Automator: update istio.io@ reference docs (#14296)

content/en/docs/reference/config/security/authorization-policy/index.html

@@ -396,6 +396,27 @@ will additionally match with workloads in all namespaces.</p>
 <p>If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
 and targetRef can be set.</p>
 
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="AuthorizationPolicy-targetRef">
+<td><code>targetRef</code></td>
+<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
+<td>
+<p>Optional. The targetRef specifies the gateway the policy should be
+applied to. The targeted resource specified will determine which
+workloads the authorization policy applies to. The targeted resource
+must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
+gateway must be in the same namespace as the authorization policy.</p>
+<p>If not set, the policy is applied as defined by the selector.
+At most one of the selector and targetRef can be set.</p>
+<p>NOTE: If you are using the <code>targetRef</code> field in a multi-revision environment with Istio versions prior to 1.20,
+it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
+This is to prevent proxies connected to older istiod control planes (that don&rsquo;t know about the targetRef field)
+from misinterpreting the policy as namespace-wide during the upgrade process.</p>
+
 </td>
 <td>
 No

content/en/docs/reference/config/security/request_authentication/index.html

@@ -407,6 +407,25 @@ in the same namespace as the request authentication policy. If the request authe
 the selector will additionally match with workloads in all namespaces.</p>
 <p>If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.</p>
 
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="RequestAuthentication-targetRef">
+<td><code>targetRef</code></td>
+<td><code><a href="/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
+<td>
+<p>Optional. The targetRef specifies the gateway the policy should be
+applied to. The targeted resource specified will determine which
+workloads the request authentication policy to. The targeted resource
+must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
+gateway must be in the same namespace as the request authentication
+policy.</p>
+<p>If not set, the policy is applied as defined by the selector.
+At most one of the selector and targetRef can be set.
+Waypoint proxies will not respect selectors even if they match.</p>
+
 </td>
 <td>
 No

content/zh/docs/reference/config/security/authorization-policy/index.html

@@ -396,6 +396,27 @@ will additionally match with workloads in all namespaces.</p>
 <p>If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
 and targetRef can be set.</p>
 
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="AuthorizationPolicy-targetRef">
+<td><code>targetRef</code></td>
+<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
+<td>
+<p>Optional. The targetRef specifies the gateway the policy should be
+applied to. The targeted resource specified will determine which
+workloads the authorization policy applies to. The targeted resource
+must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
+gateway must be in the same namespace as the authorization policy.</p>
+<p>If not set, the policy is applied as defined by the selector.
+At most one of the selector and targetRef can be set.</p>
+<p>NOTE: If you are using the <code>targetRef</code> field in a multi-revision environment with Istio versions prior to 1.20,
+it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
+This is to prevent proxies connected to older istiod control planes (that don&rsquo;t know about the targetRef field)
+from misinterpreting the policy as namespace-wide during the upgrade process.</p>
+
 </td>
 <td>
 No

content/zh/docs/reference/config/security/request_authentication/index.html

@@ -407,6 +407,25 @@ in the same namespace as the request authentication policy. If the request authe
 the selector will additionally match with workloads in all namespaces.</p>
 <p>If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.</p>
 
+</td>
+<td>
+No
+</td>
+</tr>
+<tr id="RequestAuthentication-targetRef">
+<td><code>targetRef</code></td>
+<td><code><a href="/zh/docs/reference/config/type/workload-selector/#PolicyTargetReference">PolicyTargetReference</a></code></td>
+<td>
+<p>Optional. The targetRef specifies the gateway the policy should be
+applied to. The targeted resource specified will determine which
+workloads the request authentication policy to. The targeted resource
+must be a <code>Gateway</code> in the group <code>gateway.networking.k8s.io</code>. The
+gateway must be in the same namespace as the request authentication
+policy.</p>
+<p>If not set, the policy is applied as defined by the selector.
+At most one of the selector and targetRef can be set.
+Waypoint proxies will not respect selectors even if they match.</p>
+
 </td>
 <td>
 No