Automator: update istio.io@ reference docs (#9420)

content/en/docs/reference/commands/istioctl/index.html

@@ -1653,116 +1653,6 @@ or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.10/i
   istioctl --kubeconfig=c0.yaml x create-remote-secret --name c0 --auth-type=plugin --auth-plugin-name=gcp \
     | kubectl --kubeconfig=c1.yaml apply -f -
 </code></pre>
-<h2 id="istioctl-experimental-debug">istioctl experimental debug</h2>
-<p>
-Retrieves the debug information from Istiod or Pods in the mesh using the service account from the pod if --cert-dir is empty.
-By default it will use the default serviceAccount from (istio-system) namespace if the pod is not specified.</p>
-<p>
-THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.</p>
-<pre class="language-bash"><code>istioctl experimental debug [&lt;type&gt;/]&lt;name&gt;[.&lt;namespace&gt;] [flags]
-</code></pre>
-<table class="command-flags">
-<thead>
-<tr>
-<th>Flags</th>
-<th>Shorthand</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td><code>--authority &lt;string&gt;</code></td>
-<td></td>
-<td>XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)</td>
-</tr>
-<tr>
-<td><code>--cert-dir &lt;string&gt;</code></td>
-<td></td>
-<td>XDS Endpoint certificate directory  (default ``)</td>
-</tr>
-<tr>
-<td><code>--context &lt;string&gt;</code></td>
-<td></td>
-<td>The name of the kubeconfig context to use  (default ``)</td>
-</tr>
-<tr>
-<td><code>--insecure</code></td>
-<td></td>
-<td>Skip server certificate and domain verification. (NOT SECURE!) </td>
-</tr>
-<tr>
-<td><code>--istioNamespace &lt;string&gt;</code></td>
-<td><code>-i</code></td>
-<td>Istio system namespace  (default `istio-system`)</td>
-</tr>
-<tr>
-<td><code>--kubeconfig &lt;string&gt;</code></td>
-<td><code>-c</code></td>
-<td>Kubernetes configuration file  (default ``)</td>
-</tr>
-<tr>
-<td><code>--namespace &lt;string&gt;</code></td>
-<td><code>-n</code></td>
-<td>Config namespace  (default ``)</td>
-</tr>
-<tr>
-<td><code>--plaintext</code></td>
-<td></td>
-<td>Use plain-text HTTP/2 when connecting to server (no TLS). </td>
-</tr>
-<tr>
-<td><code>--revision &lt;string&gt;</code></td>
-<td><code>-r</code></td>
-<td>Control plane revision  (default ``)</td>
-</tr>
-<tr>
-<td><code>--timeout &lt;duration&gt;</code></td>
-<td></td>
-<td>The duration to wait before failing  (default `30s`)</td>
-</tr>
-<tr>
-<td><code>--xds-address &lt;string&gt;</code></td>
-<td></td>
-<td>XDS Endpoint  (default ``)</td>
-</tr>
-<tr>
-<td><code>--xds-label &lt;string&gt;</code></td>
-<td></td>
-<td>Istiod pod label selector  (default ``)</td>
-</tr>
-<tr>
-<td><code>--xds-port &lt;int&gt;</code></td>
-<td></td>
-<td>Istiod pod port  (default `15012`)</td>
-</tr>
-</tbody>
-</table>
-<h3 id="istioctl-experimental-debug Examples">Examples</h3>
-<pre class="language-bash"><code>  # Retrieve sync status for all Envoys in a mesh
-  istioctl x debug syncz
-
-  # Retrieve sync diff for a single Envoy and Istiod
-  istioctl x debug syncz istio-egressgateway-59585c5b9c-ndc59.istio-system
-
-  # SECURITY OPTIONS
-
-  # Retrieve syncz debug information directly from the control plane, using token security
-  # (This is the usual way to get the debug information with an out-of-cluster control plane.)
-  istioctl x debug syncz --xds-address istio.cloudprovider.example.com:15012
-
-  # Retrieve syncz debug information via Kubernetes config, using token security
-  # (This is the usual way to get the debug information with an in-cluster control plane.)
-  istioctl x debug syncz
-
-  # Retrieve syncz debug information directly from the control plane, using RSA certificate security
-  # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
-  istioctl x debug syncz --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
-
-  # Retrieve syncz information via XDS from specific control plane in multi-control plane in-cluster configuration
-  # (Select a specific control plane in an in-cluster canary Istio configuration.)
-  istioctl x debug syncz --xds-label istio.io/rev=default
-
-</code></pre>
 <h2 id="istioctl-experimental-describe">istioctl experimental describe</h2>
 <p>Describe resource and related Istio configuration</p>
 <pre class="language-bash"><code>istioctl experimental describe [flags]
@@ -1969,6 +1859,116 @@ the configuration objects that affect that service.</p>
 </table>
 <h3 id="istioctl-experimental-injector-list Examples">Examples</h3>
 <pre class="language-bash"><code>  istioctl experimental injector list
+</code></pre>
+<h2 id="istioctl-experimental-internal-debug">istioctl experimental internal-debug</h2>
+<p>
+Retrieves the debug information from Istiod or Pods in the mesh using the service account from the pod if --cert-dir is empty.
+By default it will use the default serviceAccount from (istio-system) namespace if the pod is not specified.</p>
+<p>
+THIS COMMAND IS UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE.</p>
+<pre class="language-bash"><code>istioctl experimental internal-debug [&lt;type&gt;/]&lt;name&gt;[.&lt;namespace&gt;] [flags]
+</code></pre>
+<table class="command-flags">
+<thead>
+<tr>
+<th>Flags</th>
+<th>Shorthand</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>--authority &lt;string&gt;</code></td>
+<td></td>
+<td>XDS Subject Alternative Name (for example istiod.istio-system.svc)  (default ``)</td>
+</tr>
+<tr>
+<td><code>--cert-dir &lt;string&gt;</code></td>
+<td></td>
+<td>XDS Endpoint certificate directory  (default ``)</td>
+</tr>
+<tr>
+<td><code>--context &lt;string&gt;</code></td>
+<td></td>
+<td>The name of the kubeconfig context to use  (default ``)</td>
+</tr>
+<tr>
+<td><code>--insecure</code></td>
+<td></td>
+<td>Skip server certificate and domain verification. (NOT SECURE!) </td>
+</tr>
+<tr>
+<td><code>--istioNamespace &lt;string&gt;</code></td>
+<td><code>-i</code></td>
+<td>Istio system namespace  (default `istio-system`)</td>
+</tr>
+<tr>
+<td><code>--kubeconfig &lt;string&gt;</code></td>
+<td><code>-c</code></td>
+<td>Kubernetes configuration file  (default ``)</td>
+</tr>
+<tr>
+<td><code>--namespace &lt;string&gt;</code></td>
+<td><code>-n</code></td>
+<td>Config namespace  (default ``)</td>
+</tr>
+<tr>
+<td><code>--plaintext</code></td>
+<td></td>
+<td>Use plain-text HTTP/2 when connecting to server (no TLS). </td>
+</tr>
+<tr>
+<td><code>--revision &lt;string&gt;</code></td>
+<td><code>-r</code></td>
+<td>Control plane revision  (default ``)</td>
+</tr>
+<tr>
+<td><code>--timeout &lt;duration&gt;</code></td>
+<td></td>
+<td>The duration to wait before failing  (default `30s`)</td>
+</tr>
+<tr>
+<td><code>--xds-address &lt;string&gt;</code></td>
+<td></td>
+<td>XDS Endpoint  (default ``)</td>
+</tr>
+<tr>
+<td><code>--xds-label &lt;string&gt;</code></td>
+<td></td>
+<td>Istiod pod label selector  (default ``)</td>
+</tr>
+<tr>
+<td><code>--xds-port &lt;int&gt;</code></td>
+<td></td>
+<td>Istiod pod port  (default `15012`)</td>
+</tr>
+</tbody>
+</table>
+<h3 id="istioctl-experimental-internal-debug Examples">Examples</h3>
+<pre class="language-bash"><code>  # Retrieve sync status for all Envoys in a mesh
+  istioctl x internal-debug syncz
+
+  # Retrieve sync diff for a single Envoy and Istiod
+  istioctl x internal-debug syncz istio-egressgateway-59585c5b9c-ndc59.istio-system
+
+  # SECURITY OPTIONS
+
+  # Retrieve syncz debug information directly from the control plane, using token security
+  # (This is the usual way to get the debug information with an out-of-cluster control plane.)
+  istioctl x internal-debug syncz --xds-address istio.cloudprovider.example.com:15012
+
+  # Retrieve syncz debug information via Kubernetes config, using token security
+  # (This is the usual way to get the debug information with an in-cluster control plane.)
+  istioctl x internal-debug syncz
+
+  # Retrieve syncz debug information directly from the control plane, using RSA certificate security
+  # (Certificates must be obtained before this step.  The --cert-dir flag lets istioctl bypass the Kubernetes API server.)
+  istioctl x internal-debug syncz --xds-address istio.example.com:15012 --cert-dir ~/.istio-certs
+
+  # Retrieve syncz information via XDS from specific control plane in multi-control plane in-cluster configuration
+  # (Select a specific control plane in an in-cluster canary Istio configuration.)
+  istioctl x internal-debug syncz --xds-label istio.io/rev=default
+
 </code></pre>
 <h2 id="istioctl-experimental-kube-uninject">istioctl experimental kube-uninject</h2>
 <p>

content/en/docs/reference/config/networking/virtual-service/index.html

@@ -701,13 +701,19 @@ No
 <td><code><a href="#Delegate">Delegate</a></code></td>
 <td>
 <p>Delegate is used to specify the particular VirtualService which
-can be used to define delegate HTTPRoute.
+can be used to define delegate HTTPRoute.</p>
-It can be set only when <code>Route</code> and <code>Redirect</code> are empty, and the route rules of the
+
-delegate VirtualService will be merged with that in the current one.
+<p>It can be set only when <code>Route</code> and <code>Redirect</code> are empty, and the route
-<strong>NOTE</strong>:
+rules of the delegate VirtualService will be merged with that in the
-   1. Only one level delegation is supported.
+current one.</p>
-   2. The delegate&rsquo;s HTTPMatchRequest must be a strict subset of the root&rsquo;s,
+
-      otherwise there is a conflict and the HTTPRoute will not take effect.</p>
+<p><strong>NOTE</strong>:</p>
+
+<ol>
+<li>Only one level delegation is supported.</li>
+<li>The delegate&rsquo;s HTTPMatchRequest must be a strict subset of the root&rsquo;s,
+otherwise there is a conflict and the HTTPRoute will not take effect.</li>
+</ol>
 
 </td>
 <td>
@@ -1470,14 +1476,19 @@ No
 <td>
 <p>Query parameters for matching.</p>
 
-<p>Ex:
+<p>Ex:</p>
-- For a query parameter like &ldquo;?key=true&rdquo;, the map key would be &ldquo;key&rdquo; and
+
-  the string match could be defined as <code>exact: &quot;true&quot;</code>.
+<ul>
-- For a query parameter like &ldquo;?key&rdquo;, the map key would be &ldquo;key&rdquo; and the
+<li><p>For a query parameter like &ldquo;?key=true&rdquo;, the map key would be &ldquo;key&rdquo; and
-  string match could be defined as <code>exact: &quot;&quot;</code>.
+the string match could be defined as <code>exact: &quot;true&quot;</code>.</p></li>
-- For a query parameter like &ldquo;?key=123&rdquo;, the map key would be &ldquo;key&rdquo; and the
+
-  string match could be defined as <code>regex: &quot;\d+$&quot;</code>. Note that this
+<li><p>For a query parameter like &ldquo;?key&rdquo;, the map key would be &ldquo;key&rdquo; and the
-  configuration will only match values like &ldquo;123&rdquo; but not &ldquo;a123&rdquo; or &ldquo;123a&rdquo;.</p>
+string match could be defined as <code>exact: &quot;&quot;</code>.</p></li>
+
+<li><p>For a query parameter like &ldquo;?key=123&rdquo;, the map key would be &ldquo;key&rdquo; and the
+string match could be defined as <code>regex: &quot;\d+$&quot;</code>. Note that this
+configuration will only match values like &ldquo;123&rdquo; but not &ldquo;a123&rdquo; or &ldquo;123a&rdquo;.</p></li>
+</ul>
 
 <p><strong>Note:</strong> <code>prefix</code> matching is currently not supported.</p>
 

content/en/docs/reference/config/security/peer_authentication/index.html

@@ -130,7 +130,8 @@ No
 <td><code>portLevelMtls</code></td>
 <td><code>map&lt;uint32,&nbsp;<a href="#PeerAuthentication-MutualTLS">MutualTLS</a>&gt;</code></td>
 <td>
-<p>Port specific mutual TLS settings.</p>
+<p>Port specific mutual TLS settings. These only apply when a workload selector
+is specified.</p>
 
 </td>
 <td>