WIP

Signed-off-by: Daniel Hawton <[email protected]>

Author: dhawton

Makefile.core.mk

@@ -27,7 +27,7 @@ export IN_BUILD_CONTAINER := $(IN_BUILD_CONTAINER)
 
 # ISTIO_IMAGE_VERSION stores the prefix used by default for the Docker images for Istio.
 # For example, a value of 1.6-alpha will assume a default TAG value of 1.6-dev.<SHA>
-ISTIO_IMAGE_VERSION ?= 1.27-alpha
+ISTIO_IMAGE_VERSION ?= 1.28-alpha
 export ISTIO_IMAGE_VERSION
 
 # Determine the SHA for the Istio dependency by parsing the go.mod file.
@@ -87,7 +87,7 @@ export NETLIFY_URL
 
 
 # Which branch of the Istio source code do we fetch stuff from
-export SOURCE_BRANCH_NAME ?= release-1.27
+export SOURCE_BRANCH_NAME ?= master
 
 site:
 	@scripts/gen_site.sh

README.md

@@ -82,19 +82,22 @@ This script replaces the old process where an admin needed to run to commit dire
 a release branch, but this should be doable for anyone on the docs team and parallels the process of branch cutting done by the release managers for minor versions in
 the other repositories.
 
-This script requires the `gh` command line tool to be installed and authenticated. Please note that due to a limitation in the gh tool's PR creation ability, the forked
-repository must be created by a user and not an organization. See [this issue](https://github.com/cli/cli/issues/10093) for more details.
+This script requires:
+
+- The GitHub CLI tool (`gh`) to be installed and authenticated. Please note that due to a limitation in the gh tool's PR creation ability, the forked
+    repository must be created by a user and not an organization. See [this issue](https://github.com/cli/cli/issues/10093) for more details.
+- GNU tools. If you are running OS X, you will need to install at least gnu-sed and have `sed` by linked to that version of the utility.
 
 1. The script takes a single argument, the new minor version. For example, if the new minor version is `1.26`, run
-   `./scripts/create_minor_version.sh 1.26`. The script *requires* the `FORKED_REPO_SOURCE` environment variable to be set to the source of the forked repo. This is used
+   `./scripts/create_minor_version.sh 1.26`. The script *requires* the `FORKED_GIT_SOURCE` environment variable to be set to the source of the forked repo. This is used
     to do the work and to create PRs from
 
 1. Do a dry run before the official release to ensure everything is working as expected. This is done by specifying DRY_RUN=1 in the command line. For example:
-    `DRY_RUN=1 FORKED_REPO_SOURCE[email protected]:dhawton/istio-istio.io ./scripts/create_minor_version.sh 1.26`. This will do all the work in a /tmp directory (or `TMP_DIR`) and will not
+    `DRY_RUN=1 FORKED_GIT_SOURCE[email protected]:dhawton/istio-istio.io ./scripts/create_minor_version.sh 1.26`. This will do all the work in a /tmp directory (or `TMP_DIR`) and will not
     push any changes to the repos
 
 1. On the day of .0 release, the docs team will need to run the script but leave off the DRY_RUN environment variable. This will be the live publishing.
-    `FORKED_REPO_SOURCE[email protected]:dhawton/istio-istio.io ./scripts/create_minor_version.sh 1.26`
+    `FORKED_GIT_SOURCE[email protected]:dhawton/istio-istio.io ./scripts/create_minor_version.sh 1.26`
 
 1. Go to the istio.io project on [Netlify](https://netlify.com) and set the staging environment to the new release branch and deploy. Navigate to https://istio-staging.netlify.app and
    verify that the new release branch is being used and the documentation looks correct

content/en/docs/reference/commands/istioctl/index.html

@@ -141,10 +141,10 @@ <h4 id="istioctl-admin Examples">Examples</h4>
 </code></pre>
 <h3 id="istioctl-admin-log">istioctl admin log</h3>
 <p>Retrieve or update logging levels of istiod components.</p>
-<pre class="language-bash"><code>istioctl admin log [&lt;pod-name&gt;]|[-r|--revision] [--level &lt;scope&gt;:&lt;level&gt;][--stack-trace-level &lt;scope&gt;:&lt;level&gt;]|[--reset]|[--output|-o short|json|yaml] [flags]
+<pre class="language-bash"><code>istioctl admin log [&lt;pod-name&gt;]|[-r|--revision] [--level &lt;scope&gt;:&lt;level&gt;][--stack-trace-level &lt;scope&gt;:&lt;level&gt;]|[--reset|--log-reset|--stack-trace-reset]|[--output|-o short|json|yaml] [flags]
 </code></pre>
 <div class="aliases">
-<pre class="language-bash"><code>istioctl admin l [&lt;pod-name&gt;]|[-r|--revision] [--level &lt;scope&gt;:&lt;level&gt;][--stack-trace-level &lt;scope&gt;:&lt;level&gt;]|[--reset]|[--output|-o short|json|yaml] [flags]
+<pre class="language-bash"><code>istioctl admin l [&lt;pod-name&gt;]|[-r|--revision] [--level &lt;scope&gt;:&lt;level&gt;][--stack-trace-level &lt;scope&gt;:&lt;level&gt;]|[--reset|--log-reset|--stack-trace-reset]|[--output|-o short|json|yaml] [flags]
 </code></pre></div>
 <table class="command-flags">
 <thead>
@@ -201,6 +201,11 @@ <h3 id="istioctl-admin-log">istioctl admin log</h3>
 <td>Comma-separated list of output logging level for scopes in the format of &lt;scope&gt;:&lt;level&gt;[,&lt;scope&gt;:&lt;level&gt;,...]. Possible values for &lt;level&gt;: none, error, warn, info, debug  (default ``)</td>
 </tr>
 <tr>
+<td><code>--log-reset</code></td>
+<td></td>
+<td>Reset log levels to default value. (info) </td>
+</tr>
+<tr>
 <td><code>--namespace &lt;string&gt;</code></td>
 <td><code>-n</code></td>
 <td>Kubernetes namespace  (default ``)</td>
@@ -213,7 +218,7 @@ <h3 id="istioctl-admin-log">istioctl admin log</h3>
 <tr>
 <td><code>--reset</code></td>
 <td></td>
-<td>Reset levels to default value. (info) </td>
+<td>Reset all levels to default value. (info) </td>
 </tr>
 <tr>
 <td><code>--revision &lt;string&gt;</code></td>
@@ -231,6 +236,11 @@ <h3 id="istioctl-admin-log">istioctl admin log</h3>
 <td>Comma-separated list of stack trace level for scopes in the format of &lt;scope&gt;:&lt;stack-trace-level&gt;[,&lt;scope&gt;:&lt;stack-trace-level&gt;,...]. Possible values for &lt;stack-trace-level&gt;: none, error, warn, info, debug  (default ``)</td>
 </tr>
 <tr>
+<td><code>--stack-trace-reset</code></td>
+<td></td>
+<td>Reset stack stace levels to default value. (none) </td>
+</tr>
+<tr>
 <td><code>--vklog &lt;Level&gt;</code></td>
 <td></td>
 <td>number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)</td>
@@ -244,14 +254,20 @@ <h4 id="istioctl-admin-log Examples">Examples</h4>
   # Retrieve information about istiod logging levels on a specific control plane pod.
   istioctl admin l istiod-5c868d8bdd-pmvgg
 
-  # Update levels of the specified loggers.
-  istioctl admin log --level ads:debug,authorization:debug
+  # Update levels of the specified loggers and stack trace.
+  istioctl admin log --level ads:debug,authorization:debug --stack-trace-level ads:debug,adsc:debug
 
   # Retrieve information about istiod logging levels for a specified revision.
   istioctl admin log --revision v1
 
   # Reset levels of all the loggers to default value (info).
-  istioctl admin log --reset
+  istioctl admin log --log-reset
+
+  # Reset all stack stace levels to default value. (none)
+  istioctl admin log --stack-trace-reset
+
+  # Reset levels of all the loggers and stack stace to default value.
+  istioctl admin log --log-reset
 
 </code></pre>
 <h3 id="istioctl-analyze">istioctl analyze</h3>
@@ -606,6 +622,11 @@ <h3 id="istioctl-bug-report">istioctl bug-report</h3>
 <td>Set a specific directory for output archive file.  (default ``)</td>
 </tr>
 <tr>
+<td><code>--proxy-admin-port &lt;int&gt;</code></td>
+<td></td>
+<td>Envoy proxy admin port  (default `15000`)</td>
+</tr>
+<tr>
 <td><code>--rq-concurrency &lt;int&gt;</code></td>
 <td></td>
 <td>Set the concurrency limit of requests to the Kubernetes API server, defaults to 32.  (default `0`)</td>
@@ -746,6 +767,11 @@ <h3 id="istioctl-bug-report-version">istioctl bug-report version</h3>
 <td>Set a specific directory for output archive file.  (default ``)</td>
 </tr>
 <tr>
+<td><code>--proxy-admin-port &lt;int&gt;</code></td>
+<td></td>
+<td>Envoy proxy admin port  (default `15000`)</td>
+</tr>
+<tr>
 <td><code>--rq-concurrency &lt;int&gt;</code></td>
 <td></td>
 <td>Set the concurrency limit of requests to the Kubernetes API server, defaults to 32.  (default `0`)</td>
@@ -2437,6 +2463,11 @@ <h3 id="istioctl-experimental-authz-check">istioctl experimental authz check</h3
 <td>Kubernetes namespace  (default ``)</td>
 </tr>
 <tr>
+<td><code>--proxy-admin-port &lt;int&gt;</code></td>
+<td></td>
+<td>Envoy proxy admin port  (default `15000`)</td>
+</tr>
+<tr>
 <td><code>--vklog &lt;Level&gt;</code></td>
 <td></td>
 <td>number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)</td>
@@ -2782,14 +2813,19 @@ <h3 id="istioctl-experimental-describe-pod">istioctl experimental describe pod</
 <td>Kubernetes namespace  (default ``)</td>
 </tr>
 <tr>
+<td><code>--proxy-admin-port &lt;int&gt;</code></td>
+<td></td>
+<td>Envoy proxy admin port  (default `15000`)</td>
+</tr>
+<tr>
 <td><code>--vklog &lt;Level&gt;</code></td>
 <td></td>
 <td>number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)</td>
 </tr>
 </tbody>
 </table>
 <h4 id="istioctl-experimental-describe-pod Examples">Examples</h4>
-<pre class="language-bash"><code>  #Pod query with inferred namespace (current context&#39;s namespace)
+<pre class="language-bash"><code>  # Pod query with inferred namespace (current context&#39;s namespace)
   istioctl experimental describe pod helloworld-v1-676yyy3y5r-d8hdl
 
   # Pod query with explicit namespace 
@@ -2861,14 +2897,19 @@ <h3 id="istioctl-experimental-describe-service">istioctl experimental describe s
 <td>Kubernetes namespace  (default ``)</td>
 </tr>
 <tr>
+<td><code>--proxy-admin-port &lt;int&gt;</code></td>
+<td></td>
+<td>Envoy proxy admin port  (default `15000`)</td>
+</tr>
+<tr>
 <td><code>--vklog &lt;Level&gt;</code></td>
 <td></td>
 <td>number for the log level verbosity. Like -v flag. ex: --vklog=9  (default `0`)</td>
 </tr>
 </tbody>
 </table>
 <h4 id="istioctl-experimental-describe-service Examples">Examples</h4>
-<pre class="language-bash"><code>  #Service query with inferred namespace (current context&#39;s namespace)
+<pre class="language-bash"><code>  # Service query with inferred namespace (current context&#39;s namespace)
   istioctl experimental describe service productpage
 
   # Service query with explicit namespace
@@ -3515,6 +3556,11 @@ <h3 id="istioctl-experimental-proxy-status">istioctl experimental proxy-status</
 <td>Use plain-text HTTP/2 when connecting to server (no TLS). </td>
 </tr>
 <tr>
+<td><code>--proxy-admin-port &lt;int&gt;</code></td>
+<td></td>
+<td>Envoy proxy admin port  (default `15000`)</td>
+</tr>
+<tr>
 <td><code>--revision &lt;string&gt;</code></td>
 <td><code>-r</code></td>
 <td>Control plane revision  (default ``)</td>
@@ -6145,6 +6191,11 @@ <h3 id="istioctl-proxy-status">istioctl proxy-status</h3>
 <td>Use plain-text HTTP/2 when connecting to server (no TLS). </td>
 </tr>
 <tr>
+<td><code>--proxy-admin-port &lt;int&gt;</code></td>
+<td></td>
+<td>Envoy proxy admin port  (default `15000`)</td>
+</tr>
+<tr>
 <td><code>--revision &lt;string&gt;</code></td>
 <td><code>-r</code></td>
 <td>Control plane revision  (default ``)</td>

content/en/docs/reference/commands/pilot-discovery/index.html

@@ -268,17 +268,17 @@ <h3 id="pilot-discovery-discovery">pilot-discovery discovery</h3>
 <tr>
 <td><code>--log_caller &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, fullpush, gateway, grpc, grpcgen, ip-autoallocate, klog, krt, kube, model, monitoring, pkica, pkira, probes, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle]  (default ``)</td>
+<td>Comma-separated list of scopes for which to include caller information, scopes can be any of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, fullpush, gateway, grpc, grpcgen, ip-autoallocate, klog, krt, kube, model, monitoring, pkica, pkira, probes, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tag-watcher, trustBundle, untaint, validation, validationController, validationServer, wasm, wle]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_output_level &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, fullpush, gateway, grpc, grpcgen, ip-autoallocate, klog, krt, kube, model, monitoring, pkica, pkira, probes, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default ``)</td>
+<td>Comma-separated minimum per-scope logging level of messages to output, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope&gt;:&lt;level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, fullpush, gateway, grpc, grpcgen, ip-autoallocate, klog, krt, kube, model, monitoring, pkica, pkira, probes, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tag-watcher, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default ``)</td>
 </tr>
 <tr>
 <td><code>--log_stacktrace_level &lt;string&gt;</code></td>
 <td></td>
-<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, fullpush, gateway, grpc, grpcgen, ip-autoallocate, klog, krt, kube, model, monitoring, pkica, pkira, probes, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
+<td>Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of &lt;scope&gt;:&lt;level&gt;,&lt;scope:level&gt;,... where scope can be one of [ads, adsc, all, analysis, authn, authorization, ca, controllers, default, delta, deltaadsc, file, fullpush, gateway, grpc, grpcgen, ip-autoallocate, klog, krt, kube, model, monitoring, pkica, pkira, probes, processing, retry, rootcertrotator, secretcontroller, security, serverca, serviceentry, spiffe, status, tag-watcher, trustBundle, untaint, validation, validationController, validationServer, wasm, wle] and level can be one of [debug, info, warn, error, fatal, none]  (default `default:none`)</td>
 </tr>
 <tr>
 <td><code>--log_target &lt;stringArray&gt;</code></td>

content/en/docs/reference/config/annotations/index.html

@@ -11,6 +11,29 @@
 This page presents the various resource <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/">annotations</a> that
 Istio supports to control its behavior.
 </p>
+<h2 id="AmbientBypassInboundCapture">ambient.istio.io/bypass-inbound-capture</h2>
+<table class="annotations">
+  <tbody>
+    <tr>
+      <th>Name</th>
+      <td><code>ambient.istio.io/bypass-inbound-capture</code></td>
+    </tr>
+    <tr>
+      <th>Feature Status</th>
+      <td>Alpha</td>
+    </tr>
+    <tr>
+      <th>Resource Types</th>
+      <td>[Pod]</td>
+    </tr>
+    <tr>
+      <th>Description</th>
+      <td><p>When specified on a <code>Pod</code> enrolled in ambient mesh, only outbound traffic will be captured.
+This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.</p>
+</td>
+    </tr>
+  </tbody>
+</table>
 <h2 id="AmbientRedirection">ambient.istio.io/redirection</h2>
 <table class="annotations">
   <tbody>

content/en/docs/reference/config/istio.mesh.v1alpha1/index.html

@@ -7,7 +7,7 @@
 layout: protoc-gen-docs
 generator: protoc-gen-docs
 weight: 20
-number_of_entries: 81
+number_of_entries: 83
 ---
 <p>Configuration affecting the service mesh as a whole.</p>
 
@@ -4097,6 +4097,29 @@ <h3 id="ProxyConfig-ProxyHeaders">ProxyHeaders</h3>
 requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
 standards.</p>
 
+</td>
+</tr>
+<tr id="ProxyConfig-ProxyHeaders-x_forwarded_host">
+<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-x_forwarded_host">xForwardedHost</a></code></div>
+<div class="type"><a href="#ProxyConfig-ProxyHeaders-XForwardedHost">XForwardedHost</a></div>
+</div></td>
+<td>
+<p>Controls the <code>X-Forwarded-Host</code> header. If enabled, the <code>X-Forwarded-Host</code> header is appended
+with the original host when it is rewritten.
+This header is disabled by default.</p>
+
+</td>
+</tr>
+<tr id="ProxyConfig-ProxyHeaders-x_forwarded_port">
+<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-x_forwarded_port">xForwardedPort</a></code></div>
+<div class="type"><a href="#ProxyConfig-ProxyHeaders-XForwardedPort">XForwardedPort</a></div>
+</div></td>
+<td>
+<p>Controls the <code>X-Forwarded-Port</code> header. If enabled, the <code>X-Forwarded-Port</code> header is header with the port value
+client used to connect to Envoy. It will be ignored if the <code>x-forwarded-port</code> header has been set by any
+trusted proxy in front of Envoy.
+This header is disabled by default.</p>
+
 </td>
 </tr>
 </tbody>
@@ -4171,6 +4194,46 @@ <h4 id="ProxyConfig-ProxyHeaders-AttemptCount">AttemptCount</h4>
 </tbody>
 </table>
 </section>
+<h4 id="ProxyConfig-ProxyHeaders-XForwardedHost">XForwardedHost</h4>
+<section>
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="ProxyConfig-ProxyHeaders-XForwardedHost-enabled">
+<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-XForwardedHost-enabled">enabled</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></div>
+</div></td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+</section>
+<h4 id="ProxyConfig-ProxyHeaders-XForwardedPort">XForwardedPort</h4>
+<section>
+<table class="message-fields">
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr id="ProxyConfig-ProxyHeaders-XForwardedPort-enabled">
+<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-XForwardedPort-enabled">enabled</a></code></div>
+<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></div>
+</div></td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
+</section>
 <h4 id="ProxyConfig-ProxyHeaders-EnvoyDebugHeaders">EnvoyDebugHeaders</h4>
 <section>
 <table class="message-fields">

content/en/docs/reference/config/networking/gateway/index.html

@@ -513,6 +513,16 @@ <h2 id="ServerTLSSettings">ServerTLSSettings</h2>
 <p>Same as CredentialName but for multiple certificates. Mainly used for specifying
 RSA and ECDSA certificates for the same server.</p>
 
+</td>
+</tr>
+<tr id="ServerTLSSettings-ca_cert_credential_name">
+<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_cert_credential_name">caCertCredentialName</a></code></div>
+<div class="type">string</div>
+</div></td>
+<td>
+<p>For mutual TLS, the name of the secret or the configmap that holds CA certificates.
+Takes precedence over CA certificates in the Secret referenced with <code>credentialName(s)</code>.</p>
+
 </td>
 </tr>
 <tr id="ServerTLSSettings-tls_certificates">