Update reference docs. (#4552)

.github/pull_request_template.md

@@ -1,12 +1,5 @@
----
-name: Pull Request
-about: Add some features, do some cleanup, or fix some bugs.
----
-
 Please provide a description for what this PR is for.
 
-<description>
-
 And to help us figure out who should review this PR, please 
 put an X in all the areas that this PR affects.
 
@@ -19,4 +12,4 @@ put an X in all the areas that this PR affects.
 [ ] Security
 [ ] Test and Release
 [ ] User Experience
-[ ] Developer Infrastrcture
+[ ] Developer Infrastructure

content/docs/reference/commands/galley/index.html

@@ -486,7 +486,7 @@ validation:
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 </tbody>
 </table>
@@ -560,7 +560,7 @@ These resource annotations are used by the <code>galley</code> command.
 </tr>
 </tbody>
 </table>
-<h2 id="metrics">Exported Metrics</h2>
+<h2 id="metrics">Exported metrics</h2>
 <table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>

content/docs/reference/commands/istio_ca/index.html

@@ -337,7 +337,7 @@ number_of_entries: 4
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 </tbody>
 </table>
@@ -389,7 +389,7 @@ These resource annotations are used by the <code>istio_ca</code> command.
 </tr>
 </tbody>
 </table>
-<h2 id="metrics">Exported Metrics</h2>
+<h2 id="metrics">Exported metrics</h2>
 <table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>

content/docs/reference/commands/istioctl/index.html

@@ -863,7 +863,7 @@ istioctl experimental metrics productpage-v1.foo reviews-v1.bar ratings-v1.baz
 <p>kube-inject manually injects the Envoy sidecar into Kubernetes
 workloads. Unsupported resources are left unmodified so it is safe to
 run kube-inject over a single file that contains multiple Service,
-ConfigMap, Deployment, etc. definitions for a complex application. Its
+ConfigMap, Deployment, etc. definitions for a complex application. It&#39;s
 best to do this when the resource is initially created.</p>
 <p>k8s.io/docs/concepts/workloads/pods/pod-overview/#pod-templates is
 updated for Job, DaemonSet, ReplicaSet, Pod and Deployment YAML resource
@@ -871,11 +871,7 @@ documents. Support for additional pod-based resource types can be
 added as necessary.</p>
 <p>The Istio project is continually evolving so the Istio sidecar
 configuration may change unannounced. When in doubt re-run istioctl
-kube-inject on deployments to get the most up-to-date changes.</p>
-<p>To override the sidecar injection template from kubernetes configmap
-&#39;istio-inject&#39;, the parameters --injectConfigFile or --injectConfigMapName
-can be used. Either of options would typically be used with the
-file/configmap created with a new Istio release.
+kube-inject on deployments to get the most up-to-date changes.
 </p>
 <pre class="language-bash"><code>istioctl kube-inject [flags]
 </code></pre>
@@ -962,9 +958,15 @@ istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml
 # Update an existing deployment.
 kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
 
-# Create a persistent version of the deployment with Envoy sidecar
-# injected configuration from Kubernetes configmap &#39;istio-inject&#39;
-istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml --injectConfigMapName istio-inject
+# Capture cluster configuration for later use with kube-inject
+kubectl -n istio-system get cm istio-sidecar-injector  -o jsonpath=&#34;{.data.config}&#34; &gt; /tmp/inj-template.tmpl
+kubectl -n istio-system get cm istio -o jsonpath=&#34;{.data.mesh}&#34; &gt; /tmp/mesh.yaml
+kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath=&#34;{.data.values}&#34; &gt; /tmp/values.json
+# Use kube-inject based on captured configuration
+istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
+	--injectConfigFile /tmp/inj-template.tmpl \
+	--meshConfigFile /tmp/mesh.yaml \
+	--valuesFile /tmp/values.json
 
 </code></pre>
 <h2 id="istioctl-proxy-config">istioctl proxy-config</h2>
@@ -1662,12 +1664,12 @@ Retrieves last sent and last acknowledged xDS sync from Pilot to each Envoy in t
 <tr>
 <td><code>--remote</code></td>
 <td></td>
-<td>Prints remote version information, from the control plane </td>
+<td>Use --remote=false to suppress control plane check </td>
 </tr>
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 </tbody>
 </table>
@@ -1965,7 +1967,7 @@ These resource annotations are used by the <code>istioctl</code> command.
 </tr>
 </tbody>
 </table>
-<h2 id="metrics">Exported Metrics</h2>
+<h2 id="metrics">Exported metrics</h2>
 <table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>

content/docs/reference/commands/mixs/index.html

@@ -317,7 +317,7 @@ nexus for policy evaluation and telemetry reporting.</p>
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 </tbody>
 </table>
@@ -391,7 +391,7 @@ These resource annotations are used by the <code>mixs</code> command.
 </tr>
 </tbody>
 </table>
-<h2 id="metrics">Exported Metrics</h2>
+<h2 id="metrics">Exported metrics</h2>
 <table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>

content/docs/reference/commands/node_agent/index.html

@@ -161,12 +161,12 @@ number_of_entries: 3
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 </tbody>
 </table>
-<h2 id=\"metrics\">Exported Metrics</h2>
-<table class=\"metrics\">
+<h2 id="metrics">Exported metrics</h2>
+<table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
 </thead>

content/docs/reference/commands/pilot-agent/index.html

@@ -359,7 +359,7 @@ number_of_entries: 5
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 </tbody>
 </table>
@@ -609,8 +609,8 @@ These resource annotations are used by the <code>pilot-agent</code> command.
 </tr>
 </tbody>
 </table>
-<h2 id=\"metrics\">Exported Metrics</h2>
-<table class=\"metrics\">
+<h2 id="metrics">Exported metrics</h2>
+<table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
 </thead>

content/docs/reference/commands/pilot-discovery/index.html

@@ -439,7 +439,7 @@ number_of_entries: 5
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 </tbody>
 </table>
@@ -647,7 +647,7 @@ These resource annotations are used by the <code>pilot-discovery</code> command.
 </tr>
 </tbody>
 </table>
-<h2 id="metrics">Exported Metrics</h2>
+<h2 id="metrics">Exported metrics</h2>
 <table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>

content/docs/reference/commands/sidecar-injector/index.html

@@ -315,7 +315,7 @@ number_of_entries: 4
 <tr>
 <td><code>--short</code></td>
 <td><code>-s</code></td>
-<td>Displays a short form of the version information </td>
+<td>Use --short=false to generate full version information </td>
 </tr>
 <tr>
 <td><code>--tlsCertFile &lt;string&gt;</code></td>
@@ -471,8 +471,8 @@ These resource annotations are used by the <code>sidecar-injector</code> command
 </tr>
 </tbody>
 </table>
-<h2 id=\"metrics\">Exported Metrics</h2>
-<table class=\"metrics\">
+<h2 id="metrics">Exported metrics</h2>
+<table class="metrics">
 <thead>
 <tr><th>Metric Name</th><th>Type</th><th>Description</th></tr>
 </thead>

content/docs/reference/config/istio.mesh.v1alpha1/index.html

@@ -490,6 +490,78 @@ can be configured for a single control plane.</p>
 Refer to <a href="https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain">SPIFEE-ID</a>
 Fallback to old identity format(without trust domain) if not set.</p>
 
+</td>
+</tr>
+<tr id="MeshConfig-default_service_export_to">
+<td><code>defaultServiceExportTo</code></td>
+<td><code>string[]</code></td>
+<td>
+<p>The default value for the ServiceEntry.export_to field and services
+imported through container registry integrations, e.g. this applies to
+Kubernetes Service resources. The value is a list of namespace names and
+reserved namespace aliases. The allowed namespace aliases are:</p>
+
+<ul>
+<li>- All Namespaces
+. - Current Namespace
+~ - No Namespace</li>
+</ul>
+
+<p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
+services are exported to all namespaces.</p>
+
+<p>&lsquo;All namespaces&rsquo; is a reasonable default for implementations that don&rsquo;t
+need to restrict access or visibility of services across namespace
+boundaries. If that requirement is present it is generally good practice to
+make the default &lsquo;Current namespace&rsquo; so that services are only visible
+within their own namespaces by default. Operators can then expand the
+visibility of services to other namespaces as needed. Use of &lsquo;No Namespace&rsquo;
+is expected to be rare but can have utility for deployments where
+dependency management needs to be precise even within the scope of a single
+namespace.</p>
+
+<p>For further discussion see the reference documentation for ServiceEntry,
+Sidecar, and Gateway.</p>
+
+</td>
+</tr>
+<tr id="MeshConfig-default_virtual_service_export_to">
+<td><code>defaultVirtualServiceExportTo</code></td>
+<td><code>string[]</code></td>
+<td>
+<p>The default value for the VirtualService.export<em>to field. Has the same
+syntax as &lsquo;default</em>service<em>export</em>to&rsquo;.</p>
+
+<p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
+virtual services are exported to all namespaces</p>
+
+</td>
+</tr>
+<tr id="MeshConfig-default_destination_rule_export_to">
+<td><code>defaultDestinationRuleExportTo</code></td>
+<td><code>string[]</code></td>
+<td>
+<p>The default value for the DestinationRule.export<em>to field. Has the same
+syntax as &lsquo;default</em>service<em>export</em>to&rsquo;.</p>
+
+<p>If not set the system will use &ldquo;*&rdquo; as the default value which implies that
+destination rules are exported to all namespaces</p>
+
+</td>
+</tr>
+<tr id="MeshConfig-root_namespace">
+<td><code>rootNamespace</code></td>
+<td><code>string</code></td>
+<td>
+<p>The namespace to treat as the administrative root namespace for
+Istio configuration. When processing a leaf namespace Istio will search for
+declarations in that namespace first and if none are found it will
+search in the root namespace. Any matching declaration found in the root
+namespace is processed as if it were declared in the leaf namespace.</p>
+
+<p>The precise semantics of this processing are documented on each resource
+type.</p>
+
 </td>
 </tr>
 <tr id="MeshConfig-locality_lb_setting">

content/docs/reference/config/networking/v1alpha3/sidecar/index.html

@@ -29,14 +29,38 @@ workload instsance, preference will be given to the resource with a
 workloadSelector that selects this workload instance, over a Sidecar resource
 without any workloadSelector.</p>
 
-<p>NOTE: <em><em>Each namespace can have only one Sidecar resource without any
+<p>NOTE 1: <em><em>Each namespace can have only one Sidecar resource without any
 workload selector</em></em>. The behavior of the system is undefined if more
 than one selector-less Sidecar resources exist in a given namespace. The
 behavior of the system is undefined if two or more Sidecar resources
 with a workload selector select the same workload instance.</p>
 
-<p>The example below declares a Sidecar resource in the prod-us1 namespace
-that configures the sidecars in the namespace to allow egress traffic to
+<p>NOTE 2: <em><em>A sidecar resource in the config <a href="/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig">root
+namespace</a>
+will be applied by default to all namespaces without a sidecar
+resource.</em></em>. This global default sidecar resource should not have
+any workload selector.</p>
+
+<p>The example below declares a global default Sidecar resource in the
+root namespace called <code>istio-config</code>, that configures sidecars in
+all namespaces to allow egress traffic only to other workloads in
+the same namespace, and to services in the istio-system namespace.</p>
+
+<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: default
+  namespace: istio-config
+spec:
+  egress:
+  - hosts:
+    - &quot;./*&quot;
+    - &quot;istio-system/*&quot;
+</code></pre>
+
+<p>The example below declares a Sidecar resource in the prod-us1
+namespace that overrides the global default defined above, and
+configures the sidecars in the namespace to allow egress traffic to
 public services in the prod-us1, prod-apis, and the istio-system
 namespaces.</p>
 
@@ -415,8 +439,8 @@ reach every service in the mesh that is visible to this namespace.</p>
 </section>
 <h2 id="WorkloadSelector">WorkloadSelector</h2>
 <section>
-<p>WorkloadSelector specifies the criteria used to determine if the Gateway
-or Sidecar resource can be applied to a proxy. The matching criteria
+<p>WorkloadSelector specifies the criteria used to determine if the Gateway,
+Sidecar, or EnvoyFilter resource can be applied to a proxy. The matching criteria
 includes the metadata associated with a proxy, workload instance info such as
 labels attached to the pod/VM, or any other info that the proxy provides
 to Istio during the initial handshake. If multiple conditions are