From cf38cac32b7deadab6669df27135b2da2250e080 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Mon, 4 Oct 2021 19:48:22 -0700
Subject: [PATCH] Automator: update istio.io@ reference docs (#10401)
---
 .../config/networking/envoy-filter/index.html | 7 +-
 .../request_authentication/index.html | 65 +++++++++++++++++++
 2 files changed, 66 insertions(+), 6 deletions(-)
diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html
index 7fce90b7cb..22049ce7d7 100644
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@@ -340,12 +340,7 @@ spec:
 name: my-wasm-extension # This must match the name above
 config_discovery:
 config_source:
- api_config_source:
- api_type: GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds-grpc
+ ads: {}
 type_urls: ["envoy.extensions.filters.http.wasm.v3.Wasm"]
diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html
index 32fa68e0d2..995ecc1d78 100644
--- a/content/en/docs/reference/config/security/request_authentication/index.html
+++ b/content/en/docs/reference/config/security/request_authentication/index.html
@@ -146,6 +146,71 @@ spec:
 paths: ["/healthz"]
+
+
+

The following example creates the request authentication and authorization policies for JWT validation on ingress
+gateway and routes requests based on the “version” claim in the validated JWT.

+ +
apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: jwt-on-ingress
+  namespace: istio-system
+spec:
+ selector:
+   matchLabels:
+     app: istio-ingressgateway
+  jwtRules:
+  - issuer: "issuer-foo"
+    jwksUri: https://example.com/.well-known/jwks.json
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: require-jwt
+  namespace: istio-system
+spec:
+ selector:
+   matchLabels:
+     app: istio-ingressgateway
+  rules:
+  - from:
+    - source:
+        requestPrincipals: ["*"]
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: route-jwt
+spec:
+  hosts:
+  - foo.prod.svc.cluster.local
+  gateways:
+  - istio-ingressgateway
+  http:
+  - name: "v2-route"
+    match:
+    - headers:
+        x-jwt-claim.version:
+          exact: "v2"
+    route:
+    - destination:
+        host: foo.prod.svc.cluster.local
+        subset: v2
+  - name: "default-route"
+    route:
+    - destination:
+        host: foo.prod.svc.cluster.local
+        subset: v1
+
+ +

Note: This routing is only supported on Gateways and proper request authentication must first be applied to validate the JWT.

+