp_over_current_tcp</code></td><td><code>LastValue</code></td><td>Number of conflicting tcp listeners with current tcp listener.</td></tr>
<tr><td><code>pilot_destrule_subsets</code></td><td><code>LastValue</code></td><td>Duplicate subsets across destination rules for same host</td></tr>
<tr><td><code>pilot_duplicate_envoy_clusters</code></td><td><code>LastValue</code></td><td>Duplicate envoy clusters caused by service entries with same hostname</td></tr>
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_no_ip</code></td><td><code>LastValue</code></td><td>Pods not found in the endpoint table, possibly invalid.</td></tr>
<tr><td><code>pilot_total_rejected_configs</code></td><td><code>Sum</code></td><td>Total number of configs that Pilot had to reject or ignore.</td></tr>
<tr><td><code>pilot_virt_services</code></td><td><code>LastValue</code></td><td>Total virtual services known to pilot.</td></tr>
<tr><td><code>pilot_vservice_dup_domain</code></td><td><code>LastValue</code></td><td>Virtual services with dup domains.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
</tbody>
</table>
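Review bot: Several metric descriptions in this table need wording fixes at the source: `controller_sync_errors_total` reads "Total number of errorMetric syncing controllers", `pilot_jwks_resolver_network_fetch_success_total` reads "successfully network fetch", and `pilot_vservice_dup_domain` abbreviates to "dup domains". The first looks like an identifier rename that leaked into the help string. Correct the descriptions where the metrics are defined so the generated table picks them up.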

File diff suppressed because it is too large

@ -22,14 +22,6 @@ remove_toc_prefix: 'operator '
<td>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -52,14 +44,6 @@ See each sub-command&#39;s help for details on how to use the generated script.
<td>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -97,14 +81,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -137,14 +113,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -176,14 +144,6 @@ to your powershell profile.
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -222,14 +182,6 @@ to enable it. You can execute the following once:</p>
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -312,14 +264,6 @@ to enable it. You can execute the following once:</p>
<td>HTTP port to use for operator&#39;s self-monitoring information (default `8383`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -349,16 +293,6 @@ to enable it. You can execute the following once:</p>
<td>One of &#39;yaml&#39; or &#39;json&#39;. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--short</code></td>
<td><code>-s</code></td>
<td>Use --short=false to generate full version information </td>
@ -383,12 +317,6 @@ These environment variables affect the behavior of the <code>operator</code> com
</thead>
<tbody>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>CA_TRUSTED_NODE_ACCOUNTS</code></td>
<td>String</td>
<td><code></code></td>
@ -413,12 +341,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>Defines the cluster and service registry that this Istiod instance is belongs to</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -455,18 +377,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -509,12 +419,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>EXTERNAL_ISTIOD</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -575,12 +479,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td></td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -623,12 +521,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_MULTIROOT_MESH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -701,6 +593,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>Metric scope rotation interval, set to 0 to disable the metric scope rotation</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -839,30 +737,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
@ -989,12 +869,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1013,24 +887,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -1070,7 +932,7 @@ These environment variables affect the behavior of the <code>operator</code> com
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
@ -1145,12 +1007,6 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>The timeout to send the XDS configuration to proxies. After this timeout is reached, Pilot will discard that push.</td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>REQUIRE_3P_TOKEN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1169,30 +1025,12 @@ These environment variables affect the behavior of the <code>operator</code> com
<td>If enabled, readiness probes will be sent to &#39;localhost&#39;. Otherwise, they will be sent to the Pod&#39;s IP, matching Kubernetes&#39; behavior.</td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>SHARED_MESH_CONFIG</code></td>
<td>String</td>
<td><code></code></td>
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>TERM</code></td>
<td>String</td>
<td><code></code></td>
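Review bot: Removing the SPIFFE_BUNDLE_ENDPOINTS row (one of three rows dropped in this hunk, old side 30 lines, new side 12) takes trust configuration out of this reference, and nothing here says where it is documented instead. Per its description the variable tells istiod which endpoints to fetch root certificates from when verifying client certificates of other trust domains. The hunk header places this table under the operator command, so the removal may only mean that binary no longer reads the variable. Suggest confirming that the istiod reference still carries the row, including the tuple syntax (|| between tuples, | inside a tuple).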
@ -1325,6 +1163,7 @@ These environment variables affect the behavior of the <code>operator</code> com
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_send_time</code></td><td><code>Distribution</code></td><td>Total time in seconds Pilot takes to send generated configuration.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
<tr><td><code>reconcile_request_total</code></td><td><code>Sum</code></td><td>Number of times requesting Reconcile</td></tr>
<tr><td><code>remote_cluster_sync_timeouts_total</code></td><td><code>Sum</code></td><td>Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.</td></tr>
<tr><td><code>render_manifest_total</code></td><td><code>Sum</code></td><td>Number of component manifests rendered</td></tr>
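Review bot: The added provider_lookup_cluster_failures row describes itself only as "Number of times a cluster lookup failed", which does not say which provider performs the lookup or what a failed lookup means for the configuration being generated. Suggest expanding the metric's help string at its definition so the generated row is usable for alerting. It also lacks the closing period used by the pilot_xds_* rows just above it.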

View File

@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
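Review bot: The scope lists for --log_caller and --log_output_level lose installer and util, but neither description says what happens when a value names a scope that is not in the list. Invocations that still pass something like util:debug need to know whether that is rejected or silently ignored; suggest stating the behaviour in the flag help text this page is generated from. The list also keeps "ingress status", a scope name containing a space inside a comma-separated value, which deserves a quoting hint.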
@ -47,21 +47,13 @@ remove_toc_prefix: 'pilot-agent '
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
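Review bot: In the --log_stacktrace_level row the format reads "&lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,..." on both the old and the new line; the second placeholder should be &lt;scope&gt;:&lt;level&gt;, as it is in the --log_output_level description. Because the page is generated, the fix belongs in the flag's help string, otherwise every regeneration restores the malformed placeholder in each subcommand table.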
@ -85,11 +77,11 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -109,21 +101,13 @@ See each sub-command&#39;s help for details on how to use the generated script.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -158,11 +142,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -182,7 +166,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -193,14 +177,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -230,11 +206,11 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -254,7 +230,7 @@ If it is not installed already, you can install it via your OS&#39;s package man
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -265,14 +241,6 @@ If it is not installed already, you can install it via your OS&#39;s package man
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -301,11 +269,11 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -325,7 +293,7 @@ to your powershell profile.
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -336,14 +304,6 @@ to your powershell profile.
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -379,11 +339,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -403,7 +363,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -414,14 +374,6 @@ to enable it. You can execute the following once:</p>
<td>disable completion descriptions </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -463,12 +415,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
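Review bot: the scope lists in the --log_caller and --log_output_level rows still include "ingress status", a scope name containing a space, although the value is a comma-separated list of scope:level pairs given on the command line. The description should say that the value has to be quoted when that scope is named, or the scope should be renamed at its source. Separately, "installer" and "util" drop out of the accepted list in these rows, and nothing here tells a reader how a value that still names them is treated; a line in the release notes would cover that.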
@ -493,7 +445,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
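Review bot: the --log_stacktrace_level description gives the format with the second pair written as a single placeholder (scope:level inside one pair of angle brackets), while the first pair and the --log_output_level rows bracket scope and level separately. The regenerated line carries the inconsistency over unchanged, so the fix belongs in the flag's help string at the source, after which every command table in this file picks it up.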
@ -516,16 +468,6 @@ to enable it. You can execute the following once:</p>
<td>Enable capture of dns traffic by istio-agent </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
@ -658,12 +600,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -688,7 +630,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -731,16 +673,6 @@ to enable it. You can execute the following once:</p>
<td>Validate iptables </td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--skip-rule-apply</code></td>
<td></td>
<td>Skip iptables apply </td>
@ -778,11 +710,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -802,7 +734,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -829,14 +761,6 @@ to enable it. You can execute the following once:</p>
<td>The log level used to start the Envoy proxy (choose from {trace, debug, info, warning, error, critical, off}).Level may also include one or more scopes, such as &#39;info,misc:error,upstream:debug&#39; (default `warning,misc:error`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--serviceCluster &lt;string&gt;</code></td>
<td>Service cluster (default `istio-proxy`)</td>
</tr>
@ -880,11 +804,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -904,21 +828,13 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
<td>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--vklog &lt;Level&gt;</code></td>
<td>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)</td>
</tr>
@ -945,12 +861,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -975,7 +891,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -988,16 +904,6 @@ to enable it. You can execute the following once:</p>
<td>One of &#39;yaml&#39; or &#39;json&#39;. (default ``)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--short</code></td>
<td><code>-s</code></td>
<td>Use --short=false to generate full version information </td>
@ -1027,11 +933,11 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -1051,7 +957,7 @@ to enable it. You can execute the following once:</p>
</tr>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, installer, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, util, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, authn, authorization, ca, cache, citadelclient, controllers, default, delta, dns, gateway, gcecred, googleca, googlecas, grpcgen, healthcheck, ingress status, iptables, klog, kube, mockcred, model, retry, sds, security, serviceentry, spiffe, status, stsclient, stsserver, token, trustBundle, validation, wasm, wle, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
@ -1066,14 +972,6 @@ to enable it. You can execute the following once:</p>
<td>number of milliseconds to wait for response (default `500`)</td>
</tr>
<tr>
<td><code>--s2a_enable_appengine_dialer</code></td>
<td>If true, opportunistically use AppEngine-specific dialer to call S2A. </td>
</tr>
<tr>
<td><code>--s2a_timeout &lt;duration&gt;</code></td>
<td>Timeout enforced on the connection to the S2A service for handshake. (default `3s`)</td>
</tr>
<tr>
<td><code>--timeoutSeconds &lt;int&gt;</code></td>
<td>maximum number of seconds to wait for Envoy to be ready (default `60`)</td>
</tr>
@ -1100,12 +998,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
</thead>
<tbody>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>BOOTSTRAP_XDS_AGENT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1202,12 +1094,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>The type of ECC signature algorithm to use when generating private keys</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
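Review bot: the ENABLE_AUTO_MTLS_CHECK_POLICIES row removed in this hunk was the only place this table said that auto mTLS consults the PeerAuthentication policy before setting tlsMode: istio, and it documented a default of true. With the row gone, the reference does not say whether that check is now unconditional or gone. Suggest stating the resulting behaviour in the release notes linked from this page, so operators who set the variable to false can tell what changes for them.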
@ -1244,18 +1130,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1298,12 +1172,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>ENVOY_PROMETHEUS_PORT</code></td>
<td>Integer</td>
<td><code>15090</code></td>
@ -1466,12 +1334,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>CPU limit for the current process. Expressed as an integer value, rounded up.</td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1520,12 +1382,6 @@ These environment variables affect the behavior of the <code>pilot-agent</code>
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_META_CERT_SIGNER</code></td>
<td>String</td>
<td><code></code></td>
@ -1644,6 +1500,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The minimum duration for which agent waits before it checks for active connections and terminates proxywhen number of active connections become zero</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>OUTPUT_CERTS</code></td>
<td>String</td>
<td><code></code></td>
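Review bot: the added MUTEX_PROFILE_FRACTION description reads "enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events", which is missing "at" before "a rate". The row also lists a default of 1000, so profiling is on unless the variable is set to 0; "If set to a non-zero value" reads as if it were opt-in, and the text would be clearer if it said the default already samples 0.1% of events. As this file is generated, both wording changes belong in the variable's description at its source.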
@ -1788,30 +1650,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
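Review bot: the PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH row removed here carried the warning that the option "is not secure with untrusted downstreams", and the PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME row said it was for migration only. Dropping both rows without a pointer leaves an operator who still sets either variable with no indication on this page that it has gone or what the gateway does instead. Suggest listing both under removed settings in the upgrade notes, keeping the security caveat for the first one.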
@ -1938,12 +1782,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1962,24 +1800,12 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -2019,7 +1845,7 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
@ -2112,12 +1938,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td></td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>PROV_CERT</code></td>
<td>String</td>
<td><code></code></td>
@ -2166,12 +1986,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>If enabled, readiness probes will be sent to &#39;localhost&#39;. Otherwise, they will be sent to the Pod&#39;s IP, matching Kubernetes&#39; behavior.</td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>SECRET_GRACE_PERIOD_RATIO</code></td>
<td>Floating-Point</td>
<td><code>0.5</code></td>
@ -2196,18 +2010,6 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>TOKEN_AUDIENCES</code></td>
<td>String</td>
<td><code>istio-ca</code></td>
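Review bot: The SPIFFE_BUNDLE_ENDPOINTS row removed in this hunk documented both the mapping syntax (foo|https://url/for/foo||bar|https://url/for/bar) and the fact that Istiod uses the fetched roots to verify client certificates from each trust domain. If the variable is no longer read, the page should point to whatever now carries federated trust bundles. If it is still read, the row should stay, because the format is otherwise undescribed for anyone auditing trust-domain federation.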
@ -2387,6 +2189,7 @@ Only applies when traffic from all groups (i.e. &#34;*&#34;) is being redirected
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_send_time</code></td><td><code>Distribution</code></td><td>Total time in seconds Pilot takes to send generated configuration.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
<tr><td><code>remote_cluster_sync_timeouts_total</code></td><td><code>Sum</code></td><td>Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.</td></tr>
<tr><td><code>scrape_failures_total</code></td><td><code>Sum</code></td><td>The total number of failed scrapes.</td></tr>
<tr><td><code>scrapes_total</code></td><td><code>Sum</code></td><td>The total number of scrapes.</td></tr>

View File

@ -8,7 +8,7 @@ number_of_entries: 10
max_toc_level: 2
remove_toc_prefix: 'pilot-discovery '
---
<p>Istio Pilot provides fleet-wide traffic management capabilities in the Istio Service Mesh.</p>
<p>Istio Pilot provides mesh-wide traffic management, security and policy capabilities in the Istio Service Mesh.</p>
<table class="command-flags">
<thead>
<tr>
@ -269,12 +269,12 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_caller &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] (default ``)</td>
<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] (default ``)</td>
</tr>
<tr>
<td><code>--log_output_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)</td>
</tr>
<tr>
<td><code>--log_rotate &lt;string&gt;</code></td>
@ -299,7 +299,7 @@ to enable it. You can execute the following once:</p>
<tr>
<td><code>--log_stacktrace_level &lt;string&gt;</code></td>
<td></td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, installer, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tpath, trustBundle, util, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, file, gateway, grpcgen, ingress status, klog, kube, model, monitor, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)</td>
</tr>
<tr>
<td><code>--log_target &lt;stringArray&gt;</code></td>
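Review bot: The regenerated --log_stacktrace_level description still gives the format as &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where the second element has the colon inside a single pair of angle brackets, unlike the &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt; form shown for --log_output_level in the previous hunk. Since the line is being rewritten anyway, fix the flag's help string at the source so both flags show the same syntax.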
@ -437,12 +437,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Expected audience in the tokens. </td>
</tr>
<tr>
<td><code>AUTO_RELOAD_PLUGIN_CERTS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, if user introduces new intermediate plug-in CA, user need not to restart istiod to pick up certs.Istiod picks newly added intermediate plug-in CA certs and updates it. Plug-in new Root-CA not supported.</td>
</tr>
<tr>
<td><code>CA_TRUSTED_NODE_ACCOUNTS</code></td>
<td>String</td>
<td><code></code></td>
@ -503,12 +497,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>The default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_MTLS_CHECK_POLICIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Enable the auto mTLS EDS output to consult the PeerAuthentication Policy, only set the {tlsMode: istio} when server side policy enables mTLS PERMISSIVE or STRICT.</td>
</tr>
<tr>
<td><code>ENABLE_AUTO_SNI</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -545,18 +533,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_FSGROUP_INJECTION</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If true, Istiod will set the pod fsGroup to 1337 on injection. This is required for Kubernetes 1.18 and older (see https://github.com/kubernetes/kubernetes/issues/57923 for details) unless JWT_POLICY is &#34;first-party-jwt&#34;.</td>
</tr>
<tr>
<td><code>ENABLE_LEGACY_LB_ALGORITHM_DEFAULT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, destinations for which no LB algorithm is specified will use the legacy default, ROUND_ROBIN. Care should be taken when using ROUND_ROBIN in general as it can overburden endpoints, especially when weights are used.</td>
</tr>
<tr>
<td><code>ENABLE_MCS_AUTO_EXPORT</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -599,12 +575,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, the TLS configuration on Sidecar.ingress will take effect</td>
</tr>
<tr>
<td><code>ENABLE_WASM_TELEMETRY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Wasm-based telemetry will be enabled.</td>
</tr>
<tr>
<td><code>EXTERNAL_CA</code></td>
<td>String</td>
<td><code></code></td>
@ -677,12 +647,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>ISTIO_DEFAULT_REQUEST_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>0s</code></td>
<td>Default Http and gRPC Request timeout</td>
</tr>
<tr>
<td><code>ISTIO_DELTA_XDS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -725,12 +689,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>The content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]</td>
</tr>
<tr>
<td><code>ISTIO_METADATA_DISCOVERY</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>Enables proxy discovery of the workload metadata to back-fill the telemetry reports.</td>
</tr>
<tr>
<td><code>ISTIO_MULTIROOT_MESH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -827,6 +785,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Metric scope rotation interval, set to 0 to disable the metric scope rotation</td>
</tr>
<tr>
<td><code>MUTEX_PROFILE_FRACTION</code></td>
<td>Integer</td>
<td><code>1000</code></td>
<td>If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, &#39;1000&#39; will record 0.1% of events. Set to 0 to disable entirely.</td>
</tr>
<tr>
<td><code>PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE</code></td>
<td>Boolean</td>
<td><code>false</code></td>
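Review bot: In the new MUTEX_PROFILE_FRACTION description, "enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events" is missing a word and should read "profiling at a rate of". The documented default is 1000, so per this text mutex profiling is on by default at 0.1% of events; the description should say that explicitly rather than leave it to be inferred from the default column.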
@ -965,30 +929,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, inbound clusters will be configured as ORIGINAL_DST clusters. When disabled, requests are always sent to localhost. The primary implication of this is that when enabled, binding to POD_IP will work while localhost will not; when disable, bind to POD_IP will not work, while localhost will. The enabled behavior matches the behavior without Istio enabled at all; this flag exists only for backwards compatibility. Regardless of this setting, the configuration can be overridden with the Sidecar.Ingress.DefaultEndpoint configuration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_ISTIO_TAGS</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>Determines whether or not trace spans generated by Envoy will include Istio-specific tags.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don&#39;t need this feature</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, pilot will allow any upstream cluster to be used with AUTO_PASSTHROUGH. This option is intended for backwards compatibility only and is not secure with untrusted downstreams; it will be removed in the future.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If enabled, Gateway&#39;s with ISTIO_MUTUAL mode and credentialName configured will use simple TLS. This is to retain legacy behavior only and not recommended for use beyond migration.</td>
</tr>
<tr>
<td><code>PILOT_ENABLE_METADATA_EXCHANGE</code></td>
<td>Boolean</td>
<td><code>true</code></td>
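Review bot: The rows for PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH and PILOT_ENABLE_LEGACY_ISTIO_MUTUAL_CREDENTIAL_NAME are dropped here with nothing in their place. Both described a security-relevant fallback (the first "is not secure with untrusted downstreams", the second makes ISTIO_MUTUAL Gateways with credentialName "use simple TLS"), so a deployment that still sets either variable may behave differently after upgrade without this page saying so. The commit message only says "update istio.io@ reference docs"; link the upstream change or an upgrade note stating that the variables are no longer honored.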
@ -1115,12 +1061,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.</td>
</tr>
<tr>
<td><code>PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT</code></td>
<td>Time Duration</td>
<td><code>1s</code></td>
<td>Protocol detection timeout for inbound listener</td>
</tr>
<tr>
<td><code>PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONS</code></td>
<td>String</td>
<td><code></code></td>
@ -1139,24 +1079,12 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>The interval for istiod to fetch the jwks_uri for the jwks public key.</td>
</tr>
<tr>
<td><code>PILOT_LEGACY_INGRESS_BEHAVIOR</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>If this is set to true, istio ingress will perform the legacy behavior, which does not meet https://kubernetes.io/docs/concepts/services-networking/ingress/#multiple-matches.</td>
</tr>
<tr>
<td><code>PILOT_MAX_REQUESTS_PER_SECOND</code></td>
<td>Floating-Point</td>
<td><code>25</code></td>
<td>Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently.</td>
</tr>
<tr>
<td><code>PILOT_PARTIAL_FULL_PUSHES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, pilot will send partial pushes in for child resources (RDS, EDS, etc) when possible. This occurs for EDS in many cases regardless of this setting.</td>
</tr>
<tr>
<td><code>PILOT_PERSISTENT_SESSION_HEADER_LABEL</code></td>
<td>String</td>
<td><code>istio.io/persistent-session-header</code></td>
@ -1196,7 +1124,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td><code>PILOT_SIDECAR_USE_REMOTE_ADDRESS</code></td>
<td>Boolean</td>
<td><code>false</code></td>
<td>UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.</td>
<td>UseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.</td>
</tr>
<tr>
<td><code>PILOT_SKIP_VALIDATE_TRUST_DOMAIN</code></td>
@ -1283,12 +1211,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td></td>
</tr>
<tr>
<td><code>PRIORITIZED_LEADER_ELECTION</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, the default revision will steal leader locks from non-default revisions</td>
</tr>
<tr>
<td><code>REQUIRE_3P_TOKEN</code></td>
<td>Boolean</td>
<td><code>false</code></td>
@ -1313,12 +1235,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>If enabled, readiness probes will be sent to &#39;localhost&#39;. Otherwise, they will be sent to the Pod&#39;s IP, matching Kubernetes&#39; behavior.</td>
</tr>
<tr>
<td><code>REWRITE_TCP_PROBES</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If false, TCP probes will not be rewritten and therefor always succeed when a sidecar is used.</td>
</tr>
<tr>
<td><code>ROOT_CA_DIR</code></td>
<td>String</td>
<td><code>./etc/cacerts</code></td>
@ -1331,18 +1247,6 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<td>Additional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.</td>
</tr>
<tr>
<td><code>SIDECAR_IGNORE_PORT_IN_HOST_MATCH</code></td>
<td>Boolean</td>
<td><code>true</code></td>
<td>If enabled, port will not be used in vhost domain matches.</td>
</tr>
<tr>
<td><code>SPIFFE_BUNDLE_ENDPOINTS</code></td>
<td>String</td>
<td><code></code></td>
<td>The SPIFFE bundle trust domain to endpoint mappings. Istiod retrieves the root certificate from each SPIFFE bundle endpoint and uses it to verify client certificates from that trust domain. The endpoint must be compliant to the SPIFFE Bundle Endpoint standard. For details, please refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md . No need to configure this for root certificates issued via Istiod or web-PKI based root certificates. Use || between &lt;trustdomain, endpoint&gt; tuples. Use | as delimiter between trust domain and endpoint in each tuple. For example: foo|https://url/for/foo||bar|https://url/for/bar</td>
</tr>
<tr>
<td><code>TOKEN_AUDIENCES</code></td>
<td>String</td>
<td><code>istio-ca</code></td>
@ -1437,11 +1341,9 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>citadel_server_success_cert_issuance_count</code></td><td><code>Sum</code></td><td>The number of certificates issuances that have succeeded.</td></tr>
<tr><td><code>controller_sync_errors_total</code></td><td><code>Sum</code></td><td>Total number of errorMetric syncing controllers.</td></tr>
<tr><td><code>endpoint_no_pod</code></td><td><code>LastValue</code></td><td>Endpoints without an associated pod.</td></tr>
<tr><td><code>galley_validation_config_delete_error</code></td><td><code>Count</code></td><td>k8s webhook configuration delete error</td></tr>
<tr><td><code>galley_validation_config_load</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)loads</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Count</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Count</code></td><td>k8s webhook configuration update error</td></tr>
<tr><td><code>galley_validation_config_updates</code></td><td><code>Count</code></td><td>k8s webhook configuration updates</td></tr>
<tr><td><code>galley_validation_config_load_error</code></td><td><code>Sum</code></td><td>k8s webhook configuration (re)load error</td></tr>
<tr><td><code>galley_validation_config_update_error</code></td><td><code>Sum</code></td><td>k8s webhook configuration update error</td></tr>
<tr><td><code>galley_validation_config_updates</code></td><td><code>Sum</code></td><td>k8s webhook configuration updates</td></tr>
<tr><td><code>galley_validation_failed</code></td><td><code>Sum</code></td><td>Resource validation failed</td></tr>
<tr><td><code>galley_validation_http_error</code></td><td><code>Sum</code></td><td>Resource validation http serve errors</td></tr>
<tr><td><code>galley_validation_passed</code></td><td><code>Sum</code></td><td>Resource is valid</td></tr>
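Review bot: The galley_validation_config_* rows change type from Count to Sum, and galley_validation_config_delete_error and galley_validation_config_load are no longer listed. Alert rules or dashboards keyed on either removed name will stop matching without raising an error, so the removal belongs in release notes. Also confirm that Count to Sum is only a relabeling in the doc generator and not a change in the exported series.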
@ -1458,6 +1360,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_eds_no_instances</code></td><td><code>LastValue</code></td><td>Number of clusters without instances.</td></tr>
<tr><td><code>pilot_endpoint_not_ready</code></td><td><code>LastValue</code></td><td>Endpoint found in unready state.</td></tr>
<tr><td><code>pilot_inbound_updates</code></td><td><code>Sum</code></td><td>Total number of updates received by pilot.</td></tr>
<tr><td><code>pilot_info</code></td><td><code>LastValue</code></td><td>Pilot version and build information.</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_fail_total</code></td><td><code>Sum</code></td><td>Total number of failed network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_jwks_resolver_network_fetch_success_total</code></td><td><code>Sum</code></td><td>Total number of successfully network fetch by pilot jwks resolver</td></tr>
<tr><td><code>pilot_k8s_cfg_events</code></td><td><code>Sum</code></td><td>Events from k8s config.</td></tr>
@ -1488,6 +1391,7 @@ These environment variables affect the behavior of the <code>pilot-discovery</co
<tr><td><code>pilot_xds_rds_reject</code></td><td><code>LastValue</code></td><td>Pilot rejected RDS.</td></tr>
<tr><td><code>pilot_xds_send_time</code></td><td><code>Distribution</code></td><td>Total time in seconds Pilot takes to send generated configuration.</td></tr>
<tr><td><code>pilot_xds_write_timeout</code></td><td><code>Sum</code></td><td>Pilot XDS response write timeouts.</td></tr>
<tr><td><code>provider_lookup_cluster_failures</code></td><td><code>Sum</code></td><td>Number of times a cluster lookup failed</td></tr>
<tr><td><code>remote_cluster_sync_timeouts_total</code></td><td><code>Sum</code></td><td>Number of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.</td></tr>
<tr><td><code>scrape_failures_total</code></td><td><code>Sum</code></td><td>The total number of failed scrapes.</td></tr>
<tr><td><code>scrapes_total</code></td><td><code>Sum</code></td><td>The total number of scrapes.</td></tr>

View File

@ -322,7 +322,7 @@ Istio supports to control its behavior.
<td>Alpha</td>
<td>[Pod]</td>
<td>An additional list of tags to extract from the in-proxy Istio telemetry. each additional tag needs to be present in this list.</td>
<td>An additional list of tags to extract from the in-proxy Istio Wasm telemetry. Each additional tag needs to be present in this list.</td>
</tr>
@ -458,6 +458,19 @@ Istio supports to control its behavior.
<tr>
<td><code>sidecar.istio.io/statsHistogramBuckets</code></td>
<td>Alpha</td>
<td>[Pod]</td>
<td>Specifies the custom histogram buckets with a prefix matcher to separate the Istio mesh metrics from the Envoy stats, e.g. `{"istio":[1,5,10,50,100,500,1000,5000,10000],"envoy":[1,5,10,25,50,100,250,500,1000,2500,5000,10000]}`. Default buckets are `[0.5,1,5,10,25,50,100,250,500,1000,2500,5000,10000,30000,60000,300000,600000,1800000,3600000]`.</td>
</tr>
<tr class="deprecated">
<td><code>sidecar.istio.io/statsInclusionPrefixes</code></td>

View File

@ -1169,6 +1169,24 @@ No
If not specified, the default curves enforced by envoy will be used. For details about the default curves, refer to
<a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">Ecdh Curves</a></p>
</td>
<td>
No
</td>
</tr>
<tr id="MeshConfig-TLSConfig-cipher_suites">
<td><code>cipherSuites</code></td>
<td><code>string[]</code></td>
<td>
<p>Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
If not specified, the following cipher suites will be used:
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-GCM-SHA256</p>
</td>
<td>
No
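Review bot: The default list in the new cipherSuites row ends with AES256-GCM-SHA384 and AES128-GCM-SHA256, which use RSA key exchange and therefore give no forward secrecy, unlike the four ECDHE suites above them. The text should say so, or recommend restricting the field to the ECDHE entries. The six names are separated only by newlines inside one paragraph element, so they render as a single run of text; put them in a list. "TLS 1.0-1.2" also deserves one sentence on what applies to TLS 1.3 connections, which this field does not cover.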

View File

@ -1066,12 +1066,14 @@ No
client including the CA certificates. This secret must exist in
the namespace of the proxy using the certificates.
An Opaque secret should contain the following keys and values:
<code>key: &lt;privateKey&gt;</code>, <code>cert: &lt;clientCert&gt;</code>, <code>cacert: &lt;CACertificate&gt;</code>.
<code>key: &lt;privateKey&gt;</code>, <code>cert: &lt;clientCert&gt;</code>, <code>cacert: &lt;CACertificate&gt;</code>,
<code>crl: &lt;certificateRevocationList&gt;</code>
Here CACertificate is used to verify the server certificate.
For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> can be provided in the
same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
A TLS secret for client certificates with an additional
<code>ca.crt</code> key for CA certificates is also supported.
<code>ca.crt</code> key for CA certificates and <code>ca.crl</code> key for
certificate revocation list(CRL) is also supported.
Only one of client certificates and CA certificate
or credentialName can be specified.</p>
<p><strong>NOTE:</strong> This field is applicable at sidecars only if
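Review bot: The added crl entry has no terminating period, so it runs straight into "Here CACertificate is used to verify the server certificate." The text explains what cacert is for but never says what the proxy does with crl or whether the key is optional. In the last changed sentence, "certificate revocation list(CRL) is also supported" needs a space before the parenthesis and "are" for the now plural subject.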
@ -1227,13 +1229,29 @@ No
<td>
<p>failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
This is to support traffic failover across different groups of endpoints.
Suppose there are total N labels specified:</p>
Two kinds of labels can be specified:</p>
<ul>
<li>
<p>Specify only label keys <code>[key1, key2, key3]</code>, istio would compare the label values of client with endpoints.
Suppose there are total N label keys <code>[key1, key2, key3, ...keyN]</code> specified:</p>
<ol>
<li>Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.</li>
<li>Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.</li>
<li>By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.</li>
<li>All the other endpoints have priority P(N) i.e. lowest priority.</li>
</ol>
</li>
<li>
<p>Specify labels with key and value <code>[key1=value1, key2=value2, key3=value3]</code>, istio would compare the labels with endpoints.
Suppose there are total N labels <code>[key1=value1, key2=value2, key3=value3, ...keyN=valueN]</code> specified:</p>
<ol>
<li>Endpoints matching all N labels have priority P(0) i.e. the highest priority.</li>
<li>Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.</li>
<li>By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.</li>
<li>All the other endpoints have priority P(N) i.e. lowest priority.</li>
</ol>
</li>
</ul>
<p>Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.</p>
<p>It can be any label specified on both client and server workloads.
The following labels which have special semantic meaning are also supported:</p>
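Review bot: "Two kinds of labels can be specified" does not say whether key-only and key=value entries may be mixed in one failoverPriority list, or what happens if they are; either state that a mixed list is rejected or define how it is ordered. In both numbered lists, item 3 reads "endpoints matching only the first label ... has priority", which should be "have".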
@ -1258,6 +1276,16 @@ The following labels which have special semantic meaning are also supported:</p>
<li>endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.</li>
<li>all the other endpoints have the same lowest priority.</li>
</ol>
<p>Suppose a service associated endpoints reside in multi clusters, the below example represents:</p>
<ol>
<li>endpoints in <code>clusterA</code> and has <code>version=v1</code> label have P(0) priority.</li>
<li>endpoints not in <code>clusterA</code> but has <code>version=v1</code> label have P(1) priority.</li>
<li>all the other endpoints have P(2) priority.</li>
</ol>
<pre><code class="language-yaml">failoverPriority:
- &quot;version=v1&quot;
- &quot;topology.istio.io/cluster=clusterA&quot;
</code></pre>
<p>Optional: only one of distribute, failover or failoverPriority can be set.
And it should be used together with <code>OutlierDetection</code> to detect unhealthy endpoints, otherwise has no effect.</p>

View File

@ -725,10 +725,11 @@ No
holds the TLS certs including the CA certificates. Applicable
only on Kubernetes. An Opaque secret should contain the following
keys and values: <code>key: &lt;privateKey&gt;</code> and <code>cert: &lt;serverCert&gt;</code>.
For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> can be provided in the
same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
A TLS secret for server certificates with an additional <code>ca.crt</code>
key for CA certificates is also supported.
For mutual TLS, <code>cacert: &lt;CACertificate&gt;</code> and <code>crl: &lt;CertificateRevocationList&gt;</code>
can be provided in the same secret or a separate secret named <code>&lt;secret&gt;-cacert</code>.
A TLS secret for server certificates with an additional <code>tls.ocsp-staple</code> key
for specifying OCSP staple information, <code>ca.crt</code> key for CA certificates
and <code>ca.crl</code> for certificate revocation list is also supported.
Only one of server certificates and CA certificate
or credentialName can be specified.</p>
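Review bot: "cacert and crl can be provided in the same secret or a separate secret named &lt;secret&gt;-cacert" leaves open whether the crl key is read from the -cacert secret when the CA is split out; say which secret is consulted. The placeholder is spelled &lt;CertificateRevocationList&gt; here but &lt;certificateRevocationList&gt; in the client-side credentialName text changed earlier in this commit, and tls.ocsp-staple is introduced without saying what format its value takes.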

View File

@ -8,7 +8,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.VirtualService
aliases: [/zh/docs/reference/config/networking/v1alpha3/virtual-service]
number_of_entries: 27
number_of_entries: 28
---
<p>Configuration affecting traffic routing. Here are a few terms useful to define
in the context of traffic routing.</p>
@ -1349,7 +1349,12 @@ e.g. <em>x-request-id</em>.</p>
</li>
</ul>
<p>If the value is empty and only the name of header is specified, presence of the header is checked.
<strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p>
To provide an empty value, use <code>{}</code>, for example:</p>
<pre><code> - match:
- headers:
myheader: {}
</code></pre>
<p><strong>Note:</strong> The keys <code>uri</code>, <code>scheme</code>, <code>method</code>, and <code>authority</code> will be ignored.</p>
</td>
<td>
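Review bot: The two sentences in the changed paragraph read as contradictory: an empty value means "presence of the header is checked", yet "To provide an empty value, use {}" sounds like a way to match a header whose value is empty. Reword so it is clear that myheader: {} is the syntax for the presence check. The new code block also carries no language class, while the failoverPriority example added elsewhere in this commit uses class="language-yaml".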
@ -2309,6 +2314,62 @@ No
<td>
<p>rewrite the Authority/Host header with this value.</p>
</td>
<td>
No
</td>
</tr>
<tr id="HTTPRewrite-uri_regex_rewrite">
<td><code>uriRegexRewrite</code></td>
<td><code><a href="#RegexRewrite">RegexRewrite</a></code></td>
<td>
<p>rewrite the path portion of the URI with the specified regex.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="RegexRewrite">RegexRewrite</h2>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="RegexRewrite-match">
<td><code>match</code></td>
<td><code>string</code></td>
<td>
<p>RE2 style regex-based match (<a href="https://github.com/google/re2/wiki/Syntax)">https://github.com/google/re2/wiki/Syntax)</a>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="RegexRewrite-rewrite">
<td><code>rewrite</code></td>
<td><code>string</code></td>
<td>
<p>The string that should replace into matching portions of original URI.
Capture groups in the pattern can be referenced in the new URI.
Examples:</p>
<p>Example 1: rewrite with capture groups
Path pattern &ldquo;/service/update/v1/api&rdquo; with match &ldquo;^/service/([^/]+)(/.*)$&rdquo; and
rewrite string of &ldquo;/customprefix/\2/\1&rdquo; would transform into &ldquo;/customprefix/v1/api/update&rdquo;.</p>
<p>Example 2: case insensitive rewrite
Path pattern &ldquo;/aaa/XxX/bbb&rdquo; with match &ldquo;(?i)/xxx/&rdquo; and a rewrite string of /yyy/ would do a
case-insensitive match and transform the path to &ldquo;/aaa/yyy/bbb&rdquo;.</p>
</td>
<td>
No
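Review bot: in the `RegexRewrite-match` row the closing parenthesis has ended up inside the link, in both the href and the link text ("https://github.com/google/re2/wiki/Syntax)"), so the rendered link points at a non-existent page. Move the ")" outside the anchor. In the `rewrite` row, "The string that should replace into matching portions" needs rewording, and since Example 1 is anchored with ^ and $ while Example 2 is not, the description should say whether every matching portion of the path is replaced or only the first. Both `match` and `rewrite` are listed as not required, and the text does not say what happens when only one of them is set.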

View File

@ -8,7 +8,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.extensions.v1alpha1.WasmPlugin
aliases: [/zh/docs/reference/config/extensions/v1alpha1/wasm-plugin]
number_of_entries: 7
number_of_entries: 8
---
<p>WasmPlugins provides a mechanism to extend the functionality provided by
the Istio proxy through WebAssembly filters.</p>
@ -297,7 +297,7 @@ No
</tr>
<tr id="WasmPlugin-priority">
<td><code>priority</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int64value">Int64Value</a></code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#int32value">Int32Value</a></code></td>
<td>
<p>Determines ordering of <code>WasmPlugins</code> in the same <code>phase</code>.
When multiple <code>WasmPlugins</code> are applied to the same workload in the
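Review bot: the type of `priority` narrows from Int64Value to Int32Value on the changed `<td>` line, but the description is unchanged and says nothing about the accepted range. A value that fit the old 64-bit type may not fit the new one, and `priority` determines the order in which `WasmPlugins` in the same `phase` run, so please document the range and note the change for anyone upgrading with existing large priority values.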
@ -306,6 +306,17 @@ If <code>priority</code> is not set, or two <code>WasmPlugins</code> exist with
value, the ordering will be deterministically derived from name and
namespace of the <code>WasmPlugins</code>. Defaults to <code>0</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="WasmPlugin-fail_strategy">
<td><code>failStrategy</code></td>
<td><code><a href="#FailStrategy">FailStrategy</a></code></td>
<td>
<p>Specifies the failure behavior for the plugin due to fatal errors.</p>
</td>
<td>
No
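Review bot: the new `failStrategy` row is marked not required, yet its description ("Specifies the failure behavior for the plugin due to fatal errors.") does not say which `FailStrategy` value applies when the field is unset. The neighbouring `priority` field states its default ("Defaults to 0"); do the same here, since whether an unset field fails closed or open decides if requests are rejected or pass through without the plugin.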
@ -585,3 +596,34 @@ this plugin. Note that the change includes <code>metadata</code> field as well.<
</tbody>
</table>
</section>
<h2 id="FailStrategy">FailStrategy</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="FailStrategy-FAIL_CLOSE">
<td><code>FAIL_CLOSE</code></td>
<td>
<p>A fatal error in the binary fetching or during the plugin execution causes
all subsequent requests to fail with 5xx.</p>
</td>
</tr>
<tr id="FailStrategy-FAIL_OPEN">
<td><code>FAIL_OPEN</code></td>
<td>
<p>Enables the fail open behavior for the Wasm plugin fatal errors to bypass
the plugin execution. A fatal error can be a failure to fetch the remote
binary, an exception, or abort() on the VM. This flag is not recommended
for the authentication or the authorization plugins.</p>
</td>
</tr>
</tbody>
</table>
</section>
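Review bot: the `FAIL_OPEN` description says "This flag is not recommended for the authentication or the authorization plugins" without stating the consequence, and it calls an enum value a "flag". Spell out that on a fatal error requests continue without the plugin being executed, so a plugin that enforces authentication or authorization would stop enforcing it. The two rows also define "fatal error" differently: `FAIL_OPEN` lists fetch failure, an exception, or abort() on the VM, while `FAIL_CLOSE` only mentions "binary fetching or during the plugin execution". Define the term once and reference it from both rows.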