diff --git a/Makefile.core.mk b/Makefile.core.mk index 048b7e9203626..d12b5b5671a5b 100644 --- a/Makefile.core.mk +++ b/Makefile.core.mk @@ -27,7 +27,7 @@ export IN_BUILD_CONTAINER := $(IN_BUILD_CONTAINER) # ISTIO_IMAGE_VERSION stores the prefix used by default for the Docker images for Istio. # For example, a value of 1.6-alpha will assume a default TAG value of 1.6-dev. -ISTIO_IMAGE_VERSION ?= 1.23-alpha +ISTIO_IMAGE_VERSION ?= 1.24-alpha export ISTIO_IMAGE_VERSION # Determine the SHA for the Istio dependency by parsing the go.mod file. @@ -77,7 +77,7 @@ baseurl := "$(URL)" endif # Which branch of the Istio source code do we fetch stuff from -export SOURCE_BRANCH_NAME ?= release-1.23 +export SOURCE_BRANCH_NAME ?= master site: @scripts/gen_site.sh diff --git a/content/en/about/faq/setup/install-method-selection.md b/content/en/about/faq/setup/install-method-selection.md index e9bf92a3118f5..6926d1fffae8d 100644 --- a/content/en/about/faq/setup/install-method-selection.md +++ b/content/en/about/faq/setup/install-method-selection.md @@ -16,12 +16,11 @@ The following lists some of the pros and cons of each of the available methods: - Thorough configuration validation and health verification. - Uses the `IstioOperator` API which provides extensive configuration/customization options. - - No in-cluster privileged pods needed. Changes are actuated by running the `istioctl` command. Cons: - Multiple binaries must be managed, one per Istio minor version. - - The `istioctl` command can set values like `JWT_POLICY` based on your running environment, + - The `istioctl` command can set values automatically based on your running environment, thereby producing varying installations in different Kubernetes environments. 1. [istioctl manifest generate](/docs/setup/install/istioctl/#generate-a-manifest-before-installation) 
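Review bot: The second Makefile.core.mk hunk sets `export SOURCE_BRANCH_NAME ?= master`, a moving ref, and the one-line comment above it does not say that the value must return to a release branch before these docs are published for a release. The ambient getting-started `snips.sh` hunks further down (cleanup, deploy-sample-app, enforce-auth-policies) now pass `https://raw.githubusercontent.com/istio/istio/master/...` URLs to `kubectl apply -f` and `kubectl delete -f`, presumably derived from this variable. The manifests a reader, or any automation that runs these snippets, applies to a cluster are therefore whatever `master` contains at that moment rather than a fixed, reviewed revision. I would extend the comment to `# Branch of istio/istio that samples and generated snippets are fetched from; master is a moving ref, so set this back to release-X.Y when the docs branch is cut.` Because the assignment is `?=`, a release build can also pin it from the environment without editing the file.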
@@ -31,12 +30,12 @@ The following lists some of the pros and cons of each of the available methods: Pros: - - Resources are generated from the same `IstioOperator` API as used in `istioctl install` and Operator. + - Resources are generated from the same `IstioOperator` API as used in `istioctl install`. - Uses the `IstioOperator` API which provides extensive configuration/customization options. Cons: - - Some checks performed in `istioctl install` and Operator are not done. + - Some checks performed in `istioctl install` are not done. - UX is less streamlined compared to `istioctl install`. - Error reporting is not as robust as `istioctl install` for the apply step. 
@@ -51,28 +50,7 @@ The following lists some of the pros and cons of each of the available methods: Cons: - - Fewer checks and validations compared to `istioctl install` and Operator. + - Fewer checks and validations compared to `istioctl install`. - Some administrative tasks require more steps and have higher complexity. -1. [Istio Operator](/docs/setup/install/operator/) - - {{< warning >}} - Using the operator is not recommended for new installations. While the operator will continue to be supported, - new feature requests will not be prioritized. - {{< /warning >}} - - The Istio operator provides an installation path without needing the `istioctl` binary. - This can be used for simplified upgrade workflows where running an in-cluster privileged controller is not a concern. - This method is suitable where strict auditing or augmentation of output manifests is not needed. - - Pros: - - - Same API as `istioctl install` but actuation is through a controller pod in the cluster with a fully declarative operation. - - Uses the `IstioOperator` API which provides extensive configuration/customization options. - - No need to manage multiple `istioctl` binaries. - - Cons: - - - High privilege controller running in the cluster poses security risks. - Installation instructions for all of these methods are available on the [Istio install page](/docs/setup/install). diff --git a/content/en/boilerplates/helm-preamble.md b/content/en/boilerplates/helm-preamble.md index 6ba0571fa358a..3bcab523391b0 100644 --- a/content/en/boilerplates/helm-preamble.md +++ b/content/en/boilerplates/helm-preamble.md 
@@ -2,6 +2,5 @@ --- The Helm charts for `base` and `istiod` used in this guide are the same as those used when -installing Istio via [Istioctl](/docs/setup/install/istioctl/) or the -[Operator](/docs/setup/install/operator/). -However installations via Istioctl and the Operator use a different [gateway chart]({{< github_tree >}}/manifests/charts/gateways/istio-ingress) to the [chart]({{< github_tree >}}/manifests/charts/gateway) described in this guide +installing Istio via [Istioctl](/docs/setup/install/istioctl/). +However installations via Istioctl use a different [gateway chart]({{< github_tree >}}/manifests/charts/gateways/istio-ingress) to the [chart]({{< github_tree >}}/manifests/charts/gateway) described in this guide diff --git a/content/en/boilerplates/snips/args.sh b/content/en/boilerplates/snips/args.sh index 6dc7daf3604b2..a3d4c51576d4d 100644 --- a/content/en/boilerplates/snips/args.sh +++ b/content/en/boilerplates/snips/args.sh @@ -25,9 +25,9 @@ v1.1.0 ENDSNIP ! IFS=$'\n' read -r -d '' bpsnip_args_istio_previous_version <<\ENDSNIP -1.22 +1.23 ENDSNIP ! IFS=$'\n' read -r -d '' bpsnip_args_istio_full_version <<\ENDSNIP -1.23.0 +1.24.0 ENDSNIP diff --git a/content/en/boilerplates/snips/revision-tags-middle.sh b/content/en/boilerplates/snips/revision-tags-middle.sh index e8273915b3ba8..05a2ea1979b2a 100644 --- a/content/en/boilerplates/snips/revision-tags-middle.sh +++ b/content/en/boilerplates/snips/revision-tags-middle.sh @@ -26,7 +26,7 @@ istioctl tag list ! IFS=$'\n' read -r -d '' bpsnip_revision_tags_middle__1_out <<\ENDSNIP TAG REVISION NAMESPACES -default 1-22-1 ... -prod-canary 1-23-0 ... -prod-stable 1-22-1 ... +default 1-23-1 ... +prod-canary 1-24-0 ... +prod-stable 1-23-1 ... ENDSNIP diff --git a/content/en/docs/ambient/getting-started/cleanup/snips.sh b/content/en/docs/ambient/getting-started/cleanup/snips.sh index 53e79178a40f4..ad3c36c8f7a40 100644 --- a/content/en/docs/ambient/getting-started/cleanup/snips.sh 
+++ b/content/en/docs/ambient/getting-started/cleanup/snips.sh @@ -31,7 +31,7 @@ istioctl waypoint delete --all } snip_remove_the_sample_application_1() { -kubectl delete -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo.yaml -kubectl delete -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo-versions.yaml -kubectl delete -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/sleep/sleep.yaml +kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml +kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo-versions.yaml +kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml } diff --git a/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh b/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh index 1909a40a4602b..70bf908457201 100644 --- a/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh +++ b/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh 
@@ -21,12 +21,12 @@ #################################################################################################### snip_deploy_the_bookinfo_application_1() { -kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo.yaml -kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo-versions.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo-versions.yaml } snip_deploy_bookinfo_gateway() { -kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/gateway-api/bookinfo-gateway.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml } snip_annotate_bookinfo_gateway() { diff --git a/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh b/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh index 92236eac2d482..209d1901141e2 100644 --- a/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh +++ b/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh @@ -41,7 +41,7 @@ EOF } snip_deploy_sleep() { -kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/sleep/sleep.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml } snip_enforce_layer_4_authorization_policy_3() { diff --git a/content/en/docs/ambient/install/helm-installation/snips.sh b/content/en/docs/ambient/install/helm-installation/snips.sh index aa90abeaf8e46..0852f96f4616b 100644 --- a/content/en/docs/ambient/install/helm-installation/snips.sh +++ b/content/en/docs/ambient/install/helm-installation/snips.sh 
@@ -55,10 +55,10 @@ helm ls -n istio-system ! IFS=$'\n' read -r -d '' snip_show_components_out <<\ENDSNIP NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0 -istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.23.0 1.23.0 -istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0 -ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.23.0 1.23.0 +istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0 +istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.24.0 1.24.0 +istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0 +ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.24.0 1.24.0 ENDSNIP snip_check_pods() { @@ -78,10 +78,10 @@ helm ls -n istio-system ! IFS=$'\n' read -r -d '' snip_uninstall_1_out <<\ENDSNIP NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0 -istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.23.0 1.23.0 -istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0 -ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.23.0 1.23.0 +istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0 +istio-cni istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed cni-1.24.0 1.24.0 +istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0 +ztunnel istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed ztunnel-1.24.0 1.24.0 ENDSNIP snip_delete_ingress() { 
diff --git a/content/en/docs/ambient/usage/waypoint/index.md b/content/en/docs/ambient/usage/waypoint/index.md index fea244f1f0977..1a978abc32494 100644 --- a/content/en/docs/ambient/usage/waypoint/index.md +++ b/content/en/docs/ambient/usage/waypoint/index.md @@ -52,6 +52,7 @@ default Active 24h ambient {{< text syntax=bash snip_id=gen_waypoint_resource >}} $ istioctl waypoint generate --for service -n default +apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: labels: @@ -79,6 +80,7 @@ Or, you can deploy the generated Gateway resource: {{< text syntax=bash >}} $ kubectl apply -f - <Whether to install CNI plugin as a chained or standalone ---cni-conf-name <string> -Name of the CNI configuration file (default ``) - - ---cni-event-address <string> -The UDS server address which CNI plugin will forward ambient pod creation events to (default `/var/run/istio-cni/pluginevent.sock`) +--cni-agent-run-dir <string> +Location of the node agent writable path on the node (used for sockets, etc) (default `/var/run/istio-cni`) ---cni-net-dir <string> -Directory on the host where CNI network plugins are installed (default `/etc/cni/net.d`) +--cni-conf-name <string> +Name of the CNI configuration file (default ``) --cni-network-config <string> @@ -60,10 +56,6 @@ CA file for kubeconfig. Defaults to the same as install-cni pod (default ``) ---kubecfg-file-name <string> -Name of the kubeconfig file which CNI plugin will use when interacting with API server (default `ZZZ-istio-cni-kubeconfig`) - - --kubeconfig-mode <int> File mode of the kubeconfig file (default `384`) @@ -72,10 +64,6 @@ Fallback value for log level in CNI config file, if not specified in helm template (default `warn`) ---log-uds-address <string> -The UDS server address which CNI plugin will copy log output to (default `/var/run/istio-cni/log.sock`) - - --log_as_json Whether to format output as JSON or in plain console-friendly format 
@@ -88,22 +76,6 @@ Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) ---log_rotate <string> -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> -The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - --log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) @@ -210,22 +182,6 @@

install-cni completion

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) ---log_rotate <string> -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> -The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - --log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) @@ -240,14 +196,13 @@

install-cni completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(install-cni completion bash)

+
source <(install-cni completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

install-cni completion bash > /etc/bash_completion.d/install-cni

-

#### macOS:

-

install-cni completion bash > $(brew --prefix)/etc/bash_completion.d/install-cni

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
install-cni completion bash > /etc/bash_completion.d/install-cni
+

macOS:

+
install-cni completion bash > /usr/local/etc/bash_completion.d/install-cni
+

You will need to start a new shell for this setup to take effect.

install-cni completion bash
 
@@ -279,22 +234,6 @@

install-cni completion bash

- - - - - - - - - - - - - - - - @@ -311,11 +250,10 @@

install-cni completion bash

install-cni completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

install-cni completion fish | source

+
install-cni completion fish | source

To load completions for every new session, execute once:

-

install-cni completion fish > ~/.config/fish/completions/install-cni.fish

-

You will need to start a new shell for this setup to take effect. -

+
install-cni completion bash > ~/.config/fish/completions/install-cni.fish
+

You will need to start a new shell for this setup to take effect.

install-cni completion fish [flags]
 
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -347,22 +285,6 @@

install-cni completion fish

- - - - - - - - - - - - - - - - @@ -377,12 +299,10 @@

install-cni completion fish

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

install-cni completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

install-cni completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
install-cni completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

install-cni completion powershell [flags]
 
@@ -414,22 +334,6 @@

install-cni completion powershell

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) - - - - - - - - - - - - - - - - @@ -445,18 +349,16 @@

install-cni completion powershell

install-cni completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(install-cni completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

install-cni completion zsh > "${fpath[1]}/_install-cni"

-

#### macOS:

-

install-cni completion zsh > $(brew --prefix)/share/zsh/site-functions/_install-cni

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(install-cni completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
install-cni completion zsh > "${fpath[1]}/_install-cni"
+

macOS:

+
install-cni completion zsh > $(brew --prefix)/share/zsh/site-functions/_install-cni
+

You will need to start a new shell for this setup to take effect.

install-cni completion zsh [flags]
 
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -488,22 +390,6 @@

install-cni completion zsh

- - - - - - - - - - - - - - - - @@ -556,26 +442,6 @@

install-cni version

- - - - - - - - - - - - - - - - - - - - @@ -598,7 +464,7 @@

install-cni version

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

Environment variables

-These environment variables affect the behavior of the install-cni command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the install-cni command. @@ -640,16 +506,16 @@

Environment variables

- + - - + + - + - - + + @@ -664,12 +530,6 @@

Environment variables

- - - - - - @@ -724,22 +584,22 @@

Environment variables

- + - + - + - + - + - + @@ -750,7 +610,7 @@

Environment variables

- + @@ -826,6 +686,12 @@

Environment variables

+ + + + + + @@ -980,12 +846,6 @@

Environment variables

- - - - - - @@ -1016,12 +876,6 @@

Environment variables

- - - - - - @@ -1076,12 +930,6 @@

Environment variables

- - - - - - @@ -1298,12 +1146,6 @@

Environment variables

- - - - - - @@ -1520,6 +1362,12 @@

Environment variables

+ + + + + + @@ -1658,12 +1506,6 @@

Environment variables

- - - - - - diff --git a/content/en/docs/reference/commands/istioctl/index.html b/content/en/docs/reference/commands/istioctl/index.html index b210ebf057858..71b45f2da37d6 100644 --- a/content/en/docs/reference/commands/istioctl/index.html +++ b/content/en/docs/reference/commands/istioctl/index.html @@ -4,7 +4,7 @@ title: istioctl description: Istio control interface. generator: pkg-collateral-docs -number_of_entries: 100 +number_of_entries: 90 max_toc_level: 2 remove_toc_prefix: 'istioctl ' --- @@ -665,14 +665,13 @@

istioctl completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(istioctl completion bash)

+
source <(istioctl completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

istioctl completion bash > /etc/bash_completion.d/istioctl

-

#### macOS:

-

istioctl completion bash > $(brew --prefix)/etc/bash_completion.d/istioctl

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
istioctl completion bash > /etc/bash_completion.d/istioctl
+

macOS:

+
istioctl completion bash > /usr/local/etc/bash_completion.d/istioctl
+

You will need to start a new shell for this setup to take effect.

istioctl completion bash
 
Defines the cluster and service registry that this Istiod instance belongs to
CNI_CONF_NAMECNI_AGENT_RUN_DIR StringName of the CNI configuration file/var/run/istio-cniLocation of the node agent writable path on the node (used for sockets, etc)
CNI_EVENT_ADDRESSCNI_CONF_NAME String/var/run/istio-cni/pluginevent.sockThe UDS server address which CNI plugin will forward ambient pod creation events toName of the CNI configuration file
CNI_NETWORK_CONFIG CNI config template as a file
CNI_NET_DIRString/etc/cni/net.dDirectory on the host where CNI network plugins are installed
COMPLIANCE_POLICY String If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
Envoy proxy username
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXTERNAL_ISTIOD Boolean false If enabled, istiod will skip verifying the certificate of the JWKS server.
KUBECFG_FILE_NAMEStringZZZ-istio-cni-kubeconfigName of the kubeconfig file which CNI plugin will use when interacting with API server
KUBECONFIG_MODE Integer 384 Fallback value for log level in CNI config file, if not specified in helm template
LOG_UDS_ADDRESSString/var/run/istio-cni/log.sockThe UDS server address which CNI plugin will copy log output to
MCS_API_GROUP String multicluster.x-k8s.io
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true pod's namespace
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
REPAIR_BROKEN_POD_LABEL_KEY String cni.istio.io/uninitialized If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTH Boolean true
@@ -719,11 +718,10 @@

istioctl completion bash

istioctl completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

istioctl completion fish | source

+
istioctl completion fish | source

To load completions for every new session, execute once:

-

istioctl completion fish > ~/.config/fish/completions/istioctl.fish

-

You will need to start a new shell for this setup to take effect. -

+
istioctl completion bash > ~/.config/fish/completions/istioctl.fish
+

You will need to start a new shell for this setup to take effect.

istioctl completion fish [flags]
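Review bot: The new "every new session" command in the fish section reads `istioctl completion bash > ~/.config/fish/completions/istioctl.fish`, which writes the bash completion script into fish's completions directory. The removed line used `istioctl completion fish`, and the current-session line just above it still does, so this looks like an unintended substitution rather than a deliberate change. fish is unlikely to parse a bash script, so users who paste this would get errors or no completions in every new shell; the line should remain `istioctl completion fish > ~/.config/fish/completions/istioctl.fish`. If this page is generated from the istio/istio repository, like the operator page deleted later in this commit, the correction belongs in the generator input rather than in this file.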
 
@@ -768,12 +766,10 @@

istioctl completion fish

istioctl completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

istioctl completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
istioctl completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

istioctl completion powershell [flags]
 
@@ -819,18 +815,16 @@

istioctl completion powershell

istioctl completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(istioctl completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

istioctl completion zsh > "${fpath[1]}/_istioctl"

-

#### macOS:

-

istioctl completion zsh > $(brew --prefix)/share/zsh/site-functions/_istioctl

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(istioctl completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
istioctl completion zsh > "${fpath[1]}/_istioctl"
+

macOS:

+
istioctl completion zsh > $(brew --prefix)/share/zsh/site-functions/_istioctl
+

You will need to start a new shell for this setup to take effect.

istioctl completion zsh [flags]
 
@@ -926,7 +920,7 @@

istioctl create-remote-secret

+(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -3221,7 +3215,7 @@

istioctl install

@@ -3244,7 +3238,7 @@

istioctl install

+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) @@ -3388,730 +3382,52 @@

istioctl kube-inject

- - - - - - - - - - - - - - - - - - - - - -
--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``)
--name <string> --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``)
-s Override an IstioOperator value, e.g. to choose a profile (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--webhookConfig <string>MutatingWebhookConfiguration name for Istio (default `istio-sidecar-injector`)
--xds-address <string>XDS Endpoint (default ``)
--xds-label <string>Istiod pod label selector (default ``)
--xds-port <int>Istiod pod port (default `15012`)
-

Examples

-
  # Update resources on the fly before applying.
-  kubectl apply -f <(istioctl kube-inject -f <resource.yaml>)
-
-  # Create a persistent version of the deployment with Istio sidecar injected.
-  istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml
-
-  # Update an existing deployment.
-  kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
-
-  # Capture cluster configuration for later use with kube-inject
-  kubectl -n istio-system get cm istio-sidecar-injector  -o jsonpath="{.data.config}" > /tmp/inj-template.tmpl
-  kubectl -n istio-system get cm istio -o jsonpath="{.data.mesh}" > /tmp/mesh.yaml
-  kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath="{.data.values}" > /tmp/values.json
-
-  # Use kube-inject based on captured configuration
-  istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
-    --injectConfigFile /tmp/inj-template.tmpl \
-    --meshConfigFile /tmp/mesh.yaml \
-    --valuesFile /tmp/values.json
-
-
-

istioctl manifest

-

The manifest command generates and diffs Istio manifests.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest diff

-

The diff subcommand compares manifests from two files or directories. The output is a list of -changed paths with the value changes shown as OLD-VALUE -> NEW-VALUE. -List order changes are shown as [OLD-INDEX->NEW-INDEX], with ? used where a list item is added or -removed.

-
istioctl manifest diff <file|dir> <file|dir> [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--directory-rCompare directory.
--dry-runConsole/log output only, make no changes.
--ignore <string>Ignore all listed items during comparison, using the same list format as selectResources. (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--rename <string>Rename resources before comparison. -The format of each renaming pair is A->B, all renaming pairs are comma separated. -e.g. Service:*:istiod->Service:*:istio-control - rename istiod service into istio-control (default ``)
--select <string>Constrain the list of resources to compare to only the ones in this list, ignoring all others. -The format of each list item is "::" and the items are comma separated. The "*" character represents wildcard selection. -e.g. - Deployment:istio-system:* - compare all deployments in istio-system namespace - Service:*:istiod - compare Services called "istiod" in all namespaces (default `::`)
--verbose-vVerbose output.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest generate

-

The generate subcommand generates an Istio install manifest and outputs to the console by default.

-
istioctl manifest generate [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--cluster-specificIf enabled, the current cluster will be checked for cluster-specific setting detection.
--component <stringSlice>Specify which component to generate manifests for. (default `[]`)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource -This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--output <string>-oManifest output directory path. (default ``)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile -(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Generate a default Istio installation
-  istioctl manifest generate
-
-  # Enable Tracing
-  istioctl manifest generate --set meshConfig.enableTracing=true
-
-  # Generate the demo profile
-  istioctl manifest generate --set profile=demo
-
-  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
-  istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
-
-
-

istioctl manifest install

-

The install command generates an Istio install manifest and applies it to a cluster.

-
istioctl manifest install [flags]
-
-
-
istioctl manifest apply [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource -This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--readiness-timeout <duration>Maximum time to wait for Istio resources in each component to be ready. (default `5m0s`)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile -(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. -If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verifyVerify the Istio control plane after installation/in-place upgrade
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Apply a default Istio installation
-  istioctl install
-
-  # Enable Tracing
-  istioctl install --set meshConfig.enableTracing=true
-
-  # Generate the demo profile and don't wait for confirmation
-  istioctl install --set profile=demo --skip-confirmation
-
-  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
-  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
-
-
-

istioctl operator

-

The operator command installs, dumps, removes and shows the status of the operator controller.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl operator dump

-

The dump subcommand dumps the Istio operator controller manifest.

-
istioctl operator dump [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--hub <string>The hub for the operator controller image. (default `unknown`)
--imagePullSecrets <stringSlice>The imagePullSecrets are used to pull the operator image from the private registry, -could be secret list separated by comma, eg. '--imagePullSecrets imagePullSecret1,imagePullSecret2' (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--output <string>-oOutput format: one of json|yaml (default `yaml`)
--revision <string>-rTarget revision for the operator. (default ``)
--tag <string>The tag for the operator controller image. (default `unknown`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--watchedNamespaces <string>The namespaces the operator controller watches, could be namespace list separated by comma, eg. 'ns1,ns2' (default `istio-system`)
-

istioctl operator init

-

The init subcommand installs the Istio operator controller in the cluster.

-
istioctl operator init [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--filename <string>-fPath to file containing IstioOperator custom resource -This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)
--hub <string>The hub for the operator controller image. (default `unknown`)
--imagePullSecrets <stringSlice>The imagePullSecrets are used to pull the operator image from the private registry, -could be secret list separated by comma, eg. '--imagePullSecrets imagePullSecret1,imagePullSecret2' (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--revision <string>-rTarget revision for the operator. (default ``)
--tag <string>The tag for the operator controller image. (default `unknown`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--watchedNamespaces <string>The namespaces the operator controller watches, could be namespace list separated by comma, eg. 'ns1,ns2' (default `istio-system`)
-

istioctl operator remove

-

The remove subcommand removes the Istio operator controller from the cluster.

-
istioctl operator remove [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--purgeRemove all versions of Istio operator.
--revision <string>-rTarget revision for the operator. (default ``)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. -If set to true, the user is not prompted and a Yes response is assumed in all cases.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl options

-

Displays istioctl global options

- - - - - - - - - - - - - - - - - - + + + + - - - + + + - - - + + + - + - +
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--webhookConfig <string>MutatingWebhookConfiguration name for Istio (default `istio-sidecar-injector`)
--kubeconfig <string>-cKubernetes configuration file (default ``)--xds-address <string>XDS Endpoint (default ``)
--namespace <string>-nKubernetes namespace (default ``)--xds-label <string>Istiod pod label selector (default ``)
--vklog <Level>--xds-port <int> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)Istiod pod port (default `15012`)
-

istioctl profile

-

The profile command lists, dumps or diffs Istio configuration profiles.

+

Examples

+
  # Update resources on the fly before applying.
+  kubectl apply -f <(istioctl kube-inject -f <resource.yaml>)
+
+  # Create a persistent version of the deployment with Istio sidecar injected.
+  istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml
+
+  # Update an existing deployment.
+  kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
+
+  # Capture cluster configuration for later use with kube-inject
+  kubectl -n istio-system get cm istio-sidecar-injector  -o jsonpath="{.data.config}" > /tmp/inj-template.tmpl
+  kubectl -n istio-system get cm istio -o jsonpath="{.data.mesh}" > /tmp/mesh.yaml
+  kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath="{.data.values}" > /tmp/values.json
+
+  # Use kube-inject based on captured configuration
+  istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
+    --injectConfigFile /tmp/inj-template.tmpl \
+    --meshConfigFile /tmp/mesh.yaml \
+    --valuesFile /tmp/values.json
+
+
+

istioctl manifest

+

The manifest command generates and diffs Istio manifests.
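Review bot: The kube-inject example re-added on the new side (text unchanged from the removed side) still captures the injector template, mesh config and values into fixed file names under `/tmp` and then passes them to `istioctl kube-inject`. Those three files determine what is injected into the workload, and predictable names in a shared temporary directory can be pre-created or swapped by another local user on a multi-user host. A private directory avoids that: `workdir=$(mktemp -d)`, then `"$workdir/inj-template.tmpl"`, `"$workdir/mesh.yaml"` and `"$workdir/values.json"` in both the capture lines and the `--injectConfigFile`, `--meshConfigFile` and `--valuesFile` arguments. The example presumably originates in the istioctl command source, so the change would be made there and regenerated.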

@@ -4153,13 +3469,9 @@

istioctl profile

-

Examples

-
istioctl profile list
-istioctl install --set profile=demo  # Use a profile from the list
-
-

istioctl profile diff

-

The diff subcommand displays the differences between two Istio configuration profiles.

-
istioctl profile diff <profile|file1.yaml> <profile|file2.yaml> [flags]
+

istioctl manifest generate

+

The generate subcommand generates an Istio install manifest and outputs to the console by default.

+
istioctl manifest generate [flags]
 
@@ -4176,6 +3488,16 @@

istioctl profile diff

+ + + + + + + + + + @@ -4186,6 +3508,17 @@

istioctl profile diff

+ + + + + + + + + + @@ -4199,7 +3532,7 @@

istioctl profile diff

@@ -4208,23 +3541,50 @@

istioctl profile diff

+ + + + + + + + + + + + + + +
Deprecated, use --manifests instead. (default ``)
--cluster-specificIf enabled, the current cluster will be checked for cluster-specific setting detection.
--component <stringSlice>Specify which component to generate manifests for. (default `[]`)
--context <string> Kubernetes configuration context (default ``) Console/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``)
Kubernetes namespace (default ``)
--output <string>-oManifest output directory path. (default ``)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Profile diff by providing yaml files
-  istioctl profile diff manifests/profiles/default.yaml manifests/profiles/demo.yaml
+

Examples

+
  # Generate a default Istio installation
+  istioctl manifest generate
+
+  # Enable Tracing
+  istioctl manifest generate --set meshConfig.enableTracing=true
+
+  # Generate the demo profile
+  istioctl manifest generate --set profile=demo
+
+  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
+  istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
 
-  # Profile diff by providing a profile name
-  istioctl profile diff default demo
 
-

istioctl profile dump

-

The dump subcommand dumps the values in an Istio configuration profile.

-
istioctl profile dump [<profile>] [flags]
+

istioctl manifest install

+

The install command generates an Istio install manifest and applies it to a cluster.

+
istioctl manifest install [flags]
 
+
+
istioctl manifest apply [flags]
+
@@ -4240,11 +3600,6 @@

istioctl profile dump

- - - - - @@ -4261,6 +3616,11 @@

istioctl profile dump

This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`) + + + + + @@ -4274,7 +3634,7 @@

istioctl profile dump

@@ -4283,9 +3643,32 @@

istioctl profile dump

- - - + + + + + + + + + + + + + + + + + + + + + + + @@ -4294,10 +3677,22 @@

istioctl profile dump

Deprecated, use --manifests instead. (default ``)
--config-path <string>-pThe path the root of the configuration subtree to dump e.g. components.pilot. By default, dump whole tree (default ``)
--context <string> Kubernetes configuration context (default ``)
--forceProceed even with validation errors.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``)
Kubernetes namespace (default ``)
--output <string>-oOutput format: one of json|yaml|flags (default `yaml`)--readiness-timeout <duration>Maximum time to wait for Istio resources in each component to be ready. (default `5m0s`)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verifyVerify the Istio control plane after installation/in-place upgrade
--vklog <Level>
-

istioctl profile list

-

The list subcommand lists the available Istio configuration profiles.

-
istioctl profile list [flags]
+

Examples

+
  # Apply a default Istio installation
+  istioctl install
+
+  # Enable Tracing
+  istioctl install --set meshConfig.enableTracing=true
+
+  # Generate the demo profile and don't wait for confirmation
+  istioctl install --set profile=demo --skip-confirmation
+
+  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
+  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
+
 
+

istioctl options

+

Displays istioctl global options

@@ -4308,21 +3703,11 @@

istioctl profile list

- - - - - - - - - - @@ -4333,13 +3718,6 @@

istioctl profile list

- - - - - @@ -5486,7 +4864,7 @@

istioctl tag generate

+(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -5575,7 +4953,7 @@

istioctl tag list

- + @@ -5585,7 +4963,7 @@

istioctl tag list

--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string> Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string> -n Kubernetes namespace (default ``) --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``)
--namespace <string>
--output <string> -oOutput format for tag description (available formats: table,json) (default `table`)Output format for tag description (available formats: table,json,yaml) (default `table`)
--vklog <Level>

Examples

-
istioctl tag list
+
  istioctl tag list
 

istioctl tag remove

Remove Istio control plane revision tag.

@@ -5683,7 +5061,7 @@

istioctl tag set

--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``) +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) --namespace <string> @@ -5784,7 +5162,7 @@

istioctl uninstall

--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -5807,7 +5185,7 @@

istioctl uninstall

-s Override an IstioOperator value, e.g. to choose a profile (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) --skip-confirmation @@ -5890,7 +5268,7 @@

istioctl upgrade

--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -5913,7 +5291,7 @@

istioctl upgrade

-s Override an IstioOperator value, e.g. to choose a profile (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) --skip-confirmation @@ -6001,84 +5379,6 @@

Examples

istioctl analyze samples/bookinfo/networking/bookinfo-gateway.yaml
-

istioctl verify-install

-

-verify-install verifies Istio installation status against the installation file -you specified when you installed Istio. It loops through all the installation -resources defined in your installation file and reports whether all of them are -in ready status. It will report failure when any of them are not ready.

-

If you do not specify an installation it will check for an IstioOperator resource -and will verify if pods and services defined in it are present.

-

Note: For verifying whether your cluster is ready for Istio installation, see -istioctl experimental precheck. -

-
istioctl verify-install [-f <deployment or istio operator file>] [--revision <revision>] [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--filename <stringSlice>-fIstio YAML installation file. (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--revision <string>-rControl plane revision (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Verify that Istio is installed correctly via Istio Operator
-  istioctl verify-install
-
-  # Verify the deployment matches a custom Istio deployment configuration
-  istioctl verify-install -f $HOME/istio.yaml
-
-  # Verify the deployment matches the Istio Operator deployment definition
-  istioctl verify-install --revision <canary>
-
-  # Verify the installation of specific revision
-  istioctl verify-install -r 1-9-0
-

istioctl version

Prints out build version information

istioctl version [flags]
@@ -7029,7 +6329,7 @@ 

Examples

Environment variables

-These environment variables affect the behavior of the istioctl command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the istioctl command. @@ -7113,22 +6413,22 @@

Environment variables

- + - + - + - + - + - + @@ -7139,7 +6439,7 @@

Environment variables

- + @@ -7215,6 +6515,12 @@

Environment variables

+ + + + + + @@ -7495,12 +6801,6 @@

Environment variables

- - - - - - @@ -7717,12 +7017,6 @@

Environment variables

- - - - - - @@ -7933,6 +7227,12 @@

Environment variables

+ + + + + + @@ -8005,12 +7305,6 @@

Environment variables

- - - - - - @@ -8035,20 +7329,11 @@

Exported metrics

- - - - - - - - - @@ -8093,13 +7378,7 @@

Exported metrics

- - - - - - @@ -8108,7 +7387,6 @@

Exported metrics

- diff --git a/content/en/docs/reference/commands/operator/index.html b/content/en/docs/reference/commands/operator/index.html deleted file mode 100644 index 55bb211d1d28c..0000000000000 --- a/content/en/docs/reference/commands/operator/index.html +++ /dev/null @@ -1,1347 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO -source_repo: https://github.com/istio/istio -title: operator -description: The Istio operator. -generator: pkg-collateral-docs -number_of_entries: 9 -max_toc_level: 2 -remove_toc_prefix: 'operator ' ---- -

The Istio operator.

-
If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXTERNAL_ISTIOD Boolean false If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true Platform where Istio is deployed. Possible values are "openshift" and "gcp"
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
REQUIRE_3P_TOKEN Boolean false If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTH Boolean true
auto_registration_success_totalSumTotal number of successful auto registrations.
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
cache_flush_totalSumnumber of times operator cache was flushed
controller_sync_errors_totalSumTotal number of errorMetric syncing controllers.
cr_deletion_totalSumNumber of IstioOperator CR deleted
cr_merge_failure_totalSumNumber of IstioOperator CR merge failures
cr_validation_error_totalSumNumber of IstioOperator CR validation failures
endpoint_no_podLastValueEndpoints without an associated pod.
get_cr_error_totalSumNumber of times fetching CR from apiserver failed
istio_buildLastValueIstio component build info
istiod_managed_clustersLastValueNumber of clusters managed by istiod
legacy_path_translation_totalSumNumber of times a legacy API path is translated
manifest_patch_error_totalSumNumber of times K8S patch overlays failed
manifest_render_error_totalSumNumber of times error occurred during rendering output manifest
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
owned_resource_totalLastValueNumber of resources currently owned by the operator
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_debounce_timeDistributionDelay in seconds between the first config enters debouncing and the merged push request is pushed into the push queue.
pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
provider_lookup_cluster_failuresSumNumber of times a cluster lookup failed
reconcile_request_totalSumNumber of times requesting Reconcile
remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.
render_manifest_totalSumNumber of component manifests rendered
resource_creation_totalSumNumber of resources created by the operator
resource_deletion_totalSumNumber of resources deleted by the operator
resource_prune_totalSumNumber of resources pruned by the operator
resource_update_totalSumNumber of resources updated by the operator
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests.
sidecar_injection_success_totalSumTotal number of successful sidecar injection requests.
sidecar_injection_time_secondsDistributionTotal time taken for injection in seconds.
startup_duration_secondsLastValueThe time from the process starting to being marked ready.
versionLastValueVersion of operator binary
wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries.
wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups.
wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint.
- - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion

-

Generate the autocompletion script for operator for the specified shell. -See each sub-command's help for details on how to use the generated script. -

- - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion bash

-

Generate the autocompletion script for the bash shell.

-

This script depends on the 'bash-completion' package. -If it is not installed already, you can install it via your OS's package manager.

-

To load completions in your current shell session:

-

source <(operator completion bash)

-

To load completions for every new session, execute once:

-

#### Linux:

-

operator completion bash > /etc/bash_completion.d/operator

-

#### macOS:

-

operator completion bash > $(brew --prefix)/etc/bash_completion.d/operator

-

You will need to start a new shell for this setup to take effect. -

-
operator completion bash
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion fish

-

Generate the autocompletion script for the fish shell.

-

To load completions in your current shell session:

-

operator completion fish | source

-

To load completions for every new session, execute once:

-

operator completion fish > ~/.config/fish/completions/operator.fish

-

You will need to start a new shell for this setup to take effect. -

-
operator completion fish [flags]
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion powershell

-

Generate the autocompletion script for powershell.

-

To load completions in your current shell session:

-

operator completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

-
operator completion powershell [flags]
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion zsh

-

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(operator completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

operator completion zsh > "${fpath[1]}/_operator"

-

#### macOS:

-

operator completion zsh > $(brew --prefix)/share/zsh/site-functions/_operator

-

You will need to start a new shell for this setup to take effect. -

-
operator completion zsh [flags]
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator server

-

Starts the Istio operator server

-
operator server [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--forceProceed even with validation errors.
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpc, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpc, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpc, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--max-concurrent-reconciles <int>Defines the concurrency limit for operator to reconcile IstioOperatorSpec in parallel. Default value is 1. (default `1`)
--monitoring-host <string>HTTP host to use for operator's self-monitoring information (default `0.0.0.0`)
--monitoring-port <uint32>HTTP port to use for operator's self-monitoring information (default `8383`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator version

-

Prints out build version information

-
operator version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Environment variables

-These environment variables affect the behavior of the operator command. Please use with caution as these environment variables are experimental and can change anytime. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - -
Variable NameTypeDefault ValueDescription
CA_TRUSTED_NODE_ACCOUNTSStringIf set, the list of service accounts that are allowed to use node authentication for CSRs. Node authentication allows an identity to create CSRs on behalf of other identities, but only if there is a pod running on the same node with that identity. This is intended for use with node proxies.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CLOUD_PLATFORMStringCloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance belongs to
COMPLIANCE_POLICYStringIf set, applies policy-specific restrictions over all existing TLS -settings, including in-mesh mTLS and external TLS. Valid values are: - -* '' or unset places no additional restrictions. -* 'fips-140-2' which enforces a version of the TLS protocol and a subset -of cipher suites overriding any user preferences or defaults for all runtime -components, including Envoy, gRPC Go SDK, and gRPC C++ SDK. - -WARNING: Setting compliance policy in the control plane is a necessary but -not a sufficient requirement to achieve compliance. There are additional -steps necessary to claim compliance, including using the validated -cryptograhic modules (please consult -https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2).
ENABLE_100_CONTINUE_HEADERSBooleantrueIf enabled, istiod will proxy 100-continue headers as is
ENABLE_AUTO_SNIBooleantrueIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_DEFERRED_CLUSTER_CREATIONBooleantrueIf enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXBooleantrueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_ENHANCED_RESOURCE_SCOPINGBooleantrueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_EXTERNAL_NAME_ALIASBooleantrueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.
ENABLE_HCM_INTERNAL_NETWORKSBooleanfalseIf enable, endpoints defined in mesh networks will be configured as internal addresses in Http Connection Manager
ENABLE_INBOUND_RETRY_POLICYBooleanfalseIf true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
ENABLE_LEADER_ELECTIONBooleantrueIf enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_NATIVE_SIDECARSBooleanfalseIf set, used Kubernetes native Sidecar container support. Requires SidecarContainer feature flag.
ENABLE_PROBE_KEEPALIVE_CONNECTIONSBooleanfalseIf enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's.
ENABLE_RESOLUTION_NONE_TARGET_PORTBooleantrueIf enabled, targetPort will be supported for resolution=NONE ServiceEntry
ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICYBooleantrueIf disabled, Gateway API gateways will ignore workloadSelector policies, onlyapplying policies that select the gateway with a targetRef.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENABLE_VTPROTOBUFBooleantrueIf true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
GCP_METADATAStringPipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
GCP_QUOTA_PROJECTStringAllows specification of a quota project to be used in requests to GCP APIs.
GRPC_KEEPALIVE_INTERVALTime Duration30sgRPC Keepalive Interval
GRPC_KEEPALIVE_TIMEOUTTime Duration10sgRPC Keepalive Timeout
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLEDBooleantrue
INBOUND_INTERCEPTION_MODEStringThe mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"
INBOUND_TPROXY_MARKString
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_BOOTSTRAPString
ISTIO_DELTA_XDSBooleantrueIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
ISTIO_DUAL_STACKBooleanfalseIf true, Istio will enable the Dual Stack feature.
ISTIO_ENABLE_CONTROLLER_QUEUE_METRICSBooleanfalseIf enabled, publishes metrics for queue depth, latency and processing times.
ISTIO_ENABLE_HTTP2_PROBINGBooleantrueIf enabled, HTTP2 probes will be enabled for HTTPS probes, following Kubernetes
ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERSBooleanfalseIf true, pilot will configure an additional IPv4 listener for outbound traffic in IPv6 only clusters, e.g. AWS EKS IPv6 only clusters.
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_KUBE_CLIENT_CONTENT_TYPEStringprotobufThe content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
ISTIO_OUTBOUND_IPV4_LOOPBACK_CIDRString127.0.0.1/32IPv4 CIDR range used to identify outbound traffic on loopback interface intended for application container
ISTIO_OUTBOUND_OWNER_GROUPSString*Comma separated list of groups whose outgoing traffic is to be redirected to Envoy. -A group can be specified either by name or by a numeric GID. -The wildcard character "*" can be used to configure redirection of traffic from all groups.
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDEStringComma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy. -A group can be specified either by name or by a numeric GID. -Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy.
ISTIO_PROMETHEUS_ANNOTATIONSString
ISTIO_WATCH_NAMESPACEStringIf set, limit Kubernetes watches to a single namespace. Warning: only a single namespace can be set.
ISTIO_WORKLOAD_ENTRY_VALIDATE_IDENTITYBooleantrueIf enabled, will validate the identity of a workload matches the identity of the WorkloadEntry it is associating with for health checks and auto registration. This flag is added for backwards compatibility only and will be removed in future releases
JWKS_RESOLVER_INSECURE_SKIP_VERIFYBooleanfalseIf enabled, istiod will skip verifying the certificate of the JWKS server.
K_REVISIONStringKNative revision, set if running in knative
LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIESBooleanfalseIf enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populatedin the cluster metadata for those endpoints.
LOCAL_CLUSTER_SECRET_WATCHERBooleanfalseIf enabled, the cluster secret watcher will watch the namespace of the external cluster instead of config cluster
MCS_API_GROUPStringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
MCS_API_VERSIONStringv1alpha1The version to be used for the Kubernetes Multi-Cluster Services (MCS) API.
METRICS_LOCALHOST_ACCESS_ONLYBooleanfalseThis will disable metrics endpoint from outside of the pod, allowing only localhost access.
METRIC_GRACEFUL_DELETION_INTERVALTime Duration5m0sMetric expiry graceful deletion interval. No-op if METRIC_ROTATION_INTERVAL is disabled.
METRIC_ROTATION_INTERVALTime Duration0sMetric scope rotation interval, set to 0 to disable the metric scope rotation
MUTEX_PROFILE_FRACTIONInteger1000If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGEBooleanfalseIf set, it allows creating inbound listeners for service ports and sidecar ingress listeners
PILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_AUTO_ALLOW_WAYPOINT_POLICYBooleanfalseIf enabled, zTunnel will receive synthetic authorization policies for each workload ALLOW the Waypoint's identity. Unless other ALLOW policies are created, this effectively denies traffic that doesn't go through the waypoint.
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate. K8S RA will be used for k8s.io/NAME. 'istiod' value will sign using Istio build in CA. Other values will not not generate TLS certs, but still distribute ./etc/certs/root-cert.pem. Only used if custom certificates are not mounted.
PILOT_CONVERT_SIDECAR_SCOPE_CONCURRENCYInteger1Used to adjust the concurrency of SidecarScope conversions. When istiod is deployed on a multi-core CPU server, increasing this value will help to use the CPU to accelerate configuration push, but it also means that istiod will consume more CPU resources.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DISABLE_MX_ALPNBooleanfalseIf true, pilot will not put istio-peer-exchange ALPN into TLS handshake configuration.
PILOT_DRAINING_LABELStringistio.io/drainingIf not empty, endpoints with the label value present will be sent with status DRAINING.
PILOT_ENABLE_ALPHA_GATEWAY_APIBooleanfalseIf this is set to true, support for alpha APIs in the Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_ALPN_FILTERBooleantrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_ENABLE_AMBIENTBooleanfalseIf enabled, ambient mode can be used. Individual flags configure fine grained enablement; this must be enabled for any ambient functionality.
PILOT_ENABLE_AMBIENT_WAYPOINTSBooleanfalseIf enabled, controllers required for ambient will run. This is required to run ambient mesh.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLERBooleantrueIf this is set to true, istiod will create and manage its default GatewayClasses
PILOT_ENABLE_GATEWAY_API_STATUSBooleantrueIf this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_IP_AUTOALLOCATEBooleanfalseIf enabled, pilot will start a controller that assigns IP addresses to ServiceEntry which do not have a user-supplied IP. This, when combined with DNS capture allows for tcp routing of traffic sent to the ServiceEntry.
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIESBooleantrueIf enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_NODE_UNTAINT_CONTROLLERSBooleanfalseIf enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.
PILOT_ENABLE_PERSISTENT_SESSION_FILTERBooleanfalseIf enabled, Istiod sets up persistent session filter for listeners, if services have 'PILOT_PERSISTENT_SESSION_LABEL' set.
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SENDING_HBONEBooleanfalseIf enabled, HBONE will be allowed when sending to destinations.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_SIDECAR_LISTENING_HBONEBooleanfalseIf enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalseIf enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_GATEWAY_API_CONTROLLER_NAMEStringistio.io/gateway-controllerGateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAMEStringistioName of the default GatewayClass
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_JWT_ENABLE_REMOTE_JWKSStringfalseMode of fetching JWKs from JwksUri in RequestAuthentication. Supported value: istiod, false, hybrid, true, envoy. The client fetching JWKs is as following: istiod/false - Istiod; hybrid/true - Envoy and fallback to Istiod if JWKs server is external; envoy - Envoy.
PILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_MAX_REQUESTS_PER_SECONDFloating-Point0Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently. If set to 0 or unset, the max will be automatically determined based on the machine size
PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_APIBooleantrueIf true, Pilot will discover labeled Kubernetes gateway objects as multi-network gateways.
PILOT_PERSISTENT_SESSION_HEADER_LABELStringistio.io/persistent-session-headerIf not empty, services with this label will use header based persistent sessions
PILOT_PERSISTENT_SESSION_LABELStringistio.io/persistent-sessionIf not empty, services with this label will use cookie based persistent sessions
PILOT_PREFER_SENDING_HBONEBooleanfalseIf enabled, HBONE will be preferred when sending to destinations.
PILOT_PUSH_THROTTLEInteger0Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes. If set to 0 or unset, the max will be automatically determined based on the machine size
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SEND_UNHEALTHY_ENDPOINTSBooleanfalseIf enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing. To avoid, sending traffic to non ready endpoints, enabling this flag, disables panic threshold in Envoy i.e. Envoy does not load balance requests to unhealthy/non-ready hosts even if the percentage of healthy hosts fall below minimum health percentage(panic threshold).
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPSInteger100If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_INDEX_CLEAR_INTERVALTime Duration5sThe interval for xds cache index clearing.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PLATFORMStringPlatform where Istio is deployed. Possible values are "openshift" and "gcp"
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATIONBooleanfalseIf enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior.
SHARED_MESH_CONFIGStringAdditional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
TERMStringSpecifies terminal type. Use 'dumb' to suppress color output
TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
TRUSTED_GATEWAY_CIDRStringIf set, any connections from gateway to Istiod with this CIDR range are treated as trusted for using authentication mechanisms like XFCC. This can only be used when the network where Istiod and the authenticating gateways are running in a trusted/secure network
UNSAFE_ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
UNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
USE_CACERTS_FOR_SELF_SIGNED_CABooleanfalseIf enabled, istiod will use a secret named cacerts to store its self-signed istio-generated root certificate.
VALIDATION_WEBHOOK_CONFIG_NAMEStringistio-istio-systemIf not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
XDS_AUTH_PLAINTEXTBooleanfalseauthenticate plain text requests - used if Istiod is running on a secure/trusted network
-

Exported metrics

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
auto_registration_deletes_totalSumTotal number of auto registration cleaned up by periodic timer.
auto_registration_errors_totalSumTotal number of auto registration errors.
auto_registration_success_totalSumTotal number of successful auto registrations.
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
cache_flush_totalSumnumber of times operator cache was flushed
controller_sync_errors_totalSumTotal number of errorMetric syncing controllers.
cr_deletion_totalSumNumber of IstioOperator CR deleted
cr_merge_failure_totalSumNumber of IstioOperator CR merge failures
cr_validation_error_totalSumNumber of IstioOperator CR validation failures
endpoint_no_podLastValueEndpoints without an associated pod.
get_cr_error_totalSumNumber of times fetching CR from apiserver failed
istio_buildLastValueIstio component build info
istiod_managed_clustersLastValueNumber of clusters managed by istiod
legacy_path_translation_totalSumNumber of times a legacy API path is translated
manifest_patch_error_totalSumNumber of times K8S patch overlays failed
manifest_render_error_totalSumNumber of times error occurred during rendering output manifest
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
owned_resource_totalLastValueNumber of resources currently owned by the operator
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_debounce_timeDistributionDelay in seconds between the first config enters debouncing and the merged push request is pushed into the push queue.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_dns_cluster_without_endpointsLastValueDNS clusters without endpoints caused by the endpoint field in STRICT_DNS type cluster is not set or the corresponding subset cannot select any endpoint
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_envoy_filter_statusLastValueStatus of Envoy filters whether it was applied or errored.
pilot_inbound_updatesSumTotal number of updates received by pilot.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_k8s_cfg_eventsSumEvents from k8s config.
pilot_k8s_endpoints_pending_podLastValueNumber of endpoints that do not currently have any corresponding pods.
pilot_k8s_endpoints_with_no_podsSumEndpoints that does not have any corresponding pods.
pilot_k8s_reg_eventsSumEvents from k8s registry.
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued.
pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push.
pilot_pushcontext_init_secondsDistributionTotal time in seconds Pilot takes to init pushContext.
pilot_sds_certificate_errors_totalSumTotal number of failures to fetch SDS key and certificate.
pilot_servicesLastValueTotal services known to pilot.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot.
pilot_total_xds_rejectsSumTotal number of XDS responses from pilot rejected by proxy.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
pilot_worker_queue_depthLastValueDepth of the controller queues
pilot_worker_queue_durationDistributionTime taken to process an item
pilot_worker_queue_latencyDistributionLatency before the item is processed
pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS.
pilot_xds_cds_rejectLastValuePilot rejected CDS configs.
pilot_xds_config_size_bytesDistributionDistribution of configuration sizes pushed to clients
pilot_xds_eds_rejectLastValuePilot rejected EDS.
pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce.
pilot_xds_lds_rejectLastValuePilot rejected LDS.
pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context.
pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds.
pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds.
pilot_xds_rds_rejectLastValuePilot rejected RDS.
pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
provider_lookup_cluster_failuresSumNumber of times a cluster lookup failed
reconcile_request_totalSumNumber of times requesting Reconcile
remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.
render_manifest_totalSumNumber of component manifests rendered
resource_creation_totalSumNumber of resources created by the operator
resource_deletion_totalSumNumber of resources deleted by the operator
resource_prune_totalSumNumber of resources pruned by the operator
resource_update_totalSumNumber of resources updated by the operator
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests.
sidecar_injection_requests_totalSumTotal number of sidecar injection requests.
sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests.
sidecar_injection_success_totalSumTotal number of successful sidecar injection requests.
sidecar_injection_time_secondsDistributionTotal time taken for injection in seconds.
startup_duration_secondsLastValueThe time from the process starting to being marked ready.
versionLastValueVersion of operator binary
wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries.
wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups.
wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint.
wasm_config_conversion_durationDistributionTotal time in milliseconds istio-agent spends on converting remote load in Wasm config.
wasm_remote_fetch_countSumnumber of Wasm remote fetches and results, including success, download failure, and checksum mismatch.
webhook_patch_attempts_totalSumWebhook patching attempts
webhook_patch_failures_totalSumWebhook patching total failures
webhook_patch_retries_totalSumWebhook patching retries
xds_cache_dependent_config_sizeLastValueCurrent size of dependent configs
xds_cache_evictionsSumTotal number of xds cache evictions.
xds_cache_readsSumTotal number of xds cache xdsCacheReads.
xds_cache_sizeLastValueCurrent size of xds cache
diff --git a/content/en/docs/reference/commands/pilot-agent/index.html b/content/en/docs/reference/commands/pilot-agent/index.html index a27b945889ef4..9f3952afaf6b0 100644 --- a/content/en/docs/reference/commands/pilot-agent/index.html +++ b/content/en/docs/reference/commands/pilot-agent/index.html @@ -30,22 +30,6 @@ Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) ---log_rotate <string> -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> -The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - --log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) @@ -84,22 +68,6 @@

pilot-agent completion

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) ---log_rotate <string> -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> -The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - --log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) @@ -118,14 +86,13 @@

pilot-agent completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(pilot-agent completion bash)

+
source <(pilot-agent completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-agent completion bash > /etc/bash_completion.d/pilot-agent

-

#### macOS:

-

pilot-agent completion bash > $(brew --prefix)/etc/bash_completion.d/pilot-agent

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
pilot-agent completion bash > /etc/bash_completion.d/pilot-agent
+

macOS:

+
pilot-agent completion bash > /usr/local/etc/bash_completion.d/pilot-agent
+

You will need to start a new shell for this setup to take effect.

pilot-agent completion bash
 
@@ -149,22 +116,6 @@

pilot-agent completion bash

- - - - - - - - - - - - - - - - @@ -185,11 +136,10 @@

pilot-agent completion bash

pilot-agent completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

pilot-agent completion fish | source

+
pilot-agent completion fish | source

To load completions for every new session, execute once:

-

pilot-agent completion fish > ~/.config/fish/completions/pilot-agent.fish

-

You will need to start a new shell for this setup to take effect. -

+
pilot-agent completion bash > ~/.config/fish/completions/pilot-agent.fish
+

You will need to start a new shell for this setup to take effect.

pilot-agent completion fish [flags]
 
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -213,22 +163,6 @@

pilot-agent completion fish

- - - - - - - - - - - - - - - - @@ -247,12 +181,10 @@

pilot-agent completion fish

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

pilot-agent completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

pilot-agent completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
pilot-agent completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

pilot-agent completion powershell [flags]
 
@@ -276,22 +208,6 @@

pilot-agent completion powershell

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) - - - - - - - - - - - - - - - - @@ -311,18 +227,16 @@

pilot-agent completion powershell

pilot-agent completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(pilot-agent completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-agent completion zsh > "${fpath[1]}/_pilot-agent"

-

#### macOS:

-

pilot-agent completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-agent

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(pilot-agent completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
pilot-agent completion zsh > "${fpath[1]}/_pilot-agent"
+

macOS:

+
pilot-agent completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-agent
+

You will need to start a new shell for this setup to take effect.

pilot-agent completion zsh [flags]
 
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -346,22 +260,6 @@

pilot-agent completion zsh

- - - - - - - - - - - - - - - - @@ -428,26 +326,6 @@

pilot-agent istio-clean-iptables

- - - - - - - - - - - - - - - - - - - - @@ -613,26 +491,6 @@

pilot-agent istio-iptables

- - - - - - - - - - - - - - - - - - - - @@ -722,22 +580,6 @@

pilot-agent proxy

- - - - - - - - - - - - - - - - @@ -816,22 +658,6 @@

pilot-agent request

- - - - - - - - - - - - - - - - @@ -874,26 +700,6 @@

pilot-agent version

- - - - - - - - - - - - - - - - - - - - @@ -945,22 +751,6 @@

pilot-agent wait

- - - - - - - - - - - - - - - - @@ -991,7 +781,7 @@

pilot-agent wait

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

Environment variables

-These environment variables affect the behavior of the pilot-agent command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the pilot-agent command. @@ -1141,22 +931,22 @@

Environment variables

- + - + - + - + - + - + @@ -1167,7 +957,7 @@

Environment variables

- + @@ -1261,6 +1051,12 @@

Environment variables

+ + + + + + @@ -1595,12 +1391,6 @@

Environment variables

- - - - - - @@ -1817,12 +1607,6 @@

Environment variables

- - - - - - @@ -2045,6 +1829,12 @@

Environment variables

+ + + + + + @@ -2099,6 +1889,12 @@

Environment variables

+ + + + + + @@ -2165,12 +1961,6 @@

Environment variables

- - - - - - diff --git a/content/en/docs/reference/commands/pilot-discovery/index.html b/content/en/docs/reference/commands/pilot-discovery/index.html index b1c3d60273155..a8ac463b82cdb 100644 --- a/content/en/docs/reference/commands/pilot-discovery/index.html +++ b/content/en/docs/reference/commands/pilot-discovery/index.html @@ -46,14 +46,13 @@

pilot-discovery completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(pilot-discovery completion bash)

+
source <(pilot-discovery completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-discovery completion bash > /etc/bash_completion.d/pilot-discovery

-

#### macOS:

-

pilot-discovery completion bash > $(brew --prefix)/etc/bash_completion.d/pilot-discovery

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
pilot-discovery completion bash > /etc/bash_completion.d/pilot-discovery
+

macOS:

+
pilot-discovery completion bash > /usr/local/etc/bash_completion.d/pilot-discovery
+

You will need to start a new shell for this setup to take effect.

pilot-discovery completion bash
 
If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
Envoy proxy username
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXIT_ON_ZERO_ACTIVE_CONNECTIONS Boolean false If set to true, enable the peer metadata discovery extension in Envoy
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
PROV_CERT String The grace period ratio for the cert rotation, by default 0.5.
SECRET_GRACE_PERIOD_RATIO_JITTERFloating-Point0.01Randomize the grace period ratio up or down by this amount to stagger cert renewals, by default .01 (~15 minutes over 24 hours).
SECRET_TTL Time Duration 24h0m0s If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
WASM_HTTP_REQUEST_MAX_RETRIES Integer 5
@@ -77,11 +76,10 @@

pilot-discovery completion bash

pilot-discovery completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

pilot-discovery completion fish | source

+
pilot-discovery completion fish | source

To load completions for every new session, execute once:

-

pilot-discovery completion fish > ~/.config/fish/completions/pilot-discovery.fish

-

You will need to start a new shell for this setup to take effect. -

+
pilot-discovery completion bash > ~/.config/fish/completions/pilot-discovery.fish
+

You will need to start a new shell for this setup to take effect.

pilot-discovery completion fish [flags]
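Review bot: The added every-session command in the fish section, `pilot-discovery completion bash > ~/.config/fish/completions/pilot-discovery.fish`, generates the bash script and saves it in the directory fish reads its completions from; the line it replaces used `completion fish`. It should read `pilot-discovery completion fish > ~/.config/fish/completions/pilot-discovery.fish`. The page appears to be generated from the command's help text, so the wording most likely has to be corrected at that source and the page regenerated.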
 
@@ -103,12 +101,10 @@

pilot-discovery completion fish

pilot-discovery completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

pilot-discovery completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
pilot-discovery completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

pilot-discovery completion powershell [flags]
 
@@ -131,18 +127,16 @@

pilot-discovery completion powers

pilot-discovery completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(pilot-discovery completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-discovery completion zsh > "${fpath[1]}/_pilot-discovery"

-

#### macOS:

-

pilot-discovery completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-discovery

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(pilot-discovery completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
pilot-discovery completion zsh > "${fpath[1]}/_pilot-discovery"
+

macOS:

+
pilot-discovery completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-discovery
+

You will need to start a new shell for this setup to take effect.

pilot-discovery completion zsh [flags]
 
@@ -282,26 +276,6 @@

pilot-discovery discovery

- - - - - - - - - - - - - - - - - - - - @@ -424,7 +398,7 @@

pilot-discovery version

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

Environment variables

-These environment variables affect the behavior of the pilot-discovery command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the pilot-discovery command. @@ -550,22 +524,22 @@

Environment variables

- + - + - + - + - + - + @@ -576,7 +550,7 @@

Environment variables

- + @@ -652,6 +626,12 @@

Environment variables

+ + + + + + @@ -920,12 +900,6 @@

Environment variables

- - - - - - @@ -1142,12 +1116,6 @@

Environment variables

- - - - - - @@ -1370,6 +1338,12 @@

Environment variables

+ + + + + + @@ -1460,12 +1434,6 @@

Environment variables

- - - - - - @@ -1491,14 +1459,14 @@

Exported metrics

- - + + - - + + diff --git a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html index 8a0bb0d1f9487..2a4678006493c 100644 --- a/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -231,17 +231,10 @@

MeshConfig

If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXTERNAL_CA String If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
REQUIRE_3P_TOKEN Boolean false If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTH Boolean true
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
citadel_server_authentication_failure_countSumThe number of authentication failures.
citadel_server_cert_chain_expiry_secondsLastValueThe time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired.
citadel_server_cert_chain_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.
citadel_server_cert_chain_expiry_secondsLastValueThe time remaining, in seconds, before the Istio Generated cert chain will expire. A negative value indicates the cert is expired.
citadel_server_cert_chain_expiry_timestampLastValueThe unix timestamp, in seconds, when Istio generated cert chain will expire.
citadel_server_csr_countSumThe number of CSRs received by Citadel server.
citadel_server_csr_parsing_err_countSumThe number of errors occurred when parsing the CSR.
citadel_server_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
citadel_server_id_extraction_err_countSumThe number of errors occurred when extracting the ID from CSR.
citadel_server_root_cert_expiry_secondsLastValueThe time remaining, in seconds, before the root certificate will expire. A negative value indicates the cert is expired.
citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired.
citadel_server_root_cert_expiry_secondsLastValueThe time remaining, in seconds, before the root cert will expire. A negative value indicates the cert is expired.
citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when the root cert will expire.
citadel_server_success_cert_issuance_countSumThe number of certificates issuances that have succeeded.
controller_sync_errors_totalSumTotal number of errorMetric syncing controllers.
endpoint_no_podLastValueEndpoints without an associated pod.
OutboundTrafficPolicy

Set the default behavior of the sidecar for handling outbound -traffic from the application. If your application uses one or -more external services that are not known apriori, setting the -policy to ALLOW_ANY will cause the sidecars to route any unknown -traffic originating from the application to its requested -destination. Users are strongly encouraged to use ServiceEntries -to explicitly declare any external dependencies, instead of using -ALLOW_ANY, so that traffic to these services can be -monitored. Can be overridden at a Sidecar level by setting the -OutboundTrafficPolicy in the Sidecar -API. -Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

+traffic from the application.

+

Can be overridden at a Sidecar level by setting the OutboundTrafficPolicy in the +Sidecar API.

+

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.
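Review bot: The shortened OutboundTrafficPolicy description still says the default ALLOW_ANY allows outbound traffic to unknown destinations, but it no longer tells operators what to do about that: the recommendation to declare external dependencies with ServiceEntries so the traffic can be monitored is gone. I would keep one sentence of it after the default-mode paragraph, for example `Prefer declaring external services with ServiceEntries over relying on ALLOW_ANY, so that traffic to them can be monitored.` This reference page looks generated from the istio/api definitions, so the sentence would probably have to be restored there rather than in this file.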

@@ -464,7 +457,8 @@

MeshConfig

For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

A Pattern can be composed of various pre-defined variables. The following variables are supported.

    -
  • %SERVICE% - Will be substituted with name of the service.
  • +
  • %SERVICE% - Will be substituted with short hostname of the service.
  • +
  • %SERVICE_NAME% - Will be substituted with name of the service.
  • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
  • %SERVICE_PORT% - Will be substituted with port of the service.
  • %TARGET_PORT% - Will be substituted with the target port of the service.
  • @@ -491,7 +485,8 @@

    MeshConfig

    For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

    A Pattern can be composed of various pre-defined variables. The following variables are supported.

      -
    • %SERVICE% - Will be substituted with name of the service.
    • +
    • %SERVICE% - Will be substituted with short hostname of the service.
    • +
    • %SERVICE_NAME% - Will be substituted with name of the service.
    • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
    • %SERVICE_PORT% - Will be substituted with port of the service.
    • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
    • @@ -815,6 +810,9 @@

      ConfigSource

      MeshConfig.OutboundTrafficPolicy

      +

      OutboundTrafficPolicy sets the default behavior of the sidecar for +handling unknown outbound traffic from the application.

      + @@ -4406,16 +4404,21 @@

      MeshConfig.OutboundTrafficPolicy.

      diff --git a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html index 63434b96a4266..6e10c999361f0 100644 --- a/content/en/docs/reference/config/istio.operator.v1alpha1/index.html +++ b/content/en/docs/reference/config/istio.operator.v1alpha1/index.html @@ -1,5 +1,4 @@ --- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO source_repo: https://github.com/istio/api title: IstioOperator Options description: Configuration affecting Istio control plane installation version and shape. @@ -9,11 +8,9 @@ weight: 20 number_of_entries: 74 --- -

      Configuration affecting Istio control plane installation version and shape. -Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. -Without camelCase, the json tag on the Go struct will not match the user’s JSON representation. -This leads to Kubernetes merge libraries, which rely on this tag, to fail. -All other usages use jsonpb which does not use the json tag.

      +

      Configuration affecting Istio control plane installation version and shape. This resource is passed as a file input +to istioctl install and istioctl manifest generate; while it has a similar format as Kubernetes objects, it is not applied to the cluster. +

      IstioOperatorSpec

      @@ -181,19 +178,6 @@

      IstioOperatorSpec

      - - - - - -
      REGISTRY_ONLY -

      outbound traffic will be restricted to services defined in the -service registry as well as those defined through ServiceEntries

      +

      In REGISTRY_ONLY mode, unknown outbound traffic will be dropped. +Traffic destinations must be explicitly declared into the service registry through ServiceEntry configurations.

      +

      Note: Istio does not offer an outbound traffic security policy. +This option does not act as one, or as any form of an outbound firewall. +Instead, this option exists primarily to offer users a way to detect missing ServiceEntry configurations by explicitly failing.

      ALLOW_ANY -

      outbound traffic to unknown destinations will be allowed, in case -there are no services or ServiceEntries for the destination port

      +

      In ALLOW_ANY mode, any traffic to unknown destinations will be allowed. +Unknown destination traffic will have limited functionality, however, such as reduced observability. +This mode allows users that do not have all possible egress destinations registered through ServiceEntry configurations to still connect +to arbitrary destinations.

      Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.

      -
      -No -
      addonComponentsmap<string, ExternalComponentSpec> -

      Deprecated. -Users should manage the installation of addon components on their own. -Refer to samples/addons for demo installation of addon components.

      -
      No @@ -202,65 +186,7 @@

      IstioOperatorSpec

      -

      InstallStatus

      -
      -

      Observed state of IstioOperator

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      statusStatus -

      Overall status of all components controlled by the operator.

      -
        -
      • If all components have status NONE, overall status is NONE.
      • -
      • If all components are HEALTHY, overall status is HEALTHY.
      • -
      • If one or more components are RECONCILING and others are HEALTHY, overall status is RECONCILING.
      • -
      • If one or more components are UPDATING and others are HEALTHY, overall status is UPDATING.
      • -
      • If components are a mix of RECONCILING, UPDATING and HEALTHY, overall status is UPDATING.
      • -
      • If any component is in ERROR state, overall status is ERROR.
      • -
      • If further action is needed for reconciliation to proceed, overall status is ACTION_REQUIRED.
      • -
      - -
      -No -
      messagestring -

      Optional message providing additional information about the existing overall status.

      -
      -No -
      componentStatusmap<string, VersionStatus> -

      Individual status of each component controlled by the operator. The map key is the name of the component.

      - -
      -No -
      -

      IstioComponentSetSpec

      IstioComponentSpec defines the desired installed state of Istio components.

      @@ -465,89 +391,7 @@

      ComponentSpec

-

ExternalComponentSpec

-
-

Configuration for external components.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue -

Selects whether this component is installed.

- -
-No -
namespacestring -

Namespace for the component.

- -
-No -
specStruct -

Arbitrary install time configuration for the component.

- -
-No -
chartPathstring -

Chart path for addon components.

- -
-No -
schemaAny -

Optional schema to validate spec against.

- -
-No -
k8sKubernetesResourcesSpec -

Kubernetes resource spec.

- -
-No -
-

GatewaySpec

Configuration for gateways.

@@ -3699,50 +3543,7 @@

IntOrString

-

InstallStatus.VersionStatus

-
-

VersionStatus is the status and version of a component.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
versionstring - -No -
statusStatus - -No -
errorstring - -No -
-

K8sObjectOverlay.PathValue

@@ -4052,62 +3853,3 @@

k8s.io.apimachinery.

-

InstallStatus.Status

-
-

Status describes the current state of a component.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
NONE -

Component is not present.

- -
UPDATING -

Component is being updated to a different version.

- -
RECONCILING -

Controller has started but not yet completed reconciliation loop for the component.

- -
HEALTHY -

Component is healthy.

- -
ERROR -

Component is in an error state.

- -
ACTION_REQUIRED -

Overall status only and would not be set as a component status. -Action is needed from the user for reconciliation to proceed -e.g. There are proxies still pointing to the control plane revision when try to remove an IstioOperator CR.

- -
-
diff --git a/content/en/docs/reference/config/networking/sidecar/index.html b/content/en/docs/reference/config/networking/sidecar/index.html index c144e010e93a5..45dc2fbce24db 100644 --- a/content/en/docs/reference/config/networking/sidecar/index.html +++ b/content/en/docs/reference/config/networking/sidecar/index.html @@ -397,13 +397,9 @@

Sidecar

outboundTrafficPolicy OutboundTrafficPolicy -

Configuration for the outbound traffic policy. If your -application uses one or more external services that are not known -apriori, setting the policy to ALLOW_ANY will cause the -sidecars to route any unknown traffic originating from the -application to its requested destination. If not specified, -inherits the system detected defaults from the namespace-wide or -the global default Sidecar.

+

Set the default behavior of the sidecar for handling outbound +traffic from the application.

+

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

@@ -661,14 +657,7 @@

WorkloadSelector

OutboundTrafficPolicy

OutboundTrafficPolicy sets the default behavior of the sidecar for -handling outbound traffic from the application. -If your application uses one or more external -services that are not known apriori, setting the policy to ALLOW_ANY -will cause the sidecars to route any unknown traffic originating from -the application to its requested destination. Users are strongly -encouraged to use ServiceEntry configurations to explicitly declare any external -dependencies, instead of using ALLOW_ANY, so that traffic to these -services can be monitored.

+handling unknown outbound traffic from the application.

@@ -758,16 +747,21 @@

OutboundTrafficPolicy.Mode

diff --git a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html index 57c01ed448f7d..c9caf0f3759b6 100644 --- a/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html +++ b/content/en/docs/reference/config/proxy_extensions/wasm-plugin/index.html @@ -211,7 +211,7 @@

WasmPlugin

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/content/en/docs/reference/config/security/authorization-policy/index.html b/content/en/docs/reference/config/security/authorization-policy/index.html index 78c8ef9ca8d32..3ae3bc547046f 100644 --- a/content/en/docs/reference/config/security/authorization-policy/index.html +++ b/content/en/docs/reference/config/security/authorization-policy/index.html @@ -235,7 +235,7 @@

AuthorizationPolicy

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html index 0eb066fbe424e..496e30c048bb6 100644 --- a/content/en/docs/reference/config/security/request_authentication/index.html +++ b/content/en/docs/reference/config/security/request_authentication/index.html @@ -240,7 +240,7 @@

RequestAuthentication

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/content/en/docs/reference/config/telemetry/index.html b/content/en/docs/reference/config/telemetry/index.html index a06f1d9d982f4..15c1557ef3b79 100644 --- a/content/en/docs/reference/config/telemetry/index.html +++ b/content/en/docs/reference/config/telemetry/index.html @@ -229,7 +229,7 @@

Telemetry

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/content/en/docs/setup/additional-setup/getting-started-istio-apis/snips.sh b/content/en/docs/setup/additional-setup/getting-started-istio-apis/snips.sh index 9ccb603ded98e..d9b6d77d38ddd 100644 --- a/content/en/docs/setup/additional-setup/getting-started-istio-apis/snips.sh +++ b/content/en/docs/setup/additional-setup/getting-started-istio-apis/snips.sh @@ -26,7 +26,7 @@ curl -L https://istio.io/downloadIstio | sh - } snip_download_istio_2() { -curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.23.0 TARGET_ARCH=x86_64 sh - +curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.24.0 TARGET_ARCH=x86_64 sh - } snip_download_istio_4() { diff --git a/content/en/docs/setup/getting-started/snips.sh b/content/en/docs/setup/getting-started/snips.sh index b4ce1ac0b12db..ef790f00fd679 100644 --- a/content/en/docs/setup/getting-started/snips.sh +++ b/content/en/docs/setup/getting-started/snips.sh @@ -54,7 +54,7 @@ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ } snip_deploy_the_sample_application_1() { -kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/bookinfo/platform/kube/bookinfo.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml } ! IFS=$'\n' read -r -d '' snip_deploy_the_sample_application_1_out <<\ENDSNIP diff --git a/content/en/docs/setup/install/helm/index.md b/content/en/docs/setup/install/helm/index.md index af644d1b643ad..9e3df4c6f381b 100644 --- a/content/en/docs/setup/install/helm/index.md +++ b/content/en/docs/setup/install/helm/index.md 
@@ -151,8 +151,7 @@ for example `helm show values istio/gateway`. ### Migrating from non-Helm installations -If you're migrating from a version of Istio installed using `istioctl` or -Operator to Helm (Istio 1.5 or earlier), you need to delete your current Istio +If you're migrating from a version of Istio installed using `istioctl` to Helm (Istio 1.5 or earlier), you need to delete your current Istio control plane resources and re-install Istio using Helm as described above. When deleting your current Istio installation, you must not remove the Istio Custom Resource Definitions (CRDs) as that can lead to loss of your custom Istio resources. @@ -162,10 +161,7 @@ It is highly recommended to take a backup of your Istio resources using steps described above before deleting current Istio installation in your cluster. {{< /warning >}} -You can follow steps mentioned in the -[Istioctl uninstall guide](/docs/setup/install/istioctl#uninstall-istio) or -[Operator uninstall guide](/docs/setup/install/operator/#uninstall) -depending upon your installation method. +You can follow steps mentioned in the [Istioctl uninstall guide](/docs/setup/install/istioctl#uninstall-istio). ## Uninstall diff --git a/content/en/docs/setup/install/helm/snips.sh b/content/en/docs/setup/install/helm/snips.sh index c5c75ebdf6496..492bd80347436 100644 --- a/content/en/docs/setup/install/helm/snips.sh +++ b/content/en/docs/setup/install/helm/snips.sh @@ -35,7 +35,7 @@ helm ls -n istio-system ! IFS=$'\n' read -r -d '' snip_installation_steps_4_out <<\ENDSNIP NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0 +istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0 ENDSNIP snip_install_discovery() { 
@@ -48,8 +48,8 @@ helm ls -n istio-system ! IFS=$'\n' read -r -d '' snip_installation_steps_6_out <<\ENDSNIP NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0 -istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0 +istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0 +istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0 ENDSNIP snip_installation_steps_7() { @@ -93,7 +93,7 @@ kubectl get deployments -n istio-system --output wide ! IFS=$'\n' read -r -d '' snip_installation_steps_8_out <<\ENDSNIP NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR -istiod 1/1 1 1 10m discovery docker.io/istio/pilot:1.23.0 istio=pilot +istiod 1/1 1 1 10m discovery docker.io/istio/pilot:1.24.0 istio=pilot ENDSNIP snip_install_ingressgateway() { @@ -107,8 +107,8 @@ helm ls -n istio-system ! IFS=$'\n' read -r -d '' snip_helm_ls_out <<\ENDSNIP NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION -istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.23.0 1.23.0 -istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.23.0 1.23.0 +istio-base istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed base-1.24.0 1.24.0 +istiod istio-system 1 2024-04-17 22:14:45.964722028 +0000 UTC deployed istiod-1.24.0 1.24.0 ENDSNIP snip_delete_delete_gateway_charts() { diff --git a/content/en/docs/setup/install/operator/index.md b/content/en/docs/setup/install/operator/index.md deleted file mode 100644 index 53d338a99481c..0000000000000 --- a/content/en/docs/setup/install/operator/index.md +++ /dev/null 
@@ -1,357 +0,0 @@ ---- -title: Istio Operator Install -description: Instructions to install Istio in a Kubernetes cluster using the Istio operator. -weight: 99 -keywords: [kubernetes, operator] -aliases: - - /docs/setup/install/standalone-operator -owner: istio/wg-environments-maintainers -test: yes -status: Beta ---- - -{{< warning >}} -Use of the operator for new Istio installations is discouraged in favor of the [Istioctl](/docs/setup/install/istioctl) -and [Helm](/docs/setup/install/helm) installation methods. While the operator will continue to be supported, -new feature requests will not be prioritized. -{{< /warning >}} - -Instead of manually installing, upgrading, and uninstalling Istio, -you can instead let the Istio [operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/) -manage the installation for you. -This relieves you of the burden of managing different `istioctl` versions. -Simply update the operator {{}}custom resource (CR){{}} and the -operator controller will apply the corresponding configuration changes for you. - -The same [`IstioOperator` API](/docs/reference/config/istio.operator.v1alpha1/) is used -to install Istio with the operator as when using the [istioctl install instructions](/docs/setup/install/istioctl). -In both cases, configuration is validated against a schema and the same correctness -checks are performed. - -{{< warning >}} -Using an operator does have a security implication. -With the `istioctl install` command, the operation will run in the admin user’s security context, -whereas with an operator, an in-cluster pod will run the operation in its security context. -To avoid a vulnerability, ensure that the operator deployment is sufficiently secured. -{{< /warning >}} - -## Prerequisites - -1. Perform any necessary [platform-specific setup](/docs/setup/platform-setup/). - -1. Check the [Requirements for Pods and Services](/docs/ops/deployment/application-requirements/). - -1. 
Install the [{{< istioctl >}} command](/docs/ops/diagnostic-tools/istioctl/). - -## Install - -### Deploy the Istio operator - -The `istioctl` command can be used to automatically deploy the Istio operator: - -{{< text syntax=bash snip_id=deploy_istio_operator >}} -$ istioctl operator init -{{< /text >}} - -This command runs the operator by creating the following resources in the `istio-operator` namespace: - -- The operator custom resource definition -- The operator controller deployment -- A service to access operator metrics -- Necessary Istio operator RBAC rules - -You can configure which namespace the operator controller is installed in, the namespace(s) the operator watches, the installed Istio image sources and versions, and more. For example, you can pass one or more namespaces to watch using the `--watchedNamespaces` flag: - -{{< text syntax=bash snip_id=deploy_istio_operator_watch_ns >}} -$ istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2 -{{< /text >}} - -See the [`istioctl operator init` command reference](/docs/reference/commands/istioctl/#istioctl-operator-init) for details. - -{{< tip >}} -You can alternatively deploy the operator using Helm: - -1. Create a namespace `istio-operator`. - - {{< text syntax=bash snip_id=create_ns_istio_operator >}} - $ kubectl create namespace istio-operator - {{< /text >}} - -2) Install operator using Helm. - - {{< text syntax=bash snip_id=deploy_istio_operator_helm >}} - $ helm install istio-operator manifests/charts/istio-operator \ - --set watchedNamespaces="istio-namespace1\,istio-namespace2" \ - -n istio-operator - {{< /text >}} - -Note that you need to [download the Istio release](/docs/setup/additional-setup/download-istio-release/) -to run the above command. -{{< /tip >}} - -{{< warning >}} -Prior to Istio 1.10.0, the namespace `istio-system` needed to be created before installing the operator. As of Istio 1.10.0, the `istioctl operator init` will create the `istio-system` namespace. 
- -If you use something other than `istioctl operator init`, then the `istio-system` namespace needs to be created manually. -{{< /warning >}} - -### Install Istio with the operator - -With the operator installed, you can now create a mesh by deploying an `IstioOperator` resource. -To install the Istio `demo` [configuration profile](/docs/setup/additional-setup/config-profiles/) -using the operator, run the following command: - -{{< text syntax=bash snip_id=install_istio_demo_profile >}} -$ kubectl apply -f - <}} - -The controller will detect the `IstioOperator` resource and then install the Istio -components corresponding to the specified (`demo`) configuration. - -{{< warning >}} -If you used `--watchedNamespaces` when you initialized the Istio operator, apply the `IstioOperator` resource in one of the watched namespaces, instead of in `istio-system`. -{{< /warning >}} - -The Istio control plane (istiod) will be installed in the `istio-system` namespace by default. To install it in a different location, specify the namespace using the `values.global.istioNamespace` field as follows: - -{{< text syntax=yaml snip_id=none >}} -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -... -spec: - profile: demo - values: - global: - istioNamespace: istio-namespace1 -{{< /text >}} - -{{< tip >}} -The Istio operator controller begins the process of installing Istio within 90 seconds of -the creation of the `IstioOperator` resource. The Istio installation completes within 120 -seconds. -{{< /tip >}} - -You can confirm the Istio control plane services have been deployed with the following commands: - -{{< text syntax=bash snip_id=kubectl_get_svc >}} -$ kubectl get services -n istio-system -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -istio-egressgateway ClusterIP 10.96.65.145 ... 30s -istio-ingressgateway LoadBalancer 10.96.189.244 192.168.11.156 ... 30s -istiod ClusterIP 10.96.189.20 ... 
37s -{{< /text >}} - -{{< text syntax=bash snip_id=kubectl_get_pods >}} -$ kubectl get pods -n istio-system -NAME READY STATUS RESTARTS AGE -istio-egressgateway-696cccb5-m8ndk 1/1 Running 0 68s -istio-ingressgateway-86cb4b6795-9jlrk 1/1 Running 0 68s -istiod-b47586647-sf6sw 1/1 Running 0 74s -{{< /text >}} - -## Update - -Now, with the controller running, you can change the Istio configuration by editing or replacing -the `IstioOperator` resource. The controller will detect the change and respond by updating -the Istio installation correspondingly. - -For example, you can switch the installation to the `default` -profile with the following command: - -{{< text syntax=bash snip_id=update_to_default_profile >}} -$ kubectl apply -f - <}} - -You can also enable or disable components and modify resource settings. -For example, to enable the `istio-egressgateway` component and increase istiod memory requests: - -{{< text syntax=bash snip_id=update_to_default_profile_egress >}} -$ kubectl apply -f - <}} - -You can observe the changes that the controller makes in the cluster in response to `IstioOperator` CR updates by -checking the operator controller logs: - -{{< text syntax=bash snip_id=operator_logs >}} -$ kubectl logs -f -n istio-operator "$(kubectl get pods -n istio-operator -lname=istio-operator -o jsonpath='{.items[0].metadata.name}')" -{{< /text >}} - -Refer to the [`IstioOperator` API](/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec) -for the complete set of configuration settings. - -## In-place Upgrade - -Download and extract the `istioctl` corresponding to the version of Istio you wish to upgrade to. 
Reinstall the operator -at the target Istio version: - -{{< text syntax=bash snip_id=inplace_upgrade >}} -$ /bin/istioctl operator init -{{< /text >}} - -You should see that the `istio-operator` pod has restarted and its version has changed to the target version: - -{{< text syntax=bash snip_id=inplace_upgrade_get_pods_istio_operator >}} -$ kubectl get pods --namespace istio-operator \ - -o=jsonpath='{range .items[*]}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}' -{{< /text >}} - -After a minute or two, the Istio control plane components should also be restarted at the new version: - -{{< text syntax=bash snip_id=inplace_upgrade_get_pods_istio_system >}} -$ kubectl get pods --namespace istio-system \ - -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}' -{{< /text >}} - -## Canary Upgrade - -The process for canary upgrade is similar to the [canary upgrade with `istioctl`](/docs/setup/upgrade/canary/). 
- -For example, to upgrade Istio {{< istio_previous_version >}}.0 to {{< istio_full_version >}}, first install {{< istio_previous_version >}}.0 : - -{{< text syntax=bash snip_id=download_istio_previous_version >}} -$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION={{< istio_previous_version >}}.0 sh - -{{< /text >}} - -Deploy the operator using Istio version {{< istio_previous_version >}}.0: - -{{< text syntax=bash snip_id=deploy_operator_previous_version >}} -$ istio-{{< istio_previous_version >}}.0/bin/istioctl operator init -{{< /text >}} - -Install Istio control plane demo profile: - -{{< text syntax=bash snip_id=install_istio_previous_version >}} -$ kubectl apply -f - <}}-0 -spec: - profile: default -EOF -{{< /text >}} - -Verify that the `IstioOperator` CR named `example-istiocontrolplane` exists in your cluster: - -{{< text syntax=bash snip_id=verify_operator_cr >}} -$ kubectl get iop --all-namespaces -NAMESPACE NAME REVISION STATUS AGE -istio-system example-istiocontrolplane{{< istio_previous_version_revision >}}-0 HEALTHY 11m -{{< /text >}} - -Download and extract the `istioctl` corresponding to the version of Istio you wish to upgrade to. 
-Then, run the following command to install the new target revision of the Istio control plane based on the in-cluster -`IstioOperator` CR (here, we assume the target revision is {{< istio_full_version_revision >}}): - -{{< text syntax=bash snip_id=canary_upgrade_init >}} -$ istio-{{< istio_full_version >}}/bin/istioctl operator init --revision {{< istio_full_version_revision >}} -{{< /text >}} - -{{< tip >}} -You can alternatively use Helm to deploy another operator with a different revision setting: - -{{< text syntax=bash snip_id=none >}} -$ helm install istio-operator manifests/charts/istio-operator \ - --set watchedNamespaces=istio-system \ - -n istio-operator \ - --set revision={{< istio_full_version_revision >}} -{{< /text >}} - -Note that you need to [download the Istio release](/docs/setup/additional-setup/download-istio-release/) -to run the above command. -{{< /tip >}} - -Make a copy of the `example-istiocontrolplane` CR and save it in a file named `example-istiocontrolplane-{{< istio_full_version_revision >}}.yaml`. -Change the name to `example-istiocontrolplane-{{< istio_full_version_revision >}}` and add `revision: {{< istio_full_version_revision >}}` to the CR. -Your updated `IstioOperator` CR should look something like this: - -{{< text syntax=bash snip_id=cat_operator_yaml >}} -$ cat example-istiocontrolplane-{{< istio_full_version_revision >}}.yaml -apiVersion: install.istio.io/v1alpha1 -kind: IstioOperator -metadata: - namespace: istio-system - name: example-istiocontrolplane-{{< istio_full_version_revision >}} -spec: - revision: {{< istio_full_version_revision >}} - profile: default -{{< /text >}} - -Apply the updated `IstioOperator` CR to the cluster. 
After that, you will have two control plane deployments and services running side-by-side: - -{{< text syntax=bash snip_id=get_pods_istio_system >}} -$ kubectl get pod -n istio-system -l app=istiod -NAME READY STATUS RESTARTS AGE -istiod-{{< istio_full_version_revision >}}-597475f4f6-bgtcz 1/1 Running 0 64s -istiod-6ffcc65b96-bxzv5 1/1 Running 0 2m11s -{{< /text >}} - -{{< text syntax=bash snip_id=get_svc_istio_system >}} -$ kubectl get services -n istio-system -l app=istiod -NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -istiod ClusterIP 10.104.129.150 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 2m35s -istiod-{{< istio_full_version_revision >}} ClusterIP 10.111.17.49 15010/TCP,15012/TCP,443/TCP,15014/TCP 88s -{{< /text >}} - -To complete the upgrade, label the workload namespaces with `istio.io/rev={{< istio_full_version_revision >}}` and restart the workloads, as -explained in the [Data plane upgrade](/docs/setup/upgrade/canary/#data-plane) documentation. - -## Uninstall - -If you used the operator to perform a canary upgrade of the control plane, you can uninstall the old control plane and keep the new one by deleting the old in-cluster `IstioOperator` CR, which will uninstall the old revision of Istio: - -{{< text syntax=bash snip_id=delete_example_istiocontrolplane >}} -$ kubectl delete istiooperators.install.istio.io -n istio-system example-istiocontrolplane -{{< /text >}} - -Wait until Istio is uninstalled - this may take some time. - -Then you can remove the Istio operator for the old revision by running the following command: - -{{< text syntax=bash snip_id=none >}} -$ istioctl operator remove --revision -{{< /text >}} - -If you omit the `revision` flag, then all revisions of Istio operator will be removed. - -Note that deleting the operator before the `IstioOperator` CR and corresponding Istio revision are fully removed may result in leftover Istio resources. 
-To clean up anything not removed by the operator: - -{{< text syntax=bash snip_id=cleanup >}} -$ istioctl uninstall -y --purge -$ kubectl delete ns istio-system istio-operator - {{< /text >}} diff --git a/content/en/docs/setup/install/operator/snips.sh b/content/en/docs/setup/install/operator/snips.sh deleted file mode 100644 index f7ac09f0b5ccd..0000000000000 --- a/content/en/docs/setup/install/operator/snips.sh +++ /dev/null 
@@ -1,201 +0,0 @@ -#!/bin/bash -# shellcheck disable=SC2034,SC2153,SC2155,SC2164 - -# Copyright Istio Authors. All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -#################################################################################################### -# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: -# docs/setup/install/operator/index.md -#################################################################################################### - -snip_deploy_istio_operator() { -istioctl operator init -} - -snip_deploy_istio_operator_watch_ns() { -istioctl operator init --watchedNamespaces=istio-namespace1,istio-namespace2 -} - -snip_create_ns_istio_operator() { -kubectl create namespace istio-operator -} - -snip_deploy_istio_operator_helm() { -helm install istio-operator manifests/charts/istio-operator \ - --set watchedNamespaces="istio-namespace1\,istio-namespace2" \ - -n istio-operator -} - -snip_install_istio_demo_profile() { -kubectl apply -f - < ... 30s -istio-ingressgateway LoadBalancer 10.96.189.244 192.168.11.156 ... 30s -istiod ClusterIP 10.96.189.20 ... 37s -ENDSNIP - -snip_kubectl_get_pods() { -kubectl get pods -n istio-system -} - -! 
IFS=$'\n' read -r -d '' snip_kubectl_get_pods_out <<\ENDSNIP -NAME READY STATUS RESTARTS AGE -istio-egressgateway-696cccb5-m8ndk 1/1 Running 0 68s -istio-ingressgateway-86cb4b6795-9jlrk 1/1 Running 0 68s -istiod-b47586647-sf6sw 1/1 Running 0 74s -ENDSNIP - -snip_update_to_default_profile() { -kubectl apply -f - </bin/istioctl operator init -} - -snip_inplace_upgrade_get_pods_istio_operator() { -kubectl get pods --namespace istio-operator \ - -o=jsonpath='{range .items[*]}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}' -} - -snip_inplace_upgrade_get_pods_istio_system() { -kubectl get pods --namespace istio-system \ - -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.containers[*]}{.image}{", "}{end}{"\n"}{end}' -} - -snip_download_istio_previous_version() { -curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.0 sh - -} - -snip_deploy_operator_previous_version() { -istio-1.22.0/bin/istioctl operator init -} - -snip_install_istio_previous_version() { -kubectl apply -f - < 15010/TCP,15012/TCP,443/TCP,15014/TCP,853/TCP 2m35s -istiod-1-23-0 ClusterIP 10.111.17.49 15010/TCP,15012/TCP,443/TCP,15014/TCP 88s -ENDSNIP - -snip_delete_example_istiocontrolplane() { -kubectl delete istiooperators.install.istio.io -n istio-system example-istiocontrolplane -} - -snip_cleanup() { -istioctl uninstall -y --purge -kubectl delete ns istio-system istio-operator -} diff --git a/content/en/docs/setup/install/operator/test.sh b/content/en/docs/setup/install/operator/test.sh deleted file mode 100644 index 000fafd718dd8..0000000000000 --- a/content/en/docs/setup/install/operator/test.sh +++ /dev/null 
@@ -1,146 +0,0 @@ -#!/usr/bin/env bash -# shellcheck disable=SC2154 - -# Copyright Istio Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# @setup profile=none - -set -e -set -u -set -o pipefail - -source "content/en/boilerplates/snips/args.sh" - -fullVersion="${bpsnip_args_istio_full_version}" -fullVersionRevision="${fullVersion//./-}" -previousVersion="${bpsnip_args_istio_previous_version}.0" -previousVersionMinorUpgrade="${previousVersion%.0}.1" - -function testOperatorDeployWatchNs(){ - # print out body of the function and execute with flag - # this is to avoid using the default public registry - $(type snip_deploy_istio_operator_watch_ns | sed '1,3d;$d') --hub "$HUB" - _wait_for_deployment istio-operator istio-operator - - # cleanup required for next steps - istioctl uninstall -y --purge - kubectl delete ns istio-operator istio-namespace1 istio-namespace2 -} - -function testOperatorDeployHelm(){ - snip_create_ns_istio_operator - snip_deploy_istio_operator_helm - _wait_for_deployment istio-operator istio-operator - - # cleanup required for next steps - helm uninstall istio-operator -n istio-operator - kubectl delete ns istio-operator -} - -function testOperatorDeploy(){ - $(type snip_deploy_istio_operator | sed '1,3d;$d') --hub "$HUB" - _wait_for_deployment istio-operator istio-operator -} - -function testInstallIstioDemo(){ - snip_install_istio_demo_profile - sleep 30s - _wait_for_deployment istio-system istiod - _verify_like snip_kubectl_get_svc 
"$snip_kubectl_get_svc_out" - _verify_like snip_kubectl_get_pods "$snip_kubectl_get_pods_out" -} - -function testUpdateProfileDefaultEgress(){ - snip_update_to_default_profile_egress - sleep 30s - _verify_contains snip_kubectl_get_svc "egressgateway" -} - -function testOperatorLogs(){ - command=$(type snip_operator_logs | sed '1,3d;$d') - # prevent following log stream - command="${command/"logs -f"/"logs"}" - echo "$command" | sh - -} - -function istioDownload(){ - version="$1" - # downloadIstio takes a TARGET_OS env var, but it's exepected to be Linux or Darwin. - # Uppercase the first letter of the TARGET_OS used within the pipeline, which is linux or darwin - curl -L https://istio.io/downloadIstio | TARGET_OS=${TARGET_OS^} ISTIO_VERSION="$version" sh - -} - -function operatorInit(){ - version="$1" - istioDownload "$version" - istio-"$version"/bin/istioctl operator init - rm -rf "istio-$version" -} - -function testInplaceUpgrade(){ - operatorInit "$previousVersion" - operatorInit "$previousVersionMinorUpgrade" - snip_inplace_upgrade_get_pods_istio_operator - snip_inplace_upgrade_get_pods_istio_system -} - -function testCanaryUpgrade(){ - # downloadIstio takes a TARGET_OS env var, but it's exepected to be Linux or Darwin. 
- # Uppercase the first letter of the TARGET_OS used within the pipeline, which is linux or darwin - TARGET_OS=${TARGET_OS^} snip_download_istio_previous_version - snip_deploy_operator_previous_version - snip_install_istio_previous_version - _verify_like snip_verify_operator_cr "$snip_verify_operator_cr_out" - rm -rf "istio-$previousVersion" - - istioctl operator init --revision "$fullVersionRevision" -} - -function testTwoControlPlanes(){ - echo "$snip_cat_operator_yaml_out" > example-istiocontrolplane-previous-version.yaml - _verify_like snip_cat_operator_yaml "$snip_cat_operator_yaml_out" - kubectl apply -f example-istiocontrolplane-previous-version.yaml - rm -f example-istiocontrolplane-previous-version.yaml - - _verify_like snip_get_pods_istio_system "$snip_get_pods_istio_system_out" - _verify_like snip_get_svc_istio_system "$snip_get_svc_istio_system_out" -} - -testOperatorDeployWatchNs - -testOperatorDeployHelm - -testOperatorDeploy - -testInstallIstioDemo - -snip_update_to_default_profile - -testUpdateProfileDefaultEgress - -testOperatorLogs - -snip_cleanup - -testInplaceUpgrade - -snip_cleanup - -testCanaryUpgrade - -# @cleanup -snip_delete_example_istiocontrolplane -snip_cleanup diff --git a/content/en/docs/setup/upgrade/canary/snips.sh b/content/en/docs/setup/upgrade/canary/snips.sh index a5d61b5248e4e..6ef3bcd8581cd 100644 --- a/content/en/docs/setup/upgrade/canary/snips.sh +++ b/content/en/docs/setup/upgrade/canary/snips.sh @@ -41,7 +41,7 @@ kubectl get pods -n istio-system -l app=istiod ! IFS=$'\n' read -r -d '' snip_control_plane_2_out <<\ENDSNIP NAME READY STATUS RESTARTS AGE -istiod-1-22-1-bdf5948d5-htddg 1/1 Running 0 47s +istiod-1-23-1-bdf5948d5-htddg 1/1 Running 0 47s istiod-canary-84c8d4dcfb-skcfv 1/1 Running 0 25s ENDSNIP 
@@ -51,7 +51,7 @@ kubectl get svc -n istio-system -l app=istiod ! IFS=$'\n' read -r -d '' snip_control_plane_3_out <<\ENDSNIP NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE -istiod-1-22-1 ClusterIP 10.96.93.151 15010/TCP,15012/TCP,443/TCP,15014/TCP 109s +istiod-1-23-1 ClusterIP 10.96.93.151 15010/TCP,15012/TCP,443/TCP,15014/TCP 109s istiod-canary ClusterIP 10.104.186.250 15010/TCP,15012/TCP,443/TCP,15014/TCP 87s ENDSNIP @@ -61,7 +61,7 @@ kubectl get mutatingwebhookconfigurations ! IFS=$'\n' read -r -d '' snip_control_plane_4_out <<\ENDSNIP NAME WEBHOOKS AGE -istio-sidecar-injector-1-22-1 2 2m16s +istio-sidecar-injector-1-23-1 2 2m16s istio-sidecar-injector-canary 2 114s ENDSNIP @@ -98,13 +98,13 @@ istioctl proxy-status | grep "\.test-ns " } snip_usage_1() { -istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --revision=1-22-1 --set profile=minimal --skip-confirmation -istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --revision=1-23-0 --set profile=minimal --skip-confirmation +istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --revision=1-23-1 --set profile=minimal --skip-confirmation +istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --revision=1-24-0 --set profile=minimal --skip-confirmation } snip_usage_2() { -istioctl tag set prod-stable --revision 1-22-1 -istioctl tag set prod-canary --revision 1-23-0 +istioctl tag set prod-stable --revision 1-23-1 +istioctl tag set prod-canary --revision 1-24-0 } snip_usage_3() { 
@@ -128,13 +128,13 @@ istioctl ps ! IFS=$'\n' read -r -d '' snip_usage_5_out <<\ENDSNIP NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION -sleep-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-s8zfg 1.23.0 -sleep-78ff5975c6-8kxpl.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-bdf5948d5-n72r2 1.22.1 -sleep-78ff5975c6-8q7m6.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-22-1-bdf5948d5-n72r2 1-22.1 +sleep-78ff5975c6-62pzf.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-s8zfg 1.24.0 +sleep-78ff5975c6-8kxpl.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-1-bdf5948d5-n72r2 1.23.1 +sleep-78ff5975c6-8q7m6.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-1-bdf5948d5-n72r2 1-23.1 ENDSNIP snip_usage_6() { -istioctl tag set prod-stable --revision 1-23-0 --overwrite +istioctl tag set prod-stable --revision 1-24-0 --overwrite } snip_usage_7() { 
@@ -148,17 +148,17 @@ istioctl ps ! IFS=$'\n' read -r -d '' snip_usage_8_out <<\ENDSNIP NAME CLUSTER CDS LDS EDS RDS ECDS ISTIOD VERSION -sleep-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-jsktb 1.23.0 -sleep-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-jsktb 1.23.0 -sleep-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-23-0-7f6fc6cfd6-jsktb 1.23.0 +sleep-5984f48bc7-kmj6x.app-ns-1 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-jsktb 1.24.0 +sleep-78ff5975c6-jldk4.app-ns-3 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-jsktb 1.24.0 +sleep-7cdd8dccb9-5bq5n.app-ns-2 Kubernetes SYNCED SYNCED SYNCED SYNCED NOT SENT istiod-1-24-0-7f6fc6cfd6-jsktb 1.24.0 ENDSNIP snip_default_tag_1() { -istioctl tag set default --revision 1-23-0 +istioctl tag set default --revision 1-24-0 } snip_uninstall_old_control_plane_1() { -istioctl uninstall --revision 1-22-1 -y +istioctl uninstall --revision 1-23-1 -y } snip_uninstall_old_control_plane_2() { diff --git a/content/en/docs/setup/upgrade/helm/snips.sh b/content/en/docs/setup/upgrade/helm/snips.sh index 1cc6f4aa3b711..51600bdda2542 100644 --- a/content/en/docs/setup/upgrade/helm/snips.sh +++ b/content/en/docs/setup/upgrade/helm/snips.sh 
@@ -77,16 +77,16 @@ helm upgrade istio-base istio/base --set defaultRevision=canary -n istio-system } snip_usage_1() { -helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-22-1 -n istio-system | kubectl apply -f - -helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-23-0 -n istio-system | kubectl apply -f - +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-23-1 -n istio-system | kubectl apply -f - +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-canary}" --set revision=1-24-0 -n istio-system | kubectl apply -f - } snip_usage_2() { -helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-23-0 -n istio-system | kubectl apply -f - +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{prod-stable}" --set revision=1-24-0 -n istio-system | kubectl apply -f - } snip_default_tag_1() { -helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-23-0 -n istio-system | kubectl apply -f - +helm template istiod istio/istiod -s templates/revision-tags.yaml --set revisionTags="{default}" --set revision=1-24-0 -n istio-system | kubectl apply -f - } snip_in_place_upgrade_1() { diff --git a/content/en/docs/tasks/security/authentication/authn-policy/snips.sh b/content/en/docs/tasks/security/authentication/authn-policy/snips.sh index 29440954349f6..f3bedd86442a6 100644 --- a/content/en/docs/tasks/security/authentication/authn-policy/snips.sh +++ b/content/en/docs/tasks/security/authentication/authn-policy/snips.sh 
@@ -298,7 +298,7 @@ spec: istio: ingressgateway jwtRules: - issuer: "testing@secure.istio.io" - jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json" + jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json" EOF } @@ -316,7 +316,7 @@ spec: name: httpbin-gateway jwtRules: - issuer: "testing@secure.istio.io" - jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json" + jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json" EOF } @@ -337,7 +337,7 @@ curl --header "Authorization: Bearer deadbeef" "$INGRESS_HOST:$INGRESS_PORT/head ENDSNIP snip_enduser_authentication_9() { -TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s) +TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) curl --header "Authorization: Bearer $TOKEN" "$INGRESS_HOST:$INGRESS_PORT/headers" -s -o /dev/null -w "%{http_code}\n" } @@ -346,11 +346,11 @@ curl --header "Authorization: Bearer $TOKEN" "$INGRESS_HOST:$INGRESS_PORT/header ENDSNIP snip_enduser_authentication_10() { -wget --no-verbose https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/gen-jwt.py +wget --no-verbose https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/gen-jwt.py } snip_enduser_authentication_11() { -wget --no-verbose https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/key.pem +wget --no-verbose https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/key.pem } snip_enduser_authentication_12() { diff --git a/content/en/docs/tasks/security/authentication/claim-to-header/snips.sh b/content/en/docs/tasks/security/authentication/claim-to-header/snips.sh index f653e43879a98..dee0fb8cb062d 100644 
--- a/content/en/docs/tasks/security/authentication/claim-to-header/snips.sh +++ b/content/en/docs/tasks/security/authentication/claim-to-header/snips.sh @@ -48,7 +48,7 @@ spec: app: httpbin jwtRules: - issuer: "testing@secure.istio.io" - jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json" + jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json" outputClaimToHeaders: - header: "x-jwt-claim-foo" claim: "foo" @@ -64,7 +64,7 @@ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadat ENDSNIP snip_allow_requests_with_valid_jwt_and_listtyped_claims_3() { -TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - } ! IFS=$'\n' read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_3_out <<\ENDSNIP diff --git a/content/en/docs/tasks/security/authentication/jwt-route/snips.sh b/content/en/docs/tasks/security/authentication/jwt-route/snips.sh index 4557a2e37b838..1ed53e67053f8 100644 --- a/content/en/docs/tasks/security/authentication/jwt-route/snips.sh +++ b/content/en/docs/tasks/security/authentication/jwt-route/snips.sh @@ -47,7 +47,7 @@ spec: istio: ingressgateway jwtRules: - issuer: "testing@secure.istio.io" - jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json" + jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json" EOF } 
@@ -97,7 +97,7 @@ HTTP/1.1 401 Unauthorized ENDSNIP snip_validating_ingress_routing_based_on_jwt_claims_3() { -TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode +TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode } ! IFS=$'\n' read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_3_out <<\ENDSNIP @@ -114,7 +114,7 @@ HTTP/1.1 200 OK ENDSNIP snip_validating_ingress_routing_based_on_jwt_claims_5() { -TOKEN_NO_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode +TOKEN_NO_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN_NO_GROUP" | cut -d '.' -f2 - | base64 --decode } ! IFS=$'\n' read -r -d '' snip_validating_ingress_routing_based_on_jwt_claims_5_out <<\ENDSNIP diff --git a/content/en/docs/tasks/security/authorization/authz-custom/snips.sh b/content/en/docs/tasks/security/authorization/authz-custom/snips.sh index e0e047fb321bf..c7c6228fef5b0 100644 --- a/content/en/docs/tasks/security/authorization/authz-custom/snips.sh +++ b/content/en/docs/tasks/security/authorization/authz-custom/snips.sh @@ -36,7 +36,7 @@ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadat ENDSNIP snip_deploy_the_external_authorizer_1() { -kubectl apply -n foo -f https://raw.githubusercontent.com/istio/istio/release-1.23/samples/extauthz/ext-authz.yaml +kubectl apply -n foo -f https://raw.githubusercontent.com/istio/istio/master/samples/extauthz/ext-authz.yaml } ! IFS=$'\n' read -r -d '' snip_deploy_the_external_authorizer_1_out <<\ENDSNIP 
diff --git a/content/en/docs/tasks/security/authorization/authz-jwt/snips.sh b/content/en/docs/tasks/security/authorization/authz-jwt/snips.sh index 84b7f4dfb942f..9f92c228609c6 100644 --- a/content/en/docs/tasks/security/authorization/authz-jwt/snips.sh +++ b/content/en/docs/tasks/security/authorization/authz-jwt/snips.sh @@ -47,7 +47,7 @@ spec: app: httpbin jwtRules: - issuer: "testing@secure.istio.io" - jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/jwks.json" + jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json" EOF } @@ -87,7 +87,7 @@ EOF } snip_allow_requests_with_valid_jwt_and_listtyped_claims_5() { -TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - +TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode - } ! IFS=$'\n' read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_5_out <<\ENDSNIP @@ -133,7 +133,7 @@ EOF } snip_allow_requests_with_valid_jwt_and_listtyped_claims_9() { -TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/release-1.23/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode - +TOKEN_GROUP=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/groups-scope.jwt -s) && echo "$TOKEN_GROUP" | cut -d '.' -f2 - | base64 --decode - } ! IFS=$'\n' read -r -d '' snip_allow_requests_with_valid_jwt_and_listtyped_claims_9_out <<\ENDSNIP diff --git a/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/index.md b/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/index.md index 9ef9d605188a3..2002e5cb00d60 100644 
--- a/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/index.md @@ -124,7 +124,7 @@ Kubernetes Services for egress traffic work with other protocols as well. {{< /text >}} 1. Access `httpbin.org` via the Kubernetes service's hostname from the source pod with Istio sidecar. Notice the - headers added by Istio sidecar, for example `X-Envoy-Decorator-Operation`. Also note that + headers added by Istio sidecar, for example `X-Envoy-Peer-Metadata`. Also note that the `Host` header equals to your service's hostname. {{< text bash >}} @@ -138,7 +138,6 @@ Kubernetes Services for egress traffic work with other protocols as well. "X-B3-Sampled": "0", "X-B3-Spanid": "5795fab599dca0b8", "X-B3-Traceid": "5079ad3a4af418915795fab599dca0b8", - "X-Envoy-Decorator-Operation": "my-httpbin.default.svc.cluster.local:80/*", "X-Envoy-Peer-Metadata": "...", "X-Envoy-Peer-Metadata-Id": "sidecar~10.28.1.74~sleep-6bdb595bcb-drr45.default~default.svc.cluster.local" } diff --git a/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/snips.sh index 790f6e1798886..def458fd81b80 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/snips.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/snips.sh @@ -109,7 +109,6 @@ kubectl exec "$SOURCE_POD" -c sleep -- curl -sS my-httpbin.default.svc.cluster.l "X-B3-Sampled": "0", "X-B3-Spanid": "5795fab599dca0b8", "X-B3-Traceid": "5079ad3a4af418915795fab599dca0b8", - "X-Envoy-Decorator-Operation": "my-httpbin.default.svc.cluster.local:80/*", "X-Envoy-Peer-Metadata": "...", "X-Envoy-Peer-Metadata-Id": "sidecar~10.28.1.74~sleep-6bdb595bcb-drr45.default~default.svc.cluster.local" } 
diff --git a/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/test.sh b/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/test.sh index 3e9dde301f78d..a8e9f312c47de 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/test.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-kubernetes-services/test.sh @@ -48,7 +48,7 @@ _verify_contains snip_kubernetes_externalname_service_to_access_an_external_serv snip_kubernetes_externalname_service_to_access_an_external_service_4 _wait_for_istio destinationrule default my-httpbin -_verify_contains snip_kubernetes_externalname_service_to_access_an_external_service_5 "\"X-Envoy-Decorator-Operation\": \"my-httpbin.default.svc.cluster.local:80/*\"" +_verify_contains snip_kubernetes_externalname_service_to_access_an_external_service_5 "\"X-Envoy-Peer-Metadata\":" # service wikipedia snip_use_a_kubernetes_service_with_endpoints_to_access_an_external_service_1 diff --git a/content/en/news/releases/1.5.x/announcing-1.5/_index.md b/content/en/news/releases/1.5.x/announcing-1.5/_index.md index 15b059b22eb06..e18f85d565eeb 100644 --- a/content/en/news/releases/1.5.x/announcing-1.5/_index.md +++ b/content/en/news/releases/1.5.x/announcing-1.5/_index.md @@ -64,7 +64,7 @@ particular has some cool enhancements. Command line installation of Istio using [`istioctl`](/docs/reference/commands/istioctl) is now beta for installation and will work for most customers in most use cases. Managing your installation via an Operator is still alpha, but we continue to improve it with a new -[`IstioOperator API`](/docs/reference/config/istio.operator.v1alpha1/). +`IstioOperator` API. Speaking of `istioctl`, it has over a dozen improvements -- new items it can analyze, better validation rules, and better ability to integrate with CI 
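Review bot: The new assertion in egress-kubernetes-services/test.sh only checks that the key `"X-Envoy-Peer-Metadata":` appears in the output of `snip_kubernetes_externalname_service_to_access_an_external_service_5`, so it no longer ties the response to the `my-httpbin` service as the removed `X-Envoy-Decorator-Operation` value did. As written, any response that passed through a sidecar would appear to satisfy it, whichever host was actually addressed. The index.md text in this commit still says the `Host` header equals the service's hostname, so a second check would keep that coverage: `_verify_contains snip_kubernetes_externalname_service_to_access_an_external_service_5 "my-httpbin.default.svc.cluster.local"`. This assumes the snippet output still prints that header, which is not visible in the hunk. The script is flat and continues outside the hunk.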
diff --git a/content/zh/docs/reference/commands/install-cni/index.html b/content/zh/docs/reference/commands/install-cni/index.html index 75eebe17cf0fc..e5e1573e21751 100644 --- a/content/zh/docs/reference/commands/install-cni/index.html +++ b/content/zh/docs/reference/commands/install-cni/index.html @@ -28,16 +28,12 @@ - - - - - - + + - - + + @@ -60,10 +56,6 @@ - - - - @@ -72,10 +64,6 @@ - - - - @@ -88,22 +76,6 @@ - - - - - - - - - - - - - - - - @@ -210,22 +182,6 @@

install-cni completion

- - - - - - - - - - - - - - - - @@ -240,14 +196,13 @@

install-cni completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(install-cni completion bash)

+
source <(install-cni completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

install-cni completion bash > /etc/bash_completion.d/install-cni

-

#### macOS:

-

install-cni completion bash > $(brew --prefix)/etc/bash_completion.d/install-cni

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
install-cni completion bash > /etc/bash_completion.d/install-cni
+

macOS:

+
install-cni completion bash > /usr/local/etc/bash_completion.d/install-cni
+

You will need to start a new shell for this setup to take effect.

install-cni completion bash
 
REGISTRY_ONLY -

Outbound traffic will be restricted to services defined in the -service registry as well as those defined through ServiceEntry configurations.

+

In REGISTRY_ONLY mode, unknown outbound traffic will be dropped. +Traffic destinations must be explicitly declared into the service registry through ServiceEntry configurations.

+

Note: Istio does not offer an outbound traffic security policy. +This option does not act as one, or as any form of an outbound firewall. +Instead, this option exists primarily to offer users a way to detect missing ServiceEntry configurations by explicitly failing.

ALLOW_ANY -

Outbound traffic to unknown destinations will be allowed, in case -there are no services or ServiceEntry configurations for the destination port.

+

In ALLOW_ANY mode, any traffic to unknown destinations will be allowed. +Unknown destination traffic will have limited functionality, however, such as reduced observability. +This mode allows users that do not have all possible egress destinations registered through ServiceEntry configurations to still connect +to arbitrary destinations.

Whether to install CNI plugin as a chained or standalone
--cni-conf-name <string>Name of the CNI configuration file (default ``)
--cni-event-address <string>The UDS server address which CNI plugin will forward ambient pod creation events to (default `/var/run/istio-cni/pluginevent.sock`)--cni-agent-run-dir <string>Location of the node agent writable path on the node (used for sockets, etc) (default `/var/run/istio-cni`)
--cni-net-dir <string>Directory on the host where CNI network plugins are installed (default `/etc/cni/net.d`)--cni-conf-name <string>Name of the CNI configuration file (default ``)
--cni-network-config <string>CA file for kubeconfig. Defaults to the same as install-cni pod (default ``)
--kubecfg-file-name <string>Name of the kubeconfig file which CNI plugin will use when interacting with API server (default `ZZZ-istio-cni-kubeconfig`)
--kubeconfig-mode <int> File mode of the kubeconfig file (default `384`)
Fallback value for log level in CNI config file, if not specified in helm template (default `warn`)
--log-uds-address <string>The UDS server address which CNI plugin will copy log output to (default `/var/run/istio-cni/log.sock`)
--log_as_json Whether to format output as JSON or in plain console-friendly format
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -279,22 +234,6 @@

install-cni completion bash

- - - - - - - - - - - - - - - - @@ -311,11 +250,10 @@

install-cni completion bash

install-cni completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

install-cni completion fish | source

+
install-cni completion fish | source

To load completions for every new session, execute once:

-

install-cni completion fish > ~/.config/fish/completions/install-cni.fish

-

You will need to start a new shell for this setup to take effect. -

+
install-cni completion bash > ~/.config/fish/completions/install-cni.fish
+

You will need to start a new shell for this setup to take effect.

install-cni completion fish [flags]
 
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
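Review bot: The added persistent-setup command for fish, `install-cni completion bash > ~/.config/fish/completions/install-cni.fish`, calls the `bash` subcommand where the removed line called `fish`, so a user following it writes a bash completion script into the fish completions directory. It should read `install-cni completion fish > ~/.config/fish/completions/install-cni.fish`. The same substitution appears in the istioctl page's fish hunk, as `istioctl completion bash > ~/.config/fish/completions/istioctl.fish`. The istioctl page's front matter names a generator (`pkg-collateral-docs`), so the correction presumably belongs in the command help text these pages are generated from rather than in the HTML.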
@@ -347,22 +285,6 @@

install-cni completion fish

- - - - - - - - - - - - - - - - @@ -377,12 +299,10 @@

install-cni completion fish

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

install-cni completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

install-cni completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
install-cni completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

install-cni completion powershell [flags]
 
@@ -414,22 +334,6 @@

install-cni completion powershell

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``) - - - - - - - - - - - - - - - - @@ -445,18 +349,16 @@

install-cni completion powershell

install-cni completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(install-cni completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

install-cni completion zsh > "${fpath[1]}/_install-cni"

-

#### macOS:

-

install-cni completion zsh > $(brew --prefix)/share/zsh/site-functions/_install-cni

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(install-cni completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
install-cni completion zsh > "${fpath[1]}/_install-cni"
+

macOS:

+
install-cni completion zsh > $(brew --prefix)/share/zsh/site-functions/_install-cni
+

You will need to start a new shell for this setup to take effect.

install-cni completion zsh [flags]
 
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -488,22 +390,6 @@

install-cni completion zsh

- - - - - - - - - - - - - - - - @@ -556,26 +442,6 @@

install-cni version

- - - - - - - - - - - - - - - - - - - - @@ -598,7 +464,7 @@

install-cni version

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, cni-agent, cni-plugin, controllers, default, grpc, iptables, klog, model, monitoring, spiffe, trustBundle, validation] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

Environment variables

-These environment variables affect the behavior of the install-cni command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the install-cni command. @@ -640,16 +506,16 @@

Environment variables

- + - - + + - + - - + + @@ -664,12 +530,6 @@

Environment variables

- - - - - - @@ -724,22 +584,22 @@

Environment variables

- + - + - + - + - + - + @@ -750,7 +610,7 @@

Environment variables

- + @@ -826,6 +686,12 @@

Environment variables

+ + + + + + @@ -980,12 +846,6 @@

Environment variables

- - - - - - @@ -1016,12 +876,6 @@

Environment variables

- - - - - - @@ -1076,12 +930,6 @@

Environment variables

- - - - - - @@ -1298,12 +1146,6 @@

Environment variables

- - - - - - @@ -1520,6 +1362,12 @@

Environment variables

+ + + + + + @@ -1658,12 +1506,6 @@

Environment variables

- - - - - - diff --git a/content/zh/docs/reference/commands/istioctl/index.html b/content/zh/docs/reference/commands/istioctl/index.html index b210ebf057858..71b45f2da37d6 100644 --- a/content/zh/docs/reference/commands/istioctl/index.html +++ b/content/zh/docs/reference/commands/istioctl/index.html @@ -4,7 +4,7 @@ title: istioctl description: Istio control interface. generator: pkg-collateral-docs -number_of_entries: 100 +number_of_entries: 90 max_toc_level: 2 remove_toc_prefix: 'istioctl ' --- @@ -665,14 +665,13 @@

istioctl completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(istioctl completion bash)

+
source <(istioctl completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

istioctl completion bash > /etc/bash_completion.d/istioctl

-

#### macOS:

-

istioctl completion bash > $(brew --prefix)/etc/bash_completion.d/istioctl

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
istioctl completion bash > /etc/bash_completion.d/istioctl
+

macOS:

+
istioctl completion bash > /usr/local/etc/bash_completion.d/istioctl
+

You will need to start a new shell for this setup to take effect.

istioctl completion bash
 
Defines the cluster and service registry that this Istiod instance belongs to
CNI_CONF_NAMECNI_AGENT_RUN_DIR StringName of the CNI configuration file/var/run/istio-cniLocation of the node agent writable path on the node (used for sockets, etc)
CNI_EVENT_ADDRESSCNI_CONF_NAME String/var/run/istio-cni/pluginevent.sockThe UDS server address which CNI plugin will forward ambient pod creation events toName of the CNI configuration file
CNI_NETWORK_CONFIG CNI config template as a file
CNI_NET_DIRString/etc/cni/net.dDirectory on the host where CNI network plugins are installed
COMPLIANCE_POLICY String If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
Envoy proxy username
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXTERNAL_ISTIOD Boolean false If enabled, istiod will skip verifying the certificate of the JWKS server.
KUBECFG_FILE_NAMEStringZZZ-istio-cni-kubeconfigName of the kubeconfig file which CNI plugin will use when interacting with API server
KUBECONFIG_MODE Integer 384 Fallback value for log level in CNI config file, if not specified in helm template
LOG_UDS_ADDRESSString/var/run/istio-cni/log.sockThe UDS server address which CNI plugin will copy log output to
MCS_API_GROUP String multicluster.x-k8s.io
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true pod's namespace
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
REPAIR_BROKEN_POD_LABEL_KEY String cni.istio.io/uninitialized If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTH Boolean true
@@ -719,11 +718,10 @@

istioctl completion bash

istioctl completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

istioctl completion fish | source

+
istioctl completion fish | source

To load completions for every new session, execute once:

-

istioctl completion fish > ~/.config/fish/completions/istioctl.fish

-

You will need to start a new shell for this setup to take effect. -

+
istioctl completion bash > ~/.config/fish/completions/istioctl.fish
+

You will need to start a new shell for this setup to take effect.

istioctl completion fish [flags]
 
@@ -768,12 +766,10 @@

istioctl completion fish

istioctl completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

istioctl completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
istioctl completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

istioctl completion powershell [flags]
 
@@ -819,18 +815,16 @@

istioctl completion powershell

istioctl completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(istioctl completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

istioctl completion zsh > "${fpath[1]}/_istioctl"

-

#### macOS:

-

istioctl completion zsh > $(brew --prefix)/share/zsh/site-functions/_istioctl

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(istioctl completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
istioctl completion zsh > "${fpath[1]}/_istioctl"
+

macOS:

+
istioctl completion zsh > $(brew --prefix)/share/zsh/site-functions/_istioctl
+

You will need to start a new shell for this setup to take effect.

istioctl completion zsh [flags]
 
@@ -926,7 +920,7 @@

istioctl create-remote-secret

+(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -3221,7 +3215,7 @@

istioctl install

@@ -3244,7 +3238,7 @@

istioctl install

+settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) @@ -3388,730 +3382,52 @@

istioctl kube-inject

- - - - - - - - - - - - - - - - - - - - - -
--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``)
--name <string> --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``)
-s Override an IstioOperator value, e.g. to choose a profile (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--webhookConfig <string>MutatingWebhookConfiguration name for Istio (default `istio-sidecar-injector`)
--xds-address <string>XDS Endpoint (default ``)
--xds-label <string>Istiod pod label selector (default ``)
--xds-port <int>Istiod pod port (default `15012`)
-

Examples

-
  # Update resources on the fly before applying.
-  kubectl apply -f <(istioctl kube-inject -f <resource.yaml>)
-
-  # Create a persistent version of the deployment with Istio sidecar injected.
-  istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml
-
-  # Update an existing deployment.
-  kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
-
-  # Capture cluster configuration for later use with kube-inject
-  kubectl -n istio-system get cm istio-sidecar-injector  -o jsonpath="{.data.config}" > /tmp/inj-template.tmpl
-  kubectl -n istio-system get cm istio -o jsonpath="{.data.mesh}" > /tmp/mesh.yaml
-  kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath="{.data.values}" > /tmp/values.json
-
-  # Use kube-inject based on captured configuration
-  istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
-    --injectConfigFile /tmp/inj-template.tmpl \
-    --meshConfigFile /tmp/mesh.yaml \
-    --valuesFile /tmp/values.json
-
-
-

istioctl manifest

-

The manifest command generates and diffs Istio manifests.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest diff

-

The diff subcommand compares manifests from two files or directories. The output is a list of -changed paths with the value changes shown as OLD-VALUE -> NEW-VALUE. -List order changes are shown as [OLD-INDEX->NEW-INDEX], with ? used where a list item is added or -removed.

-
istioctl manifest diff <file|dir> <file|dir> [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--directory-rCompare directory.
--dry-runConsole/log output only, make no changes.
--ignore <string>Ignore all listed items during comparison, using the same list format as selectResources. (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--rename <string>Rename resources before comparison. -The format of each renaming pair is A->B, all renaming pairs are comma separated. -e.g. Service:*:istiod->Service:*:istio-control - rename istiod service into istio-control (default ``)
--select <string>Constrain the list of resources to compare to only the ones in this list, ignoring all others. -The format of each list item is "::" and the items are comma separated. The "*" character represents wildcard selection. -e.g. - Deployment:istio-system:* - compare all deployments in istio-system namespace - Service:*:istiod - compare Services called "istiod" in all namespaces (default `::`)
--verbose-vVerbose output.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl manifest generate

-

The generate subcommand generates an Istio install manifest and outputs to the console by default.

-
istioctl manifest generate [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--cluster-specificIf enabled, the current cluster will be checked for cluster-specific setting detection.
--component <stringSlice>Specify which component to generate manifests for. (default `[]`)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource -This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--output <string>-oManifest output directory path. (default ``)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile -(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Generate a default Istio installation
-  istioctl manifest generate
-
-  # Enable Tracing
-  istioctl manifest generate --set meshConfig.enableTracing=true
-
-  # Generate the demo profile
-  istioctl manifest generate --set profile=demo
-
-  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
-  istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
-
-
-

istioctl manifest install

-

The install command generates an Istio install manifest and applies it to a cluster.

-
istioctl manifest install [flags]
-
-
-
istioctl manifest apply [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource -This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--readiness-timeout <duration>Maximum time to wait for Istio resources in each component to be ready. (default `5m0s`)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile -(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. -If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verifyVerify the Istio control plane after installation/in-place upgrade
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Apply a default Istio installation
-  istioctl install
-
-  # Enable Tracing
-  istioctl install --set meshConfig.enableTracing=true
-
-  # Generate the demo profile and don't wait for confirmation
-  istioctl install --set profile=demo --skip-confirmation
-
-  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
-  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
-
-
-

istioctl operator

-

The operator command installs, dumps, removes and shows the status of the operator controller.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl operator dump

-

The dump subcommand dumps the Istio operator controller manifest.

-
istioctl operator dump [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--hub <string>The hub for the operator controller image. (default `unknown`)
--imagePullSecrets <stringSlice>The imagePullSecrets are used to pull the operator image from the private registry, -could be secret list separated by comma, eg. '--imagePullSecrets imagePullSecret1,imagePullSecret2' (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--output <string>-oOutput format: one of json|yaml (default `yaml`)
--revision <string>-rTarget revision for the operator. (default ``)
--tag <string>The tag for the operator controller image. (default `unknown`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--watchedNamespaces <string>The namespaces the operator controller watches, could be namespace list separated by comma, eg. 'ns1,ns2' (default `istio-system`)
-

istioctl operator init

-

The init subcommand installs the Istio operator controller in the cluster.

-
istioctl operator init [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--filename <string>-fPath to file containing IstioOperator custom resource -This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default ``)
--hub <string>The hub for the operator controller image. (default `unknown`)
--imagePullSecrets <stringSlice>The imagePullSecrets are used to pull the operator image from the private registry, -could be secret list separated by comma, eg. '--imagePullSecrets imagePullSecret1,imagePullSecret2' (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--revision <string>-rTarget revision for the operator. (default ``)
--tag <string>The tag for the operator controller image. (default `unknown`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
--watchedNamespaces <string>The namespaces the operator controller watches, could be namespace list separated by comma, eg. 'ns1,ns2' (default `istio-system`)
-

istioctl operator remove

-

The remove subcommand removes the Istio operator controller from the cluster.

-
istioctl operator remove [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--forceProceed even with validation errors.
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--operatorNamespace <string>The namespace the operator controller is installed into. (default `istio-operator`)
--purgeRemove all versions of Istio operator.
--revision <string>-rTarget revision for the operator. (default ``)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. -If set to true, the user is not prompted and a Yes response is assumed in all cases.
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

istioctl options

-

Displays istioctl global options

- - - - - - - - - - - - - - - - - - + + + + - - - + + + - - - + + + - + - +
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--webhookConfig <string>MutatingWebhookConfiguration name for Istio (default `istio-sidecar-injector`)
--kubeconfig <string>-cKubernetes configuration file (default ``)--xds-address <string>XDS Endpoint (default ``)
--namespace <string>-nKubernetes namespace (default ``)--xds-label <string>Istiod pod label selector (default ``)
--vklog <Level>--xds-port <int> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)Istiod pod port (default `15012`)
-

istioctl profile

-

The profile command lists, dumps or diffs Istio configuration profiles.

+

Examples

+
  # Update resources on the fly before applying.
+  kubectl apply -f <(istioctl kube-inject -f <resource.yaml>)
+
+  # Create a persistent version of the deployment with Istio sidecar injected.
+  istioctl kube-inject -f deployment.yaml -o deployment-injected.yaml
+
+  # Update an existing deployment.
+  kubectl get deployment -o yaml | istioctl kube-inject -f - | kubectl apply -f -
+
+  # Capture cluster configuration for later use with kube-inject
+  kubectl -n istio-system get cm istio-sidecar-injector  -o jsonpath="{.data.config}" > /tmp/inj-template.tmpl
+  kubectl -n istio-system get cm istio -o jsonpath="{.data.mesh}" > /tmp/mesh.yaml
+  kubectl -n istio-system get cm istio-sidecar-injector -o jsonpath="{.data.values}" > /tmp/values.json
+
+  # Use kube-inject based on captured configuration
+  istioctl kube-inject -f samples/bookinfo/platform/kube/bookinfo.yaml \
+    --injectConfigFile /tmp/inj-template.tmpl \
+    --meshConfigFile /tmp/mesh.yaml \
+    --valuesFile /tmp/values.json
+
+
+

istioctl manifest

+

The manifest command generates and diffs Istio manifests.

@@ -4153,13 +3469,9 @@

istioctl profile

-

Examples

-
istioctl profile list
-istioctl install --set profile=demo  # Use a profile from the list
-
-

istioctl profile diff

-

The diff subcommand displays the differences between two Istio configuration profiles.

-
istioctl profile diff <profile|file1.yaml> <profile|file2.yaml> [flags]
+

istioctl manifest generate

+

The generate subcommand generates an Istio install manifest and outputs to the console by default.

+
istioctl manifest generate [flags]
 
@@ -4176,6 +3488,16 @@

istioctl profile diff

+ + + + + + + + + + @@ -4186,6 +3508,17 @@

istioctl profile diff

+ + + + + + + + + + @@ -4199,7 +3532,7 @@

istioctl profile diff

@@ -4208,23 +3541,50 @@

istioctl profile diff

+ + + + + + + + + + + + + + +
Deprecated, use --manifests instead. (default ``)
--cluster-specificIf enabled, the current cluster will be checked for cluster-specific setting detection.
--component <stringSlice>Specify which component to generate manifests for. (default `[]`)
--context <string> Kubernetes configuration context (default ``) Console/log output only, make no changes.
--filename <stringSlice>-fPath to file containing IstioOperator custom resource +This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`)
--forceProceed even with validation errors.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``)
Kubernetes namespace (default ``)
--output <string>-oManifest output directory path. (default ``)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--vklog <Level> number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Profile diff by providing yaml files
-  istioctl profile diff manifests/profiles/default.yaml manifests/profiles/demo.yaml
+

Examples

+
  # Generate a default Istio installation
+  istioctl manifest generate
+
+  # Enable Tracing
+  istioctl manifest generate --set meshConfig.enableTracing=true
+
+  # Generate the demo profile
+  istioctl manifest generate --set profile=demo
+
+  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
+  istioctl manifest generate --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
 
-  # Profile diff by providing a profile name
-  istioctl profile diff default demo
 
-

istioctl profile dump

-

The dump subcommand dumps the values in an Istio configuration profile.

-
istioctl profile dump [<profile>] [flags]
+

istioctl manifest install

+

The install command generates an Istio install manifest and applies it to a cluster.

+
istioctl manifest install [flags]
 
+
+
istioctl manifest apply [flags]
+
@@ -4240,11 +3600,6 @@

istioctl profile dump

- - - - - @@ -4261,6 +3616,11 @@

istioctl profile dump

This flag can be specified multiple times to overlay multiple files. Multiple files are overlaid in left to right order. (default `[]`) + + + + + @@ -4274,7 +3634,7 @@

istioctl profile dump

@@ -4283,9 +3643,32 @@

istioctl profile dump

- - - + + + + + + + + + + + + + + + + + + + + + + + @@ -4294,10 +3677,22 @@

istioctl profile dump

Deprecated, use --manifests instead. (default ``)
--config-path <string>-pThe path the root of the configuration subtree to dump e.g. components.pilot. By default, dump whole tree (default ``)
--context <string> Kubernetes configuration context (default ``)
--forceProceed even with validation errors.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``)
Kubernetes namespace (default ``)
--output <string>-oOutput format: one of json|yaml|flags (default `yaml`)--readiness-timeout <duration>Maximum time to wait for Istio resources in each component to be ready. (default `5m0s`)
--revision <string>-rTarget control plane revision for the command. (default ``)
--set <stringArray>-sOverride an IstioOperator value, e.g. to choose a profile +(--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`)
--skip-confirmation-yThe skipConfirmation determines whether the user is prompted for confirmation. +If set to true, the user is not prompted and a Yes response is assumed in all cases.
--verifyVerify the Istio control plane after installation/in-place upgrade
--vklog <Level>
-

istioctl profile list

-

The list subcommand lists the available Istio configuration profiles.

-
istioctl profile list [flags]
+

Examples

+
  # Apply a default Istio installation
+  istioctl install
+
+  # Enable Tracing
+  istioctl install --set meshConfig.enableTracing=true
+
+  # Generate the demo profile and don't wait for confirmation
+  istioctl install --set profile=demo --skip-confirmation
+
+  # To override a setting that includes dots, escape them with a backslash (\).  Your shell may require enclosing quotes.
+  istioctl install --set "values.sidecarInjectorWebhook.injectedAnnotations.container\.apparmor\.security\.beta\.kubernetes\.io/istio-proxy=runtime/default"
+
 
+

istioctl options

+

Displays istioctl global options

@@ -4308,21 +3703,11 @@

istioctl profile list

- - - - - - - - - - @@ -4333,13 +3718,6 @@

istioctl profile list

- - - - - @@ -5486,7 +4864,7 @@

istioctl tag generate

+(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -5575,7 +4953,7 @@

istioctl tag list

- + @@ -5585,7 +4963,7 @@

istioctl tag list

--charts <string>Deprecated, use --manifests instead. (default ``)
--context <string> Kubernetes configuration context (default ``)
--dry-runConsole/log output only, make no changes.
--istioNamespace <string> -i Istio system namespace (default `istio-system`) Kubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). - (default ``)
--namespace <string> -n Kubernetes namespace (default ``) --manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``)
--namespace <string>
--output <string> -oOutput format for tag description (available formats: table,json) (default `table`)Output format for tag description (available formats: table,json,yaml) (default `table`)
--vklog <Level>

Examples

-
istioctl tag list
+
  istioctl tag list
 

istioctl tag remove

Remove Istio control plane revision tag.

@@ -5683,7 +5061,7 @@

istioctl tag set

--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``) +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) --namespace <string> @@ -5784,7 +5162,7 @@

istioctl uninstall

--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -5807,7 +5185,7 @@

istioctl uninstall

-s Override an IstioOperator value, e.g. to choose a profile (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) --skip-confirmation @@ -5890,7 +5268,7 @@

istioctl upgrade

--manifests <string> -d Specify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). +(e.g. ~/Downloads/istio-1.24.0/manifests). (default ``) @@ -5913,7 +5291,7 @@

istioctl upgrade

-s Override an IstioOperator value, e.g. to choose a profile (--set profile=demo), enable or disable components (--set components.cni.enabled=true), or override Istio -settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.23/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) +settings (--set meshConfig.enableTracing=true). See documentation for more info:https://istio.io/v1.24/docs/reference/config/istio.operator.v1alpha1/#IstioOperatorSpec (default `[]`) --skip-confirmation @@ -6001,84 +5379,6 @@

Examples

istioctl analyze samples/bookinfo/networking/bookinfo-gateway.yaml
-

istioctl verify-install

-

-verify-install verifies Istio installation status against the installation file -you specified when you installed Istio. It loops through all the installation -resources defined in your installation file and reports whether all of them are -in ready status. It will report failure when any of them are not ready.

-

If you do not specify an installation it will check for an IstioOperator resource -and will verify if pods and services defined in it are present.

-

Note: For verifying whether your cluster is ready for Istio installation, see -istioctl experimental precheck. -

-
istioctl verify-install [-f <deployment or istio operator file>] [--revision <revision>] [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--context <string>Kubernetes configuration context (default ``)
--filename <stringSlice>-fIstio YAML installation file. (default `[]`)
--istioNamespace <string>-iIstio system namespace (default `istio-system`)
--kubeconfig <string>-cKubernetes configuration file (default ``)
--manifests <string>-dSpecify a path to a directory of charts and profiles -(e.g. ~/Downloads/istio-1.23.0/manifests). (default ``)
--namespace <string>-nKubernetes namespace (default ``)
--revision <string>-rControl plane revision (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Examples

-
  # Verify that Istio is installed correctly via Istio Operator
-  istioctl verify-install
-
-  # Verify the deployment matches a custom Istio deployment configuration
-  istioctl verify-install -f $HOME/istio.yaml
-
-  # Verify the deployment matches the Istio Operator deployment definition
-  istioctl verify-install --revision <canary>
-
-  # Verify the installation of specific revision
-  istioctl verify-install -r 1-9-0
-

istioctl version

Prints out build version information

istioctl version [flags]
@@ -7029,7 +6329,7 @@ 

Examples

Environment variables

-These environment variables affect the behavior of the istioctl command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the istioctl command. @@ -7113,22 +6413,22 @@

Environment variables

- + - + - + - + - + - + @@ -7139,7 +6439,7 @@

Environment variables

- + @@ -7215,6 +6515,12 @@

Environment variables

+ + + + + + @@ -7495,12 +6801,6 @@

Environment variables

- - - - - - @@ -7717,12 +7017,6 @@

Environment variables

- - - - - - @@ -7933,6 +7227,12 @@

Environment variables

+ + + + + + @@ -8005,12 +7305,6 @@

Environment variables

- - - - - - @@ -8035,20 +7329,11 @@

Exported metrics

- - - - - - - - - @@ -8093,13 +7378,7 @@

Exported metrics

- - - - - - @@ -8108,7 +7387,6 @@

Exported metrics

- diff --git a/content/zh/docs/reference/commands/operator/index.html b/content/zh/docs/reference/commands/operator/index.html deleted file mode 100644 index 55bb211d1d28c..0000000000000 --- a/content/zh/docs/reference/commands/operator/index.html +++ /dev/null @@ -1,1347 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/istio' REPO -source_repo: https://github.com/istio/istio -title: operator -description: The Istio operator. -generator: pkg-collateral-docs -number_of_entries: 9 -max_toc_level: 2 -remove_toc_prefix: 'operator ' ---- -

The Istio operator.

-
If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXTERNAL_ISTIOD Boolean false If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true Platform where Istio is deployed. Possible values are "openshift" and "gcp"
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
REQUIRE_3P_TOKEN Boolean false If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTH Boolean true
auto_registration_success_totalSumTotal number of successful auto registrations.
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
cache_flush_totalSumnumber of times operator cache was flushed
controller_sync_errors_totalSumTotal number of errorMetric syncing controllers.
cr_deletion_totalSumNumber of IstioOperator CR deleted
cr_merge_failure_totalSumNumber of IstioOperator CR merge failures
cr_validation_error_totalSumNumber of IstioOperator CR validation failures
endpoint_no_podLastValueEndpoints without an associated pod.
get_cr_error_totalSumNumber of times fetching CR from apiserver failed
istio_buildLastValueIstio component build info
istiod_managed_clustersLastValueNumber of clusters managed by istiod
legacy_path_translation_totalSumNumber of times a legacy API path is translated
manifest_patch_error_totalSumNumber of times K8S patch overlays failed
manifest_render_error_totalSumNumber of times error occurred during rendering output manifest
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
owned_resource_totalLastValueNumber of resources currently owned by the operator
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_debounce_timeDistributionDelay in seconds between the first config enters debouncing and the merged push request is pushed into the push queue.
pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
provider_lookup_cluster_failuresSumNumber of times a cluster lookup failed
reconcile_request_totalSumNumber of times requesting Reconcile
remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.
render_manifest_totalSumNumber of component manifests rendered
resource_creation_totalSumNumber of resources created by the operator
resource_deletion_totalSumNumber of resources deleted by the operator
resource_prune_totalSumNumber of resources pruned by the operator
resource_update_totalSumNumber of resources updated by the operator
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests.
sidecar_injection_success_totalSumTotal number of successful sidecar injection requests.
sidecar_injection_time_secondsDistributionTotal time taken for injection in seconds.
startup_duration_secondsLastValueThe time from the process starting to being marked ready.
versionLastValueVersion of operator binary
wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries.
wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups.
wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint.
- - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion

-

Generate the autocompletion script for operator for the specified shell. -See each sub-command's help for details on how to use the generated script. -

- - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion bash

-

Generate the autocompletion script for the bash shell.

-

This script depends on the 'bash-completion' package. -If it is not installed already, you can install it via your OS's package manager.

-

To load completions in your current shell session:

-

source <(operator completion bash)

-

To load completions for every new session, execute once:

-

#### Linux:

-

operator completion bash > /etc/bash_completion.d/operator

-

#### macOS:

-

operator completion bash > $(brew --prefix)/etc/bash_completion.d/operator

-

You will need to start a new shell for this setup to take effect. -

-
operator completion bash
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion fish

-

Generate the autocompletion script for the fish shell.

-

To load completions in your current shell session:

-

operator completion fish | source

-

To load completions for every new session, execute once:

-

operator completion fish > ~/.config/fish/completions/operator.fish

-

You will need to start a new shell for this setup to take effect. -

-
operator completion fish [flags]
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion powershell

-

Generate the autocompletion script for powershell.

-

To load completions in your current shell session:

-

operator completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

-
operator completion powershell [flags]
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator completion zsh

-

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(operator completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

operator completion zsh > "${fpath[1]}/_operator"

-

#### macOS:

-

operator completion zsh > $(brew --prefix)/share/zsh/site-functions/_operator

-

You will need to start a new shell for this setup to take effect. -

-
operator completion zsh [flags]
-
- - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--no-descriptionsdisable completion descriptions
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator server

-

Starts the Istio operator server

-
operator server [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsDescription
--ctrlz_address <string>The IP Address to listen on for the ControlZ introspection facility. Use '*' to indicate all addresses. (default `localhost`)
--ctrlz_port <uint16>The IP port to use for the ControlZ introspection facility (default `9876`)
--forceProceed even with validation errors.
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--log_as_jsonWhether to format output as JSON or in plain console-friendly format
--log_caller <string>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpc, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] (default ``)
--log_output_level <string>Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpc, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, analysis, authn, authorization, ca, controllers, controlleruntime, default, delta, file, gateway, grpc, installer, klog, krt, kube, model, monitoring, patch, processing, retry, security, serviceentry, spiffe, status, tpath, translator, trustBundle, util, validation, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
--log_target <stringArray>The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default `[stdout]`)
--max-concurrent-reconciles <int>Defines the concurrency limit for operator to reconcile IstioOperatorSpec in parallel. Default value is 1. (default `1`)
--monitoring-host <string>HTTP host to use for operator's self-monitoring information (default `0.0.0.0`)
--monitoring-port <uint32>HTTP port to use for operator's self-monitoring information (default `8383`)
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

operator version

-

Prints out build version information

-
operator version [flags]
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FlagsShorthandDescription
--kubeconfig <string>Paths to a kubeconfig. Only required if out-of-cluster. (default ``)
--output <string>-oOne of 'yaml' or 'json'. (default ``)
--short-sUse --short=false to generate full version information
--vklog <Level>number for the log level verbosity. Like -v flag. ex: --vklog=9 (default `0`)
-

Environment variables

-These environment variables affect the behavior of the operator command. Please use with caution as these environment variables are experimental and can change anytime. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - -
Variable NameTypeDefault ValueDescription
CA_TRUSTED_NODE_ACCOUNTSStringIf set, the list of service accounts that are allowed to use node authentication for CSRs. Node authentication allows an identity to create CSRs on behalf of other identities, but only if there is a pod running on the same node with that identity. This is intended for use with node proxies.
CERT_SIGNER_DOMAINStringThe cert signer domain info
CLOUD_PLATFORMStringCloud Platform on which proxy is running, if not specified, Istio will try to discover the platform. Valid platform values are aws, azure, gcp, none
CLUSTER_IDStringKubernetesDefines the cluster and service registry that this Istiod instance belongs to
COMPLIANCE_POLICYStringIf set, applies policy-specific restrictions over all existing TLS -settings, including in-mesh mTLS and external TLS. Valid values are: - -* '' or unset places no additional restrictions. -* 'fips-140-2' which enforces a version of the TLS protocol and a subset -of cipher suites overriding any user preferences or defaults for all runtime -components, including Envoy, gRPC Go SDK, and gRPC C++ SDK. - -WARNING: Setting compliance policy in the control plane is a necessary but -not a sufficient requirement to achieve compliance. There are additional -steps necessary to claim compliance, including using the validated -cryptograhic modules (please consult -https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ssl#fips-140-2).
ENABLE_100_CONTINUE_HEADERSBooleantrueIf enabled, istiod will proxy 100-continue headers as is
ENABLE_AUTO_SNIBooleantrueIf enabled, automatically set SNI when `DestinationRules` do not specify the same
ENABLE_CA_SERVERBooleantrueIf this is set to false, will not create CA server in istiod.
ENABLE_DEBUG_ON_HTTPBooleantrueIf this is set to false, the debug interface will not be enabled, recommended for production
ENABLE_DEFERRED_CLUSTER_CREATIONBooleantrueIf enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXBooleantrueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_ENHANCED_RESOURCE_SCOPINGBooleantrueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_EXTERNAL_NAME_ALIASBooleantrueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.
ENABLE_HCM_INTERNAL_NETWORKSBooleanfalseIf enable, endpoints defined in mesh networks will be configured as internal addresses in Http Connection Manager
ENABLE_INBOUND_RETRY_POLICYBooleanfalseIf true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
ENABLE_LEADER_ELECTIONBooleantrueIf enabled (default), starts a leader election client and gains leadership before executing controllers. If false, it assumes that only one instance of istiod is running and skips leader election.
ENABLE_MCS_AUTO_EXPORTBooleanfalseIf enabled, istiod will automatically generate Kubernetes Multi-Cluster Services (MCS) ServiceExport resources for every service in the mesh. Services defined to be cluster-local in MeshConfig are excluded.
ENABLE_MCS_CLUSTER_LOCALBooleanfalseIf enabled, istiod will treat the host `<svc>.<namespace>.svc.cluster.local` as defined by the Kubernetes Multi-Cluster Services (MCS) spec. In this mode, requests to `cluster.local` will be routed to only those endpoints residing within the same cluster as the client. Requires that both ENABLE_MCS_SERVICE_DISCOVERY and ENABLE_MCS_HOST also be enabled.
ENABLE_MCS_HOSTBooleanfalseIf enabled, istiod will configure a Kubernetes Multi-Cluster Services (MCS) host (<svc>.<namespace>.svc.clusterset.local) for each service exported (via ServiceExport) in at least one cluster. Clients must, however, be able to successfully lookup these DNS hosts. That means that either Istio DNS interception must be enabled or an MCS controller must be used. Requires that ENABLE_MCS_SERVICE_DISCOVERY also be enabled.
ENABLE_MCS_SERVICE_DISCOVERYBooleanfalseIf enabled, istiod will enable Kubernetes Multi-Cluster Services (MCS) service discovery mode. In this mode, service endpoints in a cluster will only be discoverable within the same cluster unless explicitly exported via ServiceExport.
ENABLE_MULTICLUSTER_HEADLESSBooleantrueIf true, the DNS name table for a headless service will resolve to same-network endpoints in any cluster.
ENABLE_NATIVE_SIDECARSBooleanfalseIf set, used Kubernetes native Sidecar container support. Requires SidecarContainer feature flag.
ENABLE_PROBE_KEEPALIVE_CONNECTIONSBooleanfalseIf enabled, readiness probes will keep the connection from pilot-agent to the application alive. This mirrors older Istio versions' behaviors, but not kubelet's.
ENABLE_RESOLUTION_NONE_TARGET_PORTBooleantrueIf enabled, targetPort will be supported for resolution=NONE ServiceEntry
ENABLE_SELECTOR_BASED_K8S_GATEWAY_POLICYBooleantrueIf disabled, Gateway API gateways will ignore workloadSelector policies, onlyapplying policies that select the gateway with a targetRef.
ENABLE_TLS_ON_SIDECAR_INGRESSBooleanfalseIf enabled, the TLS configuration on Sidecar.ingress will take effect
ENABLE_VTPROTOBUFBooleantrueIf true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
EXTERNAL_ISTIODBooleanfalseIf this is set to true, one Istiod will control remote clusters including CA.
GCP_METADATAStringPipe separated GCP metadata, schemed as PROJECT_ID|PROJECT_NUMBER|CLUSTER_NAME|CLUSTER_ZONE
GCP_QUOTA_PROJECTStringAllows specification of a quota project to be used in requests to GCP APIs.
GRPC_KEEPALIVE_INTERVALTime Duration30sgRPC Keepalive Interval
GRPC_KEEPALIVE_TIMEOUTTime Duration10sgRPC Keepalive Timeout
HTTP_STRIP_FRAGMENT_FROM_PATH_UNSAFE_IF_DISABLEDBooleantrue
INBOUND_INTERCEPTION_MODEStringThe mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"
INBOUND_TPROXY_MARKString
INJECTION_WEBHOOK_CONFIG_NAMEStringistio-sidecar-injectorName of the mutatingwebhookconfiguration to patch, if istioctl is not used.
ISTIOD_CUSTOM_HOSTStringCustom host name of istiod that istiod signs the server cert. Multiple custom host names are supported, and multiple values are separated by commas.
ISTIO_AGENT_ENABLE_WASM_REMOTE_LOAD_CONVERSIONBooleantrueIf enabled, Istio agent will intercept ECDS resource update, downloads Wasm module, and replaces Wasm module remote load with downloaded local module file.
ISTIO_BOOTSTRAPString
ISTIO_DELTA_XDSBooleantrueIf enabled, pilot will only send the delta configs as opposed to the state of the world on a Resource Request. This feature uses the delta xds api, but does not currently send the actual deltas.
ISTIO_DUAL_STACKBooleanfalseIf true, Istio will enable the Dual Stack feature.
ISTIO_ENABLE_CONTROLLER_QUEUE_METRICSBooleanfalseIf enabled, publishes metrics for queue depth, latency and processing times.
ISTIO_ENABLE_HTTP2_PROBINGBooleantrueIf enabled, HTTP2 probes will be enabled for HTTPS probes, following Kubernetes
ISTIO_ENABLE_IPV4_OUTBOUND_LISTENER_FOR_IPV6_CLUSTERSBooleanfalseIf true, pilot will configure an additional IPv4 listener for outbound traffic in IPv6 only clusters, e.g. AWS EKS IPv6 only clusters.
ISTIO_GPRC_MAXRECVMSGSIZEInteger4194304Sets the max receive buffer size of gRPC stream in bytes.
ISTIO_GPRC_MAXSTREAMSInteger100000Sets the maximum number of concurrent grpc streams.
ISTIO_KUBE_CLIENT_CONTENT_TYPEStringprotobufThe content type to use for Kubernetes clients. Defaults to protobuf. Valid options: [protobuf, json]
ISTIO_MULTIROOT_MESHBooleanfalseIf enabled, mesh will support certificates signed by more than one trustAnchor for ISTIO_MUTUAL mTLS
ISTIO_OUTBOUND_IPV4_LOOPBACK_CIDRString127.0.0.1/32IPv4 CIDR range used to identify outbound traffic on loopback interface intended for application container
ISTIO_OUTBOUND_OWNER_GROUPSString*Comma separated list of groups whose outgoing traffic is to be redirected to Envoy. -A group can be specified either by name or by a numeric GID. -The wildcard character "*" can be used to configure redirection of traffic from all groups.
ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDEStringComma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy. -A group can be specified either by name or by a numeric GID. -Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy.
ISTIO_PROMETHEUS_ANNOTATIONSString
ISTIO_WATCH_NAMESPACEStringIf set, limit Kubernetes watches to a single namespace. Warning: only a single namespace can be set.
ISTIO_WORKLOAD_ENTRY_VALIDATE_IDENTITYBooleantrueIf enabled, will validate the identity of a workload matches the identity of the WorkloadEntry it is associating with for health checks and auto registration. This flag is added for backwards compatibility only and will be removed in future releases
JWKS_RESOLVER_INSECURE_SKIP_VERIFYBooleanfalseIf enabled, istiod will skip verifying the certificate of the JWKS server.
K_REVISIONStringKNative revision, set if running in knative
LABEL_CANONICAL_SERVICES_FOR_MESH_EXTERNAL_SERVICE_ENTRIESBooleanfalseIf enabled, metadata representing canonical services for ServiceEntry resources with a location of mesh_external will be populatedin the cluster metadata for those endpoints.
LOCAL_CLUSTER_SECRET_WATCHERBooleanfalseIf enabled, the cluster secret watcher will watch the namespace of the external cluster instead of config cluster
MCS_API_GROUPStringmulticluster.x-k8s.ioThe group to be used for the Kubernetes Multi-Cluster Services (MCS) API.
MCS_API_VERSIONStringv1alpha1The version to be used for the Kubernetes Multi-Cluster Services (MCS) API.
METRICS_LOCALHOST_ACCESS_ONLYBooleanfalseThis will disable metrics endpoint from outside of the pod, allowing only localhost access.
METRIC_GRACEFUL_DELETION_INTERVALTime Duration5m0sMetric expiry graceful deletion interval. No-op if METRIC_ROTATION_INTERVAL is disabled.
METRIC_ROTATION_INTERVALTime Duration0sMetric scope rotation interval, set to 0 to disable the metric scope rotation
MUTEX_PROFILE_FRACTIONInteger1000If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGEBooleanfalseIf set, it allows creating inbound listeners for service ports and sidecar ingress listeners
PILOT_ANALYSIS_INTERVALTime Duration10sIf analysis is enabled, pilot will run istio analyzers using this value as interval in seconds Istio Resources
PILOT_AUTO_ALLOW_WAYPOINT_POLICYBooleanfalseIf enabled, zTunnel will receive synthetic authorization policies for each workload ALLOW the Waypoint's identity. Unless other ALLOW policies are created, this effectively denies traffic that doesn't go through the waypoint.
PILOT_CERT_PROVIDERStringistiodThe provider of Pilot DNS certificate. K8S RA will be used for k8s.io/NAME. 'istiod' value will sign using Istio build in CA. Other values will not not generate TLS certs, but still distribute ./etc/certs/root-cert.pem. Only used if custom certificates are not mounted.
PILOT_CONVERT_SIDECAR_SCOPE_CONCURRENCYInteger1Used to adjust the concurrency of SidecarScope conversions. When istiod is deployed on a multi-core CPU server, increasing this value will help to use the CPU to accelerate configuration push, but it also means that istiod will consume more CPU resources.
PILOT_DEBOUNCE_AFTERTime Duration100msThe delay added to config/registry events for debouncing. This will delay the push by at least this interval. If no change is detected within this period, the push will happen, otherwise we'll keep delaying until things settle, up to a max of PILOT_DEBOUNCE_MAX.
PILOT_DEBOUNCE_MAXTime Duration10sThe maximum amount of time to wait for events while debouncing. If events keep showing up with no breaks for this time, we'll trigger a push.
PILOT_DISABLE_MX_ALPNBooleanfalseIf true, pilot will not put istio-peer-exchange ALPN into TLS handshake configuration.
PILOT_DRAINING_LABELStringistio.io/drainingIf not empty, endpoints with the label value present will be sent with status DRAINING.
PILOT_ENABLE_ALPHA_GATEWAY_APIBooleanfalseIf this is set to true, support for alpha APIs in the Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_ALPN_FILTERBooleantrueIf true, pilot will add Istio ALPN filters, required for proper protocol sniffing.
PILOT_ENABLE_AMBIENTBooleanfalseIf enabled, ambient mode can be used. Individual flags configure fine grained enablement; this must be enabled for any ambient functionality.
PILOT_ENABLE_AMBIENT_WAYPOINTSBooleanfalseIf enabled, controllers required for ambient will run. This is required to run ambient mesh.
PILOT_ENABLE_ANALYSISBooleanfalseIf enabled, pilot will run istio analyzers and write analysis errors to the Status field of any Istio Resources
PILOT_ENABLE_CDS_CACHEBooleantrueIf true, Pilot will cache CDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRYBooleantrueIf enabled, pilot will read WorkloadEntry from other clusters, selectable by Services in that cluster.
PILOT_ENABLE_EDS_DEBOUNCEBooleantrueIf enabled, Pilot will include EDS pushes in the push debouncing, configured by PILOT_DEBOUNCE_AFTER and PILOT_DEBOUNCE_MAX. EDS pushes may be delayed, but there will be fewer pushes. By default this is enabled
PILOT_ENABLE_EDS_FOR_HEADLESS_SERVICESBooleanfalseIf enabled, for headless service in Kubernetes, pilot will send endpoints over EDS, allowing the sidecar to load balance among pods in the headless service. This feature should be enabled if applications access all services explicitly via a HTTP proxy port in the sidecar.
PILOT_ENABLE_GATEWAY_APIBooleantrueIf this is set to true, support for Kubernetes gateway-api (github.com/kubernetes-sigs/gateway-api) will be enabled. In addition to this being enabled, the gateway-api CRDs need to be installed.
PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLERBooleantrueIf this is set to true, gateway-api resources will automatically provision in cluster deployment, services, etc
PILOT_ENABLE_GATEWAY_API_GATEWAYCLASS_CONTROLLERBooleantrueIf this is set to true, istiod will create and manage its default GatewayClasses
PILOT_ENABLE_GATEWAY_API_STATUSBooleantrueIf this is set to true, gateway-api resources will have status written to them
PILOT_ENABLE_IP_AUTOALLOCATEBooleanfalseIf enabled, pilot will start a controller that assigns IP addresses to ServiceEntry which do not have a user-supplied IP. This, when combined with DNS capture allows for tcp routing of traffic sent to the ServiceEntry.
PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIESBooleantrueIf enabled, Kubernetes services with selectors will select workload entries with matching labels. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_METADATA_EXCHANGEBooleantrueIf true, pilot will add metadata exchange filters, which will be consumed by telemetry filter.
PILOT_ENABLE_MONGO_FILTERBooleantrueEnableMongoFilter enables injection of `envoy.filters.network.mongo_proxy` in the filter chain.
PILOT_ENABLE_MYSQL_FILTERBooleanfalseEnableMysqlFilter enables injection of `envoy.filters.network.mysql_proxy` in the filter chain.
PILOT_ENABLE_NODE_UNTAINT_CONTROLLERSBooleanfalseIf enabled, controller that untaints nodes with cni pods ready will run. This should be enabled if you disabled ambient init containers.
PILOT_ENABLE_PERSISTENT_SESSION_FILTERBooleanfalseIf enabled, Istiod sets up persistent session filter for listeners, if services have 'PILOT_PERSISTENT_SESSION_LABEL' set.
PILOT_ENABLE_QUIC_LISTENERSBooleanfalseIf true, QUIC listeners will be generated wherever there are listeners terminating TLS on gateways if the gateway service exposes a UDP port with the same number (for example 443/TCP and 443/UDP)
PILOT_ENABLE_RDS_CACHEBooleantrueIf true, Pilot will cache RDS responses. Note: this depends on PILOT_ENABLE_XDS_CACHE.
PILOT_ENABLE_REDIS_FILTERBooleanfalseEnableRedisFilter enables injection of `envoy.filters.network.redis_proxy` in the filter chain.
PILOT_ENABLE_ROUTE_COLLAPSE_OPTIMIZATIONBooleantrueIf true, Pilot will merge virtual hosts with the same routes into a single virtual host, as an optimization.
PILOT_ENABLE_SENDING_HBONEBooleanfalseIf enabled, HBONE will be allowed when sending to destinations.
PILOT_ENABLE_SERVICEENTRY_SELECT_PODSBooleantrueIf enabled, service entries with selectors will select pods from the cluster. It is safe to disable it if you are quite sure you don't need this feature
PILOT_ENABLE_SIDECAR_LISTENING_HBONEBooleanfalseIf enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to cluster and endpoint resources, which will be consumed by telemetry filter.
PILOT_ENABLE_WORKLOAD_ENTRY_AUTOREGISTRATIONBooleantrueEnables auto-registering WorkloadEntries based on associated WorkloadGroups upon XDS connection by the workload.
PILOT_ENABLE_WORKLOAD_ENTRY_HEALTHCHECKSBooleantrueEnables automatic health checks of WorkloadEntries based on the config provided in the associated WorkloadGroup
PILOT_ENABLE_XDS_CACHEBooleantrueIf true, Pilot will cache XDS responses.
PILOT_ENABLE_XDS_IDENTITY_CHECKBooleantrueIf enabled, pilot will authorize XDS clients, to ensure they are acting only as namespaces they have permissions for.
PILOT_ENDPOINT_TELEMETRY_LABELBooleantrueIf true, pilot will add telemetry related metadata to Endpoint resource, which will be consumed by telemetry filter.
PILOT_ENVOY_FILTER_STATSBooleanfalseIf true, Pilot will collect metrics for envoy filter operations.
PILOT_FILTER_GATEWAY_CLUSTER_CONFIGBooleanfalseIf enabled, Pilot will send only clusters that referenced in gateway virtual services attached to gateway
PILOT_GATEWAY_API_CONTROLLER_NAMEStringistio.io/gateway-controllerGateway API controller name. istiod will only reconcile Gateway API resources referencing a GatewayClass with this controller name
PILOT_GATEWAY_API_DEFAULT_GATEWAYCLASS_NAMEStringistioName of the default GatewayClass
PILOT_HTTP10BooleanfalseEnables the use of HTTP 1.0 in the outbound HTTP listeners, to support legacy applications.
PILOT_INSECURE_MULTICLUSTER_KUBECONFIG_OPTIONSStringComma separated list of potentially insecure kubeconfig authentication options that are allowed for multicluster authentication.Support values: all authProviders (`gcp`, `azure`, `exec`, `openstack`), `clientKey`, `clientCertificate`, `tokenFile`, and `exec`.
PILOT_JWT_ENABLE_REMOTE_JWKSStringfalseMode of fetching JWKs from JwksUri in RequestAuthentication. Supported value: istiod, false, hybrid, true, envoy. The client fetching JWKs is as following: istiod/false - Istiod; hybrid/true - Envoy and fallback to Istiod if JWKs server is external; envoy - Envoy.
PILOT_JWT_PUB_KEY_REFRESH_INTERVALTime Duration20m0sThe interval for istiod to fetch the jwks_uri for the jwks public key.
PILOT_MAX_REQUESTS_PER_SECONDFloating-Point0Limits the number of incoming XDS requests per second. On larger machines this can be increased to handle more proxies concurrently. If set to 0 or unset, the max will be automatically determined based on the machine size
PILOT_MULTI_NETWORK_DISCOVER_GATEWAY_APIBooleantrueIf true, Pilot will discover labeled Kubernetes gateway objects as multi-network gateways.
PILOT_PERSISTENT_SESSION_HEADER_LABELStringistio.io/persistent-session-headerIf not empty, services with this label will use header based persistent sessions
PILOT_PERSISTENT_SESSION_LABELStringistio.io/persistent-sessionIf not empty, services with this label will use cookie based persistent sessions
PILOT_PREFER_SENDING_HBONEBooleanfalseIf enabled, HBONE will be preferred when sending to destinations.
PILOT_PUSH_THROTTLEInteger0Limits the number of concurrent pushes allowed. On larger machines this can be increased for faster pushes. If set to 0 or unset, the max will be automatically determined based on the machine size
PILOT_REMOTE_CLUSTER_TIMEOUTTime Duration30sAfter this timeout expires, pilot can become ready without syncing data from clusters added via remote-secrets. Setting the timeout to 0 disables this behavior.
PILOT_SCOPE_GATEWAY_TO_NAMESPACEBooleanfalseIf enabled, a gateway workload can only select gateway resources in the same namespace. Gateways with same selectors in different namespaces will not be applicable.
PILOT_SEND_UNHEALTHY_ENDPOINTSBooleanfalseIf enabled, Pilot will include unhealthy endpoints in EDS pushes and even if they are sent Envoy does not use them for load balancing. To avoid, sending traffic to non ready endpoints, enabling this flag, disables panic threshold in Envoy i.e. Envoy does not load balance requests to unhealthy/non-ready hosts even if the percentage of healthy hosts fall below minimum health percentage(panic threshold).
PILOT_SIDECAR_USE_REMOTE_ADDRESSBooleanfalseUseRemoteAddress sets useRemoteAddress to true for sidecar outbound listeners.
PILOT_SKIP_VALIDATE_TRUST_DOMAINBooleanfalseSkip validating the peer is from the same trust domain when mTLS is enabled in authentication policy
PILOT_STATUS_BURSTInteger500If status is enabled, controls the Burst rate with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config Burst
PILOT_STATUS_MAX_WORKERSInteger100The maximum number of workers Pilot will use to keep configuration status up to date. Smaller numbers will result in higher status latency, but larger numbers may impact CPU in high scale environments.
PILOT_STATUS_QPSInteger100If status is enabled, controls the QPS with which status will be updated. See https://godoc.org/k8s.io/client-go/rest#Config QPS
PILOT_STATUS_UPDATE_INTERVALTime Duration500msInterval to update the XDS distribution status.
PILOT_TRACE_SAMPLINGFloating-Point1Sets the mesh-wide trace sampling percentage. Should be 0.0 - 100.0. Precision to 0.01. Default is 1.0.
PILOT_WORKLOAD_ENTRY_GRACE_PERIODTime Duration10sThe amount of time an auto-registered workload can remain disconnected from all Pilot instances before the associated WorkloadEntry is cleaned up.
PILOT_XDS_CACHE_INDEX_CLEAR_INTERVALTime Duration5sThe interval for xds cache index clearing.
PILOT_XDS_CACHE_SIZEInteger60000The maximum number of cache entries for the XDS cache.
PILOT_XDS_CACHE_STATSBooleanfalseIf true, Pilot will collect metrics for XDS cache efficiency.
PLATFORMStringPlatform where Istio is deployed. Possible values are "openshift" and "gcp"
REQUIRE_3P_TOKENBooleanfalseReject k8s default tokens, without audience. If false, default K8S token will be accepted
RESOLVE_HOSTNAME_GATEWAYSBooleantrueIf true, hostnames in the LoadBalancer addresses of a Service will be resolved at the control plane for use in cross-network gateways.
REWRITE_PROBE_LEGACY_LOCALHOST_DESTINATIONBooleanfalseIf enabled, readiness probes will be sent to 'localhost'. Otherwise, they will be sent to the Pod's IP, matching Kubernetes' behavior.
SHARED_MESH_CONFIGStringAdditional config map to load for shared MeshConfig settings. The standard mesh config will take precedence.
TERMStringSpecifies terminal type. Use 'dumb' to suppress color output
TOKEN_AUDIENCESStringistio-caA list of comma separated audiences to check in the JWT token before issuing a certificate. The token is accepted if it matches with one of the audiences
TRUSTED_GATEWAY_CIDRStringIf set, any connections from gateway to Istiod with this CIDR range are treated as trusted for using authentication mechanisms like XFCC. This can only be used when the network where Istiod and the authenticating gateways are running in a trusted/secure network
UNSAFE_ENABLE_ADMIN_ENDPOINTSBooleanfalseIf this is set to true, dangerous admin endpoints will be exposed on the debug interface. Not recommended for production.
UNSAFE_PILOT_ENABLE_DELTA_TESTBooleanfalseIf enabled, addition runtime tests for Delta XDS efficiency are added. These checks are extremely expensive, so this should be used only for testing, not production.
UNSAFE_PILOT_ENABLE_RUNTIME_ASSERTIONSBooleanfalseIf enabled, addition runtime asserts will be performed. These checks are both expensive and panic on failure. As a result, this should be used only for testing.
USE_CACERTS_FOR_SELF_SIGNED_CABooleanfalseIf enabled, istiod will use a secret named cacerts to store its self-signed istio-generated root certificate.
VALIDATION_WEBHOOK_CONFIG_NAMEStringistio-istio-systemIf not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTHBooleantrueIf true, will authenticate XDS clients.
XDS_AUTH_PLAINTEXTBooleanfalseauthenticate plain text requests - used if Istiod is running on a secure/trusted network
-

Exported metrics

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Metric NameTypeDescription
auto_registration_deletes_totalSumTotal number of auto registration cleaned up by periodic timer.
auto_registration_errors_totalSumTotal number of auto registration errors.
auto_registration_success_totalSumTotal number of successful auto registrations.
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
cache_flush_totalSumnumber of times operator cache was flushed
controller_sync_errors_totalSumTotal number of errorMetric syncing controllers.
cr_deletion_totalSumNumber of IstioOperator CR deleted
cr_merge_failure_totalSumNumber of IstioOperator CR merge failures
cr_validation_error_totalSumNumber of IstioOperator CR validation failures
endpoint_no_podLastValueEndpoints without an associated pod.
get_cr_error_totalSumNumber of times fetching CR from apiserver failed
istio_buildLastValueIstio component build info
istiod_managed_clustersLastValueNumber of clusters managed by istiod
legacy_path_translation_totalSumNumber of times a legacy API path is translated
manifest_patch_error_totalSumNumber of times K8S patch overlays failed
manifest_render_error_totalSumNumber of times error occurred during rendering output manifest
num_outgoing_retriesSumNumber of outgoing retry requests (e.g. to a token exchange server, CA, etc.)
owned_resource_totalLastValueNumber of resources currently owned by the operator
pilot_conflict_inbound_listenerLastValueNumber of conflicting inbound listeners.
pilot_conflict_outbound_listener_tcp_over_current_tcpLastValueNumber of conflicting tcp listeners with current tcp listener.
pilot_debounce_timeDistributionDelay in seconds between the first config enters debouncing and the merged push request is pushed into the push queue.
pilot_destrule_subsetsLastValueDuplicate subsets across destination rules for same host
pilot_dns_cluster_without_endpointsLastValueDNS clusters without endpoints caused by the endpoint field in STRICT_DNS type cluster is not set or the corresponding subset cannot select any endpoint
pilot_duplicate_envoy_clustersLastValueDuplicate envoy clusters caused by service entries with same hostname
pilot_eds_no_instancesLastValueNumber of clusters without instances.
pilot_endpoint_not_readyLastValueEndpoint found in unready state.
pilot_envoy_filter_statusLastValueStatus of Envoy filters whether it was applied or errored.
pilot_inbound_updatesSumTotal number of updates received by pilot.
pilot_jwks_resolver_network_fetch_fail_totalSumTotal number of failed network fetch by pilot jwks resolver
pilot_jwks_resolver_network_fetch_success_totalSumTotal number of successfully network fetch by pilot jwks resolver
pilot_k8s_cfg_eventsSumEvents from k8s config.
pilot_k8s_endpoints_pending_podLastValueNumber of endpoints that do not currently have any corresponding pods.
pilot_k8s_endpoints_with_no_podsSumEndpoints that does not have any corresponding pods.
pilot_k8s_reg_eventsSumEvents from k8s registry.
pilot_no_ipLastValuePods not found in the endpoint table, possibly invalid.
pilot_proxy_convergence_timeDistributionDelay in seconds between config change and a proxy receiving all required configuration.
pilot_proxy_queue_timeDistributionTime in seconds, a proxy is in the push queue before being dequeued.
pilot_push_triggersSumTotal number of times a push was triggered, labeled by reason for the push.
pilot_pushcontext_init_secondsDistributionTotal time in seconds Pilot takes to init pushContext.
pilot_sds_certificate_errors_totalSumTotal number of failures to fetch SDS key and certificate.
pilot_servicesLastValueTotal services known to pilot.
pilot_total_rejected_configsSumTotal number of configs that Pilot had to reject or ignore.
pilot_total_xds_internal_errorsSumTotal number of internal XDS errors in pilot.
pilot_total_xds_rejectsSumTotal number of XDS responses from pilot rejected by proxy.
pilot_virt_servicesLastValueTotal virtual services known to pilot.
pilot_vservice_dup_domainLastValueVirtual services with dup domains.
pilot_worker_queue_depthLastValueDepth of the controller queues
pilot_worker_queue_durationDistributionTime taken to process an item
pilot_worker_queue_latencyDistributionLatency before the item is processed
pilot_xdsLastValueNumber of endpoints connected to this pilot using XDS.
pilot_xds_cds_rejectLastValuePilot rejected CDS configs.
pilot_xds_config_size_bytesDistributionDistribution of configuration sizes pushed to clients
pilot_xds_eds_rejectLastValuePilot rejected EDS.
pilot_xds_expired_nonceSumTotal number of XDS requests with an expired nonce.
pilot_xds_lds_rejectLastValuePilot rejected LDS.
pilot_xds_push_context_errorsSumNumber of errors (timeouts) initiating push context.
pilot_xds_push_timeDistributionTotal time in seconds Pilot takes to push lds, rds, cds and eds.
pilot_xds_pushesSumPilot build and send errors for lds, rds, cds and eds.
pilot_xds_rds_rejectLastValuePilot rejected RDS.
pilot_xds_send_timeDistributionTotal time in seconds Pilot takes to send generated configuration.
pilot_xds_write_timeoutSumPilot XDS response write timeouts.
provider_lookup_cluster_failuresSumNumber of times a cluster lookup failed
reconcile_request_totalSumNumber of times requesting Reconcile
remote_cluster_sync_timeouts_totalSumNumber of times remote clusters took too long to sync, causing slow startup that excludes remote clusters.
render_manifest_totalSumNumber of component manifests rendered
resource_creation_totalSumNumber of resources created by the operator
resource_deletion_totalSumNumber of resources deleted by the operator
resource_prune_totalSumNumber of resources pruned by the operator
resource_update_totalSumNumber of resources updated by the operator
scrape_failures_totalSumThe total number of failed scrapes.
scrapes_totalSumThe total number of scrapes.
sidecar_injection_failure_totalSumTotal number of failed sidecar injection requests.
sidecar_injection_requests_totalSumTotal number of sidecar injection requests.
sidecar_injection_skip_totalSumTotal number of skipped sidecar injection requests.
sidecar_injection_success_totalSumTotal number of successful sidecar injection requests.
sidecar_injection_time_secondsDistributionTotal time taken for injection in seconds.
startup_duration_secondsLastValueThe time from the process starting to being marked ready.
versionLastValueVersion of operator binary
wasm_cache_entriesLastValuenumber of Wasm remote fetch cache entries.
wasm_cache_lookup_countSumnumber of Wasm remote fetch cache lookups.
wasm_config_conversion_countSumnumber of Wasm config conversion count and results, including success, no remote load, marshal failure, remote fetch failure, miss remote fetch hint.
wasm_config_conversion_durationDistributionTotal time in milliseconds istio-agent spends on converting remote load in Wasm config.
wasm_remote_fetch_countSumnumber of Wasm remote fetches and results, including success, download failure, and checksum mismatch.
webhook_patch_attempts_totalSumWebhook patching attempts
webhook_patch_failures_totalSumWebhook patching total failures
webhook_patch_retries_totalSumWebhook patching retries
xds_cache_dependent_config_sizeLastValueCurrent size of dependent configs
xds_cache_evictionsSumTotal number of xds cache evictions.
xds_cache_readsSumTotal number of xds cache xdsCacheReads.
xds_cache_sizeLastValueCurrent size of xds cache
diff --git a/content/zh/docs/reference/commands/pilot-agent/index.html b/content/zh/docs/reference/commands/pilot-agent/index.html index a27b945889ef4..9f3952afaf6b0 100644 --- a/content/zh/docs/reference/commands/pilot-agent/index.html +++ b/content/zh/docs/reference/commands/pilot-agent/index.html @@ -30,22 +30,6 @@ Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) ---log_rotate <string> -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> -The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - --log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) @@ -84,22 +68,6 @@

pilot-agent completion

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) ---log_rotate <string> -The path for the optional rotating log file (default ``) - - ---log_rotate_max_age <int> -The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`) - - ---log_rotate_max_backups <int> -The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`) - - ---log_rotate_max_size <int> -The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`) - - --log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) @@ -118,14 +86,13 @@

pilot-agent completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(pilot-agent completion bash)

+
source <(pilot-agent completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-agent completion bash > /etc/bash_completion.d/pilot-agent

-

#### macOS:

-

pilot-agent completion bash > $(brew --prefix)/etc/bash_completion.d/pilot-agent

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
pilot-agent completion bash > /etc/bash_completion.d/pilot-agent
+

macOS:

+
pilot-agent completion bash > /usr/local/etc/bash_completion.d/pilot-agent
+

You will need to start a new shell for this setup to take effect.

pilot-agent completion bash
 
@@ -149,22 +116,6 @@

pilot-agent completion bash

- - - - - - - - - - - - - - - - @@ -185,11 +136,10 @@

pilot-agent completion bash

pilot-agent completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

pilot-agent completion fish | source

+
pilot-agent completion fish | source

To load completions for every new session, execute once:

-

pilot-agent completion fish > ~/.config/fish/completions/pilot-agent.fish

-

You will need to start a new shell for this setup to take effect. -

+
pilot-agent completion bash > ~/.config/fish/completions/pilot-agent.fish
+

You will need to start a new shell for this setup to take effect.

pilot-agent completion fish [flags]
 
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -213,22 +163,6 @@

pilot-agent completion fish

- - - - - - - - - - - - - - - - @@ -247,12 +181,10 @@

pilot-agent completion fish

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

pilot-agent completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

pilot-agent completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
pilot-agent completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

pilot-agent completion powershell [flags]
 
@@ -276,22 +208,6 @@

pilot-agent completion powershell

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``) - - - - - - - - - - - - - - - - @@ -311,18 +227,16 @@

pilot-agent completion powershell

pilot-agent completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(pilot-agent completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-agent completion zsh > "${fpath[1]}/_pilot-agent"

-

#### macOS:

-

pilot-agent completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-agent

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(pilot-agent completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
pilot-agent completion zsh > "${fpath[1]}/_pilot-agent"
+

macOS:

+
pilot-agent completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-agent
+

You will need to start a new shell for this setup to take effect.

pilot-agent completion zsh [flags]
 
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
@@ -346,22 +260,6 @@

pilot-agent completion zsh

- - - - - - - - - - - - - - - - @@ -428,26 +326,6 @@

pilot-agent istio-clean-iptables

- - - - - - - - - - - - - - - - - - - - @@ -613,26 +491,6 @@

pilot-agent istio-iptables

- - - - - - - - - - - - - - - - - - - - @@ -722,22 +580,6 @@

pilot-agent proxy

- - - - - - - - - - - - - - - - @@ -816,22 +658,6 @@

pilot-agent request

- - - - - - - - - - - - - - - - @@ -874,26 +700,6 @@

pilot-agent version

- - - - - - - - - - - - - - - - - - - - @@ -945,22 +751,6 @@

pilot-agent wait

- - - - - - - - - - - - - - - - @@ -991,7 +781,7 @@

pilot-agent wait

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)
Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`) Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, all, ca, cache, citadelclient, default, dns, gcecred, grpc, healthcheck, iptables, klog, mockcred, monitoring, sds, security, spiffe, validation, wasm, xdsproxy] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

Environment variables

-These environment variables affect the behavior of the pilot-agent command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the pilot-agent command. @@ -1141,22 +931,22 @@

Environment variables

- + - + - + - + - + - + @@ -1167,7 +957,7 @@

Environment variables

- + @@ -1261,6 +1051,12 @@

Environment variables

+ + + + + + @@ -1595,12 +1391,6 @@

Environment variables

- - - - - - @@ -1817,12 +1607,6 @@

Environment variables

- - - - - - @@ -2045,6 +1829,12 @@

Environment variables

+ + + + + + @@ -2099,6 +1889,12 @@

Environment variables

+ + + + + + @@ -2165,12 +1961,6 @@

Environment variables

- - - - - - diff --git a/content/zh/docs/reference/commands/pilot-discovery/index.html b/content/zh/docs/reference/commands/pilot-discovery/index.html index b1c3d60273155..a8ac463b82cdb 100644 --- a/content/zh/docs/reference/commands/pilot-discovery/index.html +++ b/content/zh/docs/reference/commands/pilot-discovery/index.html @@ -46,14 +46,13 @@

pilot-discovery completion bash

This script depends on the 'bash-completion' package. If it is not installed already, you can install it via your OS's package manager.

To load completions in your current shell session:

-

source <(pilot-discovery completion bash)

+
source <(pilot-discovery completion bash)

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-discovery completion bash > /etc/bash_completion.d/pilot-discovery

-

#### macOS:

-

pilot-discovery completion bash > $(brew --prefix)/etc/bash_completion.d/pilot-discovery

-

You will need to start a new shell for this setup to take effect. -

+

Linux:

+
pilot-discovery completion bash > /etc/bash_completion.d/pilot-discovery
+

macOS:

+
pilot-discovery completion bash > /usr/local/etc/bash_completion.d/pilot-discovery
+

You will need to start a new shell for this setup to take effect.

pilot-discovery completion bash
 
If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
Envoy proxy username
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXIT_ON_ZERO_ACTIVE_CONNECTIONS Boolean false If set to true, enable the peer metadata discovery extension in Envoy
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
PROV_CERT String The grace period ratio for the cert rotation, by default 0.5.
SECRET_GRACE_PERIOD_RATIO_JITTERFloating-Point0.01Randomize the grace period ratio up or down by this amount to stagger cert renewals, by default .01 (~15 minutes over 24 hours).
SECRET_TTL Time Duration 24h0m0s If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
WASM_HTTP_REQUEST_MAX_RETRIES Integer 5
@@ -77,11 +76,10 @@

pilot-discovery completion bash

pilot-discovery completion fish

Generate the autocompletion script for the fish shell.

To load completions in your current shell session:

-

pilot-discovery completion fish | source

+
pilot-discovery completion fish | source

To load completions for every new session, execute once:

-

pilot-discovery completion fish > ~/.config/fish/completions/pilot-discovery.fish

-

You will need to start a new shell for this setup to take effect. -

+
pilot-discovery completion bash > ~/.config/fish/completions/pilot-discovery.fish
+

You will need to start a new shell for this setup to take effect.

pilot-discovery completion fish [flags]
 
@@ -103,12 +101,10 @@

pilot-discovery completion fish

pilot-discovery completion powershell

-

Generate the autocompletion script for powershell.

+

Generate the autocompletion script for PowerShell.

To load completions in your current shell session:

-

pilot-discovery completion powershell | Out-String | Invoke-Expression

-

To load completions for every new session, add the output of the above command -to your powershell profile. -

+
pilot-discovery completion powershell | Out-String | Invoke-Expression
+

To load completions for every new session, add the output of the above command to your powershell profile.

pilot-discovery completion powershell [flags]
 
@@ -131,18 +127,16 @@

pilot-discovery completion powers

pilot-discovery completion zsh

Generate the autocompletion script for the zsh shell.

-

If shell completion is not already enabled in your environment you will need -to enable it. You can execute the following once:

-

echo "autoload -U compinit; compinit" >> ~/.zshrc

-

To load completions in your current shell session:

-

source <(pilot-discovery completion zsh)

-

To load completions for every new session, execute once:

-

#### Linux:

-

pilot-discovery completion zsh > "${fpath[1]}/_pilot-discovery"

-

#### macOS:

-

pilot-discovery completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-discovery

-

You will need to start a new shell for this setup to take effect. -

+

If shell completion is not already enabled in your environment you will need to enable it. You can execute the following once:

+
echo "autoload -U compinit; compinit" >> ~/.zshrc
+

To load completions in your current shell session:

+
source <(pilot-discovery completion zsh)
+

To load completions for every new session, execute once:

+

Linux:

+
pilot-discovery completion zsh > "${fpath[1]}/_pilot-discovery"
+

macOS:

+
pilot-discovery completion zsh > $(brew --prefix)/share/zsh/site-functions/_pilot-discovery
+

You will need to start a new shell for this setup to take effect.

pilot-discovery completion zsh [flags]
 
@@ -282,26 +276,6 @@

pilot-discovery discovery

- - - - - - - - - - - - - - - - - - - - @@ -424,7 +398,7 @@

pilot-discovery version

Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default ``)
--log_rotate <string>The path for the optional rotating log file (default ``)
--log_rotate_max_age <int>The maximum age in days of log file backups to keep before older files are deleted (0 indicates no limit) (default `30`)
--log_rotate_max_backups <int>The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default `1000`)
--log_rotate_max_size <int>The maximum size in megabytes of a log file beyond which the file is rotated (default `104857600`)
--log_stacktrace_level <string> Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, gateway, grpc, grpcgen, ingress status, ip-autoallocate, klog, krt, kube, model, monitor, monitoring, pkica, pkira, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none] (default `default:none`)

Environment variables

-These environment variables affect the behavior of the pilot-discovery command. Please use with caution as these environment variables are experimental and can change anytime. +These environment variables affect the behavior of the pilot-discovery command. @@ -550,22 +524,22 @@

Environment variables

- + - + - + - + - + - + @@ -576,7 +550,7 @@

Environment variables

- + @@ -652,6 +626,12 @@

Environment variables

+ + + + + + @@ -920,12 +900,6 @@

Environment variables

- - - - - - @@ -1142,12 +1116,6 @@

Environment variables

- - - - - - @@ -1370,6 +1338,12 @@

Environment variables

+ + + + + + @@ -1460,12 +1434,6 @@

Environment variables

- - - - - - @@ -1491,14 +1459,14 @@

Exported metrics

- - + + - - + + diff --git a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html index 12879e7ae3bf5..4db77b6f049e2 100644 --- a/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html +++ b/content/zh/docs/reference/config/istio.mesh.v1alpha1/index.html @@ -231,17 +231,10 @@

MeshConfig

If enabled, Istio will create clusters only when there are requests. This will save memory and CPU cycles in cases where there are lots of inactive clusters and > 1 worker thread
ENABLE_DELIMITED_STATS_TAG_REGEXENABLE_DEFERRED_STATS_CREATION Boolean trueIf true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.If enabled, Istio will lazily initialize a subset of the stats
ENABLE_ENHANCED_RESOURCE_SCOPINGENABLE_DELIMITED_STATS_TAG_REGEX Boolean trueIf enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.If true, pilot will use the new delimited stat tag regex to generate Envoy stats tags.
ENABLE_EXTERNAL_NAME_ALIASENABLE_ENHANCED_RESOURCE_SCOPING Boolean trueIf enabled, ExternalName Services will be treated as simple aliases: anywhere where we would match the concrete service, we also match the ExternalName. In general, this mirrors Kubernetes behavior more closely. However, it means that policies (routes and DestinationRule) cannot be applied to the ExternalName service. If disabled, ExternalName behaves in fairly unexpected manner. Port matters, while it does not in Kubernetes. If it is a TCP port, all traffic on that port will be matched, which can have disastrous consequences. Additionally, the destination is seen as an opaque destination; even if it is another service in the mesh, policies such as mTLS and load balancing will not be used when connecting to it.If enabled, meshConfig.discoverySelectors will limit the CustomResource configurations(like Gateway,VirtualService,DestinationRule,Ingress, etc)that can be processed by pilot. This will also restrict the root-ca certificate distribution.
ENABLE_HCM_INTERNAL_NETWORKS
ENABLE_INBOUND_RETRY_POLICY Booleanfalsetrue If true, enables retry policy for inbound routes which automatically retries requests that were reset before it reaches the service.
If true, will use optimized vtprotobuf based marshaling. Requires a build with -tags=vtprotobuf.
EXCLUDE_UNSAFE_503_FROM_DEFAULT_RETRYBooleantrueIf true, excludes unsafe retry on 503 from default retry policy.
EXTERNAL_CA String If set to a non-zero value, enables mutex profiling a rate of 1/MUTEX_PROFILE_FRACTION events. For example, '1000' will record 0.1% of events. Set to 0 to disable entirely.
PERSIST_OLDEST_FIRST_HEURISTIC_FOR_VIRTUAL_SERVICE_HOST_MATCHINGBooleanfalseIf enabled, istiod will persist the oldest first heuristic for subtly conflicting traffic policy selection(such as with overlapping wildcard hosts)
PILOT_ALLOW_SIDECAR_SERVICE_INBOUND_LISTENER_MERGE Boolean false If enabled, HBONE support can be configured for proxies.
PILOT_ENABLE_STATUSBooleanfalseIf enabled, pilot will update the CRD Status field of all istio resources with reconciliation status.
PILOT_ENABLE_TELEMETRY_LABEL Boolean true
PREFER_DESTINATIONRULE_TLS_FOR_EXTERNAL_SERVICESBooleantrueIf true, external services will prefer the TLS settings from DestinationRules over the metadata TLS settings.
REQUIRE_3P_TOKEN Boolean false If not empty, the controller will automatically patch validatingwebhookconfiguration when the CA certificate changes. Only works in kubernetes environment.
VERIFY_CERTIFICATE_AT_CLIENTBooleantrueIf enabled, certificates received by the proxy will be verified against the OS CA certificate bundle.
XDS_AUTH Boolean true
auto_registration_unregister_totalSumTotal number of unregistrations.
auto_registration_updates_totalSumTotal number of auto registration updates.
citadel_server_authentication_failure_countSumThe number of authentication failures.
citadel_server_cert_chain_expiry_secondsLastValueThe time remaining, in seconds, before the certificate chain will expire. A negative value indicates the cert is expired.
citadel_server_cert_chain_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.
citadel_server_cert_chain_expiry_secondsLastValueThe time remaining, in seconds, before the Istio Generated cert chain will expire. A negative value indicates the cert is expired.
citadel_server_cert_chain_expiry_timestampLastValueThe unix timestamp, in seconds, when Istio generated cert chain will expire.
citadel_server_csr_countSumThe number of CSRs received by Citadel server.
citadel_server_csr_parsing_err_countSumThe number of errors occurred when parsing the CSR.
citadel_server_csr_sign_err_countSumThe number of errors occurred when signing the CSR.
citadel_server_id_extraction_err_countSumThe number of errors occurred when extracting the ID from CSR.
citadel_server_root_cert_expiry_secondsLastValueThe time remaining, in seconds, before the root certificate will expire. A negative value indicates the cert is expired.
citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when Citadel root cert will expire. A negative time indicates the cert is expired.
citadel_server_root_cert_expiry_secondsLastValueThe time remaining, in seconds, before the root cert will expire. A negative value indicates the cert is expired.
citadel_server_root_cert_expiry_timestampLastValueThe unix timestamp, in seconds, when the root cert will expire.
citadel_server_success_cert_issuance_countSumThe number of certificates issuances that have succeeded.
controller_sync_errors_totalSumTotal number of errorMetric syncing controllers.
endpoint_no_podLastValueEndpoints without an associated pod.
OutboundTrafficPolicy

Set the default behavior of the sidecar for handling outbound -traffic from the application. If your application uses one or -more external services that are not known apriori, setting the -policy to ALLOW_ANY will cause the sidecars to route any unknown -traffic originating from the application to its requested -destination. Users are strongly encouraged to use ServiceEntries -to explicitly declare any external dependencies, instead of using -ALLOW_ANY, so that traffic to these services can be -monitored. Can be overridden at a Sidecar level by setting the -OutboundTrafficPolicy in the Sidecar -API. -Default mode is ALLOW_ANY which means outbound traffic to unknown destinations will be allowed.

+traffic from the application.

+

Can be overridden at a Sidecar level by setting the OutboundTrafficPolicy in the +Sidecar API.

+

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

@@ -464,7 +457,8 @@

MeshConfig

For example inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local. This can be used to override that pattern.

A Pattern can be composed of various pre-defined variables. The following variables are supported.

    -
  • %SERVICE% - Will be substituted with name of the service.
  • +
  • %SERVICE% - Will be substituted with short hostname of the service.
  • +
  • %SERVICE_NAME% - Will be substituted with name of the service.
  • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
  • %SERVICE_PORT% - Will be substituted with port of the service.
  • %TARGET_PORT% - Will be substituted with the target port of the service.
  • @@ -491,7 +485,8 @@

    MeshConfig

    For example outbound|8080|v2|reviews.prod.svc.cluster.local. This can be used to override that pattern.

    A Pattern can be composed of various pre-defined variables. The following variables are supported.

      -
    • %SERVICE% - Will be substituted with name of the service.
    • +
    • %SERVICE% - Will be substituted with short hostname of the service.
    • +
    • %SERVICE_NAME% - Will be substituted with name of the service.
    • %SERVICE_FQDN% - Will be substituted with FQDN of the service.
    • %SERVICE_PORT% - Will be substituted with port of the service.
    • %SERVICE_PORT_NAME% - Will be substituted with port name of the service.
    • @@ -815,6 +810,9 @@

      ConfigSource

      MeshConfig.OutboundTrafficPolicy

      +

      OutboundTrafficPolicy sets the default behavior of the sidecar for +handling unknown outbound traffic from the application.

      + @@ -4406,16 +4404,21 @@

      MeshConfig.OutboundTrafficPolicy.

      diff --git a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html b/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html deleted file mode 100644 index 63434b96a4266..0000000000000 --- a/content/zh/docs/reference/config/istio.operator.v1alpha1/index.html +++ /dev/null @@ -1,4113 +0,0 @@ ---- -WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO -source_repo: https://github.com/istio/api -title: IstioOperator Options -description: Configuration affecting Istio control plane installation version and shape. -location: https://istio.io/docs/reference/config/istio.operator.v1alpha1.html -layout: protoc-gen-docs -generator: protoc-gen-docs -weight: 20 -number_of_entries: 74 ---- -

      Configuration affecting Istio control plane installation version and shape. -Note: unlike other Istio protos, field names must use camelCase. This is asserted in tests. -Without camelCase, the json tag on the Go struct will not match the user’s JSON representation. -This leads to Kubernetes merge libraries, which rely on this tag, to fail. -All other usages use jsonpb which does not use the json tag.

      - -

      IstioOperatorSpec

      -
      -

      IstioOperatorSpec defines the desired installed state of Istio components. -The spec is a used to define a customization of the default profile values that are supplied with each Istio release. -Because the spec is a customization API, specifying an empty IstioOperatorSpec results in a default Istio -component values.

      -
      apiVersion: install.istio.io/v1alpha1
      -kind: IstioOperator
      -spec:
      -  profile: default
      -  hub: gcr.io/istio-testing
      -  tag: latest
      -  revision: 1-8-0
      -  meshConfig:
      -    accessLogFile: /dev/stdout
      -    enableTracing: true
      -  components:
      -    egressGateways:
      -    - name: istio-egressgateway
      -      enabled: true
      -
      - -
      REGISTRY_ONLY -

      outbound traffic will be restricted to services defined in the -service registry as well as those defined through ServiceEntries

      +

      In REGISTRY_ONLY mode, unknown outbound traffic will be dropped. +Traffic destinations must be explicitly declared into the service registry through ServiceEntry configurations.

      +

      Note: Istio does not offer an outbound traffic security policy. +This option does not act as one, or as any form of an outbound firewall. +Instead, this option exists primarily to offer users a way to detect missing ServiceEntry configurations by explicitly failing.

      ALLOW_ANY -

      outbound traffic to unknown destinations will be allowed, in case -there are no services or ServiceEntries for the destination port

      +

      In ALLOW_ANY mode, any traffic to unknown destinations will be allowed. +Unknown destination traffic will have limited functionality, however, such as reduced observability. +This mode allows users that do not have all possible egress destinations registered through ServiceEntry configurations to still connect +to arbitrary destinations.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      profilestring -

      Path or name for the profile e.g.

      -
        -
      • minimal (looks in profiles dir for a file called minimal.yaml)
      • -
      • /tmp/istio/install/values/custom/custom-install.yaml (local file path)
      • -
      -

      default profile is used if this field is unset.

      - -
      -No -
      installPackagePathstring -

      Path for the install package. e.g.

      -
        -
      • /tmp/istio-installer/nightly (local file path)
      • -
      - -
      -No -
      hubstring -

      Root for docker image paths e.g. docker.io/istio

      - -
      -No -
      tagValue -

      Version tag for docker images e.g. 1.7.2

      - -
      -No -
      namespacestring -

      Namespace to install control plane resources into. If unset, Istio will be installed into the same namespace -as the IstioOperator CR. You must also set values.global.istioNamespace if you wish to install Istio in -a custom namespace. -If you have enabled CNI, you must exclude this namespace by adding it to the list values.cni.excludeNamespaces.

      - -
      -No -
      revisionstring -

      Identify the revision this installation is associated with. -This option is currently experimental.

      - -
      -No -
      compatibilityVersionstring -

      Compatibility version allows configuring Istio to behave like an older version by tuning various settings to align with a -previous versions defaults. This accepts a major.minor format, such as 1.23. -This option is currently experimental.

      - -
      -No -
      meshConfigStruct -

      Config used by control plane components internally.

      - -
      -No -
      componentsIstioComponentSetSpec -

      Kubernetes resource settings, enablement and component-specific settings that are not internal to the -component.

      - -
      -No -
      valuesStruct -

      Overrides for default values.yaml. This is a validated pass-through to Helm templates. -See the Helm installation options for schema details. -Anything that is available in IstioOperatorSpec should be set above rather than using the passthrough. This -includes Kubernetes resource settings for components in KubernetesResourcesSpec.

      - -
      -No -
      unvalidatedValuesStruct -

      Unvalidated overrides for default values.yaml. Used for custom templates where new parameters are added.

      - -
      -No -
      addonComponentsmap<string, ExternalComponentSpec> -

      Deprecated. -Users should manage the installation of addon components on their own. -Refer to samples/addons for demo installation of addon components.

      - -
      -No -
      -
      -

      InstallStatus

      -
      -

      Observed state of IstioOperator

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      statusStatus -

      Overall status of all components controlled by the operator.

      -
        -
      • If all components have status NONE, overall status is NONE.
      • -
      • If all components are HEALTHY, overall status is HEALTHY.
      • -
      • If one or more components are RECONCILING and others are HEALTHY, overall status is RECONCILING.
      • -
      • If one or more components are UPDATING and others are HEALTHY, overall status is UPDATING.
      • -
      • If components are a mix of RECONCILING, UPDATING and HEALTHY, overall status is UPDATING.
      • -
      • If any component is in ERROR state, overall status is ERROR.
      • -
      • If further action is needed for reconciliation to proceed, overall status is ACTION_REQUIRED.
      • -
      - -
      -No -
      messagestring -

      Optional message providing additional information about the existing overall status.

      - -
      -No -
      componentStatusmap<string, VersionStatus> -

      Individual status of each component controlled by the operator. The map key is the name of the component.

      - -
      -No -
      -
      -

      IstioComponentSetSpec

      -
      -

      IstioComponentSpec defines the desired installed state of Istio components.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      baseBaseComponentSpec - -No -
      pilotComponentSpec - -No -
      cniComponentSpec - -No -
      ztunnelComponentSpec - -No -
      istiodRemoteComponentSpec -

      Remote cluster using an external control plane.

      - -
      -No -
      ingressGatewaysGatewaySpec[] - -No -
      egressGatewaysGatewaySpec[] - -No -
      -
      -

      BaseComponentSpec

      -
      -

      Configuration for base component.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      enabledBoolValue -

      Selects whether this component is installed.

      - -
      -No -
      k8sKubernetesResourcesSpec -

      Kubernetes resource spec.

      - -
      -No -
      -
      -

      ComponentSpec

      -
      -

      Configuration for internal components.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      enabledBoolValue -

      Selects whether this component is installed.

      - -
      -No -
      namespacestring -

      Namespace for the component.

      - -
      -No -
      hubstring -

      Hub for the component (overrides top level hub setting).

      - -
      -No -
      tagValue -

      Tag for the component (overrides top level tag setting).

      - -
      -No -
      specStruct -

      Arbitrary install time configuration for the component.

      - -
      -No -
      k8sKubernetesResourcesSpec -

      Kubernetes resource spec.

      - -
      -No -
      -
      -

      ExternalComponentSpec

      -
      -

      Configuration for external components.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      enabledBoolValue -

      Selects whether this component is installed.

      - -
      -No -
      namespacestring -

      Namespace for the component.

      - -
      -No -
      specStruct -

      Arbitrary install time configuration for the component.

      - -
      -No -
      chartPathstring -

      Chart path for addon components.

      - -
      -No -
      schemaAny -

      Optional schema to validate spec against.

      - -
      -No -
      k8sKubernetesResourcesSpec -

      Kubernetes resource spec.

      - -
      -No -
      -
      -

      GatewaySpec

      -
      -

      Configuration for gateways.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      enabledBoolValue -

      Selects whether this gateway is installed.

      - -
      -No -
      namespacestring -

      Namespace for the gateway.

      - -
      -No -
      namestring -

      Name for the gateway.

      - -
      -No -
      labelmap<string, string> -

      Labels for the gateway.

      - -
      -No -
      hubstring -

      Hub for the component (overrides top level hub setting).

      - -
      -No -
      tagValue -

      Tag for the component (overrides top level tag setting).

      - -
      -No -
      k8sKubernetesResourcesSpec -

      Kubernetes resource spec.

      - -
      -No -
      -
      -

      KubernetesResourcesSpec

      -
      -

      KubernetesResourcesSpec is a common set of Kubernetes resource configs for components.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      affinityAffinity -

      Kubernetes affinity. -https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

      - -
      -No -
      envEnvVar[] -

      Deployment environment variables. -https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/

      - -
      -No -
      hpaSpecHorizontalPodAutoscalerSpec -

      Kubernetes HorizontalPodAutoscaler settings. -https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

      - -
      -No -
      imagePullPolicystring -

      Kubernetes imagePullPolicy. -https://kubernetes.io/docs/concepts/containers/images/

      - -
      -No -
      nodeSelectormap<string, string> -

      Kubernetes nodeSelector. -https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector

      - -
      -No -
      podDisruptionBudgetPodDisruptionBudgetSpec -

      Kubernetes PodDisruptionBudget settings. -https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#how-disruption-budgets-work

      - -
      -No -
      podAnnotationsmap<string, string> -

      Kubernetes pod annotations. -https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

      - -
      -No -
      priorityClassNamestring -

      Kubernetes priorityClassName. Default for all resources unless overridden. -https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass

      - -
      -No -
      readinessProbeReadinessProbe -

      Kubernetes readinessProbe settings. -https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -k8s.io.api.core.v1.Probe readiness_probe = 9;

      - -
      -No -
      replicaCountuint32 -

      Kubernetes Deployment replicas setting. -https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

      - -
      -No -
      resourcesResources -

      Kubernetes resources settings. -https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container

      - -
      -No -
      serviceServiceSpec -

      Kubernetes Service settings. -https://kubernetes.io/docs/concepts/services-networking/service/

      - -
      -No -
      strategyDeploymentStrategy -

      Kubernetes deployment strategy. -https://kubernetes.io/docs/concepts/workloads/controllers/deployment/

      - -
      -No -
      tolerationsToleration[] -

      Kubernetes toleration -https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

      - -
      -No -
      serviceAnnotationsmap<string, string> -

      Kubernetes service annotations. -https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

      - -
      -No -
      securityContextPodSecurityContext -

      Kubernetes pod security context -https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

      - -
      -No -
      volumesVolume[] -

      Kubernetes volumes -https://kubernetes.io/docs/concepts/storage/volumes/ -Volumes defines the collection of Volume to inject into the pod.

      - -
      -No -
      volumeMountsVolumeMount[] -

      Kubernetes volumeMounts -VolumeMounts defines the collection of VolumeMount to inject into containers.

      - -
      -No -
      overlaysK8sObjectOverlay[] -

      Overlays for Kubernetes resources in rendered manifests.

      - -
      -No -
      -
      -

      K8sObjectOverlay

      -
      -

      Patch for an existing Kubernetes resource.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      apiVersionstring -

      Resource API version.

      - -
      -No -
      kindstring -

      Resource kind.

      - -
      -No -
      namestring -

      Name of resource. -Namespace is always the component namespace.

      - -
      -No -
      patchesPathValue[] -

      List of patches to apply to resource.

      - -
      -No -
      -
      -

      Affinity

      -
      -

      See k8s.io.api.core.v1.Affinity.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      nodeAffinityNodeAffinity - -No -
      podAffinityPodAffinity - -No -
      podAntiAffinityPodAntiAffinity - -No -
      -
      -

      ConfigMapKeySelector

      -
      -

      See k8s.io.api.core.v1.ConfigMapKeySelector.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      localObjectReferenceLocalObjectReference - -No -
      keystring - -No -
      optionalbool - -No -
      -
      -

      ContainerResourceMetricSource

      -
      -

      See k8s.io.api.autoscaling.v2beta2.ContainerResourceMetricSource.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      targetMetricTarget - -No -
      containerstring - -No -
      -
      -

      ContainerResourceMetricStatus

      -
      -

      See k8s.io.api.autoscaling.v2beta2.ContainerResourceMetricStatus.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      currentMetricValueStatus - -No -
      containerstring - -No -
      -
      -

      ClientIPConfig

      -
      -

      See k8s.io.api.core.v1.ClientIPConfig.

      - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      timeoutSecondsint32 - -No -
      -
      -

      CrossVersionObjectReference

      -
      -

      See k8s.io.api.autoscaling.v2beta2.CrossVersionObjectReference.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      kindstring - -No -
      namestring - -No -
      apiVersionstring - -No -
      -
      -

      DeploymentStrategy

      -
      -

      See k8s.io.api.apps.v1.DeploymentStrategy.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      typestring - -No -
      rollingUpdateRollingUpdateDeployment - -No -
      -
      -

      EnvVar

      -
      -

      See k8s.io.api.core.v1.EnvVar.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      valuestring - -No -
      valueFromEnvVarSource - -No -
      -
      -

      EnvVarSource

      -
      -

      See k8s.io.api.core.v1.EnvVarSource.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      fieldRefObjectFieldSelector - -No -
      resourceFieldRefResourceFieldSelector - -No -
      configMapKeyRefConfigMapKeySelector - -No -
      secretKeyRefSecretKeySelector - -No -
      -
      -

      ExecAction

      -
      -

      See k8s.io.api.core.v1.ExecAction.

      - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      commandstring[] - -No -
      -
      -

      ExternalMetricSource

      -
      -

      See k8s.io.api.autoscaling.v2beta2.ExternalMetricSource.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      metricMetricIdentifier - -No -
      targetMetricTarget - -No -
      metricNamestring - -No -
      metricSelectorLabelSelector - -No -
      targetValueIntOrString - -No -
      targetAverageValueIntOrString - -No -
      -
      -

      ExternalMetricStatus

      -
      -

      See k8s.io.autoscaling.v2beta2.ExternalMetricStatus.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      metricMetricIdentifier - -No -
      currentMetricValueStatus - -No -
      -
      -

      HTTPGetAction

      -
      -

      See k8s.io.api.core.v1.HTTPGetAction.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      pathstring - -No -
      portIntOrString - -No -
      hoststring - -No -
      schemestring - -No -
      httpHeadersHTTPHeader[] - -No -
      -
      -

      HTTPHeader

      -
      -

      See k8s.io.api.core.v1.HTTPHeader.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      valuestring - -No -
      -
      -

      HorizontalPodAutoscalerSpec

      -
      -

      See k8s.io.api.autoscaling.v2beta1.HorizontalPodAutoscalerSpec.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      scaleTargetRefCrossVersionObjectReference - -No -
      minReplicasint32 - -No -
      maxReplicasint32 - -No -
      metricsMetricSpec[] - -No -
      behaviorHorizontalPodAutoScalerBehavior - -No -
      -
      -

      HorizontalPodAutoScalerBehavior

      -
      -

      See k8s.io.autoscaling.v2beta2.HorizontalPodAutoScalerBehavior.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      scaleUpHPAScalingRules - -No -
      scaleDownHPAScalingRules - -No -
      -
      -

      HPAScalingRules

      -
      -

      See k8s.io.autoscaling.v2beta2.HPAScalingRules.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      stabilizationWindowSecondsint32 - -No -
      selectPolicystring - -No -
      policiesHPAScalingPolicy[] - -No -
      -
      -

      HPAScalingPolicy

      -
      -

      See k8s.io.autoscaling.v2beta2.HPAScalingPolicy.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      typestring - -No -
      valueint32 - -No -
      periodSecondsint32 - -No -
      -
      -

      LocalObjectReference

      -
      -

      See k8s.io.api.core.v1.LocalObjectReference.

      - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      -
      -

      MetricIdentifier

      -
      -

      See k8s.io.autoscaling.v2beta2.MetricIdentifier.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring (oneof) - -No -
      selectorLabelSelector - -No -
      -
      -

      MetricSpec

      -
      -

      See k8s.io.autoscaling.v2beta2.MetricSpec.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      typestring - -No -
      objectObjectMetricSource - -No -
      podsPodsMetricSource - -No -
      resourceResourceMetricSource - -No -
      containerResourceContainerResourceMetricSource - -No -
      externalExternalMetricSource - -No -
      -
      -

      MetricStatus

      -
      -

      See k8s.io.autoscaling.v2beta2.MetricStatus.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      typestring - -No -
      objectObjectMetricStatus - -No -
      podsPodsMetricStatus - -No -
      resourceResourceMetricStatus - -No -
      containerResourceContainerResourceMetricStatus - -No -
      externalExternalMetricStatus - -No -
      -
      -

      MetricTarget

      -
      -

      See k8s.io.autoscaling.v2beta2.MetricTarget.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      typestring - -No -
      valueIntOrString - -No -
      averageValueIntOrString - -No -
      averageUtilizationint32 - -No -
      -
      -

      MetricValueStatus

      -
      -

      See k8s.io.autoscaling.v2beta2.MetricValueStatus.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      valueIntOrString - -No -
      averageValueIntOrString - -No -
      averageUtilizationint32 - -No -
      -
      -

      NodeAffinity

      -
      -

      See k8s.io.api.core.v1.NodeAffinity.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      requiredDuringSchedulingIgnoredDuringExecutionNodeSelector - -No -
      preferredDuringSchedulingIgnoredDuringExecutionPreferredSchedulingTerm[] - -No -
      -
      -

      NodeSelector

      -
      -

      See k8s.io.api.core.v1.NodeSelector.

      - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      nodeSelectorTermsNodeSelectorTerm[] - -No -
      -
      -

      NodeSelectorTerm

      -
      -

      See k8s.io.api.core.v1.NodeSelectorTerm.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      matchExpressionsNodeSelectorRequirement[] - -No -
      matchFieldsNodeSelectorRequirement[] - -No -
      -
      -

      NodeSelectorRequirement

      -
      -

      See k8s.io.api.core.v1.NodeSelectorRequirement.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      keystring - -No -
      operatorstring - -No -
      valuesstring[] - -No -
      -
      -

      ObjectFieldSelector

      -
      -

      See k8s.io.api.core.v1.ObjectFieldSelector.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      apiVersionstring - -No -
      fieldPathstring - -No -
      -
      -

      ObjectMeta

      -
      -

      From k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      namespacestring - -No -
      -
      -

      ObjectMetricSource

      -
      -

      See k8s.io.autoscaling.v2beta2.ObjectMetricSource.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      targetValue -

      Type changes from CrossVersionObjectReference to ResourceMetricTarget in autoscaling v2beta2/v2 compared with v2beta1 -Change it to dynamic type to keep backward compatible

      - -
      -No -
      describedObjectCrossVersionObjectReference - -No -
      metricMetricIdentifier - -No -
      metricNamestring - -No -
      targetValueIntOrString - -No -
      selectorLabelSelector - -No -
      averageValueIntOrString - -No -
      -
      -

      ObjectMetricStatus

      -
      -

      See k8s.io.autoscaling.v2beta2.ObjectMetricStatus.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      metricMetricIdentifier - -No -
      currentMetricValueStatus - -No -
      describedObjectCrossVersionObjectReference - -No -
      -
      -

      PodAffinity

      -
      -

      See k8s.io.api.core.v1.PodAffinity.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[] - -No -
      preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[] - -No -
      -
      -

      PodAntiAffinity

      -
      -

      See k8s.io.api.core.v1.PodAntiAffinity.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      requiredDuringSchedulingIgnoredDuringExecutionPodAffinityTerm[] - -No -
      preferredDuringSchedulingIgnoredDuringExecutionWeightedPodAffinityTerm[] - -No -
      -
      -

      PodAffinityTerm

      -
      -

      See k8s.io.api.core.v1.PodAntiAffinity.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      labelSelectorLabelSelector - -No -
      namespacesstring[] - -No -
      topologyKeystring - -No -
      -
      -

      PodDisruptionBudgetSpec

      -
      -

      See k8s.io.api.policy.v1beta1.PodDisruptionBudget.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      minAvailableIntOrString - -No -
      selectorLabelSelector - -No -
      maxUnavailableIntOrString - -No -
      -
      -

      PodsMetricSource

      -
      -

      See k8s.io.autoscaling.v2beta2.PodsMetricSource.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      metricMetricIdentifier -

      v2beta2/v2 fields

      - -
      -No -
      targetMetricTarget - -No -
      metricNamestring - -No -
      targetAverageValueIntOrString - -No -
      selectorLabelSelector - -No -
      -
      -

      PodsMetricStatus

      -
      -

      See k8s.io.autoscaling.v2beta2.PodsMetricStatus.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      metricMetricIdentifier - -No -
      currentMetricValueStatus - -No -
      -
      -

      PreferredSchedulingTerm

      -
      -

      See k8s.io.api.core.v1.PreferredSchedulingTerm.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      weightint32 - -No -
      preferenceNodeSelectorTerm - -No -
      -
      -

      ReadinessProbe

      -
      -

      See k8s.io.api.core.v1.ReadinessProbe.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      execExecAction - -No -
      httpGetHTTPGetAction - -No -
      tcpSocketTCPSocketAction - -No -
      initialDelaySecondsint32 - -No -
      timeoutSecondsint32 - -No -
      periodSecondsint32 - -No -
      successThresholdint32 - -No -
      failureThresholdint32 - -No -
      -
      -

      ResourceFieldSelector

      -
      -

      See k8s.io.api.core.v1..

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      containerNamestring - -No -
      resourcestring - -No -
      divisorIntOrString - -No -
      -
      -

      ResourceMetricSource

      -
      -

      See k8s.io.autoscaling.v2beta2.ResourceMetricSource.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      targetMetricTarget - -No -
      targetAverageUtilizationint32 - -No -
      targetAverageValueIntOrString - -No -
      -
      -

      ResourceMetricStatus

      -
      -

      See k8s.io.autoscaling.v2beta2.ResourceMetricStatus.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      currentMetricValueStatus - -No -
      -
      -

      Resources

      -
      -

      See k8s.io.api.core.v1.ResourceRequirements.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      limitsmap<string, string> - -No -
      requestsmap<string, string> - -No -
      -
      -

      RollingUpdateDeployment

      -
      -

      See k8s.io.api.apps.v1.RollingUpdateDeployment.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      maxUnavailableIntOrString - -No -
      maxSurgeIntOrString - -No -
      -
      -

      SecretKeySelector

      -
      -

      See k8s.io.api.core.v1.SecretKeySelector.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      localObjectReferenceLocalObjectReference - -No -
      keystring - -No -
      optionalbool - -No -
      -
      -

      ServiceSpec

      -
      -

      See k8s.io.api.core.v1.ServiceSpec.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      portsServicePort[] - -No -
      selectormap<string, string> - -No -
      clusterIPstring - -No -
      typestring - -No -
      externalIPsstring[] - -No -
      sessionAffinitystring - -No -
      loadBalancerIPstring - -No -
      loadBalancerSourceRangesstring[] - -No -
      externalNamestring - -No -
      externalTrafficPolicystring - -No -
      healthCheckNodePortint32 - -No -
      publishNotReadyAddressesbool - -No -
      sessionAffinityConfigSessionAffinityConfig - -No -
      loadBalancerClassstring - -No -
      -
      -

      ServicePort

      -
      -

      See k8s.io.api.core.v1..

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      protocolstring - -No -
      portint32 - -No -
      targetPortIntOrString - -No -
      nodePortint32 - -No -
      appProtocolstring - -No -
      -
      -

      SessionAffinityConfig

      -
      -

      See k8s.io.api.core.v1.SessionAffinityConfig.

      - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      clientIPClientIPConfig - -No -
      -
      -

      TCPSocketAction

      -
      -

      See k8s.io.api.core.v1.TCPSocketAction.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      portIntOrString - -No -
      hoststring - -No -
      -
      -

      Toleration

      -
      -

      See k8s.io.api.core.v1.Toleration.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      keystring - -No -
      operatorstring - -No -
      valuestring - -No -
      effectstring - -No -
      tolerationSecondsint64 - -No -
      -
      -

      WeightedPodAffinityTerm

      -
      -

      See k8s.io.api.core.v1.WeightedPodAffinityTerm.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      weightint32 - -No -
      podAffinityTermPodAffinityTerm - -No -
      -
      -

      PodSecurityContext

      -
      -

      See k8s.io.api.core.v1.PodSecurityContext.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      seLinuxOptionsSELinuxOptions - -No -
      runAsUserint64 - -No -
      runAsNonRootbool - -No -
      supplementalGroupsint64[] - -No -
      fsGroupint64 - -No -
      runAsGroupint64 - -No -
      sysctlsSysctl[] - -No -
      windowsOptionsWindowsSecurityContextOptions - -No -
      fsGroupChangePolicystring - -No -
      seccompProfileSeccompProfile - -No -
      -
      -

      SELinuxOptions

      -
      -

      See k8s.io.api.core.v1.SELinuxOptions.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      userstring - -No -
      rolestring - -No -
      typestring - -No -
      levelstring - -No -
      -
      -

      Sysctl

      -
      -

      See k8s.io.api.core.v1.Sysctl.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring - -No -
      valuestring - -No -
      -
      -

      WindowsSecurityContextOptions

      -
      -

      See k8s.io.api.core.v1.WindowsSecurityContextOptions.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      gmsaCredentialSpecNamestring - -No -
      gmsaCredentialSpecstring - -No -
      runAsUserNamestring - -No -
      -
      -

      SeccompProfile

      -
      -

      See k8s.io.api.core.v1.SeccompProfile.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      typestring - -No -
      localhostProfilestring - -No -
      -
      -

      IntOrString

      -
      -

      IntOrString is a type that can hold an int32 or a string. When used in -JSON or YAML marshalling and unmarshalling, it produces or consumes the -inner type. This allows you to have, for example, a JSON field that can -accept a name or number.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      typeint64 - -No -
      intValInt32Value - -No -
      strValStringValue - -No -
      -
      -

      InstallStatus.VersionStatus

      -
      -

      VersionStatus is the status and version of a component.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      versionstring - -No -
      statusStatus - -No -
      errorstring - -No -
      -
      -

      K8sObjectOverlay.PathValue

      -
      - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      pathstring -

      Path of the form a.[key1:value1].b.[:value2] -Where [key1:value1] is a selector for a key-value pair to identify a list element and [:value] is a value -selector to identify a list element in a leaf list. -All path intermediate nodes must exist.

      - -
      -No -
      valueValue -

      Value to add, delete or replace. -For add, the path should be a new leaf. -For delete, value should be unset. -For replace, path should reference an existing node. -All values are strings but are converted into appropriate type based on schema.

      - -
      -No -
      -
      -

      google.protobuf.Value

      -
      -

      Value represents a dynamically typed value which can be either -null, a number, a string, a boolean, a recursive struct value, or a -list of values. A producer of value is expected to set one of that -variants, absence of any variant indicates an error.

      -

      The JSON representation for Value is JSON value.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      nullValueNullValue (oneof) -

      Represents a null value.

      - -
      -No -
      numberValuedouble (oneof) -

      Represents a double value.

      - -
      -No -
      stringValuestring (oneof) -

      Represents a string value.

      - -
      -No -
      boolValuebool (oneof) -

      Represents a boolean value.

      - -
      -No -
      structValueStruct (oneof) -

      Represents a structured value.

      - -
      -No -
      listValueListValue (oneof) -

      Represents a repeated Value.

      - -
      -No -
      -
      -

      k8s.io.api.core.v1.Volume

      -
      -

      Volume represents a named volume in a pod that may be accessed by any container in the pod.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring -

      name of the volume. -Must be a DNS_LABEL and unique within the pod. -More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

      - -
      -No -
      volumeSourceVolumeSource -

      volumeSource represents the location and type of the mounted volume. -If not specified, the Volume is implied to be an EmptyDir. -This implied behavior is deprecated and will be removed in a future version.

      - -
      -No -
      -
      -

      k8s.io.api.core.v1.VolumeMount

      -
      -

      VolumeMount describes a mounting of a Volume within a container.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      namestring -

      This must match the Name of a Volume.

      - -
      -No -
      readOnlybool -

      Mounted read-only if true, read-write otherwise (false or unspecified). -Defaults to false.

      - -
      -No -
      mountPathstring -

      Path within the container at which the volume should be mounted. Must -not contain ‘:’.

      - -
      -No -
      subPathstring -

      Path within the volume from which the container’s volume should be mounted. -Defaults to "" (volume’s root).

      - -
      -No -
      mountPropagationstring -

      mountPropagation determines how mounts are propagated from the host -to container and the other way around. -When not set, MountPropagationNone is used. -This field is beta in 1.10.

      - -
      -No -
      subPathExprstring -

      Expanded path within the volume from which the container’s volume should be mounted. -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. -Defaults to "" (volume’s root). -SubPathExpr and SubPath are mutually exclusive.

      - -
      -No -
      -
      -

      k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector

      -
      -

      A label selector is a label query over a set of resources. The result of matchLabels and -matchExpressions are ANDed. An empty label selector matches all objects. A null -label selector matches no objects.

      - - - - - - - - - - - - - - - - - - - - - - - - -
      FieldTypeDescriptionRequired
      matchLabelsmap<string, string> -

      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels -map is equivalent to an element of matchExpressions, whose key field is “key”, the -operator is “In”, and the values array contains only “value”. The requirements are ANDed.

      - -
      -No -
      matchExpressionsLabelSelectorRequirement[] -

      matchExpressions is a list of label selector requirements. The requirements are ANDed.

      - -
      -No -
      -
      -

      InstallStatus.Status

      -
      -

      Status describes the current state of a component.

      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      NameDescription
      NONE -

      Component is not present.

      - -
      UPDATING -

      Component is being updated to a different version.

      - -
      RECONCILING -

      Controller has started but not yet completed reconciliation loop for the component.

      - -
      HEALTHY -

      Component is healthy.

      - -
      ERROR -

      Component is in an error state.

      - -
      ACTION_REQUIRED -

      Overall status only and would not be set as a component status. -Action is needed from the user for reconciliation to proceed -e.g. There are proxies still pointing to the control plane revision when try to remove an IstioOperator CR.

      - -
      -
diff --git a/content/zh/docs/reference/config/networking/sidecar/index.html b/content/zh/docs/reference/config/networking/sidecar/index.html
index b58d6006b09a7..cebc2e21a8da5 100644
--- a/content/zh/docs/reference/config/networking/sidecar/index.html
+++ b/content/zh/docs/reference/config/networking/sidecar/index.html
@@ -397,13 +397,9 @@

      Sidecar

outboundTrafficPolicy OutboundTrafficPolicy -

Configuration for the outbound traffic policy. If your -application uses one or more external services that are not known -apriori, setting the policy to ALLOW_ANY will cause the -sidecars to route any unknown traffic originating from the -application to its requested destination. If not specified, -inherits the system detected defaults from the namespace-wide or -the global default Sidecar.

+

Set the default behavior of the sidecar for handling outbound +traffic from the application.

+

Default mode is ALLOW_ANY, which means outbound traffic to unknown destinations will be allowed.

@@ -661,14 +657,7 @@

WorkloadSelector

OutboundTrafficPolicy

OutboundTrafficPolicy sets the default behavior of the sidecar for -handling outbound traffic from the application. -If your application uses one or more external -services that are not known apriori, setting the policy to ALLOW_ANY -will cause the sidecars to route any unknown traffic originating from -the application to its requested destination. Users are strongly -encouraged to use ServiceEntry configurations to explicitly declare any external -dependencies, instead of using ALLOW_ANY, so that traffic to these -services can be monitored.

+handling unknown outbound traffic from the application.

@@ -758,16 +747,21 @@

OutboundTrafficPolicy.Mode

diff --git a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
index bbdb4bc41fb1c..68867bbb885c1 100644
--- a/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
+++ b/content/zh/docs/reference/config/proxy_extensions/wasm-plugin/index.html
@@ -211,7 +211,7 @@

WasmPlugin

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/content/zh/docs/reference/config/security/authorization-policy/index.html b/content/zh/docs/reference/config/security/authorization-policy/index.html
index d129bff1182d0..dce76ebdb9572 100644
--- a/content/zh/docs/reference/config/security/authorization-policy/index.html
+++ b/content/zh/docs/reference/config/security/authorization-policy/index.html
@@ -235,7 +235,7 @@

AuthorizationPolicy

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/content/zh/docs/reference/config/security/request_authentication/index.html b/content/zh/docs/reference/config/security/request_authentication/index.html
index 664ddb592fd81..5ff07b042f3fc 100644
--- a/content/zh/docs/reference/config/security/request_authentication/index.html
+++ b/content/zh/docs/reference/config/security/request_authentication/index.html
@@ -240,7 +240,7 @@

RequestAuthentication

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/content/zh/docs/reference/config/telemetry/index.html b/content/zh/docs/reference/config/telemetry/index.html
index 7c5769a6d9b2e..6de763993ec92 100644
--- a/content/zh/docs/reference/config/telemetry/index.html
+++ b/content/zh/docs/reference/config/telemetry/index.html
@@ -229,7 +229,7 @@

Telemetry

Currently, the following resource attachment types are supported:

  • kind: Gateway with group: gateway.networking.k8s.io in the same namespace.
  • -
  • kind: Service with "" in the same namespace. This type is only supported for waypoints.
  • +
  • kind: Service with group: "" or group: "core" in the same namespace. This type is only supported for waypoints.

If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.

diff --git a/data/args.yml b/data/args.yml index 8ff6a471e2d99..6c4c31bf59f3f 100644 --- a/data/args.yml +++ b/data/args.yml @@ -1,11 +1,11 @@ # The primary Istio version identifier the docs describe, used throughout the site -version: "1.23" +version: "1.24" # The full Istio version identifier the docs describe -full_version: "1.23.0" +full_version: "1.24.0" # The previous Istio version identifier the docs describe, used for upgrade documentation -previous_version: "1.22" +previous_version: "1.23" # The year to display in copyright notices copyright_year: 2024 @@ -25,7 +25,7 @@ archive_date: YYYY-MM-DD archive_search_refinement: "V1.1" # GitHub branch names used when the docs have links to GitHub -source_branch_name: release-1.23 +source_branch_name: master doc_branch_name: master ####### Static values diff --git a/data/features.yaml b/data/features.yaml index 2f0e278b80a3e..aa455af2a512a 100644 --- a/data/features.yaml +++ b/data/features.yaml @@ -1,5 +1,7 @@ +# yaml-language-server: $schema=features_schema.json + features: - - name: "Protocols:HTTP1.1/HTTP2/gRPC/TCP" + - name: "Protocols: HTTP1.1/HTTP2/gRPC/TCP" id: "traffic.http_protocols" link: "/docs/ops/configuration/traffic-management/protocol-selection/" level: @@ -7,7 +9,7 @@ features: maturity: Stable nextExpectedPromotion: "" area: Traffic Management - - name: "Protocols:Websockets/MongoDB" + - name: "Protocols: Websockets/MongoDB" id: "traffic.websocket_protocols" level: checklist: "" @@ -36,7 +38,7 @@ features: nextExpectedPromotion: "" area: Traffic Management - name: "Gateway Injection" - id: :"traffic.gateway_injection" + id: "traffic.gateway_injection" level: checklist: features/gateway_injection.md maturity: Beta @@ -76,7 +78,7 @@ features: link: "/docs/reference/config/networking/sidecar/" level: checklist: "" - maturity: Beta + maturity: Stable nextExpectedPromotion: "" area: Traffic Management - name: "DNS Proxying" 
@@ -96,23 +98,23 @@ features: area: Traffic Management id: "traffic.k8s_gateway_apis" - name: "Kubernetes Gateway APIs for mesh (`Service` `parentRef`) " + id: "traffic.k8s_gateway_apis_+mesh" link: "/docs/tasks/traffic-management/" level: checklist: features/k8s-gateway-apis.md - maturity: Beta + maturity: Stable nextExpectedPromotion: "" area: Traffic Management - id: "traffic.k8s_gateway_apis_+mesh" - - name: "Gateway Network Topology Configuration" - link: "/docs/ops/configuration/traffic-management/network-topologies/" + - name: "Gateway Network Topology configuration" id: "traffic.gateway_topology" + link: "/docs/ops/configuration/traffic-management/network-topologies/" level: checklist: features/configuring_gateway_network_topology.md maturity: Alpha nextExpectedPromotion: "" area: Traffic Management - name: "Kubernetes Multi-Cluster Service (MCS) Discovery" - id: :"traffic.kubernetes_mcs" + id: "traffic.kubernetes_mcs" level: checklist: features/kubernetes_mcs.md maturity: Experimental @@ -235,7 +237,7 @@ features: link: "/docs/tasks/security/authentication/authn-policy/#auto-mutual-tls" level: checklist: features/auto_mtls.md - maturity: Beta + maturity: Stable nextExpectedPromotion: "" area: Security and policy enforcement - name: "VM: Service Credential Distribution" @@ -346,10 +348,17 @@ features: level: checklist: features/ipv6-support.md maturity: Alpha - maturityNotes: Dual stack is experimental still. nextExpectedPromotion: "" area: Core - - name: "Distroless Base Images for Istio" + - name: "Dual Stack IPv4/IPv6" + id: "core.dual_stack" + level: + checklist: features/dual-stack-support.md + maturity: Alpha + link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/" + nextExpectedPromotion: "" + area: Core + - name: "Distroless base images" id: "core.distroless" link: "/docs/ops/configuration/security/harden-docker-images/" level: 
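Review bot: The id `traffic.k8s_gateway_apis_+mesh`, which this hunk moves up under the "Kubernetes Gateway APIs for mesh" entry, still contains a `+` that looks like a leftover typo next to the other ids in the file. The same hunk repairs `id: :"traffic.kubernetes_mcs"`, and the file now points at `features_schema.json`, so this would be the moment to settle it, e.g. `id: "traffic.k8s_gateway_apis_mesh"`. The diff does not show whether anything references the id by its current spelling, so check consumers before renaming; if the `+` is intentional, a one-line comment saying so would help.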
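Review bot: The new "Dual Stack IPv4/IPv6" entry in the `@@ -346,10 +348,17 @@` hunk keeps the absolute link `https://istio.io/latest/docs/setup/additional-setup/dual-stack/`, while neighbouring entries use site-relative links such as `/docs/ops/configuration/security/harden-docker-images/`. An absolute `/latest/` URL sends readers of an archived or preview build to a different version of the docs; `link: "/docs/setup/additional-setup/dual-stack/"` would keep them on the version they are reading. The `link:` key also sits between `maturity:` and `nextExpectedPromotion:` here, whereas other entries place it right after `id:`; indentation is not recoverable from this view, so confirm it is not nested under `level:`.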
@@ -365,7 +374,7 @@ features: maturity: Beta nextExpectedPromotion: "" area: Core - - name: "Helm Based Installation" + - name: "Helm Installation" id: "core.helm_installation" link: "/docs/setup/install/helm/" level: @@ -397,57 +406,58 @@ features: checklist: features/telemetry_api.md maturity: Stable nextExpectedPromotion: "" - - name: "Dual Stack Support in Istio" - id: "core.dual_stack" - level: - checklist: features/dual-stack-support.md - maturity: Experimental - maturityNotes: Dual Stack IPv4 and IPv6 is supported. - link: "https://istio.io/latest/docs/setup/additional-setup/dual-stack/" - nextExpectedPromotion: "" - area: Core + # Ambient - name: "Ztunnel Core" + id: "ambient.ztunnel" level: checklist: features/ambient.md maturity: Beta area: Ambient - name: "Waypoints Core" + id: "ambient.waypoints" level: checklist: features/ambient.md maturity: Beta area: Ambient - name: "Authorization Policies" + id: "ambient.authz" level: checklist: features/ambient.md maturity: Beta area: Ambient - name: "Gateway API (HTTPRoute)" + id: "ambient.httproute" level: checklist: features/ambient.md maturity: Beta area: Ambient - name: "Sidecar Interop" + id: "ambient.sidecar_interoperability" level: checklist: features/ambient.md maturity: Alpha area: Ambient - name: "DNS Proxying" + id: "ambient.dns_proxying" level: checklist: features/ambient.md maturity: Alpha area: Ambient - name: "Multi-cluster" + id: "ambient.multi_cluster" level: checklist: features/ambient.md maturity: Alpha area: Ambient - name: "Multi-network" + id: "ambient.multi_network" level: checklist: features/ambient.md maturity: Experimental area: Ambient - name: "Dual Stack, IPv6" + id: "ambient.dual_stack" level: checklist: features/ambient.md maturity: Experimental diff --git a/go.mod b/go.mod index faa5ca785a6f5..41c9b77297d41 100644 --- a/go.mod +++ b/go.mod 
@@ -13,9 +13,9 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
 require (
  github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2
  golang.org/x/sync v0.7.0
- istio.io/istio v0.0.0-20240808223150-f8e9c97e7b62
- k8s.io/apimachinery v0.30.1
- k8s.io/client-go v0.30.1
+ istio.io/istio v0.0.0-20240814211719-2021e0ebd4b6
+ k8s.io/apimachinery v0.30.3
+ k8s.io/client-go v0.30.3
 )

 require (
@@ -37,13 +37,12 @@ require (
  github.com/cheggaaa/pb/v3 v3.1.5 // indirect
  github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
  github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
- github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
+ github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
  github.com/cyphar/filepath-securejoin v0.2.4 // indirect
  github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
  github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
- github.com/docker/cli v26.1.4+incompatible // indirect
+ github.com/docker/cli v27.1.1+incompatible // indirect
  github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker v26.1.5+incompatible // indirect
  github.com/docker/docker-credential-helpers v0.8.1 // indirect
  github.com/emicklei/go-restful/v3 v3.12.0 // indirect
  github.com/envoyproxy/go-control-plane v0.12.1-0.20240719165848-f888b4f71207 // indirect
@@ -92,9 +91,6 @@ require (
  github.com/josharian/intern v1.0.0 // indirect
  github.com/json-iterator/go v1.1.12 // indirect
  github.com/klauspost/compress v1.17.8 // indirect
- github.com/kr/pretty v0.3.1 // indirect
- github.com/kr/text v0.2.0 // indirect
- github.com/kylelemons/godebug v1.1.0 // indirect
  github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
  github.com/lestrrat-go/blackmagic v1.0.2 // indirect
  github.com/lestrrat-go/httpcc v1.0.1 // indirect
@@ -128,16 +124,15 @@ require (
 github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 github.com/pires/go-proxyproto v0.7.0 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+ github.com/planetscale/vtprotobuf v0.6.1-0.20240409071808-615f978279ca // indirect
 github.com/prometheus/client_golang v1.19.1 // indirect
 github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.54.0 // indirect
+ github.com/prometheus/common v0.55.0 // indirect
 github.com/prometheus/procfs v0.15.1 // indirect
 github.com/prometheus/prometheus v0.52.1 // indirect
 github.com/quic-go/qpack v0.4.0 // indirect
 github.com/quic-go/quic-go v0.44.0 // indirect
 github.com/rivo/uniseg v0.4.6 // indirect
- github.com/rogpeppe/go-internal v1.12.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/ryanuber/go-glob v1.0.0 // indirect
 github.com/sagikazarmark/locafero v0.4.0 // indirect
@@ -147,7 +142,7 @@ require (
 github.com/sourcegraph/conc v0.3.0 // indirect
 github.com/spf13/afero v1.11.0 // indirect
 github.com/spf13/cast v1.6.0 // indirect
- github.com/spf13/cobra v1.8.0 // indirect
+ github.com/spf13/cobra v1.8.1 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/spf13/viper v1.19.0 // indirect
 github.com/stoewer/go-strcase v1.3.0 // indirect
@@ -158,59 +153,58 @@ require (
 github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 github.com/xlab/treeprint v1.2.0 // indirect
 github.com/yl2chen/cidranger v1.0.2 // indirect
- go.opentelemetry.io/otel v1.27.0 // indirect
+ go.opentelemetry.io/otel v1.28.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0 // indirect
- go.opentelemetry.io/otel/exporters/prometheus v0.49.0 // indirect
- go.opentelemetry.io/otel/metric v1.27.0 // indirect
- go.opentelemetry.io/otel/sdk v1.27.0 // indirect
- go.opentelemetry.io/otel/sdk/metric v1.27.0 // indirect
- go.opentelemetry.io/otel/trace v1.27.0 // indirect
+ go.opentelemetry.io/otel/exporters/prometheus v0.50.0 // indirect
+ go.opentelemetry.io/otel/metric v1.28.0 // indirect
+ go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+ go.opentelemetry.io/otel/sdk/metric v1.28.0 // indirect
+ go.opentelemetry.io/otel/trace v1.28.0 // indirect
 go.opentelemetry.io/proto/otlp v1.2.0 // indirect
 go.starlark.net v0.0.0-20231121155337-90ade8b19d09 // indirect
 go.uber.org/atomic v1.11.0 // indirect
 go.uber.org/mock v0.4.0 // indirect
 go.uber.org/multierr v1.11.0 // indirect
 go.uber.org/zap v1.27.0 // indirect
- golang.org/x/crypto v0.24.0 // indirect
- golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
- golang.org/x/mod v0.18.0 // indirect
- golang.org/x/net v0.26.0 // indirect
+ golang.org/x/crypto v0.25.0 // indirect
+ golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 // indirect
+ golang.org/x/mod v0.19.0 // indirect
+ golang.org/x/net v0.27.0 // indirect
 golang.org/x/oauth2 v0.21.0 // indirect
- golang.org/x/sys v0.21.0 // indirect
- golang.org/x/term v0.21.0 // indirect
+ golang.org/x/sys v0.22.0 // indirect
+ golang.org/x/term v0.22.0 // indirect
 golang.org/x/text v0.16.0 // indirect
 golang.org/x/time v0.5.0 // indirect
- golang.org/x/tools v0.22.0 // indirect
+ golang.org/x/tools v0.23.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d // indirect
 google.golang.org/grpc v1.65.0 // indirect
- google.golang.org/protobuf v1.34.1 // indirect
+ google.golang.org/protobuf v1.34.2 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
- gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
 helm.sh/helm/v3 v3.15.1 // indirect
 istio.io/api v1.23.0-rc.0.0.20240808171852-2bb3b8eba0c2 // indirect
 istio.io/client-go v1.23.0-rc.0.0.20240808172151-69d119325620 // indirect
- k8s.io/api v0.30.1 // indirect
- k8s.io/apiextensions-apiserver v0.30.1 // indirect
- k8s.io/apiserver v0.30.1 // indirect
- k8s.io/cli-runtime v0.30.1 // indirect
- k8s.io/component-base v0.30.1 // indirect
- k8s.io/klog/v2 v2.120.1 // indirect
+ k8s.io/api v0.30.3 // indirect
+ k8s.io/apiextensions-apiserver v0.30.3 // indirect
+ k8s.io/apiserver v0.30.3 // indirect
+ k8s.io/cli-runtime v0.30.3 // indirect
+ k8s.io/component-base v0.30.3 // indirect
+ k8s.io/klog/v2 v2.130.1 // indirect
 k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 // indirect
- k8s.io/kubectl v0.30.1 // indirect
+ k8s.io/kubectl v0.30.3 // indirect
 k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
 sigs.k8s.io/controller-runtime v0.18.3 // indirect
 sigs.k8s.io/gateway-api v1.1.0 // indirect
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect
 sigs.k8s.io/kustomize/kyaml v0.16.0 // indirect
- sigs.k8s.io/mcs-api v0.1.0 // indirect
+ sigs.k8s.io/mcs-api v0.1.1-0.20240624222831-d7001fe1d21c // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 96ab874eac3eb..e5f3eb3653aff 100644
--- a/go.sum
+++ b/go.sum
@@ -1,22 +1,12 @@ cel.dev/expr v0.15.0 h1:O1jzfJCQBfL5BFoYktaxwIhuttaQPsVWerH9/EEKx0w= cel.dev/expr v0.15.0/go.mod h1:TRSuuV7DlVCE/uwv5QbAiW/v8l5O8C4eEPHeu7gf7Sg= cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU= cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU= -github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= -github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk= +github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= -github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI= -github.com/Azure/go-autorest/autorest/adal v0.5.0/go.mod h1:8Z9fGy2MpX0PvDjB1pEgQTmVqjGhiHBW7RJJEciWzS0= -github.com/Azure/go-autorest/autorest/date v0.1.0/go.mod h1:plvfp3oPSKwf2DNjlBjWF/7vwR+cUD/ELuzDCXwHUVA= -github.com/Azure/go-autorest/autorest/mocks v0.1.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= -github.com/Azure/go-autorest/autorest/mocks v0.2.0/go.mod h1:OTyCOPRA2IgIlWxVYxBee2F5Gr4kF2zd2J5cFRaIDN0= 
-github.com/Azure/go-autorest/logger v0.1.0/go.mod h1:oExouG+K6PryycPJfVSxi/koC6LSNgds39diKLz7Vrc= -github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbtp2fGCgRFtBroKn4Dk= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= 
@@ -29,41 +19,21 @@ github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA= github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM= -github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= -github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= -github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0= -github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= -github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow= github.com/VividCortex/ewma v1.2.0/go.mod h1:nz4BbCtbLyFDeC9SUHbtcT5644juEuWfUAUnGx7j5l4= -github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= github.com/alecholmes/xfccparser v0.3.0 h1:SI/zhgFw+CsoHnR2VXcbVg/9gij6T/ENT+1yqBOeLNA= github.com/alecholmes/xfccparser v0.3.0/go.mod h1:J9fzzUOtjw74IwNdGVbjnOVj1UDlwGQj1zZzgQRlRDY= github.com/alecthomas/participle/v2 v2.1.0 h1:z7dElHRrOEEq45F2TG5cbQihMtNTv8vwldytDj7Wrz4= github.com/alecthomas/participle/v2 v2.1.0/go.mod h1:Y1+hAs8DHPmc3YUFzqllV+eSQ9ljPTk0ZkPMtEdAx2c= -github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= -github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= 
-github.com/alessio/shellescape v1.2.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30= -github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= -github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= -github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= -github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= -github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= -github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= -github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs= -github.com/blang/semver 
v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= @@ -71,7 +41,6 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g= github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw= -github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs= github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk= 
@@ -82,29 +51,13 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b h1:ga8SEFjZ60pxLcmhnThWgvH2wg8376yUJmPhEH4H3kw= github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8= -github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU= github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk= -github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= -github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= -github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= -github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc= github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk= github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU= github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac= -github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= -github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= -github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg 
v0.0.0-20180108230652-97fdf19511ea/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= -github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= -github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM= -github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= -github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4= +github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= 
@@ -116,26 +69,12 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= -github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= -github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8= -github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v27.1.1+incompatible h1:goaZxOqs4QKxznZjjBWKONQci/MywhtRv2oNn0GkeZE= +github.com/docker/cli v27.1.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk= github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v26.1.5+incompatible h1:NEAxTwEjxV6VbBMBoGG3zPqbiJosIApZjxlbrG9q3/g= -github.com/docker/docker v26.1.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo= github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M= -github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= -github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod 
h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= -github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= -github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= -github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= -github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.12.0 h1:y2DdzBAURM29NFF94q6RaY4vjIH1rtwDapwQtU84iWk= github.com/emicklei/go-restful/v3 v3.12.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -146,136 +85,61 @@ github.com/envoyproxy/go-control-plane v0.12.1-0.20240719165848-f888b4f71207/go. github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= -github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls= github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.0.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8= github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc= -github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4= github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/frankban/quicktest v1.14.6 
h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= -github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= -github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= -github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= -github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= -github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= -github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= 
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= -github.com/go-logr/zapr v0.1.0/go.mod h1:tabnROwaDl0UNxkVeFRbY8bwB37GwRv0P8lg6aAiEnk= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= -github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= -github.com/go-openapi/analysis v0.17.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= -github.com/go-openapi/analysis v0.18.0/go.mod h1:IowGgpVeD0vNm45So8nr+IcQ3pxVtpRoBWb8PVZO0ik= -github.com/go-openapi/analysis v0.19.2/go.mod h1:3P1osvZa9jKjb8ed2TPng3f0i/UY9snX6gxi44djMjk= -github.com/go-openapi/analysis v0.19.5/go.mod h1:hkEAkxagaIvIP7VTn8ygJNkd4kAYON2rCu0v0ObL0AU= -github.com/go-openapi/errors v0.17.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= -github.com/go-openapi/errors v0.18.0/go.mod h1:LcZQpmvG4wyF5j4IhA73wkLFQg+QJXOQHVjmcZxhka0= -github.com/go-openapi/errors v0.19.2/go.mod h1:qX0BLWsyaKfvhluLejVpVNwNRdXZhEbTA4kxxpKBC94= -github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+35s3my2LFTysnkMfxsJBAMHj/DoqoB9knIWoYG/Vk0= -github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= -github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= -github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= -github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer 
v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ= github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY= -github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= -github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= -github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= -github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= -github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ= github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4= -github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= -github.com/go-openapi/loads v0.19.2/go.mod h1:QAskZPMX5V0C2gvfkGZzJlINuP7Hx/4+ix5jWFxsNPs= -github.com/go-openapi/loads v0.19.4/go.mod h1:zZVHonKd8DXyxyw4yfnVjPzBjIQcLt0CCsn0N0ZrQsk= -github.com/go-openapi/runtime v0.0.0-20180920151709-4f900dc2ade9/go.mod h1:6v9a6LTXWQCdL8k1AO3cvqx5OtZY/Y9wKTgaoP6YRfA= -github.com/go-openapi/runtime v0.19.0/go.mod h1:OwNfisksmmaZse4+gpV3Ne9AyMOlP1lt4sK4FXt0O64= -github.com/go-openapi/runtime v0.19.4/go.mod h1:X277bwSUBxVlCYR3r7xgZZGKVvBd/29gLDlFGtJ8NL4= -github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc= -github.com/go-openapi/spec v0.17.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= -github.com/go-openapi/spec v0.18.0/go.mod h1:XkF/MOi14NmjsfZ8VtAKf8pIlbZzyoTvZsdfssdxcBI= -github.com/go-openapi/spec v0.19.2/go.mod 
h1:sCxk3jxKgioEJikev4fgkNmwS+3kuYdJtcsZsD5zxMY= -github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo= -github.com/go-openapi/strfmt v0.17.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= -github.com/go-openapi/strfmt v0.18.0/go.mod h1:P82hnJI0CXkErkXi8IKjPbNBM6lV6+5pLP5l494TcyU= -github.com/go-openapi/strfmt v0.19.0/go.mod h1:+uW+93UVvGGq2qGaZxdDeJqSAqBqBdl+ZPMF/cC8nDY= -github.com/go-openapi/strfmt v0.19.3/go.mod h1:0yX7dbo8mKIvc3XSKp7MNfxw4JytCfCD6+bY1AVL9LU= -github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I= -github.com/go-openapi/swag v0.17.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= -github.com/go-openapi/swag v0.18.0/go.mod h1:AByQ+nYG6gQg71GINrmuDXCPWdL640yX49/kXLo40Tg= -github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= -github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk= github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE= github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ= -github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= -github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= -github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/goccy/go-json 
v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU= github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= -github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= -github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= -github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= -github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= -github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= -github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= -github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= -github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod 
h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= -github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= -github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= -github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= -github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU= github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4= github.com/google/cel-go v0.17.8 h1:j9m730pMZt1Fc4oKhCLUHfjj6527LuhYcYw0Rl8gqto= 
@@ -283,53 +147,34 @@ github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulN github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= -github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= -github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY= github.com/google/go-containerregistry v0.19.1/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= -github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex 
v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= -github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= -github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.1.0/go.mod h1:sJBsCZ4ayReDTBIg8b9dl28c5xFWyhBTVRp3pOg5EKY= -github.com/googleapis/gnostic v0.3.1/go.mod h1:on+2t9HRStVgn95RSsFWFz+6Q0Snyqv1awfrALZdbtU= -github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= -github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= -github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY= github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY= github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd h1:PpuIBO5P3e9hpqBD0O/HjhShYuM6XE0i/lbE6J94kww= github.com/grafana/regexp v0.0.0-20221122212121-6b5c0a4cb7fd/go.mod h1:M5qHK+eWfAv8VR/265dIuEpL3fNfeC21tXXp9itM24A= -github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 
h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= -github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI= github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho= github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= -github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= -github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0= github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -339,54 +184,35 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= -github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= -github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q= github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= -github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jonboulle/clockwork v0.1.0/go.mod 
h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA= github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= -github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= -github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= -github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= -github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU= github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= -github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod 
h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= -github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A= github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y= github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k= 
@@ -402,31 +228,17 @@ github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNB github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0= github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE= -github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY= github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0= -github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20180823135443-60711f1a8329/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= -github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7ldAVICs= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= -github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= -github.com/mattn/go-isatty v0.0.4/go.mod 
h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= -github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s= -github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU= github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U= github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs= github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= @@ -436,7 +248,6 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= -github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= 
@@ -449,35 +260,18 @@ github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0= github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4= -github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= -github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod 
h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= -github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= -github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= -github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= -github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= -github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= -github.com/onsi/ginkgo v1.14.0/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU= github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc= -github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= -github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= -github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= -github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= -github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk= github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -487,51 +281,31 @@ github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVn github.com/openshift/api v0.0.0-20240530053948-b01900f1982a h1:EyLN5c8dxine8V9XaBzG76p1UEY8W0aP97EOvv36eOY= github.com/openshift/api v0.0.0-20240530053948-b01900f1982a/go.mod h1:OOh6Qopf21pSzqNVCB5gomomBXb8o5sGKZxG2KNpaXM= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= -github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= -github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= -github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE= github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs= github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= -github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo= -github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= +github.com/planetscale/vtprotobuf 
v0.6.1-0.20240409071808-615f978279ca h1:ujRGEVWJEoaxQ+8+HMl8YEpGaDAgohgZxJ5S+d2TTFQ= +github.com/planetscale/vtprotobuf v0.6.1-0.20240409071808-615f978279ca/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= -github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= -github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= -github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo= github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE= github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho= -github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= -github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= -github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E= github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY= -github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= -github.com/prometheus/common v0.4.0/go.mod 
h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= -github.com/prometheus/common v0.54.0 h1:ZlZy0BgJhTwVZUn7dLOkwCZHUkrAqd3WYtcFCWnM1D8= -github.com/prometheus/common v0.54.0/go.mod h1:/TQgMJP5CuVYveyT7n/0Ix8yLNNXy9yRSkhnLTHPDIQ= -github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= -github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= -github.com/prometheus/procfs v0.0.11/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= +github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc= +github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= github.com/prometheus/prometheus v0.52.1 h1:BrQ29YG+mzdGh8DgHPirHbeMGNqtL+INe0rqg7ttBJ4= github.com/prometheus/prometheus v0.52.1/go.mod h1:3z74cVsmVH0iXOR5QBjB7Pa6A0KJeEAK5A6UsmAFb1g= -github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/quic-go/qpack v0.4.0 h1:Cr9BXA1sQS2SmDUWjSofMPNKmvF6IiIfDRmgU0w1ZCo= github.com/quic-go/qpack v0.4.0/go.mod h1:UZVnYIfi5GRk+zI9UMaCPsmZ2xKJP7XBUvVyT1Knj9A= github.com/quic-go/quic-go v0.44.0 h1:So5wOr7jyO4vzL2sd8/pD9Kesciv91zSk8BoFngItQ0= 
@@ -539,12 +313,8 @@ github.com/quic-go/quic-go v0.44.0/go.mod h1:z4cx/9Ny9UtGITIPzmPTXh1ULfOyWh4qGQl github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= github.com/rivo/uniseg v0.4.6 h1:Sovz9sDSwbOz9tgUy8JpT+KgCkPYJEN/oYzlJiYTNLg= github.com/rivo/uniseg v0.4.6/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88= -github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= -github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= 
@@ -553,49 +323,31 @@ github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6ke github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4= github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE= github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ= -github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shopspring/decimal v1.3.1 h1:2Usl1nmF/WZucqkFZhnfFYxxxu8LG21F6nPQBE5gKV8= github.com/shopspring/decimal v1.3.1/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo= github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0= -github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= -github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= 
github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= -github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= -github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ= -github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= -github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= -github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= -github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= -github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= -github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= +github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= -github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs= 
github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= 
@@ -614,15 +366,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8= github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU= -github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= -github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= -github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= -github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= -github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= -github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv3vaXspKw= github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= 
@@ -630,48 +375,37 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74= github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y= -github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ= github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= -github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yl2chen/cidranger v1.0.2 h1:lbOWZVCG1tCRX4u24kuM1Tb4nHqWkDxwLdoS+SevawU= github.com/yl2chen/cidranger v1.0.2/go.mod h1:9U1yz7WPYDwf0vpNWFaeRh0bjwz5RVgRy/9UEQfHl0g= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= -go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= -go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= -go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM= -go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY= 
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8= -go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg= -go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ= +go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= +go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0/go.mod h1:OQFyQVrDlbe+R7xrEyDr/2Wr67Ol0hRUgsfA+V5A95s= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0 h1:QY7/0NeRPKlzusf40ZE4t1VlMKbqSNT7cJRYzWuja0s= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.27.0/go.mod h1:HVkSiDhTM9BoUJU8qE6j2eSWLLXvi1USXjyd2BXT8PY= -go.opentelemetry.io/otel/exporters/prometheus v0.49.0 h1:Er5I1g/YhfYv9Affk9nJLfH/+qCCVVg1f2R9AbJfqDQ= -go.opentelemetry.io/otel/exporters/prometheus v0.49.0/go.mod h1:KfQ1wpjf3zsHjzP149P4LyAwWRupc6c7t1ZJ9eXpKQM= -go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik= -go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak= -go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI= -go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A= -go.opentelemetry.io/otel/sdk/metric v1.27.0 h1:5uGNOlpXi+Hbo/DRoI31BSb1v+OGcpv2NemcCrOL8gI= -go.opentelemetry.io/otel/sdk/metric v1.27.0/go.mod h1:we7jJVrYN2kh3mVBlswtPU22K0SA+769l93J6bsyvqw= -go.opentelemetry.io/otel/trace v1.27.0 
h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw= -go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4= +go.opentelemetry.io/otel/exporters/prometheus v0.50.0 h1:2Ewsda6hejmbhGFyUvWZjUThC98Cf8Zy6g0zkIimOng= +go.opentelemetry.io/otel/exporters/prometheus v0.50.0/go.mod h1:pMm5PkUo5YwbLiuEf7t2xg4wbP0/eSJrMxIMxKosynY= +go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= +go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= +go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= +go.opentelemetry.io/otel/sdk/metric v1.28.0 h1:OkuaKgKrgAbYrrY0t92c+cC+2F6hsFNnCQArXCKlg08= +go.opentelemetry.io/otel/sdk/metric v1.28.0/go.mod h1:cWPjykihLAPvXKi4iZc1dpER3Jdq2Z0YLse3moQUCpg= +go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= +go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94= go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A= go.starlark.net v0.0.0-20231121155337-90ade8b19d09 h1:hzy3LFnSN8kuQK8h9tHl4ndF6UruMj47OqwqsS+/Ai4= go.starlark.net v0.0.0-20231121155337-90ade8b19d09/go.mod h1:LcLNIzVOMp4oV+uusnpk+VU+SzXaJakUuBjoCSWH5dM= -go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= 
@@ -680,64 +414,41 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU= go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc= -go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= -go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= -golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190320223903-b7391e95e576/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto 
v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= -golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= +golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= +golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 h1:LoYXNGAShUG3m/ehNk4iFctuhGX/+R1ZpfJ4/ia80JM= -golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8/go.mod h1:jj3sYF3dwk5D+ghuXyeI3r5MFf+NT2An6/9dOA95KSI= +golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7 h1:wDLEX9a7YQoKdKNQt88rtydkqDxeGaBUTnIYc3iG/mA= +golang.org/x/exp v0.0.0-20240716175740-e3f259677ff7/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= -golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= 
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.18.0 h1:5+9lSbEzPSdWkH32vYPBwEpX8KwDbM52Ud9xBUvNlb0= -golang.org/x/mod v0.18.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= +golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181005035420-146acd28ed58/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= -golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190320064053-1272bf9dcd53/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= -golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod 
h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= 
@@ -745,17 +456,13 @@ golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= -golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= -golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= +golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys= +golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= -golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs= golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -763,29 +470,10 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190321052220-f7bb7a8bee54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys 
v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191022100944-742c48ecaeb7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
@@ -801,8 +489,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= -golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI= +golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -810,12 +498,9 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= -golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= -golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= +golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= 
@@ -824,186 +509,110 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= -golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181011042414-1f849cf54d09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= -golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20190614205625-5aca471b1d59/go.mod 
h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190617190820-da514acc4774/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= -golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= -golang.org/x/tools v0.22.0 h1:gqSGLZqv+AI9lIQzniJ0nZDRG5GBPsSi+DRNHWNz6yA= -golang.org/x/tools v0.22.0/go.mod h1:aCwcsjqvq7Yqt6TNyX7QMU2enbQ/Gt0bo6krSeEri+c= +golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg= +golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU= gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw= gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= 
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= -google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= -google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= -google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= -google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 h1:+rdxYoE3E5htTEWIe15GlN6IfvbURM//Jt0mmkmm6ZU= -google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117/go.mod h1:OimBR/bc1wPO9iV4NC2bpyjy3VnAwZh5EBPQdtaE5oo= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117 h1:1GBuWVLM/KMVUv1t1En5Gs+gFZCNd360GGb4sSxtrhU= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240604185151-ef581f913117/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= +google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d h1:kHjw/5UfflP/L5EbledDrcG4C2597RtymmGRZvHiCuY= +google.golang.org/genproto/googleapis/api v0.0.0-20240711142825-46eb208f015d/go.mod h1:mw8MG/Qz5wfgYr6VqVCiZcHe/GJEfI+oGGDCohaVgB0= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d h1:JU0iKnSg02Gmb5ZdV8nYsKEKsP6o/FGVWTrw4i1DA9A= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240711142825-46eb208f015d/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
-google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= -google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= -google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk= google.golang.org/grpc v1.65.0 h1:bs/cUb4lp1G5iImFFd3u5ixQzweKizoZJAwBNLR42lc= google.golang.org/grpc v1.65.0/go.mod h1:WgYC2ypjlB0EiQi6wdKixMqukr6lBc0Vo+oOgjrM5ZQ= -google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= -google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= -google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= -google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= -google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= -google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= -google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg= -google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= -gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= +google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 
v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= -gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k= -gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc= -gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= -gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= -gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= -gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= -gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= -gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 
h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= -gopkg.in/yaml.v3 v3.0.0-20190905181640-827449938966/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.0-20200121175148-a6ecf24a6d71/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= -gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= helm.sh/helm/v3 v3.15.1 h1:22ztacHz4gMqhXNqCQ9NAg6BFWoRUryNLvnkz6OVyw0= helm.sh/helm/v3 v3.15.1/go.mod h1:fvfoRcB8UKRUV5jrIfOTaN/pG1TPhuqSb56fjYdTKXg= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= -honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= istio.io/api v1.23.0-rc.0.0.20240808171852-2bb3b8eba0c2 h1:0sf0blnF707QN6Q5agY8cPKya832XqL1WuaX6OG/7pk= istio.io/api v1.23.0-rc.0.0.20240808171852-2bb3b8eba0c2/go.mod h1:QPSTGXuIQdnZFEm3myf9NZ5uBMwCdJWUvfj9ZZ+2oBM= istio.io/client-go v1.23.0-rc.0.0.20240808172151-69d119325620 h1:11QCpFWE1SdmYnBfS8KoggkJVCSA50EB5hKpU0qy/E8= istio.io/client-go v1.23.0-rc.0.0.20240808172151-69d119325620/go.mod h1:3qX/KBS5aR47QV4JhphcZl5ysnZ53x78TBjNQLM2TC4= -istio.io/istio v0.0.0-20240808223150-f8e9c97e7b62 
h1:Gqody7FhA/V8uoif2zYa0eVg97GDdKt85mRCJ3DSs1M= -istio.io/istio v0.0.0-20240808223150-f8e9c97e7b62/go.mod h1:v2YSyuJdAC3zWqhHVo/8a7ie0TUYYtxJ3imXkD2/kJU= -k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78= -k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4= -k8s.io/api v0.30.1 h1:kCm/6mADMdbAxmIh0LBjS54nQBE+U4KmbCfIkF5CpJY= -k8s.io/api v0.30.1/go.mod h1:ddbN2C0+0DIiPntan/bye3SW3PdwLa11/0yqwvuRrJM= -k8s.io/apiextensions-apiserver v0.18.2/go.mod h1:q3faSnRGmYimiocj6cHQ1I3WpLqmDgJFlKL37fC4ZvY= -k8s.io/apiextensions-apiserver v0.18.4/go.mod h1:NYeyeYq4SIpFlPxSAB6jHPIdvu3hL0pc36wuRChybio= -k8s.io/apiextensions-apiserver v0.30.1 h1:4fAJZ9985BmpJG6PkoxVRpXv9vmPUOVzl614xarePws= -k8s.io/apiextensions-apiserver v0.30.1/go.mod h1:R4GuSrlhgq43oRY9sF2IToFh7PVlF1JjfWdoG3pixk4= -k8s.io/apimachinery v0.18.2/go.mod h1:9SnR/e11v5IbyPCGbvJViimtJ0SwHG4nfZFjU77ftcA= -k8s.io/apimachinery v0.18.4/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko= -k8s.io/apimachinery v0.30.1 h1:ZQStsEfo4n65yAdlGTfP/uSHMQSoYzU/oeEbkmF7P2U= -k8s.io/apimachinery v0.30.1/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= -k8s.io/apiserver v0.18.2/go.mod h1:Xbh066NqrZO8cbsoenCwyDJ1OSi8Ag8I2lezeHxzwzw= -k8s.io/apiserver v0.18.4/go.mod h1:q+zoFct5ABNnYkGIaGQ3bcbUNdmPyOCoEBcg51LChY8= -k8s.io/apiserver v0.30.1 h1:BEWEe8bzS12nMtDKXzCF5Q5ovp6LjjYkSp8qOPk8LZ8= -k8s.io/apiserver v0.30.1/go.mod h1:i87ZnQ+/PGAmSbD/iEKM68bm1D5reX8fO4Ito4B01mo= -k8s.io/cli-runtime v0.30.1 h1:kSBBpfrJGS6lllc24KeniI9JN7ckOOJKnmFYH1RpTOw= -k8s.io/cli-runtime v0.30.1/go.mod h1:zhHgbqI4J00pxb6gM3gJPVf2ysDjhQmQtnTxnMScab8= -k8s.io/client-go v0.18.2/go.mod h1:Xcm5wVGXX9HAA2JJ2sSBUn3tCJ+4SVlCbl2MNNv+CIU= -k8s.io/client-go v0.18.4/go.mod h1:f5sXwL4yAZRkAtzOxRWUhA/N8XzGCb+nPZI8PfobZ9g= -k8s.io/client-go v0.30.1 h1:uC/Ir6A3R46wdkgCV3vbLyNOYyCJ8oZnjtJGKfytl/Q= -k8s.io/client-go v0.30.1/go.mod h1:wrAqLNs2trwiCH/wxxmT/x3hKVH9PuV0GGW0oDoHVqc= -k8s.io/code-generator v0.18.2/go.mod 
h1:+UHX5rSbxmR8kzS+FAv7um6dtYrZokQvjHpDSYRVkTc= -k8s.io/code-generator v0.18.4/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c= -k8s.io/component-base v0.18.2/go.mod h1:kqLlMuhJNHQ9lz8Z7V5bxUUtjFZnrypArGl58gmDfUM= -k8s.io/component-base v0.18.4/go.mod h1:7jr/Ef5PGmKwQhyAz/pjByxJbC58mhKAhiaDu0vXfPk= -k8s.io/component-base v0.30.1 h1:bvAtlPh1UrdaZL20D9+sWxsJljMi0QZ3Lmw+kmZAaxQ= -k8s.io/component-base v0.30.1/go.mod h1:e/X9kDiOebwlI41AvBHuWdqFriSRrX50CdwA9TFaHLI= -k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= -k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= -k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= +istio.io/istio v0.0.0-20240814211719-2021e0ebd4b6 h1:xxAbi9teBxtU+AyEBZg48on0PF10B9xA7ULow7CDaBU= +istio.io/istio v0.0.0-20240814211719-2021e0ebd4b6/go.mod h1:4YypioCIdszSllDb9Vo+U79ThLw6ilpnsmlJxvVaJ9c= +k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ= +k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04= +k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U= +k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4= +k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc= 
+k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc= +k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g= +k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg= +k8s.io/cli-runtime v0.30.3 h1:aG69oRzJuP2Q4o8dm+f5WJIX4ZBEwrvdID0+MXyUY6k= +k8s.io/cli-runtime v0.30.3/go.mod h1:hwrrRdd9P84CXSKzhHxrOivAR9BRnkMt0OeP5mj7X30= +k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k= +k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U= +k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s= +k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108 h1:Q8Z7VlGhcJgBHJHYugJ/K/7iB8a2eSxCyxdVjJp+lLY= k8s.io/kube-openapi v0.0.0-20240423202451-8948a665c108/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98= -k8s.io/kubectl v0.30.1 h1:sHFIRI3oP0FFZmBAVEE8ErjnTyXDPkBcvO88mH9RjuY= -k8s.io/kubectl v0.30.1/go.mod h1:7j+L0Cc38RYEcx+WH3y44jRBe1Q1jxdGPKkX0h4iDq0= -k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= -k8s.io/utils v0.0.0-20200603063816-c1c6865ac451/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= +k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI= +k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7/go.mod h1:PHgbrJT7lCHcxMU+mDHEm+nx46H4zuuHZkDP6icnhu0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0 
h1:/U5vjBbQn3RChhv7P11uhYvCSm5G2GaIi5AIGBS6r4c= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.29.0/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4= -sigs.k8s.io/controller-runtime v0.6.1/go.mod h1:XRYBPdbf5XJu9kpS84VJiZ7h/u1hF3gEORz0efEja7A= sigs.k8s.io/controller-runtime v0.18.3 h1:B5Wmmo8WMWK7izei+2LlXLVDGzMwAHBNLX68lwtlSR4= sigs.k8s.io/controller-runtime v0.18.3/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= -sigs.k8s.io/controller-tools v0.3.0/go.mod h1:enhtKGfxZD1GFEoMgP8Fdbu+uKQ/cq1/WGJhdVChfvI= sigs.k8s.io/gateway-api v1.1.0 h1:DsLDXCi6jR+Xz8/xd0Z1PYl2Pn0TyaFMOPPZIj4inDM= sigs.k8s.io/gateway-api v1.1.0/go.mod h1:ZH4lHrL2sDi0FHZ9jjneb8kKnGzFWyrTya35sWUTrRs= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4= sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 h1:XX3Ajgzov2RKUdc5jW3t5jwY7Bo7dcRm+tFxT+NfgY0= sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3/go.mod h1:9n16EZKMhXBNSiUC5kSdFQJkdH3zbxS/JoO619G1VAY= sigs.k8s.io/kustomize/kyaml v0.16.0 h1:6J33uKSoATlKZH16unr2XOhDI+otoe2sR3M8PDzW3K0= sigs.k8s.io/kustomize/kyaml v0.16.0/go.mod h1:xOK/7i+vmE14N2FdFyugIshB8eF6ALpy7jI87Q2nRh4= -sigs.k8s.io/mcs-api v0.1.0 h1:edDbg0oRGfXw8TmZjKYep06LcJLv/qcYLidejnUp0PM= -sigs.k8s.io/mcs-api v0.1.0/go.mod h1:gGiAryeFNB4GBsq2LBmVqSgKoobLxt+p7ii/WG5QYYw= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= -sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw= +sigs.k8s.io/mcs-api v0.1.1-0.20240624222831-d7001fe1d21c h1:F7hIEutAxtXDOQX9NXFdvhWmWETu2zmUPHuPPcAez7g= +sigs.k8s.io/mcs-api v0.1.1-0.20240624222831-d7001fe1d21c/go.mod h1:DPFniRsBzCeLB4ANjlPEvQQt9QGIX489d1faK+GPvI4= 
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/scripts/grab_reference_docs.sh b/scripts/grab_reference_docs.sh index 077da9074a44a..b99e835da8a12 100755 --- a/scripts/grab_reference_docs.sh +++ b/scripts/grab_reference_docs.sh @@ -45,7 +45,6 @@ COMPONENTS=( https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@istioctl/cmd/istioctl@istioctl https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-agent@pilot-agent https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@pilot/cmd/pilot-discovery@pilot-discovery - https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@operator/cmd/operator@operator https://github.com/istio/istio.git@"${SOURCE_BRANCH_NAME}"@cni/cmd/install-cni@install-cni ) @@ -191,7 +190,7 @@ handle_config_analysis_messages() { } # delete all the existing generated files so that any stale files are removed -find "${ROOTDIR}/content/en/docs/reference" -name '*.html' -type f -print0 | xargs -0 rm 2>/dev/null +find "${ROOTDIR}/content/en/docs/reference" -name '*.html' -type f -print0 | grep -v istio.operator.v1alpha1 | xargs -0 rm 2>/dev/null find "${ROOTDIR}/content/zh/docs/reference" -name '*.html' -type f -print0 | xargs -0 rm 2>/dev/null # Prepare the work directory
REGISTRY_ONLY -

Outbound traffic will be restricted to services defined in the -service registry as well as those defined through ServiceEntry configurations.

+

In REGISTRY_ONLY mode, unknown outbound traffic will be dropped. +Traffic destinations must be explicitly declared into the service registry through ServiceEntry configurations.

+

Note: Istio does not offer an outbound traffic security policy. +This option does not act as one, or as any form of an outbound firewall. +Instead, this option exists primarily to offer users a way to detect missing ServiceEntry configurations by explicitly failing.

ALLOW_ANY -

Outbound traffic to unknown destinations will be allowed, in case -there are no services or ServiceEntry configurations for the destination port.

+

In ALLOW_ANY mode, any traffic to unknown destinations will be allowed. +Unknown destination traffic will have limited functionality, however, such as reduced observability. +This mode allows users that do not have all possible egress destinations registered through ServiceEntry configurations to still connect +to arbitrary destinations.