From dab6c9adb9501ec88ffb986eda497ddfab1e02bd Mon Sep 17 00:00:00 2001
From: Eric Van Norman
Date: Tue, 28 Apr 2020 11:20:17 -0500
Subject: [PATCH] Manual ref doc update from release 1.6 with galley removed. (#7171)

* Run SOURCE_BRANCH_NAME=release-1.6 make update_ref_docs

* Fix galley reference doc being removed.
---
 .../en/docs/concepts/observability/index.md | 1 -
 .../docs/reference/commands/galley/index.html | 609 ----
 .../reference/commands/istioctl/index.html | 353 +-
 .../docs/reference/commands/mixs/index.html | 252 ++
 .../reference/commands/operator/index.html | 295 +-
 .../reference/commands/pilot-agent/index.html | 127 +-
 .../commands/pilot-discovery/index.html | 108 +-
 .../reference/config/annotations/index.html | 10 +
 .../reference/config/attributegen/index.html | 281 ++
 .../config/istio.mesh.v1alpha1/index.html | 116 +-
 .../config/istio.operator.v1alpha1/index.html | 2 +-
 .../config/networking/envoy-filter/index.html | 2 +-
 .../config/networking/gateway/index.html | 2 +-
 .../networking/service-entry/index.html | 6 +-
 .../networking/virtual-service/index.html | 2677 ++++++++++-------
 .../config/proxy_extensions/stats/index.html | 57 +-
 .../request_authentication/index.html | 110 +-
 .../announcing-1.2/change-notes/index.md | 2 +-
 data/analysis.yaml | 35 +
 19 files changed, 3040 insertions(+), 2005 deletions(-)
 delete mode 100644 content/en/docs/reference/commands/galley/index.html
 create mode 100644 content/en/docs/reference/config/attributegen/index.html

diff --git a/content/en/docs/concepts/observability/index.md b/content/en/docs/concepts/observability/index.md
index e17a5fd9f6..5cbd7568c7 100644
--- a/content/en/docs/concepts/observability/index.md
+++ b/content/en/docs/concepts/observability/index.md
@@ -117,7 +117,6 @@ of Istio itself (as distinct from that of the services within the mesh).
 For more information on which metrics are maintained, please refer to the reference documentation for each of the components:
 
 - [Pilot](/docs/reference/commands/pilot-discovery/#metrics)
-- [Galley](/docs/reference/commands/galley/#metrics)
 - [Mixer](/docs/reference/commands/mixs/#metrics)
 
 ## Distributed traces
diff --git a/content/en/docs/reference/commands/galley/index.html b/content/en/docs/reference/commands/galley/index.html
deleted file mode 100644
index 929cb63654..0000000000
--- a/content/en/docs/reference/commands/galley/index.html
+++ /dev/null
@@ -1,609 +0,0 @@
---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO -source_repo: https://github.com/istio/istio -title: galley -description: Galley provides configuration management services for Istio. -generator: pkg-collateral-docs -number_of_entries: 5 -max_toc_level: 2 -remove_toc_prefix: 'galley ' ---- -

Galley provides configuration management services for Istio.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--config <string>-cConfig file containing args (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
-

galley probe

-

Check the liveness or readiness of a locally-running server

-
galley probe [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--config <string>-cConfig file containing args (default ``)
--interval <duration>Duration used for checking the target file's last modified time. (default `0s`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--probe-path <string>Path of the file for checking the availability. (default ``)
-

galley server

-

Starts Galley as a server

-
galley server [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--accessListFile <string>The access list yaml file that contains the allowed mTLS peer ids. (default `/etc/config/accesslist.yaml`)
--caCertFile <string>File containing the caBundle that signed the cert/key specified by --tlsCertFile and --tlsKeyFile. (default `/etc/certs/root-cert.pem`)
--config <string>-cConfig file containing args (default ``)
--configPath <string>Istio config file path (default ``)
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--deployment-name <string>Name of the deployment for the validation pod (default `istio-galley`)
--deployment-namespace <string>Namespace of the deployment for the validation pod (default `istio-system`)
--disableResourceReadyCheckDisable resource readiness checks. This allows Galley to start if not all resource types are supported
--domain <string>DNS domain suffix (default `cluster.local`)
--enable-reconcileWebhookConfigurationEnable reconciliation for webhook configuration.
--enable-serverRun galley server mode
--enable-validationRun galley validation mode
--enableAnalysisEnable config analysis service
--enableProfilingEnable profiling for Galley
--enableServiceDiscoveryEnable service discovery processing in Galley
--excludedResourceKinds <stringSlice>Comma-separated list of resource kinds that should not generate source events (default `[Endpoints,Namespace,Node,Pod,Service]`)
--insecureUse insecure gRPC communication
--kubeconfig <string>Use a Kubernetes configuration file instead of in-cluster configuration (default ``)
--livenessProbeInterval <duration>Interval of updating file for the Galley liveness probe. (default `2s`)
--livenessProbePath <string>Path to the file for the Galley liveness probe. (default `/healthLiveness`)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--meshConfigFile <string>Path to the mesh config file (default `/etc/mesh-config/mesh`)
--monitoringPort <uint>Port to use for exposing self-monitoring information (default `15014`)
--pprofPort <uint>Port to use for exposing profiling (default `9094`)
--readinessProbeInterval <duration>Interval of updating file for the Galley readiness probe. (default `2s`)
--readinessProbePath <string>Path to the file for the Galley readiness probe. (default `/healthReadiness`)
--resyncPeriod <duration>Resync period for rescanning Kubernetes resources (default `0s`)
--server-address <string>Address to use for Galley's gRPC API, e.g. tcp://localhost:9092 or unix:///path/to/file (default `tcp://0.0.0.0:9901`)
--server-maxConcurrentStreams <uint>Maximum number of outstanding RPCs per connection (default `1024`)
--server-maxReceivedMessageSize <uint>Maximum size of individual gRPC messages (default `1048576`)
--service-name <string>Name of the validation service running in the same namespace as the deployment (default `istio-galley`)
--sinkAddress <string>Address of MCP Resource Sink server for Galley to connect to. Ex: 'foo.com:1234' (default ``)
--sinkAuthMode <string>Name of authentication plugin to use for connection to sink server. (default ``)
--sinkMeta <stringSlice>Comma-separated list of key=values to attach as metadata to outgoing sink connections. Ex: 'key=value,key2=value2' (default `[]`)
--tlsCertFile <string>File containing the x509 Certificate for HTTPS. (default `/etc/certs/cert-chain.pem`)
--tlsKeyFile <string>File containing the x509 private key matching --tlsCertFile. (default `/etc/certs/key.pem`)
--validation-port <uint>HTTPS port of the validation service. (default `9443`)
--validation.tls.caCertificates <string>File containing the caBundle that signed the cert/key specified by --validation.tls.clientCertificate and --validation.tls.privateKey. (default `/etc/certs/root-cert.pem`)
--validation.tls.clientCertificate <string>File containing the x509 Certificate for HTTPS validation. (default `/etc/certs/cert-chain.pem`)
--validation.tls.privateKey <string>File containing the x509 private key matching --validation.tls.clientCertificate. (default `/etc/certs/key.pem`)
--watchConfigFilesEnable the Fsnotify for watching config source files on the disk and implicit signaling on a config change. Explicit signaling will still be enabled
--webhook-name <string>Name of the k8s validatingwebhookconfiguration (default `istio-galley`)
-

Accepts deep config files, like: -

general:
-  introspection:
-    address: --ctrlz_address
-    port: --ctrlz_port
-  kubeconfig: --kubeconfig
-processing:
-  domainsuffix: --domain
-  server:
-    address: --server-address
-    auth:
-      insecure: --insecure
-    enable: --enable-server
-validation:
-  deploymentname: --deployment-name
-  deploymentnamespace: --deployment-namespace
-  enable: --enable-validation
-  servicename: --service-name
-  tls:
-    caCertificates: --validation.tls.caCertificates
-    clientCertificate: --validation.tls.clientCertificate
-    privateKey: --validation.tls.privateKey
-  webhookconfigfile: --validation-webhook-config-file
-  webhookname: --webhook-name
-  webhookport: --validation-port
-
-
-

galley version

-

Prints out build version information

-
galley version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--config <string>-cConfig file containing args (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, analysis, attributes, authorization, default, grpcAdapter, mcp, model, processing, resource, server, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
-

Environment variables

-These environment variables affect the behavior of the galley command. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Variable NameTypeDefault ValueDescription
AUTHZ_FAILURE_LOG_BURST_SIZEInteger1
AUTHZ_FAILURE_LOG_FREQTime Duration1m0s
MCP_SOURCE_REQ_BURST_SIZEInteger100
MCP_SOURCE_REQ_FREQTime Duration1s
SOURCE_SERVER_STREAM_BURST_SIZEInteger100
SOURCE_SERVER_STREAM_FREQTime Duration1s
-

Exported metrics

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
galley_runtime_processor_event_span_duration_millisecondsDistributionThe duration between each incoming event
galley_runtime_processor_events_processed_totalCountThe number of events that have been processed
galley_runtime_processor_snapshot_events_totalDistributionThe number of events per snapshot
galley_runtime_processor_snapshot_lifetime_duration_millisecondsDistributionThe duration of each snapshot
galley_runtime_processor_snapshots_published_totalCountThe number of snapshots that have been published
galley_runtime_state_type_instances_totalLastValueThe number of type instances per type URL
galley_runtime_strategy_on_change_totalCountThe number of times the strategy's onChange has been called
galley_runtime_strategy_timer_max_time_reached_totalCountThe number of times the max time has been reached
galley_runtime_strategy_timer_quiesce_reached_totalCountThe number of times a quiesce has been reached
galley_runtime_strategy_timer_resets_totalCountThe number of times the timer has been reset
galley_source_kube_dynamic_converter_failure_totalCountThe number of times a dynamnic kubernetes source failed converting a resources
galley_source_kube_dynamic_converter_success_totalCountThe number of times a dynamic kubernetes source successfully converted a resource
galley_source_kube_event_error_totalCountThe number of times a kubernetes source encountered errored while handling an event
galley_source_kube_event_success_totalCountThe number of times a kubernetes source successfully handled an event
galley_validation_cert_key_update_errorsCountGalley validation webhook certificate updates errors
galley_validation_cert_key_updatesCountGalley validation webhook certificate updates
galley_validation_config_delete_errorCountk8s webhook configuration delete error
galley_validation_config_loadCountk8s webhook configuration (re)loads
galley_validation_config_load_errorCountk8s webhook configuration (re)load error
galley_validation_config_update_errorCountk8s webhook configuration update error
galley_validation_config_updatesCountk8s webhook configuration updates
galley_validation_failedCountResource validation failed
galley_validation_http_errorCountResource validation http serve errors
galley_validation_passedCountResource is valid
istio_buildLastValueIstio component build info
istio_mcp_clients_totalLastValueThe number of streams currently connected.
istio_mcp_message_sizes_bytesDistributionSize of messages received from clients.
istio_mcp_reconnectionsSumThe number of times the sink has reconnected.
istio_mcp_recv_failures_totalSumThe number of recv failures in the source.
istio_mcp_request_acks_totalSumThe number of request acks received by the source.
istio_mcp_request_nacks_totalSumThe number of request nacks received by the source.
istio_mcp_send_failures_totalSumThe number of send failures in the source.
diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html
index 657bea6301..e635137312 100644
--- a/content/en/docs/reference/commands/istioctl/index.html
+++ b/content/en/docs/reference/commands/istioctl/index.html
@@ -1132,7 +1132,6 @@ istioctl analyze -L

istioctl experimental authz

Commands to inspect and interact with the authorization policies check - check Envoy config dump for authorization configuration - convert - convert v1alpha1 RBAC policies to v1beta1 authorization policies

@@ -1169,12 +1168,6 @@ istioctl analyze -L
  # Check Envoy authorization configuration for pod httpbin-88ddbcfdd-nt5jb:
   istioctl x authz check httpbin-88ddbcfdd-nt5jb
 
-  # Convert the v1alpha1 RBAC policies in the current cluster:
-  istioctl x authz convert > authorization-policies.yaml
-
-  # Convert the v1alpha1 RBAC policies in the file with the given services and root namespace:
-  istioctl x authz convert -f rbac-policies.yaml -s my-service.yaml -r istio-system > authorization-policies.yaml
-
 

istioctl experimental authz check

Check reads the Envoy config dump and checks the filter configuration @@ -1234,82 +1227,6 @@ with authorization and the rules used in the authorization.

# Check Envoy authorization configuration from a config dump file: istioctl x authz check -f httpbin_config_dump.json -

istioctl experimental authz convert

-

Convert Istio v1alpha1 RBAC policy to v1beta1 authorization policy. By default, -The command talks to Istio Pilot and Kubernetes API server to get all the information -needed for the conversion, including the v1alpha1 RBAC policies in the current cluster, -the value of the root namespace and the Kubernetes services that provide the mapping from the -service name to workload selector.

-

The tool can also be used in an offline mode when specified with flag -f. In this mode, -the tool doesn't access the network and all needed information is provided -through the command line.

-

Note: The converter tool makes a best effort attempt to keep the syntax unchanged during -the conversion. However, in some cases, strict mapping with equivalent syntax is not -possible (e.g., constraints no longer supported in the new workload oriented model).

-

PLEASE ALWAYS REVIEW THE CONVERTED POLICIES BEFORE APPLYING. -

-
istioctl experimental authz convert [flags]
-
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--allowNoClusterRbacConfigContinue the conversion even if there is no ClusterRbacConfig in the cluster
--context <string>The name of the kubeconfig context to use (default ``)
--file <stringSlice>-fThe yaml file with v1alpha1 RBAC policies to be converted (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--rootNamespace <string>-rOverride the root namespace used in the conversion (default `istio-system`)
--service <stringSlice>-sThe yaml file with Kubernetes services for the mapping from the service name to workload selector, used with -f (default `[]`)
-

Examples

-
  # Convert the v1alpha1 RBAC policy in the current cluster:
-  istioctl x authz convert > authorization-policies.yaml
-
-  # Convert the v1alpha1 RBAC policy in the given file: 
-  istioctl x authz convert -f v1alpha1-policy-1.yaml,v1alpha1-policy-2.yaml
-  -s my-services.yaml -r my-root-namespace > authorization-policies.yaml
-
-

istioctl experimental convert-ingress

(convert-ingress has graduated. Use `istioctl convert-ingress`)

istioctl experimental convert-ingress [flags]
@@ -2165,6 +2082,70 @@ istioctl experimental post-install webhook status --validation --validation-conf
 istioctl experimental post-install webhook status --validation --validation-config istio-galley 
   --injection --injection-config istio-sidecar-injector
 
+
+

istioctl experimental precheck

+

+ precheck inspects a Kubernetes cluster for Istio install requirements. +

+
istioctl experimental precheck [-f <deployment or istio operator file>] [flags]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FlagsShorthandDescription
--context <string>The name of the kubeconfig context to use (default ``)
--filename <stringSlice>-fIstio YAML installation file. (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nConfig namespace (default ``)
--recursive-RProcess the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
--revision <string>control plane revision (default ``)
+

Examples

+

+		# Verify that Istio can be installed
+		istioctl experimental precheck
+
+		# Verify the deployment matches a custom Istio deployment configuration
+		istioctl x precheck --set profile=demo
+
+		# Verify the deployment matches the Istio Operator deployment definition
+		istioctl x precheck -f iop.yaml
+
 

istioctl experimental remove-from-mesh

Remove workloads from Istio service mesh

@@ -2370,11 +2351,6 @@ THIS COMMAND IS STILL UNDER ACTIVE DEVELOPMENT AND NOT READY FOR PRODUCTION USE. Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -2453,6 +2429,11 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl wait for a specific version of config to become current, rather than using whatever is latest in kubernetes (default ``) +--revision <string> + +control plane revision (default ``) + + --threshold <float32> the ratio of distribution required for success (default `1`) @@ -2487,6 +2468,14 @@ istioctl experimental wait --for=distribution --threshold=.99 --timeout=300 virt +--charts <string> +-d +Specify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz). + (default ``) + + --context <string> The name of the kubeconfig context to use (default ``) @@ -2518,11 +2507,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -2715,11 +2699,6 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \ Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -2745,6 +2724,14 @@ istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \ +--charts <string> +-d +Specify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz). + (default ``) + + --context <string> The name of the kubeconfig context to use (default ``) 
@@ -2776,11 +2763,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -2874,11 +2856,6 @@ If set to true, the user is not prompted and a Yes response is assumed in all ca Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -2920,6 +2897,14 @@ e.g. +--charts <string> +-d +Specify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz). + (default ``) + + --context <string> The name of the kubeconfig context to use (default ``) @@ -2951,11 +2936,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3033,11 +3013,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3083,11 +3058,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) 
@@ -3151,6 +3121,14 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl +--charts <string> +-d +Specify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz). + (default ``) + + --context <string> The name of the kubeconfig context to use (default ``) @@ -3176,11 +3154,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3216,6 +3189,14 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl +--charts <string> +-d +Specify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz). + (default ``) + + --context <string> The name of the kubeconfig context to use (default ``) @@ -3246,11 +3227,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3296,6 +3272,14 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl +--charts <string> +-d +Specify a path to a directory of charts and profiles +(e.g. ~/Downloads/istio-1.5.0/install/kubernetes/operator) +or release tar URL (e.g. https://github.com/istio/istio/releases/download/1.5.1/istio-1.5.1-linux.tar.gz). + (default ``) + + --context <string> The name of the kubeconfig context to use (default ``) 
@@ -3331,11 +3315,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3432,11 +3411,6 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3486,11 +3460,6 @@ istioctl manifest apply --set profile=demo # Use a profile from the list Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3518,7 +3487,7 @@ istioctl manifest apply --set profile=demo # Use a profile from the list --config-path <string> -p -The path the root of the configuration subtree to dump e.g. trafficManagement.components.pilot. By default, dump whole tree (default ``) +The path the root of the configuration subtree to dump e.g. components.pilot. By default, dump whole tree (default ``) --context <string> @@ -3547,11 +3516,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -3602,11 +3566,6 @@ This flag can be specified multiple times to overlay multiple files. Multiple fi Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -4203,6 +4162,11 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t Config namespace (default ``) +--revision <string> + +control plane revision (default ``) + + --sds -s (experimental) Retrieve synchronization between active secrets on Envoy instance with those on corresponding node agents 
@@ -4316,11 +4280,6 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t Kubernetes configuration file (default ``) ---logtostderr - -Send logs to stderr. - - --namespace <string> -n Config namespace (default ``) @@ -4424,7 +4383,7 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl

If you do not specify installation file it will perform pre-check for your cluster and report whether the cluster is ready for Istio installation.

-
istioctl verify-install [flags]
+
istioctl verify-install [-f <deployment or istio operator file>] [--revision <revision>] [flags]
 
@@ -4470,16 +4429,24 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl + + + + +
-R Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
--revision <string>control plane revision (default ``)

Examples


 		# Verify that Istio can be freshly installed
 		istioctl verify-install
-		
+
 		# Verify the deployment matches a custom Istio deployment configuration
 		istioctl verify-install -f $HOME/istio.yaml
 
+		# Verify the deployment matches the Istio Operator deployment definition
+		istioctl verify-install --revision <canary>
+
 

istioctl version

Prints out build version information

@@ -4525,6 +4492,11 @@ https://istio.io/docs/reference/config/istio.operator.v1alpha12.pb/#IstioControl Use --remote=false to suppress control plane check +--revision <string> + +control plane revision (default ``) + + --short -s Use --short=false to generate full version information @@ -4550,6 +4522,12 @@ These environment variables affect the behavior of the istioctl com Whether or not to validate SANs for out-of-process adapters auth. +CENTRAL_ISTIOD +Boolean +false +If this is set to true, one Istiod will control remote clusters including CA. + + CLUSTER_ID String Kubernetes @@ -4604,6 +4582,12 @@ These environment variables affect the behavior of the istioctl com Selects the attribute expression language runtime for Mixer. +ISTIO_PROMETHEUS_ANNOTATIONS +String + + + + JWT_POLICY String third-party-jwt @@ -4622,12 +4606,6 @@ These environment variables affect the behavior of the istioctl com namespace that nodeagent/citadel run in -PILOT_BLOCK_HTTP_ON_443 -Boolean -true -If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic - - PILOT_CERT_DIR String @@ -4706,6 +4684,12 @@ These environment variables affect the behavior of the istioctl com If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. +PILOT_ENABLE_INCREMENTAL_MCP +Boolean +false +If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false. + + PILOT_ENABLE_MYSQL_FILTER Boolean false 
@@ -4730,6 +4714,12 @@ These environment variables affect the behavior of the istioctl com EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. +PILOT_ENABLE_STATUS +Boolean +false +If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status. + + PILOT_ENABLE_TCP_METADATA_EXCHANGE Boolean true @@ -4742,6 +4732,12 @@ These environment variables affect the behavior of the istioctl com EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain. +PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE +Boolean +false +If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored + + PILOT_FILTER_GATEWAY_CLUSTER_CONFIG Boolean false @@ -4790,6 +4786,18 @@ These environment variables affect the behavior of the istioctl com Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy +PILOT_STATUS_BURST +Integer +500 +If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst + + +PILOT_STATUS_QPS +Floating-Point +100 +If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS + + PILOT_TRACE_SAMPLING Floating-Point 100 
@@ -4887,7 +4895,6 @@ These environment variables affect the behavior of the istioctl com outgoing_latencySumThe latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners. pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener. -pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener. pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener. pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host diff --git a/content/en/docs/reference/commands/mixs/index.html b/content/en/docs/reference/commands/mixs/index.html index 67262f0a97..5cab120d54 100644 --- a/content/en/docs/reference/commands/mixs/index.html +++ b/content/en/docs/reference/commands/mixs/index.html 
@@ -347,23 +347,275 @@ These environment variables affect the behavior of the mixs command Whether or not to validate SANs for out-of-process adapters auth. +CENTRAL_ISTIOD +Boolean +false +If this is set to true, one Istiod will control remote clusters including CA. + + +CLUSTER_ID +String +Kubernetes +Defines the cluster and service registry that this Istiod instance is belongs to + + +ISTIOD_ADDR +String + +Service name of istiod. If empty the istiod listener, certs will be disabled. + + +ISTIO_DEFAULT_REQUEST_TIMEOUT +Time Duration +0s +Default Http and gRPC Request timeout + + +ISTIO_GPRC_MAXRECVMSGSIZE +Integer +4194304 +Sets the max receive buffer size of gRPC stream in bytes. + + +ISTIO_GPRC_MAXSTREAMS +Integer +100000 +Sets the maximum number of concurrent grpc streams. + + ISTIO_LANG String Selects the attribute expression language runtime for Mixer. +JWT_POLICY +String +third-party-jwt +The JWT validation policy. + + KUBECONFIG String Path for a kubeconfig file. +PILOT_CERT_DIR +String + + + + +PILOT_CERT_PROVIDER +String +istiod +the provider of Pilot DNS certificate. + + +PILOT_DEBOUNCE_AFTER +Time Duration +100ms +The delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX. + + +PILOT_DEBOUNCE_MAX +Time Duration +10s +The maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push. + + +PILOT_DEBUG_ADSZ_CONFIG +Boolean +false + + + +PILOT_DISTRIBUTION_HISTORY_RETENTION +Time Duration +1m0s +If enabled, Pilot will keep track of old versions of distributed config for this duration. + + +PILOT_ENABLED_SERVICE_APIS +Boolean +false +If this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. 
This feature is currently experimental, and is off by default. + + +PILOT_ENABLE_ANALYSIS +Boolean +false +If enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources + + +PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING +Boolean +true +If enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface. + + +PILOT_ENABLE_CRD_VALIDATION +Boolean +false +If enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed. + + +PILOT_ENABLE_EDS_DEBOUNCE +Boolean +true +If enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled + + +PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICES +Boolean +false +If enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar. + + +PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERS +Boolean +true +If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. + + +PILOT_ENABLE_INCREMENTAL_MCP +Boolean +false +If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false. + + +PILOT_ENABLE_MYSQL_FILTER +Boolean +false +EnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain. 
+ + +PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND +Boolean +true +If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported + + +PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND +Boolean +true +If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported + + +PILOT_ENABLE_REDIS_FILTER +Boolean +false +EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. + + +PILOT_ENABLE_STATUS +Boolean +false +If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status. + + +PILOT_ENABLE_TCP_METADATA_EXCHANGE +Boolean +true +If enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy + + +PILOT_ENABLE_THRIFT_FILTER +Boolean +false +EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain. + + +PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE +Boolean +false +If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored + + +PILOT_FILTER_GATEWAY_CLUSTER_CONFIG +Boolean +false + + + +PILOT_HTTP10 +Boolean +false +Enables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications. + + +PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUT +Time Duration +1s +Protocol detection timeout for inbound listener + + +PILOT_INITIAL_FETCH_TIMEOUT +Time Duration +0s +Specifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup. + + +PILOT_PUSH_THROTTLE +Integer +100 +Limits the number of concurrent pushes allowed. 
On larger machines this can be increased for faster pushes + + +PILOT_SCOPE_GATEWAY_TO_NAMESPACE +Boolean +false +If enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable. + + +PILOT_SIDECAR_USE_REMOTE_ADDRESS +Boolean +false +UseRemoteAddress sets useRemoteAddress to true for side car outbound listeners. + + +PILOT_SKIP_VALIDATE_TRUST_DOMAIN +Boolean +false +Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy + + +PILOT_STATUS_BURST +Integer +500 +If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst + + +PILOT_STATUS_QPS +Floating-Point +100 +If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS + + +PILOT_TRACE_SAMPLING +Floating-Point +100 +Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use. + + +PILOT_USE_ENDPOINT_SLICE +Boolean +false +If enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used + + POD_NAMESPACE String istio-system Namespace for the Mixer pod (Downward API). + +TERMINATION_DRAIN_DURATION_SECONDS +Integer +5 +The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes. +

Exported metrics

diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html index 0f9733d20b..2706e4809a 100644 --- a/content/en/docs/reference/commands/operator/index.html +++ b/content/en/docs/reference/commands/operator/index.html @@ -40,10 +40,6 @@ remove_toc_prefix: 'operator ' ---base-chart-path <string> -The absolute path to a directory containing nested charts, e.g. /etc/istio-operator/helm. This will be used as the base path for any IstioOperator instances specifying a relative ChartPath. (default ``) - - --ctrlz_address <string> The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`) @@ -52,10 +48,6 @@ remove_toc_prefix: 'operator ' The IP port to use for the ControlZ introspection facility (default `9876`) ---default-chart-path <string> -A path relative to base-chart-path containing charts to be used when no ChartPath is specified by an IstioOperator resource, e.g. 1.1.0/istio (default ``) - - --kubeconfig <string> Paths to a kubeconfig. Only required if out-of-cluster. (default ``) 
@@ -65,11 +57,11 @@ remove_toc_prefix: 'operator ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, default, installer, patch, tpath, translator, util, validation] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, default, installer, model, patch, tpath, translator, util, validation] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, default, installer, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authorization, default, installer, model, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> @@ -89,7 +81,7 @@ remove_toc_prefix: 'operator ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, default, installer, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authorization, default, installer, model, patch, tpath, translator, util, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -136,12 +128,293 @@ remove_toc_prefix: 'operator ' +

Environment variables

+These environment variables affect the behavior of the operator command. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Variable NameTypeDefault ValueDescription
CENTRAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance is belongs to
ISTIOD_ADDRStringService name of istiod. If empty the istiod listener, certs will be disabled.
ISTIO_DEFAULT_REQUEST_TIMEOUTTime Duration0sDefault Http and gRPC Request timeout
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
JWT_POLICYStringthird-party-jwtThe JWT validation policy.
PILOT_CERT_DIRString
PILOT_CERT_PROVIDERStringistiodthe provider of Pilot DNS certificate.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this internal. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DEBUG_ADSZ_CONFIGBooleanfalse
PILOT_DISTRIBUTION_HISTORY_RETENTIONTime Duration1m0sIf enabled, Pilot will keep track of old versions of distributed config for this duration.
PILOT_ENABLED_SERVICE_APISBooleanfalseIf this is set to true, support for Kubernetes service-apis (github.com/kubernetes-sigs/service-apis) will be enabled. This feature is currently experimental, and is off by default.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKINGBooleantrueIf enabled, Pilot will assign meaningful nonces to each Envoy configuration message, and allow users to interrogate which envoy has which config from the debug interface.
PILOT_ENABLE_CRD_VALIDATIONBooleanfalseIf enabled, pilot will validate CRDs while retrieving CRDs from kubernetes cache.Use this flag to enable validation of CRDs in Pilot, especially in deployments that do not have galley installed.
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_HEADLESS_SERVICE_POD_LISTENERSBooleantrueIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods.
PILOT_ENABLE_INCREMENTAL_MCPBooleanfalseIf enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUNDBooleantrueIf enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUNDBooleantrueIf enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TCP_METADATA_EXCHANGEBooleantrueIf enabled, metadata exchange will be enabled for TCP using ALPN and Network Metadata Exchange filters in Envoy
PILOT_ENABLE_THRIFT_FILTERBooleanfalseEnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain.
PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATEBooleanfalseIf enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalse
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INBOUND_PROTOCOL_DETECTION_TIMEOUTTime Duration1sProtocol detection timeout for inbound listener
PILOT_INITIAL_FETCH_TIMEOUTTime Duration0sSpecifies the initial_fetch_timeout for config. If this time is reached without a response to the config requested by Envoy, the Envoy will move on with the init phase. This prevents envoy from getting stuck waiting on config during startup.
PILOT_PUSH_THROTTLEInteger100Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for side car outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_QPSFloating-Point100If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_TRACE_SAMPLINGFloating-Point100Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 100, not recommended for production use.
PILOT_USE_ENDPOINT_SLICEBooleanfalseIf enabled, Pilot will use EndpointSlices as the source of endpoints for Kubernetes services. By default, this is false, and Endpoints will be used. This requires the Kubernetes EndpointSlice controller to be enabled. Currently this is mutual exclusive - either Endpoints or EndpointSlices will be used
TERMINATION_DRAIN_DURATION_SECONDSInteger5The amount of time allowed for connections to complete on pilot-agent shutdown. On receiving SIGTERM or SIGINT, pilot-agent tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the TerminationDrainDuration and then kills any remaining active Envoy processes.

Exported metrics

+ + + + + + + + + + + + + + +
Metric NameTypeDescription
endpoint_no_podLastValueEndpoints without an associated pod.
istio_buildLastValueIstio component build info
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener.
pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html index 930d44f996..2e1eb9059a 100644 --- a/content/en/docs/reference/commands/pilot-agent/index.html +++ b/content/en/docs/reference/commands/pilot-agent/index.html @@ -23,11 +23,11 @@ remove_toc_prefix: 'pilot-agent ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -47,7 +47,7 @@ remove_toc_prefix: 'pilot-agent ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -81,12 +81,12 @@ remove_toc_prefix: 'pilot-agent ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -111,7 +111,7 @@ remove_toc_prefix: 'pilot-agent ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -206,12 +206,12 @@ remove_toc_prefix: 'pilot-agent ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -236,7 +236,7 @@ remove_toc_prefix: 'pilot-agent ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -313,11 +313,11 @@ remove_toc_prefix: 'pilot-agent ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -337,7 +337,7 @@ remove_toc_prefix: 'pilot-agent ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -345,7 +345,7 @@ remove_toc_prefix: 'pilot-agent ' --meshConfig <string> -File name for Istio mesh configuration. If not specified, a default mesh will be used. MESH_CONFIG environment variable takes precedence. (default `/etc/istio/config/mesh`) +File name for Istio mesh configuration. If not specified, a default mesh will be used. This may be overridden by PROXY_CONFIG environment variable or istio.io/proxyConfig annotation. (default `./etc/istio/config/mesh`) --mixerIdentity <string> 
@@ -411,11 +411,11 @@ remove_toc_prefix: 'pilot-agent ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -435,7 +435,7 @@ remove_toc_prefix: 'pilot-agent ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -464,12 +464,12 @@ remove_toc_prefix: 'pilot-agent ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -494,7 +494,7 @@ remove_toc_prefix: 'pilot-agent ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authn, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [all, authorization, cache, citadelclient, configmapcontroller, default, googleca, model, sds, secretfetcher, stsclient, stsserver, token, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -538,12 +538,42 @@ These environment variables affect the behavior of the pilot-agent +CENTRAL_ISTIOD +Boolean +false +If this is set to true, one Istiod will control remote clusters including CA. + + CLUSTER_ID String Kubernetes Defines the cluster and service registry that this Istiod instance is belongs to +DNS_ADDR +String +:15053 +DNS listen address + + +DNS_AGENT +String + +DNS-over-TLS upstream server + + +DNS_CAPTURE +String + +If set, enable the capture of outgoing DNS packets on port 53, redirecting to :15013 + + +DNS_SERVER +String + +Protocol and DNS server to use. Currently only tcp-tls: is supported. + + ENABLE_INGRESS_GATEWAY_SDS Boolean false @@ -640,18 +670,18 @@ These environment variables affect the behavior of the pilot-agent +ISTIO_PROMETHEUS_ANNOTATIONS +String + + + + JWT_POLICY String third-party-jwt The JWT validation policy. -MESH_CONFIG -String - -The mesh configuration - - NAMESPACE String istio-system 
@@ -664,12 +694,6 @@ These environment variables affect the behavior of the pilot-agent The output directory for the key and certificate. If empty, key and certificate will not be saved. Must be set for VMs using provisioning certificates. -PILOT_BLOCK_HTTP_ON_443 -Boolean -true -If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic - - PILOT_CERT_DIR String @@ -748,6 +772,12 @@ These environment variables affect the behavior of the pilot-agent If enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. +PILOT_ENABLE_INCREMENTAL_MCP +Boolean +false +If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false. + + PILOT_ENABLE_MYSQL_FILTER Boolean false @@ -772,6 +802,12 @@ These environment variables affect the behavior of the pilot-agent EnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. +PILOT_ENABLE_STATUS +Boolean +false +If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status. + + PILOT_ENABLE_TCP_METADATA_EXCHANGE Boolean true @@ -784,6 +820,12 @@ These environment variables affect the behavior of the pilot-agent EnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain. +PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE +Boolean +false +If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored + + PILOT_FILTER_GATEWAY_CLUSTER_CONFIG Boolean false 
@@ -832,6 +874,18 @@ These environment variables affect the behavior of the pilot-agent Skip validating the peer is from the same trust domain when mTLS is enabled in authentication policy +PILOT_STATUS_BURST +Integer +500 +If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst + + +PILOT_STATUS_QPS +Floating-Point +100 +If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS + + PILOT_TRACE_SAMPLING Floating-Point 100 @@ -874,6 +928,12 @@ These environment variables affect the behavior of the pilot-agent Set to a directory containing provisioned certs, for VMs +PROXY_CONFIG +String + +The proxy configuration. This will be set by the injection - gateways will use file mounts. + + SECRET_GRACE_PERIOD_RATIO Floating-Point 0.5 @@ -931,7 +991,6 @@ These environment variables affect the behavior of the pilot-agent outgoing_latencySumThe latency of outgoing requests (e.g. to a token exchange server, CA, etc.) in milliseconds. pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners. pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener. -pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener. pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener. pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host 
@@ -944,6 +1003,10 @@ These environment variables affect the behavior of the pilot-agent pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore. pilot_virt_servicesLastValueTotal virtual services known to pilot. pilot_vservice_dup_domainLastValueVirtual services with dup domains. +sidecar_injection_failure_totalSumTotal number of failed Side car injection requests. +sidecar_injection_requests_totalSumTotal number of Side car injection requests. +sidecar_injection_skip_totalSumTotal number of skipped injection requests. +sidecar_injection_success_totalSumTotal number of successful Side car injection requests. total_active_connectionsSumThe total number of active SDS connections. total_push_errorsSumThe total number of failed SDS pushes. total_pushesSumThe total number of SDS pushes. diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html index c98e454383..06b8204738 100644 --- a/content/en/docs/reference/commands/pilot-discovery/index.html +++ b/content/en/docs/reference/commands/pilot-discovery/index.html 
@@ -43,11 +43,11 @@ remove_toc_prefix: 'pilot-discovery ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -67,7 +67,7 @@ remove_toc_prefix: 'pilot-discovery ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -94,6 +94,11 @@ remove_toc_prefix: 'pilot-discovery ' Restrict the applications namespace the controller manages; if not set, controller watches all namespaces (default ``) +--clusterID <string> + +The ID of the cluster that this Istiod instance resides (default `Kubernetes`) + + --clusterRegistriesNamespace <string> Namespace for ConfigMap which stores clusters configs (default `istio-system`) 
@@ -166,12 +171,12 @@ remove_toc_prefix: 'pilot-discovery ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -196,7 +201,7 @@ remove_toc_prefix: 'pilot-discovery ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -303,11 +308,11 @@ remove_toc_prefix: 'pilot-discovery ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -327,7 +332,7 @@ remove_toc_prefix: 'pilot-discovery ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> 
@@ -381,12 +386,12 @@ remove_toc_prefix: 'pilot-discovery ' --log_caller <string> -Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] (default ``) +Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] (default ``) --log_output_level <string> -Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) +Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:info`) --log_rotate <string> 
@@ -411,7 +416,7 @@ remove_toc_prefix: 'pilot-discovery ' --log_stacktrace_level <string> -Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) +Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, attributes, authn, authorization, configmapcontroller, default, grpcAdapter, kube, mcp, model, pkica, processing, resource, rootcertrotator, secretcontroller, server, serverca, source, status, validation, validationController, validationServer] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) --log_target <stringArray> @@ -467,6 +472,12 @@ These environment variables affect the behavior of the pilot-discoveryWhether or not to validate SANs for out-of-process adapters auth. +CENTRAL_ISTIOD +Boolean +false +If this is set to true, one Istiod will control remote clusters including CA. + + CITADEL_ENABLE_JITTER_FOR_ROOT_CERT_ROTATOR Boolean true @@ -503,6 +514,30 @@ These environment variables affect the behavior of the pilot-discoveryThe default TTL of issued workload certificates. Applied when the client sets a non-positive TTL in the CSR. +DNS_ADDR +String +:15053 +DNS listen address + + +DNS_AGENT +String + +DNS-over-TLS upstream server + + +DNS_SERVER +String + +Protocol and DNS server to use. Currently only tcp-tls: is supported. + + +ENABLE_INCREMENTAL_MCP +Boolean +false + + + INJECTION_WEBHOOK_CONFIG_NAME String istio-sidecar-injector 
@@ -539,6 +574,12 @@ These environment variables affect the behavior of the pilot-discoverySelects the attribute expression language runtime for Mixer. +ISTIO_PROMETHEUS_ANNOTATIONS +String + + + + JWT_POLICY String third-party-jwt @@ -557,12 +598,6 @@ These environment variables affect the behavior of the pilot-discoveryKuberenetes service host, set automatically when running in-cluster -MASTER_ELECTION -Boolean -true -Enable master election - - MAX_WORKLOAD_CERT_TTL Time Duration 2160h0m0s @@ -581,12 +616,6 @@ These environment variables affect the behavior of the pilot-discovery -PILOT_BLOCK_HTTP_ON_443 -Boolean -true -If enabled, any HTTP services will be blocked on HTTPS port (443). If this is disabled, any HTTP service on port 443 could block all external traffic - - PILOT_CERT_DIR String @@ -665,6 +694,12 @@ These environment variables affect the behavior of the pilot-discoveryIf enabled, for a headless service/stateful set in Kubernetes, pilot will generate an outbound listener for each pod in a headless service. This feature should be disabled if headless services have a large number of pods. +PILOT_ENABLE_INCREMENTAL_MCP +Boolean +false +If enabled, pilot will set the incremental flag of the options in the mcp controller to true, and then galley may push data incrementally, it depends on whether the resource supports incremental. By default, this is false. + + PILOT_ENABLE_MYSQL_FILTER Boolean false @@ -689,6 +724,12 @@ These environment variables affect the behavior of the pilot-discoveryEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain. +PILOT_ENABLE_STATUS +Boolean +false +If enabled, pilot will update the CRD Status field of all istio resources with reconciliation status. + + PILOT_ENABLE_TCP_METADATA_EXCHANGE Boolean true 
@@ -701,6 +742,12 @@ These environment variables affect the behavior of the pilot-discoveryEnableThriftFilter enables injection of `envoy.filters.network.thrift_proxy` in the filter chain. +PILOT_ENABLE_VIRTUAL_SERVICE_DELEGATE +Boolean +false +If enabled, Pilot will merge virtual services with delegates. By default, this is false, and virtualService with delegate will be ignored + + PILOT_FILTER_GATEWAY_CLUSTER_CONFIG Boolean false @@ -749,6 +796,18 @@ These environment variables affect the behavior of the pilot-discoverySkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy +PILOT_STATUS_BURST +Integer +500 +If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst + + +PILOT_STATUS_QPS +Floating-Point +100 +If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS + + PILOT_TRACE_SAMPLING Floating-Point 100 @@ -895,7 +954,6 @@ These environment variables affect the behavior of the pilot-discoverymixer_runtime_dispatches_totalCountTotal number of adapter dispatches handled by Mixer. pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners. pilot_conflict_outbound_listener_http_over_current_tcpLastValueNumber of conflicting wildcard http listeners with current wildcard tcp listener. -pilot_conflict_outbound_listener_http_over_httpsLastValueNumber of conflicting HTTP listeners with well known HTTPS ports pilot_conflict_outbound_listener_tcp_over_current_httpLastValueNumber of conflicting wildcard tcp listeners with current wildcard http listener. pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener. pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host 
diff --git a/content/en/docs/reference/config/annotations/index.html b/content/en/docs/reference/config/annotations/index.html
index 397d7a9df8..ef85cecd68 100644
--- a/content/en/docs/reference/config/annotations/index.html
+++ b/content/en/docs/reference/config/annotations/index.html
@@ -139,6 +139,16 @@ Istio supports to control its behavior.
+ + + prometheus.istio.io/merge-metrics + [Pod] + Specifies if application Prometheus metric will be merged with Envoy metrics for this workload. + + + + + readiness.status.sidecar.istio.io/applicationPorts
diff --git a/content/en/docs/reference/config/attributegen/index.html b/content/en/docs/reference/config/attributegen/index.html
new file mode 100644
index 0000000000..b8c7b51bae
--- /dev/null
+++ b/content/en/docs/reference/config/attributegen/index.html
@@ -0,0 +1,281 @@
+---
+WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
+source_repo: https://github.com/istio/proxy
+title: AttributeGen Config
+description: Configuration for Attribute Generation plugin.
+location: https://istio.io/docs/reference/config/attributegen.html
+layout: protoc-gen-docs
+generator: protoc-gen-docs
+schema: istio.attributegen
+weight: 20
+number_of_entries: 3
+---

AttributeGen plugin uses builtin attributes +as inputs and produces new attributes that can be used by downstream plugins.

+ +

The following is an example of a configuration that produces one attribute +named istio.operationId using request.url_path and request.method.

+ +

{{}} +{{}}

+ +
{
+  "attributes": [
+    {
+      "output_attribute": "istio.operationId",
+      "match": [
+        {
+          "value": "ListBooks",
+          "condition": "request.url_path == '/books' && request.method ==
+          'GET'"
+        },
+        {
+          "value": "GetBook",
+          "condition":
+          "request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
+          && request.method == 'GET'"
+        },
+        {
+          "value": "CreateBook",
+          "condition": "request.url_path == '/books/' && request.method ==
+          'POST'"
+        }
+      ]
+    }
+  ]
+}
+
+
+ +

{{}} +{{}}

+ +

If the Stats plugin runs after AttributeGen, it can use istio.operationId +to populate a dimension on a metric.

+ +

The following is an example of response codes being mapped into a smaller +number of response classes as the istio.responseClass attribute. For +example, all response codes in 200s are mapped to 2xx.

+ +

{{}} +{{}}

+ +
{
+  "attributes": [
+    {
+      "output_attribute": "istio.responseClass",
+      "match": [
+        {
+          "value": "2xx",
+          "condition": "response.code >= 200 && response.code <= 299"
+        },
+        {
+          "value": "3xx",
+          "condition": "response.code >= 300 && response.code <= 399"
+        },
+        {
+          "value": "404",
+          "condition": "response.code == 404"
+        },
+        {
+          "value": "429",
+          "condition": "response.code == 429"
+        },
+        {
+          "value": "503",
+          "condition": "response.code == 503"
+        },
+        {
+          "value": "5xx",
+          "condition": "response.code >= 500 && response.code <= 599"
+        },
+        {
+          "value": "4xx",
+          "condition": "response.code >= 400 && response.code <= 499"
+        }
+      ]
+    }
+  ]
+}
+
+
+ +

{{}} +{{}}

+ +

If multiple AttributeGene configurations produce the same attribute, the +result of the last configuration will be visible to downstream filters.

+ +

PluginConfig

+
+

Top level configuration to generate new attributes based on attributes of the +proxied traffic.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
debugbool +

The following settings should be rarely used. +Enable debug for this filter.

+ +
+No +
attributesAttributeGeneration[] +

Multiple independent attribute generation configurations.

+ +
+No +
+
+

AttributeGeneration

+
+

AttributeGeneration define generation of one attribute.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
outputAttributestring +

The name of the attribute that is populated on a successful match.

+ +

Example: istio.operationId

+ +

istio. attribute namespace is reserved by Istio.

+ +

AttributeGeneration may fail to evaluate when an attribute is not +available. For example, response.code may not be available when a request +ends abruptly. When attribute generation fails, it will not populate the +attribute.

+ +

If the generated attribute is used by an authz plugin, it should account +for the possibility that the attribute may be missing. Use +has(attribute_name) function to check for presence of an attribute before +using its value, and provide appropriate defaults. For example the +following is a safe use of response.code

+ +

has(response.code)?response.code:200

+ +
+No +
matchMatch[] +

Matches are evaluated in order until the first successful match. +The value specified by the successful match is assgined to the +output_attribute.

+ +
+No +
+
+

Match

+
+

If the condition evaluates to true then the Match returns the specified +value.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
conditionstring +

The condition is a CEL +expression +that may use builtin attributes.

+ +

Example:

+ +

{{}} +{{}}

+ +
   {
+     "value": "GetBook",
+     "condition":
+     "request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
+     && request.method == 'GET'"
+   },
+
+ +

Note: CEL uses re2 regex +library. Use anchors {^, $} to ensure that the regex evaluates +efficiently.

+ +

Note: request.url_path is normalized and stripped of query params.

+ +

a Read only operation on books

+ +
{ "value": "ReadOnlyBooks",
+  "condition": "request.url_path.startsWith('/books/') &&
+  in(request.method, ['GET', 'HEAD'])"}
+
+ +

{{}} +{{}}

+ +

An empty condition evaluates to true and should be used to provide a +default value.

+ +
+No +
valuestring +

If condition evaluates to true, return the value.

+ +
+No +
+
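Review bot: The closing sentence of the overview reads `If multiple AttributeGene configurations produce the same attribute`, where the type is `AttributeGen`, and the `match` field description says `assgined` for `assigned`; both strings come from the proto comments in istio/proxy, which is where the fix goes. The last-writer-wins rule in that sentence matters for the authz guidance given under `outputAttribute`: an attribute consumed by an authz plugin can be silently replaced by a later configuration writing the same name, so that description should add something like `Attributes used for authorization decisions should be produced by exactly one configuration; a later configuration writing the same output_attribute replaces the value.` The `condition` description's `An empty condition evaluates to true and should be used to provide a default value` should also say that such an entry must be the last element of `match`, because matches are evaluated in order until the first success and an earlier empty condition shadows every entry after it.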
diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
index 0d9ce172e6..4553a2932c 100644
--- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
+++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html
@@ -7,7 +7,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 weight: 20
-number_of_entries: 24
+number_of_entries: 25
 ---

Configuration affecting the service mesh as a whole.

@@ -64,6 +64,19 @@ No

Use a Stackdriver tracer.

+ + +No + + + +tlsSettings +ClientTLSSettings + +

Use the tls_settings to specify the tls mode to use. If the remote tracing service +uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS +mode as ISTIO_MUTUAL.

+ No @@ -359,6 +372,20 @@ No

Port on which the agent should listen for administrative commands such as readiness probe.

+ + +No + + + +extraStatTags +string[] + +

An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be +added by configuring the telemetry extension. Each additional tag needs to be present in this list. +Extra tags emitted by the telemetry extensions must be listed here so that they can be processed +and exposed as Prometheus metrics.

+ No @@ -490,28 +517,6 @@ No

The Lightstep access token.

- - -No - - - -secure -bool - -

True if a secure connection should be used when communicating with the pool.

- - - -No - - - -cacertPath -string - -

Path to the trusted cacert used to authenticate the pool.

- No @@ -1165,6 +1170,25 @@ No

Set configuration for Thrift protocol

+ + +No + + + +enablePrometheusMerge +BoolValue + +

If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy +and Istio agent. The sidecar injection will replace prometheus.io annotations present on the pod +and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. +This relies on the annotations prometheus.io/scrape, prometheus.io/port, and +prometheus.io/path annotations. +If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. +In this case, it is recommended to disable aggregation on that deployment with the +prometheus.istio.io/merge-metrics: "false" annotation. +If not specified, this will be enabled by default.

+ No @@ -1339,6 +1363,52 @@ No
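Review bot: The new `enablePrometheusMerge` description has two wording slips that belong in the upstream proto comment: `merge metrics of from the application` should drop `of`, and `This relies on the annotations prometheus.io/scrape, prometheus.io/port, and prometheus.io/path annotations` repeats `annotations`. The paragraph also states the default only at the very end (`If not specified, this will be enabled by default`); since the merge rewrites the pod's scrape annotations, that on-by-default behaviour is the first thing an operator auditing scrape targets needs to know and would be clearer as the opening sentence.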

Specify thrift rate limit service timeout, in milliseconds. Default is 50ms

+ + +No + + + + + +

MeshConfig.ServiceSettings.Settings

+
+

Settings for the selected services.

+ + + + + + + + + + + + + + + - + diff --git a/content/en/docs/reference/config/networking/service-entry/index.html b/content/en/docs/reference/config/networking/service-entry/index.html index 2ccf7eb226..034b87e3db 100644 --- a/content/en/docs/reference/config/networking/service-entry/index.html +++ b/content/en/docs/reference/config/networking/service-entry/index.html @@ -564,13 +564,13 @@ spec: endpoints: - address: us.foo.bar.com ports: - https: 8080 + http: 8080 - address: uk.foo.bar.com ports: - https: 9080 + http: 9080 - address: in.foo.bar.com ports: - https: 7080 + http: 7080

{{}}

diff --git a/content/en/docs/reference/config/networking/virtual-service/index.html b/content/en/docs/reference/config/networking/virtual-service/index.html
index d1b0fe69ef..fcf908930b 100644
--- a/content/en/docs/reference/config/networking/virtual-service/index.html
+++ b/content/en/docs/reference/config/networking/virtual-service/index.html
@@ -6,9 +6,9 @@ description: Configuration affecting label/content routing, sni routing, etc.
 location: https://istio.io/docs/reference/config/networking/virtual-service.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-schema: istio.networking.v1beta1.VirtualService
-aliases: [/docs/reference/config/networking/v1beta1/virtual-service]
-number_of_entries: 23
+schema: istio.networking.v1alpha3.VirtualService
+aliases: [/docs/reference/config/networking/v1alpha3/virtual-service]
+number_of_entries: 24
 ---

Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

@@ -52,6 +52,40 @@ pods of the reviews service with label “version: v1”. In addition, HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will be rewritten to /newcatalog and sent to pods with label “version: v2”.

+

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: reviews-route
+spec:
+  hosts:
+  - reviews.prod.svc.cluster.local
+  http:
+  - name: "reviews-v2-routes"
+    match:
+    - uri:
+        prefix: "/wpcatalog"
+    - uri:
+        prefix: "/consumercatalog"
+    rewrite:
+      uri: "/newcatalog"
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v2
+  - name: "reviews-v1-route"
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+        subset: v1
+
+ +

{{}}

+ +

{{}}

+
apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -79,10 +113,35 @@ spec:
         subset: v1
 
+

{{}} +{{}}

+

A subset/version of a route destination is identified with a reference to a named service subset which must be declared in a corresponding DestinationRule.

+

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: reviews-destination
+spec:
+  host: reviews.prod.svc.cluster.local
+  subsets:
+  - name: v1
+    labels:
+      version: v1
+  - name: v2
+    labels:
+      version: v2
+
+ +

{{}}

+ +

{{}}

+
apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -98,39 +157,12 @@ spec:
       version: v2
 
-

CorsPolicy

-
-

Describes the Cross-Origin Resource Sharing (CORS) policy, for a given -service. Refer to CORS -for further details about cross origin resource sharing. For example, -the following rule restricts cross origin requests to those originating -from example.com domain using HTTP POST/GET, and sets the -Access-Control-Allow-Credentials header to false. In addition, it only -exposes X-Foo-bar header and sets an expiry period of 1 day.

+

{{}} +{{}}

-
apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
-  name: ratings-route
-spec:
-  hosts:
-  - ratings.prod.svc.cluster.local
-  http:
-  - route:
-    - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    corsPolicy:
-      allowOrigin:
-      - example.com
-      allowMethods:
-      - POST
-      - GET
-      allowCredentials: false
-      allowHeaders:
-      - X-Foo-Bar
-      maxAge: "24h"
-
+

VirtualService

+
+

Configuration affecting traffic routing.

FieldTypeDescriptionRequired
clusterLocalbool +

If true, specifies that the client and service endpoints must reside in the same cluster. +By default, in multi-cluster deployments, the Istio control plane assumes all service +endpoints to be reachable from any client in any of the clusters which are part of the +mesh. This configuration option limits the set of service endpoints visible to a client +to be cluster scoped.

+ +

There are some common scenarios when this can be useful:

+ +
    +
  • A service (or group of services) is inherently local to the cluster and has local storage +for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
  • +
  • A mesh administrator wants to slowly migrate services to Istio. They might start by first +having services cluster-local and then slowly transition them to mesh-wide. They could do +this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group +(e.g. *.myns.svc.cluster.local).
  • +
+ +

By default, Istio will consider all services in the kube-system namespace to be cluster-local, +unless explicitly overridden here.

+
No diff --git a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html index 9d45c422df..7ca625775f 100644 --- a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html @@ -2715,7 +2715,7 @@ No
meshConfigMeshConfigTypeMapStringInterface2

Config used by control plane components internally.

diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html index 8f0c3263e5..d756225c8f 100644 --- a/content/en/docs/reference/config/networking/envoy-filter/index.html +++ b/content/en/docs/reference/config/networking/envoy-filter/index.html @@ -121,7 +121,7 @@ spec: value: # lua filter specification name: envoy.lua typed_config: - "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua" + "@type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua" inlineCode: | function envoy_on_request(request_handle) -- Make an HTTP call to an upstream host with the following headers, body, and timeout. diff --git a/content/en/docs/reference/config/networking/gateway/index.html b/content/en/docs/reference/config/networking/gateway/index.html index 6af86b7462..7fcbbd280c 100644 --- a/content/en/docs/reference/config/networking/gateway/index.html +++ b/content/en/docs/reference/config/networking/gateway/index.html @@ -656,7 +656,7 @@ Yes
-No +Yes
@@ -142,74 +174,134 @@ spec: - - - - - - - - + + - - + + - - + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - -
allowOriginsStringMatch[] -

String patterns that match allowed origins. -An origin is allowed if any of the string matchers match. -If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

- -
-No -
allowMethods
hosts string[] -

List of HTTP methods allowed to access the resource. The content will -be serialized into the Access-Control-Allow-Methods header.

+

The destination hosts to which traffic is being sent. Could +be a DNS name with wildcard prefix or an IP address. Depending on the +platform, short-names can also be used instead of a FQDN (i.e. has no +dots in the name). In such a scenario, the FQDN of the host would be +derived based on the underlying platform.

+ +

A single VirtualService can be used to describe all the traffic +properties of the corresponding hosts, including those for multiple +HTTP and TCP ports. Alternatively, the traffic properties of a host +can be defined using more than one VirtualService, with certain +caveats. Refer to the +Operations Guide +for details.

+ +

Note for Kubernetes users: When short names are used (e.g. “reviews” +instead of “reviews.default.svc.cluster.local”), Istio will interpret +the short name based on the namespace of the rule, not the service. A +rule in the “default” namespace containing a host “reviews” will be +interpreted as “reviews.default.svc.cluster.local”, irrespective of +the actual namespace associated with the reviews service. To avoid +potential misconfigurations, it is recommended to always use fully +qualified domain names over short names.

+ +

The hosts field applies to both HTTP and TCP services. Service inside +the mesh, i.e., those found in the service registry, must always be +referred to using their alphanumeric names. IP addresses are allowed +only for services defined via the Gateway.

+ +

Note: It must be empty for a delegate VirtualService.

No
allowHeaders
gateways string[] -

List of HTTP headers that can be used when requesting the -resource. Serialized to Access-Control-Allow-Headers header.

+

The names of gateways and sidecars that should apply these routes. +Gateways in other namespaces may be referred to by +<gateway namespace>/<gateway name>; specifying a gateway with no +namespace qualifier is the same as specifying the VirtualService’s +namespace. A single VirtualService is used for sidecars inside the mesh as +well as for one or more gateways. The selection condition imposed by this +field can be overridden using the source field in the match conditions +of protocol-specific routes. The reserved word mesh is used to imply +all the sidecars in the mesh. When this field is omitted, the default +gateway (mesh) will be used, which would apply the rule to all +sidecars in the mesh. If a list of gateway names is provided, the +rules will apply only to the gateways. To apply the rules to both +gateways and sidecars, specify mesh as one of the gateway names.

No
exposeHeaders
httpHTTPRoute[] +

An ordered list of route rules for HTTP traffic. HTTP routes will be +applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway +ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service +entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching +an incoming request is used.

+ +
+No +
tlsTLSRoute[] +

An ordered list of route rule for non-terminated TLS & HTTPS +traffic. Routing is typically performed using the SNI value presented +by the ClientHello message. TLS routes will be applied to platform +service ports named ‘https-’, ‘tls-’, unterminated gateway ports using +HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service +entry ports using HTTPS/TLS protocols. The first rule matching an +incoming request is used. NOTE: Traffic ‘https-’ or ‘tls-’ ports +without associated virtual service will be treated as opaque TCP +traffic.

+ +
+No +
tcpTCPRoute[] +

An ordered list of route rules for opaque TCP traffic. TCP routes will +be applied to any port that is not a HTTP or TLS port. The first rule +matching an incoming request is used.

+ +
+No +
exportTo string[] -

A white list of HTTP headers that the browsers are allowed to -access. Serialized into Access-Control-Expose-Headers header.

+

A list of namespaces to which this virtual service is exported. Exporting a +virtual service allows it to be used by sidecars and gateways defined in +other namespaces. This feature provides a mechanism for service owners +and mesh administrators to control the visibility of virtual services +across namespace boundaries.

-
-No -
maxAgeDuration -

Specifies how long the results of a preflight request can be -cached. Translates to the Access-Control-Max-Age header.

+

If no namespaces are specified then the virtual service is exported to all +namespaces by default.

-
-No -
allowCredentialsBoolValue -

Indicates whether the caller is allowed to send the actual request -(not the preflight) using credentials. Translates to -Access-Control-Allow-Credentials header.

+

The value “.” is reserved and defines an export to the same namespace that +the virtual service is declared in. Similarly the value “*” is reserved and +defines an export to all namespaces.

+ +

NOTE: in the current release, the exportTo value is restricted to +“.” or “*” (i.e., the current namespace or all namespaces).

@@ -242,6 +334,39 @@ domain names over short names.

of the reviews service with label “version: v1” (i.e., subset v1), and some to subset v2, in a Kubernetes environment.

+

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: reviews-route
+  namespace: foo
+spec:
+  hosts:
+  - reviews # interpreted as reviews.foo.svc.cluster.local
+  http:
+  - match:
+    - uri:
+        prefix: "/wpcatalog"
+    - uri:
+        prefix: "/consumercatalog"
+    rewrite:
+      uri: "/newcatalog"
+    route:
+    - destination:
+        host: reviews # interpreted as reviews.foo.svc.cluster.local
+        subset: v2
+  - route:
+    - destination:
+        host: reviews # interpreted as reviews.foo.svc.cluster.local
+        subset: v1
+
+ +

{{}}

+ +

{{}}

+
apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -268,8 +393,34 @@ spec:
         subset: v1
 
+

{{}} +{{}}

+

And the associated DestinationRule

+

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: reviews-destination
+  namespace: foo
+spec:
+  host: reviews # interpreted as reviews.foo.svc.cluster.local
+  subsets:
+  - name: v1
+    labels:
+      version: v1
+  - name: v2
+    labels:
+      version: v2
+
+ +

{{}}

+ +

{{}}

+
apiVersion: networking.istio.io/v1beta1
 kind: DestinationRule
 metadata:
@@ -286,6 +437,9 @@ spec:
       version: v2
 
+

{{}} +{{}}

+

The following VirtualService sets a timeout of 5s for all calls to productpage.prod.svc.cluster.local service in Kubernetes. Notice that there are no subsets defined in this rule. Istio will fetch all @@ -296,6 +450,28 @@ qualified domain name of the productpage service, productpage.prod.svc.cluster.local. Therefore the rule’s namespace does not have an impact in resolving the name of the productpage service.

+

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: my-productpage-rule
+  namespace: istio-system
+spec:
+  hosts:
+  - productpage.prod.svc.cluster.local # ignores rule namespace
+  http:
+  - timeout: 5s
+    route:
+    - destination:
+        host: productpage.prod.svc.cluster.local
+
+ +

{{}}

+ +

{{}}

+
apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -311,12 +487,50 @@ spec:
         host: productpage.prod.svc.cluster.local
 
+

{{}} +{{}}

+

To control routing for traffic bound to services outside the mesh, external services must first be added to Istio’s internal service registry using the ServiceEntry resource. VirtualServices can then be defined to control traffic bound to these external services. For example, the following rules define a Service for wikipedia.org and set a timeout of 5s for HTTP requests.

+

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: external-svc-wikipedia
+spec:
+  hosts:
+  - wikipedia.org
+  location: MESH_EXTERNAL
+  ports:
+  - number: 80
+    name: example-http
+    protocol: HTTP
+  resolution: DNS
+
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: my-wiki-rule
+spec:
+  hosts:
+  - wikipedia.org
+  http:
+  - timeout: 5s
+    route:
+    - destination:
+        host: wikipedia.org
+
+ +

{{}}

+ +

{{}}

+
apiVersion: networking.istio.io/v1beta1
 kind: ServiceEntry
 metadata:
@@ -331,7 +545,7 @@ spec:
     protocol: HTTP
   resolution: DNS
 
-apiVersion: networking.istio.io/v1beta1
+apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
   name: my-wiki-rule
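Review bot: Only the VirtualService's `apiVersion` in the v1beta1 tab of the wikipedia example is switched to `networking.istio.io/v1alpha3`, while the ServiceEntry a few lines above it stays at `networking.istio.io/v1beta1`, so the v1beta1 snippet now mixes API versions and no longer illustrates v1beta1. The v1alpha3 tab added in the preceding hunk already shows both resources at v1alpha3, so this line should remain `apiVersion: networking.istio.io/v1beta1`. The snippet begins outside this hunk, and because the page is generated the correction belongs in the upstream proto comment.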
@@ -345,6 +559,9 @@ spec:
         host: wikipedia.org
 
+

{{}} +{{}}

+ @@ -408,16 +625,10 @@ No
-

HTTPFaultInjection

+

HTTPRoute

-

HTTPFaultInjection can be used to specify one or more faults to inject -while forwarding HTTP requests to the destination specified in a route. -Fault specification is part of a VirtualService rule. Faults include -aborting the Http request from downstream service, and/or delaying -proxying of requests. A fault rule MUST HAVE delay or abort or both.

- -

Note: Delay and abort faults are independent of one another, even if -both are specified simultaneously.

+

Describes match conditions and actions for routing HTTP/1.1, HTTP2, and +gRPC traffic. See VirtualService for usage examples.

@@ -429,24 +640,187 @@ both are specified simultaneously.

- - - + + + - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
delayDelay
namestring -

Delay requests before forwarding, emulating various failures such as -network issues, overloaded upstream service, etc.

+

The name assigned to the route for debugging purposes. The +route’s name will be concatenated with the match’s name and will +be logged in the access logs for requests matching this +route/match.

No
abortAbort
matchHTTPMatchRequest[] -

Abort Http request attempts and return error codes back to downstream -service, giving the impression that the upstream service is faulty.

+

Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule +is matched if any one of the match blocks succeed.

+ +
+No +
routeHTTPRouteDestination[] +

A HTTP rule can either redirect or forward (default) traffic. The +forwarding target can be one of several versions of a service (see +glossary in beginning of document). Weights associated with the +service version determine the proportion of traffic it receives.

+ +
+No +
redirectHTTPRedirect +

A HTTP rule can either redirect or forward (default) traffic. If +traffic passthrough option is specified in the rule, +route/redirect will be ignored. The redirect primitive can be used to +send a HTTP 301 redirect to a different URI or Authority.

+ +
+No +
delegateDelegate +

Delegate is used to specify the particular VirtualService which +can be used to define delegate HTTPRoute. +It can be set only when Route and Redirect are empty, and the route rules of the +delegate VirtualService will be merged with that in the current one. +NOTE: + 1. Only one level delegation is supported. + 2. The delegate’s HTTPMatchRequest must be a strict subset of the root’s, + otherwise there is a conflict and the HTTPRoute will not take effect.

+ +
+No +
rewriteHTTPRewrite +

Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with +Redirect primitive. Rewrite will be performed before forwarding.

+ +
+No +
timeoutDuration +

Timeout for HTTP requests.

+ +
+No +
retriesHTTPRetry +

Retry policy for HTTP requests.

+ +
+No +
faultHTTPFaultInjection +

Fault injection policy to apply on HTTP traffic at the client side. +Note that timeouts or retries will not be enabled when faults are +enabled on the client side.

+ +
+No +
mirrorDestination +

Mirror HTTP traffic to a another destination in addition to forwarding +the requests to the intended destination. Mirrored traffic is on a +best effort basis where the sidecar/gateway will not wait for the +mirrored cluster to respond before returning the response from the +original destination. Statistics will be generated for the mirrored +destination.

+ +
+No +
mirrorPercentagePercent +

Percentage of the traffic to be mirrored by the mirror field. +If this field is absent, all the traffic (100%) will be mirrored. +Max value is 100.

+ +
+No +
corsPolicyCorsPolicy +

Cross-Origin Resource Sharing policy (CORS). Refer to +CORS +for further details about cross origin resource sharing.

+ +
+No +
headersHeaders +

Header manipulation rules

+ +
+No +
mirrorPercentUInt32Value +

Percentage of the traffic to be mirrored by the mirror field. +Use of integer mirror_percent value is deprecated. Use the +double mirror_percentage field instead

@@ -456,36 +830,66 @@ No
-

HTTPFaultInjection.Abort

+

Delegate

-

Abort specification is used to prematurely abort a request with a -pre-specified error code. The following example will return an HTTP 400 -error code for 1 out of every 1000 requests to the “ratings” service “v1”.

+

Describes the delegate VirtualService. +The following routing rules forward the traffic to /productpage by a delegate VirtualService named productpage, +forward the traffic to /reviews by a delegate VirtualService named reviews.

-
apiVersion: networking.istio.io/v1beta1
+
apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
-  name: ratings-route
+  name: bookinfo
 spec:
   hosts:
-  - ratings.prod.svc.cluster.local
+  - "bookinfo.com"
+  gateways:
+  - mygateway
+  http:
+  - match:
+    - uri:
+        prefix: "/productpage"
+    delegate:
+       name: productpage
+       namespace: nsA
+  - match:
+    - uri:
+        prefix: "/reviews"
+    delegate:
+        name: reviews
+        namespace: nsB
+
+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: productpage
+  namespace: nsA
+spec:
+  http:
+  - match:
+     - uri:
+        prefix: "/productpage/v1/"
+    route:
+    - destination:
+        host: productpage-v1.nsA.svc.cluster.local
+  - route:
+    - destination:
+        host: productpage.nsA.svc.cluster.local
+
+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: reviews
+  namespace: nsB
+spec:
   http:
   - route:
     - destination:
-        host: ratings.prod.svc.cluster.local
-        subset: v1
-    fault:
-      abort:
-        percentage:
-          value: 0.1
-        httpStatus: 400
+        host: reviews.nsB.svc.cluster.local
 
-

The httpStatus field is used to indicate the HTTP status code to -return to the caller. The optional percentage field can be used to only -abort a certain percentage of requests. If not specified, all requests are -aborted.

- @@ -496,22 +900,23 @@ aborted.

- - - + + + - - - + + +
httpStatusint32 (oneof)
namestring -

HTTP status code to use to abort the Http request.

+

Name specifies the name of the delegate VirtualService.

-Yes +No
percentagePercent
namespacestring -

Percentage of requests to be aborted with the error code provided.

+

Namespace specifies the namespace where the delegate VirtualService resides. +By default, it is same to the root’s.

@@ -521,38 +926,113 @@ No
-

HTTPFaultInjection.Delay

+

Headers

-

Delay specification is used to inject latency into the request -forwarding path. The following example will introduce a 5 second delay -in 1 out of every 1000 requests to the “v1” version of the “reviews” -service from all pods with label env: prod

+ + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
requestHeaderOperations +

Header manipulation rules to apply before forwarding a request +to the destination service

+ +
+No +
responseHeaderOperations +

Header manipulation rules to apply before returning a response +to the caller

+ +
+No +
+
+

TLSRoute

+
+

Describes match conditions and actions for routing unterminated TLS +traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS +traffic arriving at port 443 of gateway called “mygateway” to internal +services in the mesh based on the SNI value.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: bookinfo-sni
+spec:
+  hosts:
+  - "*.bookinfo.com"
+  gateways:
+  - mygateway
+  tls:
+  - match:
+    - port: 443
+      sniHosts:
+      - login.bookinfo.com
+    route:
+    - destination:
+        host: login.prod.svc.cluster.local
+  - match:
+    - port: 443
+      sniHosts:
+      - reviews.bookinfo.com
+    route:
+    - destination:
+        host: reviews.prod.svc.cluster.local
+
+ +

{{}}

+ +

{{}}

apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
-  name: reviews-route
+  name: bookinfo-sni
 spec:
   hosts:
-  - reviews.prod.svc.cluster.local
-  http:
+  - "*.bookinfo.com"
+  gateways:
+  - mygateway
+  tls:
   - match:
-    - sourceLabels:
-        env: prod
+    - port: 443
+      sniHosts:
+      - login.bookinfo.com
+    route:
+    - destination:
+        host: login.prod.svc.cluster.local
+  - match:
+    - port: 443
+      sniHosts:
+      - reviews.bookinfo.com
     route:
     - destination:
         host: reviews.prod.svc.cluster.local
-        subset: v1
-    fault:
-      delay:
-        percentage:
-          value: 0.1
-        fixedDelay: 5s
 
-

The fixedDelay field is used to indicate the amount of delay in seconds. -The optional percentage field can be used to only delay a certain -percentage of requests. If left unspecified, all request will be delayed.

+

{{}} +{{}}

@@ -564,36 +1044,113 @@ percentage of requests. If left unspecified, all request will be delayed.

- - - + + + - - - + + + - - - + +
fixedDelayDuration (oneof)
matchTLSMatchAttributes[] -

Add a fixed delay before forwarding the request. Format: -1h/1m/1s/1ms. MUST be >=1ms.

+

Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule +is matched if any one of the match blocks succeed.

Yes
percentagePercent
routeRouteDestination[] -

Percentage of requests on which the delay will be injected.

+

The destination to which the connection should be forwarded to.

No
percentint32
+
+

TCPRoute

+
+

Describes match conditions and actions for routing TCP traffic. The +following routing rule forwards traffic arriving at port 27017 for +mongo.prod.svc.cluster.local to another Mongo server on port 5555.

+ +

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: bookinfo-Mongo
+spec:
+  hosts:
+  - mongo.prod.svc.cluster.local
+  tcp:
+  - match:
+    - port: 27017
+    route:
+    - destination:
+        host: mongo.backup.svc.cluster.local
+        port:
+          number: 5555
+
+ +

{{}}

+ +

{{}}

+ +
apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: bookinfo-Mongo
+spec:
+  hosts:
+  - mongo.prod.svc.cluster.local
+  tcp:
+  - match:
+    - port: 27017
+    route:
+    - destination:
+        host: mongo.backup.svc.cluster.local
+        port:
+          number: 5555
+
+ +

{{}} +{{}}

+ + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
matchL4MatchAttributes[] -

Percentage of requests on which the delay will be injected (0-100). -Use of integer percent value is deprecated. Use the double percentage -field instead.

+

Match conditions to be satisfied for the rule to be +activated. All conditions inside a single match block have AND +semantics, while the list of match blocks have OR semantics. The rule +is matched if any one of the match blocks succeed.

+ +
+No +
routeRouteDestination[] +

The destination to which the connection should be forwarded to.

@@ -611,6 +1168,33 @@ restricts the rule to match only requests where the URL path starts with /ratings/v2/ and the request contains a custom end-user header with value jason.

+

{{}} +{{}}

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: ratings-route
+spec:
+  hosts:
+  - ratings.prod.svc.cluster.local
+  http:
+  - match:
+    - headers:
+        end-user:
+          exact: jason
+      uri:
+        prefix: "/ratings/v2/"
+      ignoreUriCase: true
+    route:
+    - destination:
+        host: ratings.prod.svc.cluster.local
+
+ +

{{}}

+ +

{{}}

+
apiVersion: networking.istio.io/v1beta1
 kind: VirtualService
 metadata:
@@ -631,7 +1215,11 @@ spec:
         host: ratings.prod.svc.cluster.local
 
-

HTTPMatchRequest CANNOT be empty.

+

{{}} +{{}}

+ +

HTTPMatchRequest CANNOT be empty. +Note: No regex string match can be set when delegate VirtualService is specified.

@@ -756,7 +1344,8 @@ e.g. x-request-id.

  • regex: "value" for ECMAscript style regex-based match

  • -

    Note: The keys uri, scheme, method, and authority will be ignored.

    +

    If the value is empty and only the name of header is specfied, presence of the header is checked. +Note: The keys uri, scheme, method, and authority will be ignored.

    + + + + + + - - - -
    @@ -834,6 +1423,18 @@ No

    Note: The case will be ignored only in the case of exact and prefix URI matches.

    +
    +No +
    withoutHeadersmap<string, StringMatch> +

    withoutHeader has the same syntax with the header, but has opposite meaning. +If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.

    +
    No @@ -847,408 +1448,6 @@ No If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No -
    - -

    HTTPRedirect

    -
    -

    HTTPRedirect can be used to send a 301 redirect response to the caller, -where the Authority/Host and the URI in the response can be swapped with -the specified values. For example, the following rule redirects -requests for /v1/getProductRatings API on the ratings service to -/v1/bookRatings provided by the bookratings service.

    - -
    apiVersion: networking.istio.io/v1beta1
    -kind: VirtualService
    -metadata:
    -  name: ratings-route
    -spec:
    -  hosts:
    -  - ratings.prod.svc.cluster.local
    -  http:
    -  - match:
    -    - uri:
    -        exact: /v1/getProductRatings
    -    redirect:
    -      uri: /v1/bookRatings
    -      authority: newratings.default.svc.cluster.local
    -  ...
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    uristring -

    On a redirect, overwrite the Path portion of the URL with this -value. Note that the entire path will be replaced, irrespective of the -request URI being matched as an exact path or prefix.

    - -
    -No -
    authoritystring -

    On a redirect, overwrite the Authority/Host portion of the URL with -this value.

    - -
    -No -
    redirectCodeuint32 -

    On a redirect, Specifies the HTTP status code to use in the redirect -response. The default response code is MOVED_PERMANENTLY (301).

    - -
    -No -
    -
    -

    HTTPRetry

    -
    -

    Describes the retry policy to use when a HTTP request fails. For -example, the following rule sets the maximum number of retries to 3 when -calling ratings:v1 service, with a 2s timeout per retry attempt.

    - -
    apiVersion: networking.istio.io/v1beta1
    -kind: VirtualService
    -metadata:
    -  name: ratings-route
    -spec:
    -  hosts:
    -  - ratings.prod.svc.cluster.local
    -  http:
    -  - route:
    -    - destination:
    -        host: ratings.prod.svc.cluster.local
    -        subset: v1
    -    retries:
    -      attempts: 3
    -      perTryTimeout: 2s
    -      retryOn: gateway-error,connect-failure,refused-stream
    -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    attemptsint32 -

    Number of retries for a given request. The interval -between retries will be determined automatically (25ms+). Actual -number of retries attempted depends on the request timeout of the -HTTP route.

    - -
    -Yes -
    perTryTimeoutDuration -

    Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.

    - -
    -No -
    retryOnstring -

    Specifies the conditions under which retry takes place. -One or more policies can be specified using a ‘,’ delimited list. -See the retry policies -and gRPC retry policies for more details.

    - -
    -No -
    -
    -

    HTTPRewrite

    -
    -

    HTTPRewrite can be used to rewrite specific parts of a HTTP request -before forwarding the request to the destination. Rewrite primitive can -be used only with HTTPRouteDestination. The following example -demonstrates how to rewrite the URL prefix for api call (/ratings) to -ratings service before making the actual API call.

    - -
    apiVersion: networking.istio.io/v1beta1
    -kind: VirtualService
    -metadata:
    -  name: ratings-route
    -spec:
    -  hosts:
    -  - ratings.prod.svc.cluster.local
    -  http:
    -  - match:
    -    - uri:
    -        prefix: /ratings
    -    rewrite:
    -      uri: /v1/bookRatings
    -    route:
    -    - destination:
    -        host: ratings.prod.svc.cluster.local
    -        subset: v1
    -
    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    uristring -

    rewrite the path (or the prefix) portion of the URI with this -value. If the original URI was matched based on prefix, the value -provided in this field will replace the corresponding matched prefix.

    - -
    -No -
    authoritystring -

    rewrite the Authority/Host header with this value.

    - -
    -No -
    -
    -

    HTTPRoute

    -
    -

    Describes match conditions and actions for routing HTTP/1.1, HTTP2, and -gRPC traffic. See VirtualService for usage examples.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    namestring -

    The name assigned to the route for debugging purposes. The -route’s name will be concatenated with the match’s name and will -be logged in the access logs for requests matching this -route/match.

    - -
    -No -
    matchHTTPMatchRequest[] -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule -is matched if any one of the match blocks succeed.

    - -
    -No -
    routeHTTPRouteDestination[] -

    A HTTP rule can either redirect or forward (default) traffic. The -forwarding target can be one of several versions of a service (see -glossary in beginning of document). Weights associated with the -service version determine the proportion of traffic it receives.

    - -
    -No -
    redirectHTTPRedirect -

    A HTTP rule can either redirect or forward (default) traffic. If -traffic passthrough option is specified in the rule, -route/redirect will be ignored. The redirect primitive can be used to -send a HTTP 301 redirect to a different URI or Authority.

    - -
    -No -
    rewriteHTTPRewrite -

    Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with -Redirect primitive. Rewrite will be performed before forwarding.

    - -
    -No -
    timeoutDuration -

    Timeout for HTTP requests.

    - -
    -No -
    retriesHTTPRetry -

    Retry policy for HTTP requests.

    - -
    -No -
    faultHTTPFaultInjection -

    Fault injection policy to apply on HTTP traffic at the client side. -Note that timeouts or retries will not be enabled when faults are -enabled on the client side.

    - -
    -No -
    mirrorDestination -

    Mirror HTTP traffic to a another destination in addition to forwarding -the requests to the intended destination. Mirrored traffic is on a -best effort basis where the sidecar/gateway will not wait for the -mirrored cluster to respond before returning the response from the -original destination. Statistics will be generated for the mirrored -destination.

    - -
    -No -
    mirrorPercentagePercent -

    Percentage of the traffic to be mirrored by the mirror field. -If this field is absent, all the traffic (100%) will be mirrored. -Max value is 100.

    - -
    -No -
    corsPolicyCorsPolicy -

    Cross-Origin Resource Sharing policy (CORS). Refer to -CORS -for further details about cross origin resource sharing.

    - -
    -No -
    headersHeaders -

    Header manipulation rules

    - -
    -No -
    mirrorPercentUInt32Value -

    Percentage of the traffic to be mirrored by the mirror field. -Use of integer mirror_percent value is deprecated. Use the -double mirror_percentage field instead

    -
    No @@ -1266,6 +1465,32 @@ following rule will route 25% of traffic for the “reviews” service t instances with the “v2” tag and the remaining traffic (i.e., 75%) to “v1”.

    +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v2
    +      weight: 25
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +      weight: 75
    +
    + +

    {{}}

    + +

    {{}}

    +
    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1285,8 +1510,33 @@ spec:
           weight: 75
     
    +

    {{}} +{{}}

    +

    And the associated DestinationRule

    +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: DestinationRule
    +metadata:
    +  name: reviews-destination
    +spec:
    +  host: reviews.prod.svc.cluster.local
    +  subsets:
    +  - name: v1
    +    labels:
    +      version: v1
    +  - name: v2
    +    labels:
    +      version: v2
    +
    + +

    {{}}

    + +

    {{}}

    +
    apiVersion: networking.istio.io/v1beta1
     kind: DestinationRule
     metadata:
    @@ -1302,10 +1552,37 @@ spec:
           version: v2
     
    +

    {{}} +{{}}

    +

    Traffic can also be split across two entirely different services without having to define new subsets. For example, the following rule forwards 25% of traffic to reviews.com to dev.reviews.com

    +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: reviews-route-two-domains
    +spec:
    +  hosts:
    +  - reviews.com
    +  http:
    +  - route:
    +    - destination:
    +        host: dev.reviews.com
    +      weight: 25
    +    - destination:
    +        host: reviews.com
    +      weight: 75
    +
    + +

    {{}}

    + +

    {{}}

    +
    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    @@ -1323,6 +1600,9 @@ spec:
           weight: 75
     
    +

    {{}} +{{}}

    + @@ -1373,42 +1653,9 @@ No
    -

    Headers

    +

    RouteDestination

    -

    Message headers can be manipulated when Envoy forwards requests to, -or responses from, a destination service. Header manipulation rules can -be specified for a specific route destination or for all destinations. -The following VirtualService adds a test header with the value true -to requests that are routed to any reviews service destination. -It also romoves the foo response header, but only from responses -coming from the v1 subset (version) of the reviews service.

    - -
    apiVersion: networking.istio.io/v1beta1
    -kind: VirtualService
    -metadata:
    -  name: reviews-route
    -spec:
    -  hosts:
    -  - reviews.prod.svc.cluster.local
    -  http:
    -  - headers:
    -      request:
    -        set:
    -          test: true
    -    route:
    -    - destination:
    -        host: reviews.prod.svc.cluster.local
    -        subset: v2
    -      weight: 25
    -    - destination:
    -        host: reviews.prod.svc.cluster.local
    -        subset: v1
    -      headers:
    -        response:
    -          remove:
    -          - foo
    -      weight: 75
    -
    +

    L4 routing rule weighted destination.

    @@ -1420,75 +1667,25 @@ spec: - - - + + + - - - + + + - - - -
    requestHeaderOperations
    destinationDestination -

    Header manipulation rules to apply before forwarding a request -to the destination service

    +

    Destination uniquely identifies the instances of a service +to which the request/connection should be forwarded to.

    -No +Yes
    responseHeaderOperations
    weightint32 -

    Header manipulation rules to apply before returning a response -to the caller

    - -
    -No -
    -
    -

    Headers.HeaderOperations

    -
    -

    HeaderOperations Describes the header manipulations to apply

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    setmap<string, string> -

    Overwrite the headers specified by key with the given values

    - -
    -No -
    addmap<string, string> -

    Append the given values to the headers specified by keys -(will create a comma-separated list of values)

    - -
    -No -
    removestring[] -

    Remove a the specified headers

    +

    The proportion of traffic to be forwarded to the service +version. If there is only one destination in a rule, all traffic will be +routed to it irrespective of the weight.

    @@ -1573,215 +1770,6 @@ No If the VirtualService has a list of gateways specified in the top-level gateways field, it must include the reserved gateway mesh for this field to be applicable.

    -
    -No -
    -
    -

    Percent

    -
    -

    Percent specifies a percentage in the range of [0.0, 100.0].

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    valuedouble - -No -
    -
    -

    PortSelector

    -
    -

    PortSelector specifies the number of a port to be used for -matching or selection for final routing.

    - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    numberuint32 -

    Valid port number

    - -
    -No -
    -
    -

    RouteDestination

    -
    -

    L4 routing rule weighted destination.

    - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    destinationDestination -

    Destination uniquely identifies the instances of a service -to which the request/connection should be forwarded to.

    - -
    -Yes -
    weightint32 -

    The proportion of traffic to be forwarded to the service -version. If there is only one destination in a rule, all traffic will be -routed to it irrespective of the weight.

    - -
    -No -
    -
    -

    StringMatch

    -
    -

    Describes how to match a given string in HTTP headers. Match is -case-sensitive.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    exactstring (oneof) -

    exact string match

    - -
    -Yes -
    prefixstring (oneof) -

    prefix-based match

    - -
    -Yes -
    regexstring (oneof) -

    ECMAscript style regex-based match

    - -
    -Yes -
    -
    -

    TCPRoute

    -
    -

    Describes match conditions and actions for routing TCP traffic. The -following routing rule forwards traffic arriving at port 27017 for -mongo.prod.svc.cluster.local to another Mongo server on port 5555.

    - -
    apiVersion: networking.istio.io/v1beta1
    -kind: VirtualService
    -metadata:
    -  name: bookinfo-Mongo
    -spec:
    -  hosts:
    -  - mongo.prod.svc.cluster.local
    -  tcp:
    -  - match:
    -    - port: 27017
    -    route:
    -    - destination:
    -        host: mongo.backup.svc.cluster.local
    -        port:
    -          number: 5555
    -
    - - - - - - - - - - - - - - - - - - - - -
    FieldTypeDescriptionRequired
    matchL4MatchAttributes[] -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule -is matched if any one of the match blocks succeed.

    - -
    -No -
    routeRouteDestination[] -

    The destination to which the connection should be forwarded to.

    -
    No @@ -1887,39 +1875,58 @@ No
    -

    TLSRoute

    +

    HTTPRedirect

    -

    Describes match conditions and actions for routing unterminated TLS -traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS -traffic arriving at port 443 of gateway called “mygateway” to internal -services in the mesh based on the SNI value.

    +

    HTTPRedirect can be used to send a 301 redirect response to the caller, +where the Authority/Host and the URI in the response can be swapped with +the specified values. For example, the following rule redirects +requests for /v1/getProductRatings API on the ratings service to +/v1/bookRatings provided by the bookratings service.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - uri:
    +        exact: /v1/getProductRatings
    +    redirect:
    +      uri: /v1/bookRatings
    +      authority: newratings.default.svc.cluster.local
    +  ...
    +
    + +

    {{}}

    + +

    {{}}

    apiVersion: networking.istio.io/v1beta1
     kind: VirtualService
     metadata:
    -  name: bookinfo-sni
    +  name: ratings-route
     spec:
       hosts:
    -  - "*.bookinfo.com"
    -  gateways:
    -  - mygateway
    -  tls:
    +  - ratings.prod.svc.cluster.local
    +  http:
       - match:
    -    - port: 443
    -      sniHosts:
    -      - login.bookinfo.com
    -    route:
    -    - destination:
    -        host: login.prod.svc.cluster.local
    -  - match:
    -    - port: 443
    -      sniHosts:
    -      - reviews.bookinfo.com
    -    route:
    -    - destination:
    -        host: reviews.prod.svc.cluster.local
    +    - uri:
    +        exact: /v1/getProductRatings
    +    redirect:
    +      uri: /v1/bookRatings
    +      authority: newratings.default.svc.cluster.local
    +  ...
     
    +

    {{}} +{{}}

    + @@ -1930,25 +1937,37 @@ spec: - - - + + + - - - + + + + + + + + +
    matchTLSMatchAttributes[]
    uristring -

    Match conditions to be satisfied for the rule to be -activated. All conditions inside a single match block have AND -semantics, while the list of match blocks have OR semantics. The rule -is matched if any one of the match blocks succeed.

    +

    On a redirect, overwrite the Path portion of the URL with this +value. Note that the entire path will be replaced, irrespective of the +request URI being matched as an exact path or prefix.

    -Yes +No
    routeRouteDestination[]
    authoritystring -

    The destination to which the connection should be forwarded to.

    +

    On a redirect, overwrite the Authority/Host portion of the URL with +this value.

    + +
    +No +
    redirectCodeuint32 +

    On a redirect, Specifies the HTTP status code to use in the redirect +response. The default response code is MOVED_PERMANENTLY (301).

    @@ -1958,9 +1977,61 @@ No
    -

    VirtualService

    +

    HTTPRewrite

    -

    Configuration affecting traffic routing.

    +

    HTTPRewrite can be used to rewrite specific parts of a HTTP request +before forwarding the request to the destination. Rewrite primitive can +be used only with HTTPRouteDestination. The following example +demonstrates how to rewrite the URL prefix for api call (/ratings) to +ratings service before making the actual API call.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - uri:
    +        prefix: /ratings
    +    rewrite:
    +      uri: /v1/bookRatings
    +    route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - uri:
    +        prefix: /ratings
    +    rewrite:
    +      uri: /v1/bookRatings
    +    route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +
    + +

    {{}} +{{}}

    @@ -1972,132 +2043,708 @@ No - - - + + + + + + + + + + + + +
    hostsstring[]
    uristring -

    The destination hosts to which traffic is being sent. Could -be a DNS name with wildcard prefix or an IP address. Depending on the -platform, short-names can also be used instead of a FQDN (i.e. has no -dots in the name). In such a scenario, the FQDN of the host would be -derived based on the underlying platform.

    +

    rewrite the path (or the prefix) portion of the URI with this +value. If the original URI was matched based on prefix, the value +provided in this field will replace the corresponding matched prefix.

    -

    A single VirtualService can be used to describe all the traffic -properties of the corresponding hosts, including those for multiple -HTTP and TCP ports. Alternatively, the traffic properties of a host -can be defined using more than one VirtualService, with certain -caveats. Refer to the -Operations Guide -for details.

    +
    +No +
    authoritystring +

    rewrite the Authority/Host header with this value.

    -

    Note for Kubernetes users: When short names are used (e.g. “reviews” -instead of “reviews.default.svc.cluster.local”), Istio will interpret -the short name based on the namespace of the rule, not the service. A -rule in the “default” namespace containing a host “reviews” will be -interpreted as “reviews.default.svc.cluster.local”, irrespective of -the actual namespace associated with the reviews service. To avoid -potential misconfigurations, it is recommended to always use fully -qualified domain names over short names.

    +
    +No +
    +
    +

    StringMatch

    +
    +

    Describes how to match a given string in HTTP headers. Match is +case-sensitive.

    -

    The hosts field applies to both HTTP and TCP services. Service inside -the mesh, i.e., those found in the service registry, must always be -referred to using their alphanumeric names. IP addresses are allowed -only for services defined via the Gateway.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    exactstring (oneof) +

    exact string match

    + +
    +No +
    prefixstring (oneof) +

    prefix-based match

    + +
    +No +
    regexstring (oneof) +

    RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).

    + +
    +No +
    +
    +

    HTTPRetry

    +
    +

    Describes the retry policy to use when a HTTP request fails. For +example, the following rule sets the maximum number of retries to 3 when +calling ratings:v1 service, with a 2s timeout per retry attempt.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    retries:
    +      attempts: 3
    +      perTryTimeout: 2s
    +      retryOn: gateway-error,connect-failure,refused-stream
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    retries:
    +      attempts: 3
    +      perTryTimeout: 2s
    +      retryOn: gateway-error,connect-failure,refused-stream
    +
    + +

    {{}} +{{}}

    + + + + + + + + + + + + + + + - - + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    attemptsint32 +

    Number of retries for a given request. The interval +between retries will be determined automatically (25ms+). Actual +number of retries attempted depends on the request timeout of the +HTTP route.

    Yes
    gateways
    perTryTimeoutDuration +

    Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.

    + +
    +No +
    retryOnstring +

    Specifies the conditions under which retry takes place. +One or more policies can be specified using a ‘,’ delimited list. +See the retry policies +and gRPC retry policies for more details.

    + +
    +No +
    retryRemoteLocalitiesBoolValue +

    Flag to specify whether the retries should retry to other localities. +See the retry plugin configuration for more details.

    + +
    +No +
    +
    +

    CorsPolicy

    +
    +

    Describes the Cross-Origin Resource Sharing (CORS) policy, for a given +service. Refer to CORS +for further details about cross origin resource sharing. For example, +the following rule restricts cross origin requests to those originating +from example.com domain using HTTP POST/GET, and sets the +Access-Control-Allow-Credentials header to false. In addition, it only +exposes X-Foo-bar header and sets an expiry period of 1 day.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    corsPolicy:
    +      allowOrigin:
    +      - example.com
    +      allowMethods:
    +      - POST
    +      - GET
    +      allowCredentials: false
    +      allowHeaders:
    +      - X-Foo-Bar
    +      maxAge: "24h"
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    corsPolicy:
    +      allowOrigin:
    +      - example.com
    +      allowMethods:
    +      - POST
    +      - GET
    +      allowCredentials: false
    +      allowHeaders:
    +      - X-Foo-Bar
    +      maxAge: "24h"
    +
    + +

    {{}} +{{}}

    + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    allowOriginsStringMatch[] +

    String patterns that match allowed origins. +An origin is allowed if any of the string matchers match. +If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.

    + +
    +No +
    allowMethods string[] -

    The names of gateways and sidecars that should apply these routes. -Gateways in other namespaces may be referred to by -<gateway namespace>/<gateway name>; specifying a gateway with no -namespace qualifier is the same as specifying the VirtualService’s -namespace. A single VirtualService is used for sidecars inside the mesh as -well as for one or more gateways. The selection condition imposed by this -field can be overridden using the source field in the match conditions -of protocol-specific routes. The reserved word mesh is used to imply -all the sidecars in the mesh. When this field is omitted, the default -gateway (mesh) will be used, which would apply the rule to all -sidecars in the mesh. If a list of gateway names is provided, the -rules will apply only to the gateways. To apply the rules to both -gateways and sidecars, specify mesh as one of the gateway names.

    +

    List of HTTP methods allowed to access the resource. The content will +be serialized into the Access-Control-Allow-Methods header.

    No
    httpHTTPRoute[] -

    An ordered list of route rules for HTTP traffic. HTTP routes will be -applied to platform service ports named ‘http-’/‘http2-’/‘grpc-*’, gateway -ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service -entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching -an incoming request is used.

    - -
    -No -
    tlsTLSRoute[] -

    An ordered list of route rule for non-terminated TLS & HTTPS -traffic. Routing is typically performed using the SNI value presented -by the ClientHello message. TLS routes will be applied to platform -service ports named ‘https-’, ‘tls-’, unterminated gateway ports using -HTTPS/TLS protocols (i.e. with “passthrough” TLS mode) and service -entry ports using HTTPS/TLS protocols. The first rule matching an -incoming request is used. NOTE: Traffic ‘https-’ or ‘tls-’ ports -without associated virtual service will be treated as opaque TCP -traffic.

    - -
    -No -
    tcpTCPRoute[] -

    An ordered list of route rules for opaque TCP traffic. TCP routes will -be applied to any port that is not a HTTP or TLS port. The first rule -matching an incoming request is used.

    - -
    -No -
    exportTo
    allowHeaders string[] -

    A list of namespaces to which this virtual service is exported. Exporting a -virtual service allows it to be used by sidecars and gateways defined in -other namespaces. This feature provides a mechanism for service owners -and mesh administrators to control the visibility of virtual services -across namespace boundaries.

    +

    List of HTTP headers that can be used when requesting the +resource. Serialized to Access-Control-Allow-Headers header.

    -

    If no namespaces are specified then the virtual service is exported to all -namespaces by default.

    +
    +No +
    exposeHeadersstring[] +

    A white list of HTTP headers that the browsers are allowed to +access. Serialized into Access-Control-Expose-Headers header.

    -

    The value “.” is reserved and defines an export to the same namespace that -the virtual service is declared in. Similarly the value “*” is reserved and -defines an export to all namespaces.

    +
    +No +
    maxAgeDuration +

    Specifies how long the results of a preflight request can be +cached. Translates to the Access-Control-Max-Age header.

    -

    NOTE: in the current release, the exportTo value is restricted to -“.” or “*” (i.e., the current namespace or all namespaces).

    +
    +No +
    allowCredentialsBoolValue +

    Indicates whether the caller is allowed to send the actual request +(not the preflight) using credentials. Translates to +Access-Control-Allow-Credentials header.

    + +
    +No +
    +
    +

    HTTPFaultInjection

    +
    +

    HTTPFaultInjection can be used to specify one or more faults to inject +while forwarding HTTP requests to the destination specified in a route. +Fault specification is part of a VirtualService rule. Faults include +aborting the Http request from downstream service, and/or delaying +proxying of requests. A fault rule MUST HAVE delay or abort or both.

    + +

    Note: Delay and abort faults are independent of one another, even if +both are specified simultaneously.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    delayDelay +

    Delay requests before forwarding, emulating various failures such as +network issues, overloaded upstream service, etc.

    + +
    +No +
    abortAbort +

    Abort Http request attempts and return error codes back to downstream +service, giving the impression that the upstream service is faulty.

    + +
    +No +
    +
    +

    PortSelector

    +
    +

    PortSelector specifies the number of a port to be used for +matching or selection for final routing.

    + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    numberuint32 +

    Valid port number

    + +
    +No +
    +
    +

    Percent

    +
    +

    Percent specifies a percentage in the range of [0.0, 100.0].

    + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    valuedouble + +No +
    +
    +

    Headers.HeaderOperations

    +
    +

    HeaderOperations Describes the header manipulations to apply

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    setmap<string, string> +

    Overwrite the headers specified by key with the given values

    + +
    +No +
    addmap<string, string> +

    Append the given values to the headers specified by keys +(will create a comma-separated list of values)

    + +
    +No +
    removestring[] +

    Remove a the specified headers

    + +
    +No +
    +
    +

    HTTPFaultInjection.Delay

    +
    +

    Delay specification is used to inject latency into the request +forwarding path. The following example will introduce a 5 second delay +in 1 out of every 1000 requests to the “v1” version of the “reviews” +service from all pods with label env: prod

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - sourceLabels:
    +        env: prod
    +    route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      delay:
    +        percentage:
    +          value: 0.1
    +        fixedDelay: 5s
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: reviews-route
    +spec:
    +  hosts:
    +  - reviews.prod.svc.cluster.local
    +  http:
    +  - match:
    +    - sourceLabels:
    +        env: prod
    +    route:
    +    - destination:
    +        host: reviews.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      delay:
    +        percentage:
    +          value: 0.1
    +        fixedDelay: 5s
    +
    + +

    {{}} +{{}}

    + +

    The fixedDelay field is used to indicate the amount of delay in seconds. +The optional percentage field can be used to only delay a certain +percentage of requests. If left unspecified, all request will be delayed.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    fixedDelayDuration (oneof) +

    Add a fixed delay before forwarding the request. Format: +1h/1m/1s/1ms. MUST be >=1ms.

    + +
    +Yes +
    percentagePercent +

    Percentage of requests on which the delay will be injected.

    + +
    +No +
    percentint32 +

    Percentage of requests on which the delay will be injected (0-100). +Use of integer percent value is deprecated. Use the double percentage +field instead.

    + +
    +No +
    +
    +

    HTTPFaultInjection.Abort

    +
    +

    Abort specification is used to prematurely abort a request with a +pre-specified error code. The following example will return an HTTP 400 +error code for 1 out of every 1000 requests to the “ratings” service “v1”.

    + +

    {{}} +{{}}

    + +
    apiVersion: networking.istio.io/v1alpha3
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      abort:
    +        percentage:
    +          value: 0.1
    +        httpStatus: 400
    +
    + +

    {{}}

    + +

    {{}}

    + +
    apiVersion: networking.istio.io/v1beta1
    +kind: VirtualService
    +metadata:
    +  name: ratings-route
    +spec:
    +  hosts:
    +  - ratings.prod.svc.cluster.local
    +  http:
    +  - route:
    +    - destination:
    +        host: ratings.prod.svc.cluster.local
    +        subset: v1
    +    fault:
    +      abort:
    +        percentage:
    +          value: 0.1
    +        httpStatus: 400
    +
    + +

    {{}} +{{}}

    + +

    The httpStatus field is used to indicate the HTTP status code to +return to the caller. The optional percentage field can be used to only +abort a certain percentage of requests. If not specified, all requests are +aborted.

    + + + + + + + + + + + + + + + + + + + + + - @@ -36,9 +35,6 @@ path.

    metric. Conflicts are resolved by the tag name by overriding previously supplied values.

    - - @@ -48,9 +44,6 @@ No

    (Optional) Metric name to restrict the override to a metric. If not specified, applies to all.

    - - @@ -59,9 +52,6 @@ No - @@ -70,9 +60,6 @@ No - @@ -86,7 +73,6 @@ No - @@ -96,9 +82,6 @@ No - @@ -107,9 +90,6 @@ No - @@ -118,9 +98,6 @@ No - @@ -162,7 +139,6 @@ No - @@ -174,9 +150,6 @@ No The following settings should be rarely used. Enable debug for this filter.

    - - @@ -187,9 +160,6 @@ No A long lived proxy that connects with many transient peers can build up a large cache. To turn off the cache, set this field to a negative value.

    - - @@ -198,9 +168,6 @@ No - @@ -209,12 +176,9 @@ No - @@ -223,9 +187,6 @@ No - @@ -236,21 +197,15 @@ No not available from the controlplane. Disable the fallback if the host header originates outsides the mesh, like at ingress.

    - - - + -
@@ -259,9 +214,6 @@ No -
@@ -270,9 +222,6 @@ No -
diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html
index 99393203ed..3d3bc6d3eb 100644
--- a/content/en/docs/reference/config/security/request_authentication/index.html
+++ b/content/en/docs/reference/config/security/request_authentication/index.html
@@ -54,68 +54,68 @@ spec:
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication declares it can accpet JWTs issuer by either issuer-foo or issuer-bar (the public key set is implicitly -set from the OpenID Connect spec). -“`yaml -apiVersion: security.istio.io/v1beta1 +set from the OpenID Connect spec).
    • +
    + +
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    -name: httpbin
    -namespace: foo
    +  name: httpbin
    +  namespace: foo
     spec:
    -selector:
    -matchLabels:
    -  app: httpbin
    -jwtRules:
    +  selector:
    +    matchLabels:
    +      app: httpbin
    +  jwtRules:
    +  - issuer: "issuer-foo"
    +  - issuer: "issuer-bar"
    +---
    +apiVersion: security.istio.io/v1beta1
    +kind: AuthorizationPolicy
    +metadata:
    +  name: httpbin
    +  namespace: foo
    +spec:
    +  selector:
    +    matchLabels:
    +      app: httpbin
    + rules:
    + - from:
    +   - source:
    +       requestPrincipals: ["issuer-foo/*"]
    +   to:
    +     hosts: ["example.com"]
    + - from:
    +   - source:
    +       requestPrincipals: ["issuer-bar/*"]
    +   to:
    +     hosts: ["another-host.com"]
    +
      -
    • issuer: “issuer-foo”
    • -
    • issuer: “issuer-bar” -— -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: -name: httpbin -namespace: foo -spec: -selector: -matchLabels: -app: httpbin -rules:
    • -
    • from:
    • -
    • source: -requestPrincipals: [“issuer-foo/*”] -to: -hosts: [“example.com”]
    • -
    • from:
    • -
    • source: -requestPrincipals: [“issuer-bar/”] -to: -hosts: [“another-host.com”] - -- You can fine tune the authorization policy to set different requirement per path. For example, -to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the -authorization policy could be: -yaml -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: -name: httpbin -namespace: foo -spec: -selector: -matchLabels: -app: httpbin -rules: -- from: -- source: -requestPrincipals: [””] -- to: -- operation: -paths: [“/healthz] -“`
    • -
    +
  • You can fine tune the authorization policy to set different requirement per path. For example, +to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the +authorization policy could be:
  • +
    apiVersion: security.istio.io/v1beta1
    +kind: AuthorizationPolicy
    +metadata:
    +  name: httpbin
    +  namespace: foo
    +spec:
    +  selector:
    +    matchLabels:
    +      app: httpbin
    + rules:
    + - from:
    +   - source:
    +       requestPrincipals: ["*"]
    + - to:
    +   - operation:
    +       paths: ["/healthz]
    +
    +
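Review bot: The per-path AuthorizationPolicy example on the new side still carries an unterminated string in `paths: ["/healthz]`, so anyone pasting the example gets a YAML parse error rather than the intended healthz exemption; it should read `paths: ["/healthz"]`. The `rules:` key in both AuthorizationPolicy examples also appears to sit one space under `spec:` while `selector:` sits two spaces in, which a YAML parser rejects as an inconsistent mapping — this may be a rendering artifact, but it matches the old side, so it looks pre-existing rather than introduced here. Both snippets are the documented pattern for "JWT required on every path except /healthz", so they ought to parse exactly as written. Since this HTML is auto-generated from the istio/istio proto comments, the fix belongs in the upstream RequestAuthentication comment, not in this file.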
    FieldTypeDescriptionRequired
    httpStatusint32 (oneof) +

    HTTP status code to use to abort the Http request.

    + +
    +Yes +
    percentagePercent +

    Percentage of requests to be aborted with the error code provided.

    diff --git a/content/en/docs/reference/config/proxy_extensions/stats/index.html b/content/en/docs/reference/config/proxy_extensions/stats/index.html
index 9b9bad7ef9..0188c52c49 100644
--- a/content/en/docs/reference/config/proxy_extensions/stats/index.html
+++ b/content/en/docs/reference/config/proxy_extensions/stats/index.html
@@ -24,7 +24,6 @@ path.

    Field Type DescriptionRequired
    -No
    -No

    (Optional) A list of tags to remove.

    -
    -No

    NOT IMPLEMENTED. (Optional) Conditional enabling the override.

    -
    -No
    Field Type DescriptionRequired

    Metric name.

    -
    -No

    Metric value expression.

    -
    -No

    NOT IMPLEMENTED (Optional) Metric type.

    -
    -No
    Field Type DescriptionRequired
    -No
    -No

    prefix to add to stats emitted by the plugin.

    -
    -No

    Stats api squashes dimensions in a single string. The squashed string is parsed at prometheus scrape time to recover -dimensions. The following 2 fields set the field and value separators {key: -value} –> key{valueseparator}value{fieldseparator}

    +dimensions. The following 2 fields set the field and value separators {key: +value} –> key{valueseparator}value{fieldseparator}

    -
    -No

    default: “==”

    -
    -No
    -No
    tcpReportingDurationDurationgoogle.protobuf.Duration

    Optional. Allows configuration of the time between calls out to for TCP metrics reporting. The default duration is 15s.

    -
    -No

    Metric overrides.

    -
    -No

    Metric definitions.

    -
    -No
    diff --git a/content/en/news/releases/1.2.x/announcing-1.2/change-notes/index.md b/content/en/news/releases/1.2.x/announcing-1.2/change-notes/index.md
index 9b4ac92c95..b6d2e0f2dc 100644
--- a/content/en/news/releases/1.2.x/announcing-1.2/change-notes/index.md
+++ b/content/en/news/releases/1.2.x/announcing-1.2/change-notes/index.md
@@ -76,6 +76,6 @@ Refer to the [installation option change page](/news/releases/1.2.x/announcing-1
 - **Added** a new experimental ['a-la-carte' Istio installer](https://github.com/istio/installer/wiki) to enable users to install and upgrade Istio with desired isolation and security.
 - **Added** [environment variable and configuration file support](https://docs.google.com/document/d/1M-qqBMNbhbAxl3S_8qQfaeOLAiRqSBpSgfWebFBRuu8/edit) for configuring Galley, in addition to command-line flags.
 - **Added** [ControlZ](/docs/ops/diagnostic-tools/controlz/) support to visualize the state of the MCP Server in Galley.
-- **Added** the [`enableServiceDiscovery` command-line flag](/docs/reference/commands/galley/#galley-server) to control the service discovery module in Galley.
+- **Added** the [`enableServiceDiscovery` command-line flag](https://archive.istio.io/v1.2/docs/reference/commands/galley/#galley-server) to control the service discovery module in Galley.
 - **Added** `InitialWindowSize` and `InitialConnWindowSize` parameters to Galley and Pilot to allow fine-tuning of MCP (gRPC) connection settings.
 - **Graduated** configuration processing with Galley from Alpha to Beta.
diff --git a/data/analysis.yaml b/data/analysis.yaml
index ed596847b5..bc7ceecffb 100644
--- a/data/analysis.yaml
+++ b/data/analysis.yaml
@@ -255,3 +255,38 @@ messages: type: string - name: problem type: string + + - name: "NamespaceMultipleInjectionLabels" + code: IST0123 + level: Warning + description: "A namespace has both new and legacy injection labels" + template: "The namespace has both new and legacy injection labels. Run 'kubectl label namespace %s istio.io/rev-' or 'kubectl label namespace %s istio-injection-'" + args: + - name: namespace + type: string + - name: namespace2 + type: string + + - name: "NamespaceInvalidInjectorRevision" + code: IST0124 + level: Warning + description: "A namespace is labeled to inject from unknown control plane." + template: "The namespace is labeled to inject from %q but that namespace doesn't exist. Run 'kubectl label namespace %s istio.io/rev=' where is one of %s" + args: + - name: unknownrevision + type: string + - name: namespace + type: string + - name: revisions + type: string + + - name: "InvalidAnnotation" + code: IST0125 + level: Warning + description: "An Istio annotation that is not valid" + template: "Invalid annotation %s: %s" + args: + - name: annotation + type: string + - name: problem + type: string \ No newline at end of file