From 79ac6c30bd68cd333c657b4adb5c30ad81f11735 Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Tue, 29 Jan 2019 15:58:43 -0500 Subject: [PATCH 1/7] Enabling SDS in the gateway Signed-off-by: Shriram Rajagopalan --- networking/v1alpha3/gateway.pb.go | 847 ++++++++++++++++-- networking/v1alpha3/gateway.proto | 53 +- .../istio.networking.v1alpha3.pb.html | 122 ++- proto.lock | 53 +- .../networking/v1alpha3/gateway_pb2.py | 200 ++++- 5 files changed, 1166 insertions(+), 109 deletions(-) diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 3eeb4ff276..75e09f3975 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go @@ -409,10 +409,13 @@ type Server_TLSOptions struct { Mode Server_TLSOptions_TLSmode `protobuf:"varint,2,opt,name=mode,proto3,enum=istio.networking.v1alpha3.Server_TLSOptions_TLSmode" json:"mode,omitempty"` // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server-side TLS certificate to use. + // Deprecated. Use ServerCertificate string `protobuf:"bytes,3,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server's private key. PrivateKey string `protobuf:"bytes,4,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` + // REQUIRED if the mode is `SIMPLE` or `MUTUAL`. + CredentialStore *Server_TLSOptions_CredentialStore `protobuf:"bytes,10,opt,name=credential_store,json=credentialStore" json:"credential_store,omitempty"` // REQUIRED if mode is `MUTUAL`. The path to a file containing // certificate authority certificates to use in verifying a presented // client side certificate. 
@@ -427,12 +430,6 @@ type Server_TLSOptions struct { // Optional: If specified, only support the specified cipher list. // Otherwise default to the default cipher list supported by Envoy. CipherSuites []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites" json:"cipher_suites,omitempty"` - // Optional: If specified, the gateway controllers (with SDS enabled) - // use the specified name as the SDS secret config name to call the SDS - // server, to retrieve the key and certificates. Otherwise, the gateway - // controllers (with SDS enabled) use the first value in the hosts as - // the SDS secret config name to call the SDS server. - SdsName string `protobuf:"bytes,10,opt,name=sds_name,json=sdsName,proto3" json:"sds_name,omitempty"` } func (m *Server_TLSOptions) Reset() { *m = Server_TLSOptions{} } @@ -468,6 +465,13 @@ func (m *Server_TLSOptions) GetPrivateKey() string { return "" } +func (m *Server_TLSOptions) GetCredentialStore() *Server_TLSOptions_CredentialStore { + if m != nil { + return m.CredentialStore + } + return nil +} + func (m *Server_TLSOptions) GetCaCertificates() string { if m != nil { return m.CaCertificates 
@@ -503,13 +507,212 @@ func (m *Server_TLSOptions) GetCipherSuites() []string { return nil } -func (m *Server_TLSOptions) GetSdsName() string { +// The file backend specifies the file system paths where the +// server's public and private keys can be obtained. +type Server_TLSOptions_CredentialStoreFileBackend struct { + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server-side TLS certificate to use. + ServerCertificate string `protobuf:"bytes,3,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server's private key. + PrivateKey string `protobuf:"bytes,4,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` +} + +func (m *Server_TLSOptions_CredentialStoreFileBackend) Reset() { + *m = Server_TLSOptions_CredentialStoreFileBackend{} +} +func (m *Server_TLSOptions_CredentialStoreFileBackend) String() string { + return proto.CompactTextString(m) +} +func (*Server_TLSOptions_CredentialStoreFileBackend) ProtoMessage() {} +func (*Server_TLSOptions_CredentialStoreFileBackend) Descriptor() ([]byte, []int) { + return fileDescriptorGateway, []int{1, 0, 0} +} + +func (m *Server_TLSOptions_CredentialStoreFileBackend) GetServerCertificate() string { + if m != nil { + return m.ServerCertificate + } + return "" +} + +func (m *Server_TLSOptions_CredentialStoreFileBackend) GetPrivateKey() string { + if m != nil { + return m.PrivateKey + } + return "" +} + +// The remote backend provides information about the remote secret +// management server that contains the server's public and private keys. +type Server_TLSOptions_CredentialStoreRemoteBackend struct { + // REQUIRED the name of the resource that the credential server can + // use to identify the certificates associated with the gateway + // server. 
In kubernetes, this should correspond to the name of the + // secret that contains the server-side TLS certificate and the + // server's private key. Note that the secret should contain both the + // public and private keys associated with the server port. + // + // It is possible to use the same resourceName across several servers + // on different ports, if these servers share the same credentials. + ResourceName string `protobuf:"bytes,1,opt,name=resource_name,json=resourceName,proto3" json:"resource_name,omitempty"` + // The address where the credential store server can be reached. + // If omitted, will default to unix:/var/run/gateway/sds + ServerAddress string `protobuf:"bytes,2,opt,name=server_address,json=serverAddress,proto3" json:"server_address,omitempty"` +} + +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Reset() { + *m = Server_TLSOptions_CredentialStoreRemoteBackend{} +} +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) String() string { + return proto.CompactTextString(m) +} +func (*Server_TLSOptions_CredentialStoreRemoteBackend) ProtoMessage() {} +func (*Server_TLSOptions_CredentialStoreRemoteBackend) Descriptor() ([]byte, []int) { + return fileDescriptorGateway, []int{1, 0, 1} +} + +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) GetResourceName() string { + if m != nil { + return m.ResourceName + } + return "" +} + +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) GetServerAddress() string { if m != nil { - return m.SdsName + return m.ServerAddress } return "" } +type Server_TLSOptions_CredentialStore struct { + // Types that are valid to be assigned to CredentialStore: + // *Server_TLSOptions_CredentialStore_Files + // *Server_TLSOptions_CredentialStore_Remote + CredentialStore isServer_TLSOptions_CredentialStore_CredentialStore `protobuf_oneof:"credentialStore"` +} + +func (m *Server_TLSOptions_CredentialStore) Reset() { *m = Server_TLSOptions_CredentialStore{} } +func (m *Server_TLSOptions_CredentialStore) 
String() string { return proto.CompactTextString(m) } +func (*Server_TLSOptions_CredentialStore) ProtoMessage() {} +func (*Server_TLSOptions_CredentialStore) Descriptor() ([]byte, []int) { + return fileDescriptorGateway, []int{1, 0, 2} +} + +type isServer_TLSOptions_CredentialStore_CredentialStore interface { + isServer_TLSOptions_CredentialStore_CredentialStore() + MarshalTo([]byte) (int, error) + Size() int +} + +type Server_TLSOptions_CredentialStore_Files struct { + Files *Server_TLSOptions_CredentialStoreFileBackend `protobuf:"bytes,1,opt,name=files,oneof"` +} +type Server_TLSOptions_CredentialStore_Remote struct { + Remote *Server_TLSOptions_CredentialStoreRemoteBackend `protobuf:"bytes,2,opt,name=remote,oneof"` +} + +func (*Server_TLSOptions_CredentialStore_Files) isServer_TLSOptions_CredentialStore_CredentialStore() { +} +func (*Server_TLSOptions_CredentialStore_Remote) isServer_TLSOptions_CredentialStore_CredentialStore() { +} + +func (m *Server_TLSOptions_CredentialStore) GetCredentialStore() isServer_TLSOptions_CredentialStore_CredentialStore { + if m != nil { + return m.CredentialStore + } + return nil +} + +func (m *Server_TLSOptions_CredentialStore) GetFiles() *Server_TLSOptions_CredentialStoreFileBackend { + if x, ok := m.GetCredentialStore().(*Server_TLSOptions_CredentialStore_Files); ok { + return x.Files + } + return nil +} + +func (m *Server_TLSOptions_CredentialStore) GetRemote() *Server_TLSOptions_CredentialStoreRemoteBackend { + if x, ok := m.GetCredentialStore().(*Server_TLSOptions_CredentialStore_Remote); ok { + return x.Remote + } + return nil +} + +// XXX_OneofFuncs is for the internal use of the proto package. 
+func (*Server_TLSOptions_CredentialStore) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) { + return _Server_TLSOptions_CredentialStore_OneofMarshaler, _Server_TLSOptions_CredentialStore_OneofUnmarshaler, _Server_TLSOptions_CredentialStore_OneofSizer, []interface{}{ + (*Server_TLSOptions_CredentialStore_Files)(nil), + (*Server_TLSOptions_CredentialStore_Remote)(nil), + } +} + +func _Server_TLSOptions_CredentialStore_OneofMarshaler(msg proto.Message, b *proto.Buffer) error { + m := msg.(*Server_TLSOptions_CredentialStore) + // credentialStore + switch x := m.CredentialStore.(type) { + case *Server_TLSOptions_CredentialStore_Files: + _ = b.EncodeVarint(1<<3 | proto.WireBytes) + if err := b.EncodeMessage(x.Files); err != nil { + return err + } + case *Server_TLSOptions_CredentialStore_Remote: + _ = b.EncodeVarint(2<<3 | proto.WireBytes) + if err := b.EncodeMessage(x.Remote); err != nil { + return err + } + case nil: + default: + return fmt.Errorf("Server_TLSOptions_CredentialStore.CredentialStore has unexpected type %T", x) + } + return nil +} + +func _Server_TLSOptions_CredentialStore_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) { + m := msg.(*Server_TLSOptions_CredentialStore) + switch tag { + case 1: // credentialStore.files + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + msg := new(Server_TLSOptions_CredentialStoreFileBackend) + err := b.DecodeMessage(msg) + m.CredentialStore = &Server_TLSOptions_CredentialStore_Files{msg} + return true, err + case 2: // credentialStore.remote + if wire != proto.WireBytes { + return true, proto.ErrInternalBadWireType + } + msg := new(Server_TLSOptions_CredentialStoreRemoteBackend) + err := b.DecodeMessage(msg) + m.CredentialStore = &Server_TLSOptions_CredentialStore_Remote{msg} + return true, err + default: + return false, nil 
+ } +} + +func _Server_TLSOptions_CredentialStore_OneofSizer(msg proto.Message) (n int) { + m := msg.(*Server_TLSOptions_CredentialStore) + // credentialStore + switch x := m.CredentialStore.(type) { + case *Server_TLSOptions_CredentialStore_Files: + s := proto.Size(x.Files) + n += proto.SizeVarint(1<<3 | proto.WireBytes) + n += proto.SizeVarint(uint64(s)) + n += s + case *Server_TLSOptions_CredentialStore_Remote: + s := proto.Size(x.Remote) + n += proto.SizeVarint(2<<3 | proto.WireBytes) + n += proto.SizeVarint(uint64(s)) + n += s + case nil: + default: + panic(fmt.Sprintf("proto: unexpected type %T in oneof", x)) + } + return n +} + // Port describes the properties of a specific port of a service. type Port struct { // REQUIRED: A valid non-negative integer port number. @@ -553,6 +756,9 @@ func init() { proto.RegisterType((*Gateway)(nil), "istio.networking.v1alpha3.Gateway") proto.RegisterType((*Server)(nil), "istio.networking.v1alpha3.Server") proto.RegisterType((*Server_TLSOptions)(nil), "istio.networking.v1alpha3.Server.TLSOptions") + proto.RegisterType((*Server_TLSOptions_CredentialStoreFileBackend)(nil), "istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend") + proto.RegisterType((*Server_TLSOptions_CredentialStoreRemoteBackend)(nil), "istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend") + proto.RegisterType((*Server_TLSOptions_CredentialStore)(nil), "istio.networking.v1alpha3.Server.TLSOptions.CredentialStore") proto.RegisterType((*Port)(nil), "istio.networking.v1alpha3.Port") proto.RegisterEnum("istio.networking.v1alpha3.Server_TLSOptions_TLSmode", Server_TLSOptions_TLSmode_name, Server_TLSOptions_TLSmode_value) proto.RegisterEnum("istio.networking.v1alpha3.Server_TLSOptions_TLSProtocol", Server_TLSOptions_TLSProtocol_name, Server_TLSOptions_TLSProtocol_value) 
@@ -757,15 +963,132 @@ func (m *Server_TLSOptions) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], s) } } - if len(m.SdsName) > 0 { + if m.CredentialStore != nil { dAtA[i] = 0x52 i++ - i = encodeVarintGateway(dAtA, i, uint64(len(m.SdsName))) - i += copy(dAtA[i:], m.SdsName) + i = encodeVarintGateway(dAtA, i, uint64(m.CredentialStore.Size())) + n3, err := m.CredentialStore.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n3 + } + return i, nil +} + +func (m *Server_TLSOptions_CredentialStoreFileBackend) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *Server_TLSOptions_CredentialStoreFileBackend) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.ServerCertificate) > 0 { + dAtA[i] = 0x1a + i++ + i = encodeVarintGateway(dAtA, i, uint64(len(m.ServerCertificate))) + i += copy(dAtA[i:], m.ServerCertificate) + } + if len(m.PrivateKey) > 0 { + dAtA[i] = 0x22 + i++ + i = encodeVarintGateway(dAtA, i, uint64(len(m.PrivateKey))) + i += copy(dAtA[i:], m.PrivateKey) + } + return i, nil +} + +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if len(m.ResourceName) > 0 { + dAtA[i] = 0xa + i++ + i = encodeVarintGateway(dAtA, i, uint64(len(m.ResourceName))) + i += copy(dAtA[i:], m.ResourceName) + } + if len(m.ServerAddress) > 0 { + dAtA[i] = 0x12 + i++ + i = encodeVarintGateway(dAtA, i, uint64(len(m.ServerAddress))) + i += copy(dAtA[i:], m.ServerAddress) + } + return i, nil +} + +func (m *Server_TLSOptions_CredentialStore) Marshal() (dAtA []byte, err error) 
{ + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalTo(dAtA) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *Server_TLSOptions_CredentialStore) MarshalTo(dAtA []byte) (int, error) { + var i int + _ = i + var l int + _ = l + if m.CredentialStore != nil { + nn4, err := m.CredentialStore.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += nn4 } return i, nil } +func (m *Server_TLSOptions_CredentialStore_Files) MarshalTo(dAtA []byte) (int, error) { + i := 0 + if m.Files != nil { + dAtA[i] = 0xa + i++ + i = encodeVarintGateway(dAtA, i, uint64(m.Files.Size())) + n5, err := m.Files.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n5 + } + return i, nil +} +func (m *Server_TLSOptions_CredentialStore_Remote) MarshalTo(dAtA []byte) (int, error) { + i := 0 + if m.Remote != nil { + dAtA[i] = 0x12 + i++ + i = encodeVarintGateway(dAtA, i, uint64(m.Remote.Size())) + n6, err := m.Remote.MarshalTo(dAtA[i:]) + if err != nil { + return 0, err + } + i += n6 + } + return i, nil +} func (m *Port) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -897,13 +1220,68 @@ func (m *Server_TLSOptions) Size() (n int) { n += 1 + l + sovGateway(uint64(l)) } } - l = len(m.SdsName) + if m.CredentialStore != nil { + l = m.CredentialStore.Size() + n += 1 + l + sovGateway(uint64(l)) + } + return n +} + +func (m *Server_TLSOptions_CredentialStoreFileBackend) Size() (n int) { + var l int + _ = l + l = len(m.ServerCertificate) + if l > 0 { + n += 1 + l + sovGateway(uint64(l)) + } + l = len(m.PrivateKey) + if l > 0 { + n += 1 + l + sovGateway(uint64(l)) + } + return n +} + +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Size() (n int) { + var l int + _ = l + l = len(m.ResourceName) + if l > 0 { + n += 1 + l + sovGateway(uint64(l)) + } + l = len(m.ServerAddress) if l > 0 { n += 1 + l + sovGateway(uint64(l)) } return n } +func (m *Server_TLSOptions_CredentialStore) Size() (n int) { + var l int + _ = l + if m.CredentialStore != nil { + n += m.CredentialStore.Size() + } + return n +} + +func (m *Server_TLSOptions_CredentialStore_Files) Size() (n int) { + var l int + _ = l + if m.Files != nil { + l = m.Files.Size() + n += 1 + l + sovGateway(uint64(l)) + } + return n +} +func (m *Server_TLSOptions_CredentialStore_Remote) Size() (n int) { + var l int + _ = l + if m.Remote != nil { + l = m.Remote.Size() + n += 1 + l + sovGateway(uint64(l)) + } + return n +} func (m *Port) Size() (n int) { var l int _ = l @@ -1589,9 +1967,9 @@ func (m *Server_TLSOptions) Unmarshal(dAtA []byte) error { iNdEx = postIndex case 10: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field SdsName", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field CredentialStore", wireType) } - var stringLen uint64 + var msglen int for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGateway 
@@ -1601,20 +1979,354 @@ func (m *Server_TLSOptions) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - stringLen |= (uint64(b) & 0x7F) << shift + msglen |= (int(b) & 0x7F) << shift if b < 0x80 { break } } - intStringLen := int(stringLen) - if intStringLen < 0 { + if msglen < 0 { return ErrInvalidLengthGateway } - postIndex := iNdEx + intStringLen + postIndex := iNdEx + msglen if postIndex > l { return io.ErrUnexpectedEOF } - m.SdsName = string(dAtA[iNdEx:postIndex]) + if m.CredentialStore == nil { + m.CredentialStore = &Server_TLSOptions_CredentialStore{} + } + if err := m.CredentialStore.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGateway(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGateway + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *Server_TLSOptions_CredentialStoreFileBackend) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: CredentialStoreFileBackend: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: CredentialStoreFileBackend: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ServerCertificate", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx 
>= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGateway + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ServerCertificate = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 4: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field PrivateKey", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGateway + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.PrivateKey = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGateway(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGateway + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: CredentialStoreRemoteBackend: wiretype end group for non-group") + } + if fieldNum <= 0 { + return 
fmt.Errorf("proto: CredentialStoreRemoteBackend: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ResourceName", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGateway + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ResourceName = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field ServerAddress", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthGateway + } + postIndex := iNdEx + intStringLen + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.ServerAddress = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipGateway(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthGateway + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} +func (m *Server_TLSOptions_CredentialStore) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + 
return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: CredentialStore: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: CredentialStore: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Files", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGateway + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &Server_TLSOptions_CredentialStoreFileBackend{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.CredentialStore = &Server_TLSOptions_CredentialStore_Files{v} + iNdEx = postIndex + case 2: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Remote", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowGateway + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthGateway + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + v := &Server_TLSOptions_CredentialStoreRemoteBackend{} + if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { + return err + } + m.CredentialStore = &Server_TLSOptions_CredentialStore_Remote{v} iNdEx = postIndex default: iNdEx = preIndex 
@@ -1872,48 +2584,57 @@ var ( func init() { proto.RegisterFile("networking/v1alpha3/gateway.proto", fileDescriptorGateway) } var fileDescriptorGateway = []byte{ - // 673 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0x4d, 0x4f, 0xdb, 0x4c, - 0x10, 0xc6, 0x49, 0xc8, 0xc7, 0x84, 0x10, 0xb3, 0x42, 0xaf, 0x0c, 0x07, 0x3e, 0xf2, 0xea, 0xd5, - 0x4b, 0xab, 0xd6, 0x81, 0xa4, 0x07, 0x54, 0xa4, 0x4a, 0x69, 0x85, 0x48, 0xd5, 0x40, 0x22, 0x3b, - 0xe1, 0xd0, 0x8b, 0xb5, 0x71, 0x16, 0xb2, 0xe0, 0x78, 0xad, 0xdd, 0x4d, 0x20, 0x7f, 0xa9, 0xbf, - 0xa4, 0xc7, 0xf6, 0xd0, 0x7b, 0xc5, 0x2f, 0xa9, 0x76, 0xed, 0x90, 0xf4, 0x8b, 0x0a, 0xf5, 0x36, - 0xf3, 0xcc, 0xcc, 0x33, 0x33, 0xcf, 0xac, 0x0d, 0xbb, 0x21, 0x91, 0x37, 0x8c, 0x5f, 0xd3, 0xf0, - 0xb2, 0x3a, 0x39, 0xc0, 0x41, 0x34, 0xc4, 0xf5, 0xea, 0x25, 0x96, 0xe4, 0x06, 0x4f, 0xed, 0x88, - 0x33, 0xc9, 0xd0, 0x06, 0x15, 0x92, 0x32, 0x7b, 0x9e, 0x68, 0xcf, 0x12, 0x2b, 0x9f, 0x0d, 0xc8, - 0x9d, 0xc4, 0xc9, 0xe8, 0x08, 0x72, 0x82, 0xf0, 0x09, 0xe1, 0xc2, 0x32, 0x76, 0xd2, 0x7b, 0xc5, - 0xda, 0xae, 0xfd, 0xdb, 0x42, 0xdb, 0xd5, 0x99, 0xce, 0xac, 0x02, 0xb5, 0x20, 0x2f, 0x48, 0x40, - 0x7c, 0xc9, 0xb8, 0x95, 0xd2, 0xd5, 0xfb, 0x0f, 0x54, 0x27, 0x2d, 0x6d, 0x37, 0x29, 0x39, 0x0e, - 0x25, 0x9f, 0x3a, 0xf7, 0x0c, 0x9b, 0x47, 0x50, 0xfa, 0x2e, 0x84, 0x4c, 0x48, 0x5f, 0x93, 0xa9, - 0x65, 0xec, 0x18, 0x7b, 0x05, 0x47, 0x99, 0x68, 0x1d, 0x96, 0x27, 0x38, 0x18, 0x13, 0x2b, 0xa5, - 0xb1, 0xd8, 0x79, 0x99, 0x3a, 0x34, 0x2a, 0x1f, 0x72, 0x90, 0x8d, 0xc7, 0x43, 0x75, 0xc8, 0x44, - 0x8c, 0x4b, 0x5d, 0x57, 0xac, 0x6d, 0x3f, 0x30, 0x51, 0x87, 0x71, 0xe9, 0xe8, 0x64, 0xc5, 0x3c, - 0x64, 0x42, 0x0a, 0xbd, 0x47, 0xc1, 0x89, 0x1d, 0xf4, 0x0a, 0xd2, 0x32, 0x10, 0x56, 0x5a, 0x33, - 0x3d, 0xfb, 0xa3, 0x32, 0x76, 0xb7, 0xe5, 0xb6, 0x23, 0x49, 0x59, 0x28, 0x1c, 0x55, 0x88, 0x10, - 0x64, 0xfa, 0x34, 0x1c, 0x58, 0x19, 0x3d, 0xae, 0xb6, 0xd1, 0x13, 0x30, 0x07, 0xe4, 0x02, 0x8f, - 0x03, 0xe9, 0x91, 0x70, 
0x10, 0x31, 0x1a, 0x4a, 0x6b, 0x59, 0xc7, 0xcb, 0x09, 0x7e, 0x9c, 0xc0, - 0x9b, 0x5f, 0x96, 0x01, 0xe6, 0x94, 0xe8, 0x3f, 0x58, 0x1d, 0x4a, 0x19, 0x09, 0x8f, 0x93, 0x01, - 0xe5, 0xc4, 0x8f, 0x57, 0xcc, 0x3b, 0x25, 0x8d, 0x3a, 0x09, 0x88, 0x9a, 0x90, 0x19, 0xb1, 0x41, - 0xac, 0xd1, 0x6a, 0xed, 0xc5, 0x63, 0xa6, 0x56, 0xa6, 0xaa, 0x75, 0x34, 0x03, 0x7a, 0x0e, 0x28, - 0x3e, 0xb5, 0xe7, 0x13, 0x2e, 0xe9, 0x05, 0xf5, 0xb1, 0x24, 0x5a, 0x8d, 0x82, 0xb3, 0x16, 0x47, - 0xde, 0xcc, 0x03, 0x68, 0x1b, 0x8a, 0x11, 0xa7, 0x13, 0x2c, 0x89, 0xa7, 0xee, 0x16, 0x2f, 0x0d, - 0x09, 0xf4, 0x8e, 0x4c, 0xd1, 0xff, 0x50, 0xf6, 0xf1, 0x22, 0x97, 0x48, 0x36, 0x5f, 0xf5, 0xf1, - 0x02, 0x91, 0x40, 0x4f, 0x61, 0x4d, 0x8c, 0xfb, 0x57, 0xc4, 0x97, 0x1e, 0x0e, 0xa4, 0x17, 0xe2, - 0x11, 0x11, 0x56, 0x56, 0x5f, 0xa6, 0x9c, 0x04, 0x1a, 0x81, 0x3c, 0x53, 0x30, 0xba, 0x82, 0xf5, - 0x11, 0x0d, 0x3d, 0xfd, 0xea, 0x7d, 0x16, 0x78, 0xea, 0x65, 0x52, 0x16, 0x5a, 0x39, 0xbd, 0xfe, - 0xe1, 0x63, 0xd7, 0xef, 0x24, 0x3c, 0x0e, 0x1a, 0xd1, 0x70, 0xe6, 0x9c, 0xc7, 0x9c, 0xba, 0x17, - 0xbe, 0xfd, 0xb9, 0x57, 0xfe, 0xaf, 0x7b, 0xe1, 0xdb, 0x1f, 0x7b, 0xfd, 0x0b, 0x25, 0x9f, 0x46, - 0x43, 0xc2, 0x3d, 0x31, 0xa6, 0x4a, 0xaa, 0x82, 0xde, 0x7f, 0x25, 0x06, 0x5d, 0x8d, 0xa1, 0x0d, - 0xc8, 0x8b, 0x81, 0xd0, 0x02, 0x59, 0xa0, 0xa5, 0xcc, 0x89, 0x81, 0x50, 0xc2, 0x54, 0x9a, 0x90, - 0x4b, 0xae, 0x89, 0xca, 0x50, 0xec, 0x34, 0x5c, 0xb7, 0xdb, 0x74, 0xda, 0xbd, 0x93, 0xa6, 0xb9, - 0x84, 0x00, 0xb2, 0xee, 0xdb, 0xd3, 0x4e, 0xeb, 0xd8, 0x34, 0x94, 0x7d, 0xda, 0xeb, 0xf6, 0x1a, - 0x2d, 0x33, 0x85, 0xd6, 0xc1, 0x6c, 0xf4, 0xba, 0x6d, 0x6f, 0x31, 0x3b, 0x5d, 0x69, 0x43, 0x71, - 0x61, 0x58, 0xb4, 0x02, 0xf9, 0x6e, 0xcb, 0xf5, 0x54, 0xa2, 0xb9, 0x84, 0x8a, 0xba, 0xcd, 0xf9, - 0x81, 0xb7, 0x6f, 0x1a, 0x73, 0xe7, 0xc0, 0x4c, 0xcd, 0x9d, 0x9a, 0x99, 0x9e, 0x3b, 0x75, 0x33, - 0x53, 0x39, 0x83, 0x8c, 0xfa, 0xf4, 0xd0, 0x3f, 0x90, 0x0d, 0xc7, 0xa3, 0x3e, 0xe1, 0xfa, 0x21, - 0x97, 0x9c, 0xc4, 0x43, 0x9b, 0x90, 0x9f, 0x49, 0x9c, 0x7c, 
0xe9, 0xf7, 0xbe, 0xfa, 0xa4, 0xf4, - 0xb6, 0xf1, 0x2b, 0xd4, 0xf6, 0x6b, 0xfb, 0xe3, 0xdd, 0x96, 0xf1, 0xe9, 0x6e, 0xcb, 0xf8, 0x7a, - 0xb7, 0x65, 0xbc, 0xdf, 0x89, 0xaf, 0x40, 0x59, 0x15, 0x47, 0xb4, 0xfa, 0x8b, 0x3f, 0x65, 0x3f, - 0xab, 0xd9, 0xea, 0xdf, 0x02, 0x00, 0x00, 0xff, 0xff, 0x20, 0x65, 0xa6, 0x2f, 0x47, 0x05, 0x00, - 0x00, + // 820 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x4f, 0x23, 0x37, + 0x14, 0x65, 0x92, 0x10, 0x92, 0x3b, 0x84, 0x0c, 0x16, 0xaa, 0xa6, 0x51, 0xc5, 0xb2, 0x41, 0x55, + 0xb7, 0x55, 0x3b, 0x2c, 0xa1, 0x0f, 0xab, 0x6e, 0x55, 0x29, 0xac, 0x28, 0x59, 0x35, 0xbb, 0x20, + 0x4f, 0xd8, 0x87, 0xbe, 0x8c, 0xcc, 0x8c, 0x01, 0xc3, 0x64, 0x3c, 0xb2, 0x9d, 0xec, 0xe6, 0x17, + 0xb6, 0x8f, 0xed, 0x3f, 0xa8, 0x78, 0xec, 0x63, 0x7f, 0x41, 0x65, 0x8f, 0xf3, 0xb1, 0x29, 0x4b, + 0x85, 0x78, 0xf3, 0x3d, 0xbe, 0xf7, 0xdc, 0xeb, 0xe3, 0x33, 0x1e, 0x78, 0x9a, 0x51, 0xf5, 0x9e, + 0x8b, 0x1b, 0x96, 0x5d, 0xee, 0x8d, 0xf7, 0x49, 0x9a, 0x5f, 0x91, 0x83, 0xbd, 0x4b, 0xa2, 0xe8, + 0x7b, 0x32, 0x09, 0x72, 0xc1, 0x15, 0x47, 0x9f, 0x33, 0xa9, 0x18, 0x0f, 0xe6, 0x89, 0xc1, 0x34, + 0xb1, 0xfd, 0xa7, 0x03, 0x6b, 0xc7, 0x45, 0x32, 0x7a, 0x09, 0x6b, 0x92, 0x8a, 0x31, 0x15, 0xd2, + 0x77, 0x76, 0xca, 0xcf, 0xdc, 0xce, 0xd3, 0xe0, 0x93, 0x85, 0x41, 0x68, 0x32, 0xf1, 0xb4, 0x02, + 0xf5, 0xa1, 0x26, 0x69, 0x4a, 0x63, 0xc5, 0x85, 0x5f, 0x32, 0xd5, 0xcf, 0xef, 0xa9, 0xb6, 0x2d, + 0x83, 0xd0, 0x96, 0x1c, 0x65, 0x4a, 0x4c, 0xf0, 0x8c, 0xa1, 0xf5, 0x12, 0x1a, 0x1f, 0x6d, 0x21, + 0x0f, 0xca, 0x37, 0x74, 0xe2, 0x3b, 0x3b, 0xce, 0xb3, 0x3a, 0xd6, 0x4b, 0xb4, 0x05, 0xab, 0x63, + 0x92, 0x8e, 0xa8, 0x5f, 0x32, 0x58, 0x11, 0xfc, 0x50, 0x7a, 0xe1, 0xb4, 0x7f, 0x73, 0xa1, 0x5a, + 0x8c, 0x87, 0x0e, 0xa0, 0x92, 0x73, 0xa1, 0x4c, 0x9d, 0xdb, 0x79, 0x72, 0xcf, 0x44, 0xa7, 0x5c, + 0x28, 0x6c, 0x92, 0x35, 0xf3, 0x15, 0x97, 0x4a, 0x9a, 0x73, 0xd4, 0x71, 0x11, 0xa0, 0x9f, 0xa0, + 0xac, 0x52, 0xe9, 0x97, 0x0d, 0xd3, 0xb7, 
0xff, 0xab, 0x4c, 0x30, 0xe8, 0x87, 0x27, 0xb9, 0x62, + 0x3c, 0x93, 0x58, 0x17, 0x22, 0x04, 0x95, 0x73, 0x96, 0x25, 0x7e, 0xc5, 0x8c, 0x6b, 0xd6, 0xe8, + 0x6b, 0xf0, 0x12, 0x7a, 0x41, 0x46, 0xa9, 0x8a, 0x68, 0x96, 0xe4, 0x9c, 0x65, 0xca, 0x5f, 0x35, + 0xfb, 0x4d, 0x8b, 0x1f, 0x59, 0xb8, 0xf5, 0x4f, 0x1d, 0x60, 0x4e, 0x89, 0xbe, 0x84, 0x8d, 0x2b, + 0xa5, 0x72, 0x19, 0x09, 0x9a, 0x30, 0x41, 0xe3, 0xe2, 0x88, 0x35, 0xdc, 0x30, 0x28, 0xb6, 0x20, + 0xea, 0x41, 0x65, 0xc8, 0x93, 0x42, 0xa3, 0x8d, 0xce, 0xf7, 0x0f, 0x99, 0x5a, 0x2f, 0x75, 0x2d, + 0x36, 0x0c, 0x68, 0x1f, 0x50, 0x71, 0xd5, 0x51, 0x4c, 0x85, 0x62, 0x17, 0x2c, 0x26, 0x8a, 0x1a, + 0x35, 0xea, 0x87, 0x25, 0xdf, 0xc1, 0x9b, 0xc5, 0xee, 0xab, 0xf9, 0x26, 0xda, 0x05, 0x37, 0x17, + 0x6c, 0x4c, 0x14, 0x8d, 0xf4, 0xdd, 0x55, 0x66, 0xb9, 0x60, 0xe1, 0x5f, 0xe8, 0x04, 0x7d, 0x05, + 0xcd, 0x98, 0x2c, 0x72, 0x4a, 0xab, 0xc0, 0x46, 0x4c, 0x16, 0xc8, 0x24, 0xfa, 0x06, 0x36, 0xe5, + 0xe8, 0xfc, 0x9a, 0xc6, 0x2a, 0x22, 0xa9, 0x8a, 0x32, 0x32, 0xa4, 0xd2, 0xaf, 0x9a, 0x1b, 0x6a, + 0xda, 0x8d, 0x6e, 0xaa, 0xde, 0x6a, 0x18, 0x5d, 0xc3, 0xd6, 0x90, 0x65, 0x91, 0x71, 0x7f, 0xcc, + 0xd3, 0x48, 0x3b, 0x94, 0xf1, 0xcc, 0x5f, 0x33, 0x32, 0xbc, 0x78, 0xa8, 0x0c, 0xa7, 0x96, 0x07, + 0xa3, 0x21, 0xcb, 0xa6, 0xc1, 0xbb, 0x82, 0xd3, 0xf4, 0x22, 0x1f, 0xfe, 0xdb, 0xab, 0xf6, 0xe8, + 0x5e, 0xe4, 0xc3, 0x72, 0xaf, 0x5d, 0x68, 0xc4, 0x2c, 0xbf, 0xa2, 0x22, 0x92, 0x23, 0xa6, 0xa5, + 0xaa, 0x9b, 0xf3, 0xaf, 0x17, 0x60, 0x68, 0x30, 0x74, 0x09, 0x5e, 0x2c, 0x68, 0x42, 0x33, 0xc5, + 0x48, 0x1a, 0x49, 0xc5, 0x05, 0xf5, 0xc1, 0xb8, 0xf6, 0xc7, 0x07, 0x0d, 0xf3, 0x6a, 0x46, 0x12, + 0x6a, 0x0e, 0xdc, 0x8c, 0x3f, 0x06, 0x5a, 0x29, 0xb4, 0x96, 0x72, 0x7e, 0x66, 0x29, 0x3d, 0x24, + 0xf1, 0x0d, 0xcd, 0x12, 0xf4, 0xdd, 0xa7, 0x0d, 0x73, 0x97, 0x59, 0x9e, 0xdc, 0x61, 0x96, 0x45, + 0xa3, 0xb4, 0xae, 0xe1, 0x8b, 0xe5, 0x89, 0xe8, 0x90, 0xab, 0x59, 0xbf, 0x5d, 0x68, 0x08, 0x2a, + 0xf9, 0x48, 0xc4, 0xd4, 0x98, 0xc3, 0xbe, 0x15, 0xeb, 0x53, 0x50, 0x3b, 0x43, 
0x7f, 0x36, 0x76, + 0x28, 0x92, 0x24, 0x82, 0x4a, 0x69, 0x5f, 0x8f, 0x46, 0x81, 0x76, 0x0b, 0xb0, 0xf5, 0xb7, 0x03, + 0xcd, 0xa5, 0x66, 0x28, 0x82, 0xd5, 0x0b, 0x96, 0x52, 0x69, 0xdf, 0x92, 0xe3, 0xc7, 0x68, 0xb9, + 0xa0, 0x53, 0x6f, 0x05, 0x17, 0xbc, 0x28, 0x86, 0xaa, 0x30, 0x27, 0x32, 0x33, 0xb9, 0x9d, 0xd7, + 0x8f, 0xba, 0xad, 0x45, 0x6d, 0x7a, 0x2b, 0xd8, 0x52, 0x1f, 0x6e, 0xc2, 0xf2, 0x35, 0xb6, 0x7b, + 0xb0, 0x66, 0x3f, 0x75, 0xd4, 0x04, 0xf7, 0xb4, 0x1b, 0x86, 0x83, 0x1e, 0x3e, 0x39, 0x3b, 0xee, + 0x79, 0x2b, 0x08, 0xa0, 0x1a, 0xbe, 0x7e, 0x73, 0xda, 0x3f, 0xf2, 0x1c, 0xbd, 0x7e, 0x73, 0x36, + 0x38, 0xeb, 0xf6, 0xbd, 0x12, 0xda, 0x02, 0xaf, 0x7b, 0x36, 0x38, 0x89, 0x16, 0xb3, 0xcb, 0xed, + 0x13, 0x70, 0x17, 0x1c, 0x8c, 0xd6, 0xa1, 0x36, 0xe8, 0x87, 0x91, 0x4e, 0xf4, 0x56, 0x90, 0x6b, + 0xda, 0xbc, 0xdb, 0x8f, 0x9e, 0x7b, 0xce, 0x3c, 0xd8, 0xf7, 0x4a, 0xf3, 0xa0, 0xe3, 0x95, 0xe7, + 0xc1, 0x81, 0x57, 0x69, 0xbf, 0x85, 0x8a, 0x7e, 0x97, 0xd1, 0x67, 0x50, 0xcd, 0x46, 0xc3, 0x73, + 0x2a, 0x8c, 0xf8, 0x0d, 0x6c, 0x23, 0xd4, 0x82, 0xda, 0xf4, 0xbb, 0xb3, 0x17, 0x39, 0x8b, 0xf5, + 0x7b, 0x6b, 0x6c, 0x50, 0x38, 0xce, 0xac, 0x0f, 0x83, 0xdf, 0x6f, 0xb7, 0x9d, 0x3f, 0x6e, 0xb7, + 0x9d, 0xbf, 0x6e, 0xb7, 0x9d, 0x5f, 0x77, 0x0a, 0x7d, 0x19, 0xdf, 0x23, 0x39, 0xdb, 0xbb, 0xe3, + 0x37, 0x7a, 0x5e, 0x35, 0x6c, 0x07, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xf7, 0x4c, 0xea, 0xeb, + 0x64, 0x07, 0x00, 0x00, } diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index ad9f22791b..282a72f3d5 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto 
@@ -291,13 +291,55 @@ message Server { // enforced. TLSmode mode = 2; + // The file backend specifies the file system paths where the + // server's public and private keys can be obtained. + message CredentialStoreFileBackend { + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server-side TLS certificate to use. + string server_certificate = 3; + + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server's private key. + string private_key = 4; + }; + + // The remote backend provides information about the remote secret + // management server that contains the server's public and private keys. + message CredentialStoreRemoteBackend { + // REQUIRED the name of the resource that the credential server can + // use to identify the certificates associated with the gateway + // server. In kubernetes, this should correspond to the name of the + // secret that contains the server-side TLS certificate and the + // server's private key. Note that the secret should contain both the + // public and private keys associated with the server port. + // + // It is possible to use the same resourceName across several servers + // on different ports, if these servers share the same credentials. + string resource_name = 1; + + // The address where the credential store server can be reached. + // If omitted, will default to unix:/var/run/gateway/sds + string server_address = 2; + }; + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server-side TLS certificate to use. - string server_certificate = 3; + // Deprecated. Use + string server_certificate = 3 [deprecated=true]; // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server's private key. 
- string private_key = 4; + string private_key = 4 [deprecated=true]; + + message CredentialStore { + oneof credentialStore { + CredentialStoreFileBackend files = 1; + CredentialStoreRemoteBackend remote = 2; + } + } + + // REQUIRED if the mode is `SIMPLE` or `MUTUAL`. + CredentialStore credential_store = 10; // REQUIRED if mode is `MUTUAL`. The path to a file containing // certificate authority certificates to use in verifying a presented @@ -335,13 +377,6 @@ message Server { // Optional: If specified, only support the specified cipher list. // Otherwise default to the default cipher list supported by Envoy. repeated string cipher_suites = 9; - - // Optional: If specified, the gateway controllers (with SDS enabled) - // use the specified name as the SDS secret config name to call the SDS - // server, to retrieve the key and certificates. Otherwise, the gateway - // controllers (with SDS enabled) use the first value in the hosts as - // the SDS secret config name to call the SDS server. - string sds_name = 10; } // Set of TLS related options that govern the server's behavior. Use diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index d4b3616627..aff9a57773 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs aliases: - /docs/reference/config/istio.routing.v1alpha1/ -number_of_entries: 60 +number_of_entries: 63 ---
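Review bot: `server_address` in `CredentialStoreRemoteBackend` lets whoever authors the Gateway resource choose the endpoint the gateway fetches the server's private key from, and its comment does not say which address schemes are accepted or how that endpoint is authenticated. The comment should state the constraint, for example `// Must be a unix domain socket path or a TLS-protected endpoint controlled by the mesh operator.`, and validation should reject anything else; whether the consumer already enforces this is not visible in this hunk. Separately, `credential_store = 10` takes the tag that the following hunk frees by deleting `string sds_name = 10`, and since both fields are length-delimited on the wire, a message serialized with `sds_name` would be decoded as a `CredentialStore`. Prefer `reserved 10; reserved "sds_name";` and an unused number, e.g. `CredentialStore credential_store = 11;` if 11 is free. The `// Deprecated. Use` comment on `server_certificate` is cut off and should name the replacement, `credential_store`.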

Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

@@ -2928,22 +2928,31 @@

Server.TLSOptions

- + serverCertificate string

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server-side TLS certificate to use.

+holding the server-side TLS certificate to use. +Deprecated. Use

- + privateKey string

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server’s private key.

+ + + +credentialStore +Server.TLSOptions.CredentialStore + +

REQUIRED if the mode is SIMPLE or MUTUAL.

+ @@ -2990,15 +2999,106 @@

Server.TLSOptions

- -sdsName + + + +

Server.TLSOptions.CredentialStore

+
+ + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
filesServer.TLSOptions.CredentialStoreFileBackend (oneof) +
remoteServer.TLSOptions.CredentialStoreRemoteBackend (oneof) +
+
+

Server.TLSOptions.CredentialStoreFileBackend

+
+

The file backend specifies the file system paths where the +server’s public and private keys can be obtained.

+ + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
serverCertificatestring +

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +holding the server-side TLS certificate to use.

+ +
privateKeystring +

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +holding the server’s private key.

+ +
+
+

Server.TLSOptions.CredentialStoreRemoteBackend

+
+

The remote backend provides information about the remote secret +management server that contains the server’s public and private keys.

+ + + + + + + + + + + + + + + + + diff --git a/proto.lock b/proto.lock index c0b4dd150f..f0cb8b6af0 100644 --- a/proto.lock +++ b/proto.lock @@ -3300,6 +3300,11 @@ "name": "private_key", "type": "string" }, + { + "id": 10, + "name": "credential_store", + "type": "CredentialStore" + }, { "id": 5, "name": "ca_certificates", @@ -3326,11 +3331,53 @@ "name": "cipher_suites", "type": "string", "is_repeated": true + } + ], + "messages": [ + { + "name": "CredentialStoreFileBackend", + "fields": [ + { + "id": 3, + "name": "server_certificate", + "type": "string" + }, + { + "id": 4, + "name": "private_key", + "type": "string" + } + ] }, { - "id": 10, - "name": "sds_name", - "type": "string" + "name": "CredentialStoreRemoteBackend", + "fields": [ + { + "id": 1, + "name": "resource_name", + "type": "string" + }, + { + "id": 2, + "name": "server_address", + "type": "string" + } + ] + }, + { + "name": "CredentialStore", + "fields": [ + { + "id": 1, + "name": "files", + "type": "CredentialStoreFileBackend" + }, + { + "id": 2, + "name": "remote", + "type": "CredentialStoreRemoteBackend" + } + ] } ] } diff --git a/python/istio_api/networking/v1alpha3/gateway_pb2.py b/python/istio_api/networking/v1alpha3/gateway_pb2.py index 77c9a04a9d..bbd46f864d 100644 --- a/python/istio_api/networking/v1alpha3/gateway_pb2.py +++ b/python/istio_api/networking/v1alpha3/gateway_pb2.py 
@@ -19,7 +19,7 @@ name='networking/v1alpha3/gateway.proto', package='istio.networking.v1alpha3', syntax='proto3', - serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xed\x05\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\xc1\x04\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x12\x10\n\x08sds_name\x18\n \x01(\t\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') + 
serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xb7\t\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\x8b\x08\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1e\n\x12server_certificate\x18\x03 \x01(\tB\x02\x18\x01\x12\x17\n\x0bprivate_key\x18\x04 \x01(\tB\x02\x18\x01\x12V\n\x10\x63redential_store\x18\n \x01(\x0b\x32<.istio.networking.v1alpha3.Server.TLSOptions.CredentialStore\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x1aM\n\x1a\x43redentialStoreFileBackend\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x1aM\n\x1c\x43redentialStoreRemoteBackend\x12\x15\n\rresource_name\x18\x01 \x01(\t\x12\x16\n\x0eserver_address\x18\x02 \x01(\t\x1a\xdb\x01\n\x0f\x43redentialStore\x12X\n\x05\x66iles\x18\x01 \x01(\x0b\x32G.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackendH\x00\x12[\n\x06remote\x18\x02 
\x01(\x0b\x32I.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackendH\x00\x42\x11\n\x0f\x63redentialStore\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') ) @@ -49,8 +49,8 @@ ], containing_type=None, options=None, - serialized_start=842, - serialized_end=914, + serialized_start=1300, + serialized_end=1372, ) _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSMODE) @@ -83,8 +83,8 @@ ], containing_type=None, options=None, - serialized_start=916, - serialized_end=995, + serialized_start=1374, + serialized_end=1453, ) _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSPROTOCOL) 
@@ -164,6 +164,120 @@ ) +_SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND = _descriptor.Descriptor( + name='CredentialStoreFileBackend', + full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='server_certificate', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend.server_certificate', index=0, + number=3, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='private_key', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend.private_key', index=1, + number=4, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[], + enum_types=[ + ], + options=None, + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + ], + serialized_start=920, + serialized_end=997, +) + +_SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND = _descriptor.Descriptor( + name='CredentialStoreRemoteBackend', + full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='resource_name', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend.resource_name', index=0, + number=1, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), 
+ _descriptor.FieldDescriptor( + name='server_address', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend.server_address', index=1, + number=2, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[], + enum_types=[ + ], + options=None, + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + ], + serialized_start=999, + serialized_end=1076, +) + +_SERVER_TLSOPTIONS_CREDENTIALSTORE = _descriptor.Descriptor( + name='CredentialStore', + full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='files', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.files', index=0, + number=1, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='remote', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.remote', index=1, + number=2, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[], + enum_types=[ + ], + options=None, + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + _descriptor.OneofDescriptor( + name='credentialStore', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.credentialStore', + index=0, containing_type=None, fields=[]), + ], + serialized_start=1079, + serialized_end=1298, +) + 
_SERVER_TLSOPTIONS = _descriptor.Descriptor( name='TLSOptions', full_name='istio.networking.v1alpha3.Server.TLSOptions', 
@@ -191,60 +305,60 @@ has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), + options=_descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')), file=DESCRIPTOR), _descriptor.FieldDescriptor( name='private_key', full_name='istio.networking.v1alpha3.Server.TLSOptions.private_key', index=3, number=4, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, + options=_descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')), file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='credential_store', full_name='istio.networking.v1alpha3.Server.TLSOptions.credential_store', index=4, + number=10, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='ca_certificates', full_name='istio.networking.v1alpha3.Server.TLSOptions.ca_certificates', index=4, + name='ca_certificates', full_name='istio.networking.v1alpha3.Server.TLSOptions.ca_certificates', index=5, number=5, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='subject_alt_names', full_name='istio.networking.v1alpha3.Server.TLSOptions.subject_alt_names', index=5, + name='subject_alt_names', full_name='istio.networking.v1alpha3.Server.TLSOptions.subject_alt_names', index=6, number=6, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, 
is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='min_protocol_version', full_name='istio.networking.v1alpha3.Server.TLSOptions.min_protocol_version', index=6, + name='min_protocol_version', full_name='istio.networking.v1alpha3.Server.TLSOptions.min_protocol_version', index=7, number=7, type=14, cpp_type=8, label=1, has_default_value=False, default_value=0, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='max_protocol_version', full_name='istio.networking.v1alpha3.Server.TLSOptions.max_protocol_version', index=7, + name='max_protocol_version', full_name='istio.networking.v1alpha3.Server.TLSOptions.max_protocol_version', index=8, number=8, type=14, cpp_type=8, label=1, has_default_value=False, default_value=0, message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='cipher_suites', full_name='istio.networking.v1alpha3.Server.TLSOptions.cipher_suites', index=8, + name='cipher_suites', full_name='istio.networking.v1alpha3.Server.TLSOptions.cipher_suites', index=9, number=9, type=9, cpp_type=9, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='sds_name', full_name='istio.networking.v1alpha3.Server.TLSOptions.sds_name', index=9, - number=10, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), ], extensions=[ ], - nested_types=[], + nested_types=[_SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND, _SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND, 
_SERVER_TLSOPTIONS_CREDENTIALSTORE, ], enum_types=[ _SERVER_TLSOPTIONS_TLSMODE, _SERVER_TLSOPTIONS_TLSPROTOCOL, @@ -256,7 +370,7 @@ oneofs=[ ], serialized_start=418, - serialized_end=995, + serialized_end=1453, ) _SERVER = _descriptor.Descriptor( @@ -314,7 +428,7 @@ oneofs=[ ], serialized_start=246, - serialized_end=995, + serialized_end=1453, ) 
@@ -358,14 +472,26 @@ extension_ranges=[], oneofs=[ ], - serialized_start=997, - serialized_end=1051, + serialized_start=1455, + serialized_end=1509, ) _GATEWAY_SELECTORENTRY.containing_type = _GATEWAY _GATEWAY.fields_by_name['servers'].message_type = _SERVER _GATEWAY.fields_by_name['selector'].message_type = _GATEWAY_SELECTORENTRY +_SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND.containing_type = _SERVER_TLSOPTIONS +_SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND.containing_type = _SERVER_TLSOPTIONS +_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND +_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND +_SERVER_TLSOPTIONS_CREDENTIALSTORE.containing_type = _SERVER_TLSOPTIONS +_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'].fields.append( + _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files']) +_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'] +_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'].fields.append( + _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote']) +_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'] _SERVER_TLSOPTIONS.fields_by_name['mode'].enum_type = _SERVER_TLSOPTIONS_TLSMODE +_SERVER_TLSOPTIONS.fields_by_name['credential_store'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTORE _SERVER_TLSOPTIONS.fields_by_name['min_protocol_version'].enum_type = _SERVER_TLSOPTIONS_TLSPROTOCOL _SERVER_TLSOPTIONS.fields_by_name['max_protocol_version'].enum_type = _SERVER_TLSOPTIONS_TLSPROTOCOL _SERVER_TLSOPTIONS.containing_type = _SERVER 
@@ -396,6 +522,27 @@ Server = _reflection.GeneratedProtocolMessageType('Server', (_message.Message,), dict( TLSOptions = _reflection.GeneratedProtocolMessageType('TLSOptions', (_message.Message,), dict( + + CredentialStoreFileBackend = _reflection.GeneratedProtocolMessageType('CredentialStoreFileBackend', (_message.Message,), dict( + DESCRIPTOR = _SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND, + __module__ = 'networking.v1alpha3.gateway_pb2' + # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend) + )) + , + + CredentialStoreRemoteBackend = _reflection.GeneratedProtocolMessageType('CredentialStoreRemoteBackend', (_message.Message,), dict( + DESCRIPTOR = _SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND, + __module__ = 'networking.v1alpha3.gateway_pb2' + # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend) + )) + , + + CredentialStore = _reflection.GeneratedProtocolMessageType('CredentialStore', (_message.Message,), dict( + DESCRIPTOR = _SERVER_TLSOPTIONS_CREDENTIALSTORE, + __module__ = 'networking.v1alpha3.gateway_pb2' + # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions.CredentialStore) + )) + , DESCRIPTOR = _SERVER_TLSOPTIONS, __module__ = 'networking.v1alpha3.gateway_pb2' # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions) @@ -407,6 +554,9 @@ )) _sym_db.RegisterMessage(Server) _sym_db.RegisterMessage(Server.TLSOptions) +_sym_db.RegisterMessage(Server.TLSOptions.CredentialStoreFileBackend) +_sym_db.RegisterMessage(Server.TLSOptions.CredentialStoreRemoteBackend) +_sym_db.RegisterMessage(Server.TLSOptions.CredentialStore) Port = _reflection.GeneratedProtocolMessageType('Port', (_message.Message,), dict( DESCRIPTOR = _PORT, 
@@ -420,4 +570,8 @@ DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z istio.io/api/networking/v1alpha3')) _GATEWAY_SELECTORENTRY.has_options = True _GATEWAY_SELECTORENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')) +_SERVER_TLSOPTIONS.fields_by_name['server_certificate'].has_options = True +_SERVER_TLSOPTIONS.fields_by_name['server_certificate']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')) +_SERVER_TLSOPTIONS.fields_by_name['private_key'].has_options = True +_SERVER_TLSOPTIONS.fields_by_name['private_key']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')) # @@protoc_insertion_point(module_scope) From 3d7b336732d08c3ff2afa0f74570bbbf360ad453 Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Tue, 29 Jan 2019 16:06:44 -0500 Subject: [PATCH 2/7] lint Signed-off-by: Shriram Rajagopalan --- networking/v1alpha3/gateway.pb.go | 116 +++++++++--------- networking/v1alpha3/gateway.proto | 2 +- .../networking/v1alpha3/gateway_pb2.py | 30 ++--- 3 files changed, 74 insertions(+), 74 deletions(-) diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 75e09f3975..10483edacd 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go @@ -590,7 +590,7 @@ type Server_TLSOptions_CredentialStore struct { // Types that are valid to be assigned to CredentialStore: // *Server_TLSOptions_CredentialStore_Files // *Server_TLSOptions_CredentialStore_Remote - CredentialStore isServer_TLSOptions_CredentialStore_CredentialStore `protobuf_oneof:"credentialStore"` + CredentialStore isServer_TLSOptions_CredentialStore_CredentialStore `protobuf_oneof:"credential_store"` } func (m *Server_TLSOptions_CredentialStore) Reset() { *m = Server_TLSOptions_CredentialStore{} } 
@@ -649,7 +649,7 @@ func (*Server_TLSOptions_CredentialStore) XXX_OneofFuncs() (func(msg proto.Messa func _Server_TLSOptions_CredentialStore_OneofMarshaler(msg proto.Message, b *proto.Buffer) error { m := msg.(*Server_TLSOptions_CredentialStore) - // credentialStore + // credential_store switch x := m.CredentialStore.(type) { case *Server_TLSOptions_CredentialStore_Files: _ = b.EncodeVarint(1<<3 | proto.WireBytes) @@ -671,7 +671,7 @@ func _Server_TLSOptions_CredentialStore_OneofMarshaler(msg proto.Message, b *pro func _Server_TLSOptions_CredentialStore_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) { m := msg.(*Server_TLSOptions_CredentialStore) switch tag { - case 1: // credentialStore.files + case 1: // credential_store.files if wire != proto.WireBytes { return true, proto.ErrInternalBadWireType } @@ -679,7 +679,7 @@ func _Server_TLSOptions_CredentialStore_OneofUnmarshaler(msg proto.Message, tag, err := b.DecodeMessage(msg) m.CredentialStore = &Server_TLSOptions_CredentialStore_Files{msg} return true, err - case 2: // credentialStore.remote + case 2: // credential_store.remote if wire != proto.WireBytes { return true, proto.ErrInternalBadWireType } @@ -694,7 +694,7 @@ func _Server_TLSOptions_CredentialStore_OneofUnmarshaler(msg proto.Message, tag, func _Server_TLSOptions_CredentialStore_OneofSizer(msg proto.Message) (n int) { m := msg.(*Server_TLSOptions_CredentialStore) - // credentialStore + // credential_store switch x := m.CredentialStore.(type) { case *Server_TLSOptions_CredentialStore_Files: s := proto.Size(x.Files) 
@@ -2584,57 +2584,57 @@ var ( func init() { proto.RegisterFile("networking/v1alpha3/gateway.proto", fileDescriptorGateway) } var fileDescriptorGateway = []byte{ - // 820 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x4f, 0x23, 0x37, - 0x14, 0x65, 0x92, 0x10, 0x92, 0x3b, 0x84, 0x0c, 0x16, 0xaa, 0xa6, 0x51, 0xc5, 0xb2, 0x41, 0x55, - 0xb7, 0x55, 0x3b, 0x2c, 0xa1, 0x0f, 0xab, 0x6e, 0x55, 0x29, 0xac, 0x28, 0x59, 0x35, 0xbb, 0x20, - 0x4f, 0xd8, 0x87, 0xbe, 0x8c, 0xcc, 0x8c, 0x01, 0xc3, 0x64, 0x3c, 0xb2, 0x9d, 0xec, 0xe6, 0x17, - 0xb6, 0x8f, 0xed, 0x3f, 0xa8, 0x78, 0xec, 0x63, 0x7f, 0x41, 0x65, 0x8f, 0xf3, 0xb1, 0x29, 0x4b, - 0x85, 0x78, 0xf3, 0x3d, 0xbe, 0xf7, 0xdc, 0xeb, 0xe3, 0x33, 0x1e, 0x78, 0x9a, 0x51, 0xf5, 0x9e, - 0x8b, 0x1b, 0x96, 0x5d, 0xee, 0x8d, 0xf7, 0x49, 0x9a, 0x5f, 0x91, 0x83, 0xbd, 0x4b, 0xa2, 0xe8, - 0x7b, 0x32, 0x09, 0x72, 0xc1, 0x15, 0x47, 0x9f, 0x33, 0xa9, 0x18, 0x0f, 0xe6, 0x89, 0xc1, 0x34, - 0xb1, 0xfd, 0xa7, 0x03, 0x6b, 0xc7, 0x45, 0x32, 0x7a, 0x09, 0x6b, 0x92, 0x8a, 0x31, 0x15, 0xd2, - 0x77, 0x76, 0xca, 0xcf, 0xdc, 0xce, 0xd3, 0xe0, 0x93, 0x85, 0x41, 0x68, 0x32, 0xf1, 0xb4, 0x02, - 0xf5, 0xa1, 0x26, 0x69, 0x4a, 0x63, 0xc5, 0x85, 0x5f, 0x32, 0xd5, 0xcf, 0xef, 0xa9, 0xb6, 0x2d, - 0x83, 0xd0, 0x96, 0x1c, 0x65, 0x4a, 0x4c, 0xf0, 0x8c, 0xa1, 0xf5, 0x12, 0x1a, 0x1f, 0x6d, 0x21, - 0x0f, 0xca, 0x37, 0x74, 0xe2, 0x3b, 0x3b, 0xce, 0xb3, 0x3a, 0xd6, 0x4b, 0xb4, 0x05, 0xab, 0x63, - 0x92, 0x8e, 0xa8, 0x5f, 0x32, 0x58, 0x11, 0xfc, 0x50, 0x7a, 0xe1, 0xb4, 0x7f, 0x73, 0xa1, 0x5a, - 0x8c, 0x87, 0x0e, 0xa0, 0x92, 0x73, 0xa1, 0x4c, 0x9d, 0xdb, 0x79, 0x72, 0xcf, 0x44, 0xa7, 0x5c, - 0x28, 0x6c, 0x92, 0x35, 0xf3, 0x15, 0x97, 0x4a, 0x9a, 0x73, 0xd4, 0x71, 0x11, 0xa0, 0x9f, 0xa0, - 0xac, 0x52, 0xe9, 0x97, 0x0d, 0xd3, 0xb7, 0xff, 0xab, 0x4c, 0x30, 0xe8, 0x87, 0x27, 0xb9, 0x62, - 0x3c, 0x93, 0x58, 0x17, 0x22, 0x04, 0x95, 0x73, 0x96, 0x25, 0x7e, 0xc5, 0x8c, 0x6b, 0xd6, 0xe8, - 0x6b, 0xf0, 0x12, 0x7a, 
0x41, 0x46, 0xa9, 0x8a, 0x68, 0x96, 0xe4, 0x9c, 0x65, 0xca, 0x5f, 0x35, - 0xfb, 0x4d, 0x8b, 0x1f, 0x59, 0xb8, 0xf5, 0x4f, 0x1d, 0x60, 0x4e, 0x89, 0xbe, 0x84, 0x8d, 0x2b, - 0xa5, 0x72, 0x19, 0x09, 0x9a, 0x30, 0x41, 0xe3, 0xe2, 0x88, 0x35, 0xdc, 0x30, 0x28, 0xb6, 0x20, - 0xea, 0x41, 0x65, 0xc8, 0x93, 0x42, 0xa3, 0x8d, 0xce, 0xf7, 0x0f, 0x99, 0x5a, 0x2f, 0x75, 0x2d, - 0x36, 0x0c, 0x68, 0x1f, 0x50, 0x71, 0xd5, 0x51, 0x4c, 0x85, 0x62, 0x17, 0x2c, 0x26, 0x8a, 0x1a, - 0x35, 0xea, 0x87, 0x25, 0xdf, 0xc1, 0x9b, 0xc5, 0xee, 0xab, 0xf9, 0x26, 0xda, 0x05, 0x37, 0x17, - 0x6c, 0x4c, 0x14, 0x8d, 0xf4, 0xdd, 0x55, 0x66, 0xb9, 0x60, 0xe1, 0x5f, 0xe8, 0x04, 0x7d, 0x05, - 0xcd, 0x98, 0x2c, 0x72, 0x4a, 0xab, 0xc0, 0x46, 0x4c, 0x16, 0xc8, 0x24, 0xfa, 0x06, 0x36, 0xe5, - 0xe8, 0xfc, 0x9a, 0xc6, 0x2a, 0x22, 0xa9, 0x8a, 0x32, 0x32, 0xa4, 0xd2, 0xaf, 0x9a, 0x1b, 0x6a, - 0xda, 0x8d, 0x6e, 0xaa, 0xde, 0x6a, 0x18, 0x5d, 0xc3, 0xd6, 0x90, 0x65, 0x91, 0x71, 0x7f, 0xcc, - 0xd3, 0x48, 0x3b, 0x94, 0xf1, 0xcc, 0x5f, 0x33, 0x32, 0xbc, 0x78, 0xa8, 0x0c, 0xa7, 0x96, 0x07, - 0xa3, 0x21, 0xcb, 0xa6, 0xc1, 0xbb, 0x82, 0xd3, 0xf4, 0x22, 0x1f, 0xfe, 0xdb, 0xab, 0xf6, 0xe8, - 0x5e, 0xe4, 0xc3, 0x72, 0xaf, 0x5d, 0x68, 0xc4, 0x2c, 0xbf, 0xa2, 0x22, 0x92, 0x23, 0xa6, 0xa5, - 0xaa, 0x9b, 0xf3, 0xaf, 0x17, 0x60, 0x68, 0x30, 0x74, 0x09, 0x5e, 0x2c, 0x68, 0x42, 0x33, 0xc5, - 0x48, 0x1a, 0x49, 0xc5, 0x05, 0xf5, 0xc1, 0xb8, 0xf6, 0xc7, 0x07, 0x0d, 0xf3, 0x6a, 0x46, 0x12, - 0x6a, 0x0e, 0xdc, 0x8c, 0x3f, 0x06, 0x5a, 0x29, 0xb4, 0x96, 0x72, 0x7e, 0x66, 0x29, 0x3d, 0x24, - 0xf1, 0x0d, 0xcd, 0x12, 0xf4, 0xdd, 0xa7, 0x0d, 0x73, 0x97, 0x59, 0x9e, 0xdc, 0x61, 0x96, 0x45, - 0xa3, 0xb4, 0xae, 0xe1, 0x8b, 0xe5, 0x89, 0xe8, 0x90, 0xab, 0x59, 0xbf, 0x5d, 0x68, 0x08, 0x2a, - 0xf9, 0x48, 0xc4, 0xd4, 0x98, 0xc3, 0xbe, 0x15, 0xeb, 0x53, 0x50, 0x3b, 0x43, 0x7f, 0x36, 0x76, - 0x28, 0x92, 0x24, 0x82, 0x4a, 0x69, 0x5f, 0x8f, 0x46, 0x81, 0x76, 0x0b, 0xb0, 0xf5, 0xb7, 0x03, - 0xcd, 0xa5, 0x66, 0x28, 0x82, 0xd5, 0x0b, 0x96, 0x52, 0x69, 
0xdf, 0x92, 0xe3, 0xc7, 0x68, 0xb9, - 0xa0, 0x53, 0x6f, 0x05, 0x17, 0xbc, 0x28, 0x86, 0xaa, 0x30, 0x27, 0x32, 0x33, 0xb9, 0x9d, 0xd7, - 0x8f, 0xba, 0xad, 0x45, 0x6d, 0x7a, 0x2b, 0xd8, 0x52, 0x1f, 0x6e, 0xc2, 0xf2, 0x35, 0xb6, 0x7b, - 0xb0, 0x66, 0x3f, 0x75, 0xd4, 0x04, 0xf7, 0xb4, 0x1b, 0x86, 0x83, 0x1e, 0x3e, 0x39, 0x3b, 0xee, - 0x79, 0x2b, 0x08, 0xa0, 0x1a, 0xbe, 0x7e, 0x73, 0xda, 0x3f, 0xf2, 0x1c, 0xbd, 0x7e, 0x73, 0x36, - 0x38, 0xeb, 0xf6, 0xbd, 0x12, 0xda, 0x02, 0xaf, 0x7b, 0x36, 0x38, 0x89, 0x16, 0xb3, 0xcb, 0xed, - 0x13, 0x70, 0x17, 0x1c, 0x8c, 0xd6, 0xa1, 0x36, 0xe8, 0x87, 0x91, 0x4e, 0xf4, 0x56, 0x90, 0x6b, - 0xda, 0xbc, 0xdb, 0x8f, 0x9e, 0x7b, 0xce, 0x3c, 0xd8, 0xf7, 0x4a, 0xf3, 0xa0, 0xe3, 0x95, 0xe7, - 0xc1, 0x81, 0x57, 0x69, 0xbf, 0x85, 0x8a, 0x7e, 0x97, 0xd1, 0x67, 0x50, 0xcd, 0x46, 0xc3, 0x73, - 0x2a, 0x8c, 0xf8, 0x0d, 0x6c, 0x23, 0xd4, 0x82, 0xda, 0xf4, 0xbb, 0xb3, 0x17, 0x39, 0x8b, 0xf5, - 0x7b, 0x6b, 0x6c, 0x50, 0x38, 0xce, 0xac, 0x0f, 0x83, 0xdf, 0x6f, 0xb7, 0x9d, 0x3f, 0x6e, 0xb7, - 0x9d, 0xbf, 0x6e, 0xb7, 0x9d, 0x5f, 0x77, 0x0a, 0x7d, 0x19, 0xdf, 0x23, 0x39, 0xdb, 0xbb, 0xe3, - 0x37, 0x7a, 0x5e, 0x35, 0x6c, 0x07, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xf7, 0x4c, 0xea, 0xeb, - 0x64, 0x07, 0x00, 0x00, + // 819 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x6f, 0xdb, 0x36, + 0x14, 0x8d, 0x6c, 0xc7, 0xb1, 0xaf, 0xe2, 0x58, 0x25, 0x82, 0x41, 0x33, 0x86, 0x34, 0x75, 0x30, + 0xac, 0x1b, 0x36, 0xa5, 0x71, 0xf6, 0x50, 0xac, 0xc3, 0x00, 0xa7, 0xc8, 0xe2, 0x62, 0x6e, 0x13, + 0x50, 0x4e, 0x1f, 0xf6, 0x22, 0x30, 0x12, 0x93, 0x30, 0x91, 0x45, 0x81, 0xa4, 0xdd, 0xfa, 0x1f, + 0xf6, 0x71, 0xfb, 0x07, 0x43, 0x5e, 0xf7, 0xb8, 0x3f, 0x30, 0x90, 0xa2, 0x3f, 0xea, 0xa6, 0x29, + 0x82, 0xbc, 0xf1, 0x1e, 0xde, 0x7b, 0xee, 0xe5, 0xe1, 0x11, 0x05, 0x4f, 0x32, 0xaa, 0xde, 0x71, + 0x71, 0xcd, 0xb2, 0x8b, 0xdd, 0xf1, 0x1e, 0x49, 0xf3, 0x4b, 0xb2, 0xbf, 0x7b, 0x41, 0x14, 0x7d, + 0x47, 0x26, 0x41, 0x2e, 
0xb8, 0xe2, 0xe8, 0x6b, 0x26, 0x15, 0xe3, 0xc1, 0x3c, 0x31, 0x98, 0x26, + 0xb6, 0xff, 0x76, 0x60, 0xed, 0xa8, 0x48, 0x46, 0x2f, 0x60, 0x4d, 0x52, 0x31, 0xa6, 0x42, 0xfa, + 0xce, 0x76, 0xf9, 0xa9, 0xdb, 0x79, 0x12, 0x7c, 0xb6, 0x30, 0x08, 0x4d, 0x26, 0x9e, 0x56, 0xa0, + 0x3e, 0xd4, 0x24, 0x4d, 0x69, 0xac, 0xb8, 0xf0, 0x4b, 0xa6, 0xfa, 0xd9, 0x1d, 0xd5, 0xb6, 0x65, + 0x10, 0xda, 0x92, 0xc3, 0x4c, 0x89, 0x09, 0x9e, 0x31, 0xb4, 0x5e, 0x40, 0xe3, 0xa3, 0x2d, 0xe4, + 0x41, 0xf9, 0x9a, 0x4e, 0x7c, 0x67, 0xdb, 0x79, 0x5a, 0xc7, 0x7a, 0x89, 0x36, 0x61, 0x75, 0x4c, + 0xd2, 0x11, 0xf5, 0x4b, 0x06, 0x2b, 0x82, 0x5f, 0x4a, 0xcf, 0x9d, 0xf6, 0x07, 0x17, 0xaa, 0xc5, + 0x78, 0x68, 0x1f, 0x2a, 0x39, 0x17, 0xca, 0xd4, 0xb9, 0x9d, 0xc7, 0x77, 0x4c, 0x74, 0xc2, 0x85, + 0xc2, 0x26, 0x59, 0x33, 0x5f, 0x72, 0xa9, 0xa4, 0x39, 0x47, 0x1d, 0x17, 0x01, 0xfa, 0x0d, 0xca, + 0x2a, 0x95, 0x7e, 0xd9, 0x30, 0xfd, 0xf8, 0x45, 0x65, 0x82, 0x41, 0x3f, 0x3c, 0xce, 0x15, 0xe3, + 0x99, 0xc4, 0xba, 0x10, 0x21, 0xa8, 0x9c, 0xb1, 0x2c, 0xf1, 0x2b, 0x66, 0x5c, 0xb3, 0x46, 0xdf, + 0x83, 0x97, 0xd0, 0x73, 0x32, 0x4a, 0x55, 0x44, 0xb3, 0x24, 0xe7, 0x2c, 0x53, 0xfe, 0xaa, 0xd9, + 0x6f, 0x5a, 0xfc, 0xd0, 0xc2, 0xad, 0xff, 0xea, 0x00, 0x73, 0x4a, 0xf4, 0x2d, 0x6c, 0x5c, 0x2a, + 0x95, 0xcb, 0x48, 0xd0, 0x84, 0x09, 0x1a, 0x17, 0x47, 0xac, 0xe1, 0x86, 0x41, 0xb1, 0x05, 0x51, + 0x0f, 0x2a, 0x43, 0x9e, 0x14, 0x1a, 0x6d, 0x74, 0x7e, 0xbe, 0xcf, 0xd4, 0x7a, 0xa9, 0x6b, 0xb1, + 0x61, 0x40, 0x7b, 0x80, 0x8a, 0xab, 0x8e, 0x62, 0x2a, 0x14, 0x3b, 0x67, 0x31, 0x51, 0xd4, 0xa8, + 0x51, 0x3f, 0x28, 0xf9, 0x0e, 0x7e, 0x54, 0xec, 0xbe, 0x9c, 0x6f, 0xa2, 0x1d, 0x70, 0x73, 0xc1, + 0xc6, 0x44, 0xd1, 0x48, 0xdf, 0x5d, 0x65, 0x96, 0x0b, 0x16, 0xfe, 0x83, 0x4e, 0xd0, 0x77, 0xd0, + 0x8c, 0xc9, 0x22, 0xa7, 0xb4, 0x0a, 0x6c, 0xc4, 0x64, 0x81, 0x4c, 0xa2, 0x1f, 0xe0, 0x91, 0x1c, + 0x9d, 0x5d, 0xd1, 0x58, 0x45, 0x24, 0x55, 0x51, 0x46, 0x86, 0x54, 0xfa, 0x55, 0x73, 0x43, 0x4d, + 0xbb, 0xd1, 0x4d, 0xd5, 0x1b, 0x0d, 0xa3, 0x2b, 0xd8, 0x1c, 
0xb2, 0x2c, 0x32, 0xee, 0x8f, 0x79, + 0x1a, 0x69, 0x87, 0x32, 0x9e, 0xf9, 0x6b, 0x46, 0x86, 0xe7, 0xf7, 0x95, 0xe1, 0xc4, 0xf2, 0x60, + 0x34, 0x64, 0xd9, 0x34, 0x78, 0x5b, 0x70, 0x9a, 0x5e, 0xe4, 0xfd, 0xa7, 0xbd, 0x6a, 0x0f, 0xee, + 0x45, 0xde, 0x2f, 0xf7, 0xda, 0x81, 0x46, 0xcc, 0xf2, 0x4b, 0x2a, 0x22, 0x39, 0x62, 0x5a, 0xaa, + 0xba, 0x39, 0xff, 0x7a, 0x01, 0x86, 0x06, 0x43, 0x17, 0xe0, 0xc5, 0x82, 0x26, 0x34, 0x53, 0x8c, + 0xa4, 0x91, 0x54, 0x5c, 0x50, 0x1f, 0x8c, 0x6b, 0x7f, 0xbd, 0xd7, 0x30, 0x2f, 0x67, 0x24, 0xa1, + 0xe6, 0xc0, 0xcd, 0xf8, 0x63, 0xa0, 0x95, 0x42, 0x6b, 0x29, 0xe7, 0x77, 0x96, 0xd2, 0x03, 0x12, + 0x5f, 0xd3, 0x2c, 0x41, 0x3f, 0x7d, 0xde, 0x30, 0xb7, 0x99, 0xe5, 0xf1, 0x2d, 0x66, 0x59, 0x34, + 0x4a, 0xeb, 0x0a, 0xbe, 0x59, 0x9e, 0x88, 0x0e, 0xb9, 0x9a, 0xf5, 0xdb, 0x81, 0x86, 0xa0, 0x92, + 0x8f, 0x44, 0x4c, 0x8d, 0x39, 0xec, 0x5b, 0xb1, 0x3e, 0x05, 0xb5, 0x33, 0xf4, 0x67, 0x63, 0x87, + 0x22, 0x49, 0x22, 0xa8, 0x94, 0xf6, 0xf5, 0x68, 0x14, 0x68, 0xb7, 0x00, 0x5b, 0xff, 0x3a, 0xd0, + 0x5c, 0x6a, 0x86, 0x22, 0x58, 0x3d, 0x67, 0x29, 0x95, 0xf6, 0x2d, 0x39, 0x7a, 0x88, 0x96, 0x0b, + 0x3a, 0xf5, 0x56, 0x70, 0xc1, 0x8b, 0x62, 0xa8, 0x0a, 0x73, 0x22, 0x33, 0x93, 0xdb, 0x79, 0xf5, + 0xa0, 0xdb, 0x5a, 0xd4, 0xa6, 0xb7, 0x82, 0x2d, 0xf5, 0x01, 0xfa, 0xd4, 0x1c, 0xed, 0x1e, 0xac, + 0xd9, 0x6f, 0x1d, 0x35, 0xc1, 0x3d, 0xe9, 0x86, 0xe1, 0xa0, 0x87, 0x8f, 0x4f, 0x8f, 0x7a, 0xde, + 0x0a, 0x02, 0xa8, 0x86, 0xaf, 0x5e, 0x9f, 0xf4, 0x0f, 0x3d, 0x47, 0xaf, 0x5f, 0x9f, 0x0e, 0x4e, + 0xbb, 0x7d, 0xaf, 0x84, 0x36, 0xc1, 0xeb, 0x9e, 0x0e, 0x8e, 0xa3, 0xc5, 0xec, 0x72, 0xfb, 0x18, + 0xdc, 0x05, 0x0b, 0xa3, 0x75, 0xa8, 0x0d, 0xfa, 0x61, 0xa4, 0x13, 0xbd, 0x15, 0xe4, 0x9a, 0x36, + 0x6f, 0xf7, 0xa2, 0x67, 0x9e, 0x33, 0x0f, 0xf6, 0xbc, 0xd2, 0x3c, 0xe8, 0x78, 0xe5, 0x79, 0xb0, + 0xef, 0x55, 0xda, 0x6f, 0xa0, 0xa2, 0x1f, 0x66, 0xf4, 0x15, 0x54, 0xb3, 0xd1, 0xf0, 0x8c, 0x0a, + 0xa3, 0x7e, 0x03, 0xdb, 0x08, 0xb5, 0xa0, 0x36, 0xfd, 0xf0, 0xec, 0x4d, 0xce, 0x62, 0xfd, 0xe0, + 
0x1a, 0x1f, 0x14, 0x96, 0x33, 0xeb, 0x83, 0xe0, 0xc3, 0xcd, 0x96, 0xf3, 0xd7, 0xcd, 0x96, 0xf3, + 0xcf, 0xcd, 0x96, 0xf3, 0xe7, 0x76, 0x21, 0x30, 0xe3, 0xbb, 0x24, 0x67, 0xbb, 0xb7, 0xfc, 0x47, + 0xcf, 0xaa, 0x86, 0x6d, 0xff, 0xff, 0x00, 0x00, 0x00, 0xff, 0xff, 0x35, 0xd5, 0xf3, 0x8a, 0x65, + 0x07, 0x00, 0x00, } diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 282a72f3d5..cdc0334ace 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -332,7 +332,7 @@ message Server { string private_key = 4 [deprecated=true]; message CredentialStore { - oneof credentialStore { + oneof credential_store { CredentialStoreFileBackend files = 1; CredentialStoreRemoteBackend remote = 2; } diff --git a/python/istio_api/networking/v1alpha3/gateway_pb2.py b/python/istio_api/networking/v1alpha3/gateway_pb2.py index bbd46f864d..6be5efb3a0 100644 --- a/python/istio_api/networking/v1alpha3/gateway_pb2.py +++ b/python/istio_api/networking/v1alpha3/gateway_pb2.py 
@@ -19,7 +19,7 @@ name='networking/v1alpha3/gateway.proto', package='istio.networking.v1alpha3', syntax='proto3', - serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xb7\t\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\x8b\x08\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1e\n\x12server_certificate\x18\x03 \x01(\tB\x02\x18\x01\x12\x17\n\x0bprivate_key\x18\x04 \x01(\tB\x02\x18\x01\x12V\n\x10\x63redential_store\x18\n \x01(\x0b\x32<.istio.networking.v1alpha3.Server.TLSOptions.CredentialStore\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x1aM\n\x1a\x43redentialStoreFileBackend\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x1aM\n\x1c\x43redentialStoreRemoteBackend\x12\x15\n\rresource_name\x18\x01 \x01(\t\x12\x16\n\x0eserver_address\x18\x02 \x01(\t\x1a\xdb\x01\n\x0f\x43redentialStore\x12X\n\x05\x66iles\x18\x01 \x01(\x0b\x32G.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackendH\x00\x12[\n\x06remote\x18\x02 
\x01(\x0b\x32I.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackendH\x00\x42\x11\n\x0f\x63redentialStore\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') + serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xb8\t\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\x8c\x08\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1e\n\x12server_certificate\x18\x03 \x01(\tB\x02\x18\x01\x12\x17\n\x0bprivate_key\x18\x04 \x01(\tB\x02\x18\x01\x12V\n\x10\x63redential_store\x18\n \x01(\x0b\x32<.istio.networking.v1alpha3.Server.TLSOptions.CredentialStore\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 
\x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x1aM\n\x1a\x43redentialStoreFileBackend\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x1aM\n\x1c\x43redentialStoreRemoteBackend\x12\x15\n\rresource_name\x18\x01 \x01(\t\x12\x16\n\x0eserver_address\x18\x02 \x01(\t\x1a\xdc\x01\n\x0f\x43redentialStore\x12X\n\x05\x66iles\x18\x01 \x01(\x0b\x32G.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackendH\x00\x12[\n\x06remote\x18\x02 \x01(\x0b\x32I.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackendH\x00\x42\x12\n\x10\x63redential_store\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') ) @@ -49,8 +49,8 @@ ], containing_type=None, options=None, - serialized_start=1300, - serialized_end=1372, + serialized_start=1301, + serialized_end=1373, ) _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSMODE) @@ -83,8 +83,8 @@ ], containing_type=None, options=None, - serialized_start=1374, - serialized_end=1453, + serialized_start=1375, + serialized_end=1454, ) _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSPROTOCOL) 
@@ -271,11 +271,11 @@ extension_ranges=[], oneofs=[ _descriptor.OneofDescriptor( - name='credentialStore', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.credentialStore', + name='credential_store', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.credential_store', index=0, containing_type=None, fields=[]), ], serialized_start=1079, - serialized_end=1298, + serialized_end=1299, ) _SERVER_TLSOPTIONS = _descriptor.Descriptor( @@ -370,7 +370,7 @@ oneofs=[ ], serialized_start=418, - serialized_end=1453, + serialized_end=1454, ) _SERVER = _descriptor.Descriptor( @@ -428,7 +428,7 @@ oneofs=[ ], serialized_start=246, - serialized_end=1453, + serialized_end=1454, ) @@ -472,8 +472,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=1455, - serialized_end=1509, + serialized_start=1456, + serialized_end=1510, ) _GATEWAY_SELECTORENTRY.containing_type = _GATEWAY 
@@ -484,12 +484,12 @@ _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND _SERVER_TLSOPTIONS_CREDENTIALSTORE.containing_type = _SERVER_TLSOPTIONS -_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'].fields.append( +_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'].fields.append( _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files']) -_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'] -_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'].fields.append( +_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'] +_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'].fields.append( _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote']) -_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credentialStore'] +_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'] _SERVER_TLSOPTIONS.fields_by_name['mode'].enum_type = _SERVER_TLSOPTIONS_TLSMODE _SERVER_TLSOPTIONS.fields_by_name['credential_store'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTORE _SERVER_TLSOPTIONS.fields_by_name['min_protocol_version'].enum_type = _SERVER_TLSOPTIONS_TLSPROTOCOL From 14d88221e27298f18eb0252d9ad106244a5d50b5 Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Tue, 29 Jan 2019 19:41:43 -0500 Subject: [PATCH 3/7] nits 
Signed-off-by: Shriram Rajagopalan --- networking/v1alpha3/gateway.pb.go | 118 +++++++++--------- networking/v1alpha3/gateway.proto | 4 +- proto.lock | 4 +- .../networking/v1alpha3/gateway_pb2.py | 6 +- 4 files changed, 66 insertions(+), 66 deletions(-) diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 10483edacd..9cda87a461 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go @@ -512,10 +512,10 @@ func (m *Server_TLSOptions) GetCipherSuites() []string { type Server_TLSOptions_CredentialStoreFileBackend struct { // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server-side TLS certificate to use. - ServerCertificate string `protobuf:"bytes,3,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` + ServerCertificate string `protobuf:"bytes,1,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server's private key. - PrivateKey string `protobuf:"bytes,4,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` + PrivateKey string `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` } func (m *Server_TLSOptions_CredentialStoreFileBackend) Reset() { @@ -992,13 +992,13 @@ func (m *Server_TLSOptions_CredentialStoreFileBackend) MarshalTo(dAtA []byte) (i var l int _ = l if len(m.ServerCertificate) > 0 { - dAtA[i] = 0x1a + dAtA[i] = 0xa i++ i = encodeVarintGateway(dAtA, i, uint64(len(m.ServerCertificate))) i += copy(dAtA[i:], m.ServerCertificate) } if len(m.PrivateKey) > 0 { - dAtA[i] = 0x22 + dAtA[i] = 0x12 i++ i = encodeVarintGateway(dAtA, i, uint64(len(m.PrivateKey))) i += copy(dAtA[i:], m.PrivateKey) 
@@ -2048,7 +2048,7 @@ func (m *Server_TLSOptions_CredentialStoreFileBackend) Unmarshal(dAtA []byte) er return fmt.Errorf("proto: CredentialStoreFileBackend: illegal tag %d (wire type %d)", fieldNum, wire) } switch fieldNum { - case 3: + case 1: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field ServerCertificate", wireType) } @@ -2077,7 +2077,7 @@ func (m *Server_TLSOptions_CredentialStoreFileBackend) Unmarshal(dAtA []byte) er } m.ServerCertificate = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex - case 4: + case 2: if wireType != 2 { return fmt.Errorf("proto: wrong wireType = %d for field PrivateKey", wireType) } 
@@ -2584,57 +2584,57 @@ var ( func init() { proto.RegisterFile("networking/v1alpha3/gateway.proto", fileDescriptorGateway) } var fileDescriptorGateway = []byte{ - // 819 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x6f, 0xdb, 0x36, - 0x14, 0x8d, 0x6c, 0xc7, 0xb1, 0xaf, 0xe2, 0x58, 0x25, 0x82, 0x41, 0x33, 0x86, 0x34, 0x75, 0x30, - 0xac, 0x1b, 0x36, 0xa5, 0x71, 0xf6, 0x50, 0xac, 0xc3, 0x00, 0xa7, 0xc8, 0xe2, 0x62, 0x6e, 0x13, - 0x50, 0x4e, 0x1f, 0xf6, 0x22, 0x30, 0x12, 0x93, 0x30, 0x91, 0x45, 0x81, 0xa4, 0xdd, 0xfa, 0x1f, - 0xf6, 0x71, 0xfb, 0x07, 0x43, 0x5e, 0xf7, 0xb8, 0x3f, 0x30, 0x90, 0xa2, 0x3f, 0xea, 0xa6, 0x29, - 0x82, 0xbc, 0xf1, 0x1e, 0xde, 0x7b, 0xee, 0xe5, 0xe1, 0x11, 0x05, 0x4f, 0x32, 0xaa, 0xde, 0x71, - 0x71, 0xcd, 0xb2, 0x8b, 0xdd, 0xf1, 0x1e, 0x49, 0xf3, 0x4b, 0xb2, 0xbf, 0x7b, 0x41, 0x14, 0x7d, - 0x47, 0x26, 0x41, 0x2e, 0xb8, 0xe2, 0xe8, 0x6b, 0x26, 0x15, 0xe3, 0xc1, 0x3c, 0x31, 0x98, 0x26, - 0xb6, 0xff, 0x76, 0x60, 0xed, 0xa8, 0x48, 0x46, 0x2f, 0x60, 0x4d, 0x52, 0x31, 0xa6, 0x42, 0xfa, - 0xce, 0x76, 0xf9, 0xa9, 0xdb, 0x79, 0x12, 0x7c, 0xb6, 0x30, 0x08, 0x4d, 0x26, 0x9e, 0x56, 0xa0, - 0x3e, 0xd4, 0x24, 0x4d, 0x69, 0xac, 0xb8, 0xf0, 0x4b, 0xa6, 0xfa, 0xd9, 0x1d, 0xd5, 0xb6, 0x65, - 0x10, 0xda, 0x92, 0xc3, 0x4c, 0x89, 0x09, 0x9e, 0x31, 0xb4, 0x5e, 0x40, 0xe3, 0xa3, 0x2d, 0xe4, - 0x41, 0xf9, 0x9a, 0x4e, 0x7c, 0x67, 0xdb, 0x79, 0x5a, 0xc7, 0x7a, 0x89, 0x36, 0x61, 0x75, 0x4c, - 0xd2, 0x11, 0xf5, 0x4b, 0x06, 0x2b, 0x82, 0x5f, 0x4a, 0xcf, 0x9d, 0xf6, 0x07, 0x17, 0xaa, 0xc5, - 0x78, 0x68, 0x1f, 0x2a, 0x39, 0x17, 0xca, 0xd4, 0xb9, 0x9d, 0xc7, 0x77, 0x4c, 0x74, 0xc2, 0x85, - 0xc2, 0x26, 0x59, 0x33, 0x5f, 0x72, 0xa9, 0xa4, 0x39, 0x47, 0x1d, 0x17, 0x01, 0xfa, 0x0d, 0xca, - 0x2a, 0x95, 0x7e, 0xd9, 0x30, 0xfd, 0xf8, 0x45, 0x65, 0x82, 0x41, 0x3f, 0x3c, 0xce, 0x15, 0xe3, - 0x99, 0xc4, 0xba, 0x10, 0x21, 0xa8, 0x9c, 0xb1, 0x2c, 0xf1, 0x2b, 0x66, 0x5c, 0xb3, 0x46, 0xdf, - 0x83, 0x97, 0xd0, 0x73, 
0x32, 0x4a, 0x55, 0x44, 0xb3, 0x24, 0xe7, 0x2c, 0x53, 0xfe, 0xaa, 0xd9, - 0x6f, 0x5a, 0xfc, 0xd0, 0xc2, 0xad, 0xff, 0xea, 0x00, 0x73, 0x4a, 0xf4, 0x2d, 0x6c, 0x5c, 0x2a, - 0x95, 0xcb, 0x48, 0xd0, 0x84, 0x09, 0x1a, 0x17, 0x47, 0xac, 0xe1, 0x86, 0x41, 0xb1, 0x05, 0x51, - 0x0f, 0x2a, 0x43, 0x9e, 0x14, 0x1a, 0x6d, 0x74, 0x7e, 0xbe, 0xcf, 0xd4, 0x7a, 0xa9, 0x6b, 0xb1, - 0x61, 0x40, 0x7b, 0x80, 0x8a, 0xab, 0x8e, 0x62, 0x2a, 0x14, 0x3b, 0x67, 0x31, 0x51, 0xd4, 0xa8, - 0x51, 0x3f, 0x28, 0xf9, 0x0e, 0x7e, 0x54, 0xec, 0xbe, 0x9c, 0x6f, 0xa2, 0x1d, 0x70, 0x73, 0xc1, - 0xc6, 0x44, 0xd1, 0x48, 0xdf, 0x5d, 0x65, 0x96, 0x0b, 0x16, 0xfe, 0x83, 0x4e, 0xd0, 0x77, 0xd0, - 0x8c, 0xc9, 0x22, 0xa7, 0xb4, 0x0a, 0x6c, 0xc4, 0x64, 0x81, 0x4c, 0xa2, 0x1f, 0xe0, 0x91, 0x1c, - 0x9d, 0x5d, 0xd1, 0x58, 0x45, 0x24, 0x55, 0x51, 0x46, 0x86, 0x54, 0xfa, 0x55, 0x73, 0x43, 0x4d, - 0xbb, 0xd1, 0x4d, 0xd5, 0x1b, 0x0d, 0xa3, 0x2b, 0xd8, 0x1c, 0xb2, 0x2c, 0x32, 0xee, 0x8f, 0x79, - 0x1a, 0x69, 0x87, 0x32, 0x9e, 0xf9, 0x6b, 0x46, 0x86, 0xe7, 0xf7, 0x95, 0xe1, 0xc4, 0xf2, 0x60, - 0x34, 0x64, 0xd9, 0x34, 0x78, 0x5b, 0x70, 0x9a, 0x5e, 0xe4, 0xfd, 0xa7, 0xbd, 0x6a, 0x0f, 0xee, - 0x45, 0xde, 0x2f, 0xf7, 0xda, 0x81, 0x46, 0xcc, 0xf2, 0x4b, 0x2a, 0x22, 0x39, 0x62, 0x5a, 0xaa, - 0xba, 0x39, 0xff, 0x7a, 0x01, 0x86, 0x06, 0x43, 0x17, 0xe0, 0xc5, 0x82, 0x26, 0x34, 0x53, 0x8c, - 0xa4, 0x91, 0x54, 0x5c, 0x50, 0x1f, 0x8c, 0x6b, 0x7f, 0xbd, 0xd7, 0x30, 0x2f, 0x67, 0x24, 0xa1, - 0xe6, 0xc0, 0xcd, 0xf8, 0x63, 0xa0, 0x95, 0x42, 0x6b, 0x29, 0xe7, 0x77, 0x96, 0xd2, 0x03, 0x12, - 0x5f, 0xd3, 0x2c, 0x41, 0x3f, 0x7d, 0xde, 0x30, 0xb7, 0x99, 0xe5, 0xf1, 0x2d, 0x66, 0x59, 0x34, - 0x4a, 0xeb, 0x0a, 0xbe, 0x59, 0x9e, 0x88, 0x0e, 0xb9, 0x9a, 0xf5, 0xdb, 0x81, 0x86, 0xa0, 0x92, - 0x8f, 0x44, 0x4c, 0x8d, 0x39, 0xec, 0x5b, 0xb1, 0x3e, 0x05, 0xb5, 0x33, 0xf4, 0x67, 0x63, 0x87, - 0x22, 0x49, 0x22, 0xa8, 0x94, 0xf6, 0xf5, 0x68, 0x14, 0x68, 0xb7, 0x00, 0x5b, 0xff, 0x3a, 0xd0, - 0x5c, 0x6a, 0x86, 0x22, 0x58, 0x3d, 0x67, 0x29, 0x95, 0xf6, 
0x2d, 0x39, 0x7a, 0x88, 0x96, 0x0b, - 0x3a, 0xf5, 0x56, 0x70, 0xc1, 0x8b, 0x62, 0xa8, 0x0a, 0x73, 0x22, 0x33, 0x93, 0xdb, 0x79, 0xf5, - 0xa0, 0xdb, 0x5a, 0xd4, 0xa6, 0xb7, 0x82, 0x2d, 0xf5, 0x01, 0xfa, 0xd4, 0x1c, 0xed, 0x1e, 0xac, - 0xd9, 0x6f, 0x1d, 0x35, 0xc1, 0x3d, 0xe9, 0x86, 0xe1, 0xa0, 0x87, 0x8f, 0x4f, 0x8f, 0x7a, 0xde, - 0x0a, 0x02, 0xa8, 0x86, 0xaf, 0x5e, 0x9f, 0xf4, 0x0f, 0x3d, 0x47, 0xaf, 0x5f, 0x9f, 0x0e, 0x4e, - 0xbb, 0x7d, 0xaf, 0x84, 0x36, 0xc1, 0xeb, 0x9e, 0x0e, 0x8e, 0xa3, 0xc5, 0xec, 0x72, 0xfb, 0x18, - 0xdc, 0x05, 0x0b, 0xa3, 0x75, 0xa8, 0x0d, 0xfa, 0x61, 0xa4, 0x13, 0xbd, 0x15, 0xe4, 0x9a, 0x36, - 0x6f, 0xf7, 0xa2, 0x67, 0x9e, 0x33, 0x0f, 0xf6, 0xbc, 0xd2, 0x3c, 0xe8, 0x78, 0xe5, 0x79, 0xb0, - 0xef, 0x55, 0xda, 0x6f, 0xa0, 0xa2, 0x1f, 0x66, 0xf4, 0x15, 0x54, 0xb3, 0xd1, 0xf0, 0x8c, 0x0a, - 0xa3, 0x7e, 0x03, 0xdb, 0x08, 0xb5, 0xa0, 0x36, 0xfd, 0xf0, 0xec, 0x4d, 0xce, 0x62, 0xfd, 0xe0, - 0x1a, 0x1f, 0x14, 0x96, 0x33, 0xeb, 0x83, 0xe0, 0xc3, 0xcd, 0x96, 0xf3, 0xd7, 0xcd, 0x96, 0xf3, - 0xcf, 0xcd, 0x96, 0xf3, 0xe7, 0x76, 0x21, 0x30, 0xe3, 0xbb, 0x24, 0x67, 0xbb, 0xb7, 0xfc, 0x47, - 0xcf, 0xaa, 0x86, 0x6d, 0xff, 0xff, 0x00, 0x00, 0x00, 0xff, 0xff, 0x35, 0xd5, 0xf3, 0x8a, 0x65, - 0x07, 0x00, 0x00, + // 823 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x4f, 0x1b, 0x47, + 0x14, 0x65, 0x6d, 0x63, 0xec, 0x6b, 0x8c, 0x37, 0x23, 0x54, 0x6d, 0xad, 0x8a, 0x10, 0xa3, 0xaa, + 0x69, 0xd5, 0x2e, 0xc1, 0xf4, 0x21, 0x6a, 0xaa, 0x4a, 0x26, 0xa2, 0x38, 0xaa, 0x13, 0xd0, 0xac, + 0xc9, 0x43, 0x5f, 0x56, 0xc3, 0xee, 0x00, 0x03, 0xeb, 0x9d, 0xd5, 0xcc, 0x98, 0x84, 0x7f, 0x98, + 0xc7, 0xf6, 0x1f, 0x54, 0xbc, 0xf6, 0xb1, 0x7f, 0xa0, 0x9a, 0x0f, 0x7f, 0xe0, 0x50, 0x2a, 0xc4, + 0xdb, 0xdc, 0x33, 0xf7, 0x9e, 0x7b, 0xf7, 0xcc, 0x99, 0x59, 0x78, 0x96, 0x53, 0xf5, 0x81, 0x8b, + 0x4b, 0x96, 0x9f, 0x6d, 0x5f, 0xed, 0x90, 0xac, 0x38, 0x27, 0xbb, 0xdb, 0x67, 0x44, 0xd1, 0x0f, + 0xe4, 0x3a, 0x2c, 0x04, 0x57, 
0x1c, 0x7d, 0xc9, 0xa4, 0x62, 0x3c, 0x9c, 0x25, 0x86, 0x93, 0xc4, + 0xce, 0x9f, 0x1e, 0xac, 0x1c, 0xd8, 0x64, 0xf4, 0x0a, 0x56, 0x24, 0x15, 0x57, 0x54, 0xc8, 0xc0, + 0xdb, 0x2c, 0x3f, 0x6f, 0x74, 0x9f, 0x85, 0xff, 0x59, 0x18, 0x46, 0x26, 0x13, 0x4f, 0x2a, 0xd0, + 0x00, 0x6a, 0x92, 0x66, 0x34, 0x51, 0x5c, 0x04, 0x25, 0x53, 0xfd, 0xe2, 0x9e, 0x6a, 0xd7, 0x32, + 0x8c, 0x5c, 0xc9, 0x7e, 0xae, 0xc4, 0x35, 0x9e, 0x32, 0xb4, 0x5f, 0x41, 0xf3, 0xd6, 0x16, 0xf2, + 0xa1, 0x7c, 0x49, 0xaf, 0x03, 0x6f, 0xd3, 0x7b, 0x5e, 0xc7, 0x7a, 0x89, 0xd6, 0x61, 0xf9, 0x8a, + 0x64, 0x63, 0x1a, 0x94, 0x0c, 0x66, 0x83, 0x9f, 0x4a, 0x2f, 0xbd, 0xce, 0xa7, 0x06, 0x54, 0xed, + 0x78, 0x68, 0x17, 0x2a, 0x05, 0x17, 0xca, 0xd4, 0x35, 0xba, 0x4f, 0xef, 0x99, 0xe8, 0x88, 0x0b, + 0x85, 0x4d, 0xb2, 0x66, 0x3e, 0xe7, 0x52, 0x49, 0xf3, 0x1d, 0x75, 0x6c, 0x03, 0xf4, 0x0b, 0x94, + 0x55, 0x26, 0x83, 0xb2, 0x61, 0xfa, 0xfe, 0x7f, 0x95, 0x09, 0x87, 0x83, 0xe8, 0xb0, 0x50, 0x8c, + 0xe7, 0x12, 0xeb, 0x42, 0x84, 0xa0, 0x72, 0xc2, 0xf2, 0x34, 0xa8, 0x98, 0x71, 0xcd, 0x1a, 0x7d, + 0x0b, 0x7e, 0x4a, 0x4f, 0xc9, 0x38, 0x53, 0x31, 0xcd, 0xd3, 0x82, 0xb3, 0x5c, 0x05, 0xcb, 0x66, + 0xbf, 0xe5, 0xf0, 0x7d, 0x07, 0xb7, 0xff, 0xa9, 0x03, 0xcc, 0x28, 0xd1, 0xd7, 0xb0, 0x76, 0xae, + 0x54, 0x21, 0x63, 0x41, 0x53, 0x26, 0x68, 0x62, 0x3f, 0xb1, 0x86, 0x9b, 0x06, 0xc5, 0x0e, 0x44, + 0x7d, 0xa8, 0x8c, 0x78, 0x6a, 0x35, 0x5a, 0xeb, 0xfe, 0xf8, 0x90, 0xa9, 0xf5, 0x52, 0xd7, 0x62, + 0xc3, 0x80, 0x76, 0x00, 0xd9, 0xa3, 0x8e, 0x13, 0x2a, 0x14, 0x3b, 0x65, 0x09, 0x51, 0xd4, 0xa8, + 0x51, 0xdf, 0x2b, 0x05, 0x1e, 0x7e, 0x62, 0x77, 0x5f, 0xcf, 0x36, 0xd1, 0x16, 0x34, 0x0a, 0xc1, + 0xae, 0x88, 0xa2, 0xb1, 0x3e, 0xbb, 0xca, 0x34, 0x17, 0x1c, 0xfc, 0x1b, 0xbd, 0x46, 0xdf, 0x40, + 0x2b, 0x21, 0xf3, 0x9c, 0xd2, 0x29, 0xb0, 0x96, 0x90, 0x39, 0x32, 0x89, 0xbe, 0x83, 0x27, 0x72, + 0x7c, 0x72, 0x41, 0x13, 0x15, 0x93, 0x4c, 0xc5, 0x39, 0x19, 0x51, 0x19, 0x54, 0xcd, 0x09, 0xb5, + 0xdc, 0x46, 0x2f, 0x53, 0xef, 0x34, 0x8c, 0x2e, 0x60, 0x7d, 0xc4, 
0xf2, 0xd8, 0xb8, 0x3f, 0xe1, + 0x59, 0xac, 0x1d, 0xca, 0x78, 0x1e, 0xac, 0x18, 0x19, 0x5e, 0x3e, 0x54, 0x86, 0x23, 0xc7, 0x83, + 0xd1, 0x88, 0xe5, 0x93, 0xe0, 0xbd, 0xe5, 0x34, 0xbd, 0xc8, 0xc7, 0xcf, 0x7b, 0xd5, 0x1e, 0xdd, + 0x8b, 0x7c, 0x5c, 0xec, 0xb5, 0x05, 0xcd, 0x84, 0x15, 0xe7, 0x54, 0xc4, 0x72, 0xcc, 0xb4, 0x54, + 0x75, 0xf3, 0xfd, 0xab, 0x16, 0x8c, 0x0c, 0x86, 0xce, 0xc0, 0x4f, 0x04, 0x4d, 0x69, 0xae, 0x18, + 0xc9, 0x62, 0xa9, 0xb8, 0xa0, 0x01, 0x18, 0xd7, 0xfe, 0xfc, 0xa0, 0x61, 0x5e, 0x4f, 0x49, 0x22, + 0xcd, 0x81, 0x5b, 0xc9, 0x6d, 0xa0, 0x9d, 0x41, 0x7b, 0x21, 0xe7, 0x57, 0x96, 0xd1, 0x3d, 0x92, + 0x5c, 0xd2, 0x3c, 0x45, 0x3f, 0xdc, 0x69, 0x18, 0x7b, 0x81, 0xef, 0x30, 0xcb, 0xd3, 0xdb, 0x66, + 0xb1, 0x97, 0x7a, 0xce, 0x28, 0xed, 0x0b, 0xf8, 0x6a, 0x71, 0x22, 0x3a, 0xe2, 0x6a, 0xda, 0x6f, + 0x0b, 0x9a, 0x82, 0x4a, 0x3e, 0x16, 0x09, 0x35, 0xe6, 0x70, 0xad, 0x56, 0x27, 0xa0, 0x76, 0x86, + 0xbe, 0x36, 0x6e, 0x28, 0x92, 0xa6, 0x82, 0x4a, 0xe9, 0x1a, 0x35, 0x2d, 0xda, 0xb3, 0x60, 0xfb, + 0x6f, 0x0f, 0x5a, 0x0b, 0xcd, 0x50, 0x0c, 0xcb, 0xa7, 0x2c, 0xa3, 0xd2, 0xbd, 0x25, 0x07, 0x8f, + 0xd1, 0x72, 0x4e, 0xa7, 0xfe, 0x12, 0xb6, 0xbc, 0x28, 0x81, 0xaa, 0x30, 0x5f, 0x64, 0x66, 0x6a, + 0x74, 0xdf, 0x3c, 0xea, 0xb4, 0xe6, 0xb5, 0xe9, 0x2f, 0x61, 0x47, 0xbd, 0x87, 0x3e, 0x37, 0x47, + 0xa7, 0x0f, 0x2b, 0xee, 0xae, 0xa3, 0x16, 0x34, 0x8e, 0x7a, 0x51, 0x34, 0xec, 0xe3, 0xc3, 0xe3, + 0x83, 0xbe, 0xbf, 0x84, 0x00, 0xaa, 0xd1, 0x9b, 0xb7, 0x47, 0x83, 0x7d, 0xdf, 0xd3, 0xeb, 0xb7, + 0xc7, 0xc3, 0xe3, 0xde, 0xc0, 0x2f, 0xa1, 0x75, 0xf0, 0x7b, 0xc7, 0xc3, 0xc3, 0x78, 0x3e, 0xbb, + 0xdc, 0x39, 0x84, 0xc6, 0x9c, 0x85, 0xd1, 0x2a, 0xd4, 0x86, 0x83, 0x28, 0xd6, 0x89, 0xfe, 0x12, + 0x6a, 0x98, 0x36, 0xef, 0x77, 0xe2, 0x17, 0xbe, 0x37, 0x0b, 0x76, 0xfc, 0xd2, 0x2c, 0xe8, 0xfa, + 0xe5, 0x59, 0xb0, 0xeb, 0x57, 0x3a, 0xef, 0xa0, 0xa2, 0x1f, 0x66, 0xf4, 0x05, 0x54, 0xf3, 0xf1, + 0xe8, 0x84, 0x0a, 0xa3, 0x7e, 0x13, 0xbb, 0x08, 0xb5, 0xa1, 0x36, 0xb9, 0x78, 0xee, 0x24, 0xa7, + 0xb1, 
0x7e, 0x70, 0x8d, 0x0f, 0xca, 0xf6, 0xc1, 0xd5, 0xeb, 0xbd, 0xf0, 0xd3, 0xcd, 0x86, 0xf7, + 0xc7, 0xcd, 0x86, 0xf7, 0xd7, 0xcd, 0x86, 0xf7, 0xfb, 0xa6, 0x15, 0x98, 0xf1, 0x6d, 0x52, 0xb0, + 0xed, 0x3b, 0xfe, 0xa3, 0x27, 0x55, 0xc3, 0xb6, 0xfb, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x2a, + 0x72, 0x94, 0xd5, 0x65, 0x07, 0x00, 0x00, } diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index cdc0334ace..0b4bd9bff8 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -296,11 +296,11 @@ message Server { message CredentialStoreFileBackend { // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server-side TLS certificate to use. - string server_certificate = 3; + string server_certificate = 1; // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server's private key. - string private_key = 4; + string private_key = 2; }; // The remote backend provides information about the remote secret diff --git a/proto.lock b/proto.lock index f0cb8b6af0..fb49a91d83 100644 --- a/proto.lock +++ b/proto.lock @@ -3338,12 +3338,12 @@ "name": "CredentialStoreFileBackend", "fields": [ { - "id": 3, + "id": 1, "name": "server_certificate", "type": "string" }, { - "id": 4, + "id": 2, "name": "private_key", "type": "string" } diff --git a/python/istio_api/networking/v1alpha3/gateway_pb2.py b/python/istio_api/networking/v1alpha3/gateway_pb2.py index 6be5efb3a0..d1b5d6b3f2 100644 --- a/python/istio_api/networking/v1alpha3/gateway_pb2.py +++ b/python/istio_api/networking/v1alpha3/gateway_pb2.py 
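Review bot: In gateway.proto's `CredentialStoreFileBackend` (the `@@ -296,11 +296,11 @@` hunk), both field comments still read "REQUIRED if mode is `SIMPLE` or `MUTUAL`", although this message is only one arm of the `credential_store` oneof next to `remote`, and the deprecated `private_key = 4` on the enclosing TLS options is still present. As written, a reader cannot tell which source of key material is mandatory, or which one is served when both the deprecated fields and the store are set. I would reword the field comments along the lines of `// REQUIRED when the file backend is used. The path to the file holding the server's private key.` and state the precedence over the deprecated fields once, on `credential_store`. Separately, renumbering the fields from 3/4 to 1/2 is wire-incompatible with anything encoded against the earlier numbering; that looks acceptable only because the message appears to be introduced earlier in this same series, so it is worth confirming nothing consumed the intermediate schema. The enclosing `message Server` starts outside the hunk.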
@@ -19,7 +19,7 @@ name='networking/v1alpha3/gateway.proto', package='istio.networking.v1alpha3', syntax='proto3', - serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xb8\t\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\x8c\x08\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1e\n\x12server_certificate\x18\x03 \x01(\tB\x02\x18\x01\x12\x17\n\x0bprivate_key\x18\x04 \x01(\tB\x02\x18\x01\x12V\n\x10\x63redential_store\x18\n \x01(\x0b\x32<.istio.networking.v1alpha3.Server.TLSOptions.CredentialStore\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x1aM\n\x1a\x43redentialStoreFileBackend\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x1aM\n\x1c\x43redentialStoreRemoteBackend\x12\x15\n\rresource_name\x18\x01 \x01(\t\x12\x16\n\x0eserver_address\x18\x02 \x01(\t\x1a\xdc\x01\n\x0f\x43redentialStore\x12X\n\x05\x66iles\x18\x01 \x01(\x0b\x32G.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackendH\x00\x12[\n\x06remote\x18\x02 
\x01(\x0b\x32I.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackendH\x00\x42\x12\n\x10\x63redential_store\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') + serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xb8\t\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\x8c\x08\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1e\n\x12server_certificate\x18\x03 \x01(\tB\x02\x18\x01\x12\x17\n\x0bprivate_key\x18\x04 \x01(\tB\x02\x18\x01\x12V\n\x10\x63redential_store\x18\n \x01(\x0b\x32<.istio.networking.v1alpha3.Server.TLSOptions.CredentialStore\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 
\x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x1aM\n\x1a\x43redentialStoreFileBackend\x12\x1a\n\x12server_certificate\x18\x01 \x01(\t\x12\x13\n\x0bprivate_key\x18\x02 \x01(\t\x1aM\n\x1c\x43redentialStoreRemoteBackend\x12\x15\n\rresource_name\x18\x01 \x01(\t\x12\x16\n\x0eserver_address\x18\x02 \x01(\t\x1a\xdc\x01\n\x0f\x43redentialStore\x12X\n\x05\x66iles\x18\x01 \x01(\x0b\x32G.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackendH\x00\x12[\n\x06remote\x18\x02 \x01(\x0b\x32I.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackendH\x00\x42\x12\n\x10\x63redential_store\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') ) 
@@ -173,14 +173,14 @@ fields=[ _descriptor.FieldDescriptor( name='server_certificate', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend.server_certificate', index=0, - number=3, type=9, cpp_type=9, label=1, + number=1, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( name='private_key', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend.private_key', index=1, - number=4, type=9, cpp_type=9, label=1, + number=2, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, From 51390101f2faac89edc3a69e5d14026c2e14801c Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Thu, 31 Jan 2019 10:01:47 -0500 Subject: [PATCH 4/7] cleanups Signed-off-by: Shriram Rajagopalan --- networking/v1alpha3/gateway.pb.go | 855 ++---------------- networking/v1alpha3/gateway.proto | 59 +- .../istio.networking.v1alpha3.pb.html | 130 +-- proto.lock | 51 +- .../networking/v1alpha3/gateway_pb2.py | 184 +--- 5 files changed, 120 insertions(+), 1159 deletions(-) diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 9cda87a461..63d8b9bf88 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go 
@@ -409,13 +409,22 @@ type Server_TLSOptions struct { Mode Server_TLSOptions_TLSmode `protobuf:"varint,2,opt,name=mode,proto3,enum=istio.networking.v1alpha3.Server_TLSOptions_TLSmode" json:"mode,omitempty"` // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server-side TLS certificate to use. - // Deprecated. Use ServerCertificate string `protobuf:"bytes,3,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server's private key. PrivateKey string `protobuf:"bytes,4,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` - // REQUIRED if the mode is `SIMPLE` or `MUTUAL`. - CredentialStore *Server_TLSOptions_CredentialStore `protobuf:"bytes,10,opt,name=credential_store,json=credentialStore" json:"credential_store,omitempty"` + // The credentialName stands for a unique identifier that can be used + // to identify the serverCertificate and the privateKey (not the + // CaCertificates) associated with this server. Gateway workloads + // capable of fetching credentials from a remote credential store will + // be configured to retrive the server certificate and the private key + // using this name, instead of using the file system paths specified + // above. The semantics of the name are platform dependent. In + // Kubernetes, the default Istio supplied credentail server expects the + // credentialName to be of the form secretName.namespace, where the + // secretName is the name of the Kubernetes secret that holds the + // server certificate and the private key. + CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` // REQUIRED if mode is `MUTUAL`. The path to a file containing // certificate authority certificates to use in verifying a presented // client side certificate. 
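Review bot: The new `CredentialName` comment does not say which setting wins when `ServerCertificate`/`PrivateKey` are also set, and those two fields are still documented as REQUIRED for `SIMPLE` and `MUTUAL`. This file is generated, so the wording fix belongs in gateway.proto. The comment also allows a `secretName.namespace` form without saying whether that namespace must be the gateway workload's own. If the credential server does not restrict it, anyone who can write a Gateway resource could have the gateway serve a certificate and key from a namespace they have no access to, so the doc should state the rule the server enforces. I would add a sentence such as `// If credential_name is set, server_certificate and private_key are ignored.` (to be confirmed against the implementation) and fix the typos `retrive` and `credentail`.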
@@ -465,11 +474,11 @@ func (m *Server_TLSOptions) GetPrivateKey() string { return "" } -func (m *Server_TLSOptions) GetCredentialStore() *Server_TLSOptions_CredentialStore { +func (m *Server_TLSOptions) GetCredentialName() string { if m != nil { - return m.CredentialStore + return m.CredentialName } - return nil + return "" } func (m *Server_TLSOptions) GetCaCertificates() string { 
@@ -507,212 +516,6 @@ func (m *Server_TLSOptions) GetCipherSuites() []string { return nil } -// The file backend specifies the file system paths where the -// server's public and private keys can be obtained. -type Server_TLSOptions_CredentialStoreFileBackend struct { - // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - // holding the server-side TLS certificate to use. - ServerCertificate string `protobuf:"bytes,1,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` - // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - // holding the server's private key. - PrivateKey string `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` -} - -func (m *Server_TLSOptions_CredentialStoreFileBackend) Reset() { - *m = Server_TLSOptions_CredentialStoreFileBackend{} -} -func (m *Server_TLSOptions_CredentialStoreFileBackend) String() string { - return proto.CompactTextString(m) -} -func (*Server_TLSOptions_CredentialStoreFileBackend) ProtoMessage() {} -func (*Server_TLSOptions_CredentialStoreFileBackend) Descriptor() ([]byte, []int) { - return fileDescriptorGateway, []int{1, 0, 0} -} - -func (m *Server_TLSOptions_CredentialStoreFileBackend) GetServerCertificate() string { - if m != nil { - return m.ServerCertificate - } - return "" -} - -func (m *Server_TLSOptions_CredentialStoreFileBackend) GetPrivateKey() string { - if m != nil { - return m.PrivateKey - } - return "" -} - -// The remote backend provides information about the remote secret -// management server that contains the server's public and private keys. -type Server_TLSOptions_CredentialStoreRemoteBackend struct { - // REQUIRED the name of the resource that the credential server can - // use to identify the certificates associated with the gateway - // server. In kubernetes, this should correspond to the name of the - // secret that contains the server-side TLS certificate and the - // server's private key. 
Note that the secret should contain both the - // public and private keys associated with the server port. - // - // It is possible to use the same resourceName across several servers - // on different ports, if these servers share the same credentials. - ResourceName string `protobuf:"bytes,1,opt,name=resource_name,json=resourceName,proto3" json:"resource_name,omitempty"` - // The address where the credential store server can be reached. - // If omitted, will default to unix:/var/run/gateway/sds - ServerAddress string `protobuf:"bytes,2,opt,name=server_address,json=serverAddress,proto3" json:"server_address,omitempty"` -} - -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Reset() { - *m = Server_TLSOptions_CredentialStoreRemoteBackend{} -} -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) String() string { - return proto.CompactTextString(m) -} -func (*Server_TLSOptions_CredentialStoreRemoteBackend) ProtoMessage() {} -func (*Server_TLSOptions_CredentialStoreRemoteBackend) Descriptor() ([]byte, []int) { - return fileDescriptorGateway, []int{1, 0, 1} -} - -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) GetResourceName() string { - if m != nil { - return m.ResourceName - } - return "" -} - -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) GetServerAddress() string { - if m != nil { - return m.ServerAddress - } - return "" -} - -type Server_TLSOptions_CredentialStore struct { - // Types that are valid to be assigned to CredentialStore: - // *Server_TLSOptions_CredentialStore_Files - // *Server_TLSOptions_CredentialStore_Remote - CredentialStore isServer_TLSOptions_CredentialStore_CredentialStore `protobuf_oneof:"credential_store"` -} - -func (m *Server_TLSOptions_CredentialStore) Reset() { *m = Server_TLSOptions_CredentialStore{} } -func (m *Server_TLSOptions_CredentialStore) String() string { return proto.CompactTextString(m) } -func (*Server_TLSOptions_CredentialStore) ProtoMessage() {} -func (*Server_TLSOptions_CredentialStore) 
Descriptor() ([]byte, []int) { - return fileDescriptorGateway, []int{1, 0, 2} -} - -type isServer_TLSOptions_CredentialStore_CredentialStore interface { - isServer_TLSOptions_CredentialStore_CredentialStore() - MarshalTo([]byte) (int, error) - Size() int -} - -type Server_TLSOptions_CredentialStore_Files struct { - Files *Server_TLSOptions_CredentialStoreFileBackend `protobuf:"bytes,1,opt,name=files,oneof"` -} -type Server_TLSOptions_CredentialStore_Remote struct { - Remote *Server_TLSOptions_CredentialStoreRemoteBackend `protobuf:"bytes,2,opt,name=remote,oneof"` -} - -func (*Server_TLSOptions_CredentialStore_Files) isServer_TLSOptions_CredentialStore_CredentialStore() { -} -func (*Server_TLSOptions_CredentialStore_Remote) isServer_TLSOptions_CredentialStore_CredentialStore() { -} - -func (m *Server_TLSOptions_CredentialStore) GetCredentialStore() isServer_TLSOptions_CredentialStore_CredentialStore { - if m != nil { - return m.CredentialStore - } - return nil -} - -func (m *Server_TLSOptions_CredentialStore) GetFiles() *Server_TLSOptions_CredentialStoreFileBackend { - if x, ok := m.GetCredentialStore().(*Server_TLSOptions_CredentialStore_Files); ok { - return x.Files - } - return nil -} - -func (m *Server_TLSOptions_CredentialStore) GetRemote() *Server_TLSOptions_CredentialStoreRemoteBackend { - if x, ok := m.GetCredentialStore().(*Server_TLSOptions_CredentialStore_Remote); ok { - return x.Remote - } - return nil -} - -// XXX_OneofFuncs is for the internal use of the proto package. 
-func (*Server_TLSOptions_CredentialStore) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{}) { - return _Server_TLSOptions_CredentialStore_OneofMarshaler, _Server_TLSOptions_CredentialStore_OneofUnmarshaler, _Server_TLSOptions_CredentialStore_OneofSizer, []interface{}{ - (*Server_TLSOptions_CredentialStore_Files)(nil), - (*Server_TLSOptions_CredentialStore_Remote)(nil), - } -} - -func _Server_TLSOptions_CredentialStore_OneofMarshaler(msg proto.Message, b *proto.Buffer) error { - m := msg.(*Server_TLSOptions_CredentialStore) - // credential_store - switch x := m.CredentialStore.(type) { - case *Server_TLSOptions_CredentialStore_Files: - _ = b.EncodeVarint(1<<3 | proto.WireBytes) - if err := b.EncodeMessage(x.Files); err != nil { - return err - } - case *Server_TLSOptions_CredentialStore_Remote: - _ = b.EncodeVarint(2<<3 | proto.WireBytes) - if err := b.EncodeMessage(x.Remote); err != nil { - return err - } - case nil: - default: - return fmt.Errorf("Server_TLSOptions_CredentialStore.CredentialStore has unexpected type %T", x) - } - return nil -} - -func _Server_TLSOptions_CredentialStore_OneofUnmarshaler(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error) { - m := msg.(*Server_TLSOptions_CredentialStore) - switch tag { - case 1: // credential_store.files - if wire != proto.WireBytes { - return true, proto.ErrInternalBadWireType - } - msg := new(Server_TLSOptions_CredentialStoreFileBackend) - err := b.DecodeMessage(msg) - m.CredentialStore = &Server_TLSOptions_CredentialStore_Files{msg} - return true, err - case 2: // credential_store.remote - if wire != proto.WireBytes { - return true, proto.ErrInternalBadWireType - } - msg := new(Server_TLSOptions_CredentialStoreRemoteBackend) - err := b.DecodeMessage(msg) - m.CredentialStore = &Server_TLSOptions_CredentialStore_Remote{msg} - return true, err - default: - return false, 
nil - } -} - -func _Server_TLSOptions_CredentialStore_OneofSizer(msg proto.Message) (n int) { - m := msg.(*Server_TLSOptions_CredentialStore) - // credential_store - switch x := m.CredentialStore.(type) { - case *Server_TLSOptions_CredentialStore_Files: - s := proto.Size(x.Files) - n += proto.SizeVarint(1<<3 | proto.WireBytes) - n += proto.SizeVarint(uint64(s)) - n += s - case *Server_TLSOptions_CredentialStore_Remote: - s := proto.Size(x.Remote) - n += proto.SizeVarint(2<<3 | proto.WireBytes) - n += proto.SizeVarint(uint64(s)) - n += s - case nil: - default: - panic(fmt.Sprintf("proto: unexpected type %T in oneof", x)) - } - return n -} - // Port describes the properties of a specific port of a service. type Port struct { // REQUIRED: A valid non-negative integer port number. @@ -756,9 +559,6 @@ func init() { proto.RegisterType((*Gateway)(nil), "istio.networking.v1alpha3.Gateway") proto.RegisterType((*Server)(nil), "istio.networking.v1alpha3.Server") proto.RegisterType((*Server_TLSOptions)(nil), "istio.networking.v1alpha3.Server.TLSOptions") - proto.RegisterType((*Server_TLSOptions_CredentialStoreFileBackend)(nil), "istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend") - proto.RegisterType((*Server_TLSOptions_CredentialStoreRemoteBackend)(nil), "istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend") - proto.RegisterType((*Server_TLSOptions_CredentialStore)(nil), "istio.networking.v1alpha3.Server.TLSOptions.CredentialStore") proto.RegisterType((*Port)(nil), "istio.networking.v1alpha3.Port") proto.RegisterEnum("istio.networking.v1alpha3.Server_TLSOptions_TLSmode", Server_TLSOptions_TLSmode_name, Server_TLSOptions_TLSmode_value) proto.RegisterEnum("istio.networking.v1alpha3.Server_TLSOptions_TLSProtocol", Server_TLSOptions_TLSProtocol_name, Server_TLSOptions_TLSProtocol_value) 
@@ -963,132 +763,15 @@ func (m *Server_TLSOptions) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], s) } } - if m.CredentialStore != nil { + if len(m.CredentialName) > 0 { dAtA[i] = 0x52 i++ - i = encodeVarintGateway(dAtA, i, uint64(m.CredentialStore.Size())) - n3, err := m.CredentialStore.MarshalTo(dAtA[i:]) - if err != nil { - return 0, err - } - i += n3 - } - return i, nil -} - -func (m *Server_TLSOptions_CredentialStoreFileBackend) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalTo(dAtA) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *Server_TLSOptions_CredentialStoreFileBackend) MarshalTo(dAtA []byte) (int, error) { - var i int - _ = i - var l int - _ = l - if len(m.ServerCertificate) > 0 { - dAtA[i] = 0xa - i++ - i = encodeVarintGateway(dAtA, i, uint64(len(m.ServerCertificate))) - i += copy(dAtA[i:], m.ServerCertificate) - } - if len(m.PrivateKey) > 0 { - dAtA[i] = 0x12 - i++ - i = encodeVarintGateway(dAtA, i, uint64(len(m.PrivateKey))) - i += copy(dAtA[i:], m.PrivateKey) - } - return i, nil -} - -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalTo(dAtA) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) MarshalTo(dAtA []byte) (int, error) { - var i int - _ = i - var l int - _ = l - if len(m.ResourceName) > 0 { - dAtA[i] = 0xa - i++ - i = encodeVarintGateway(dAtA, i, uint64(len(m.ResourceName))) - i += copy(dAtA[i:], m.ResourceName) - } - if len(m.ServerAddress) > 0 { - dAtA[i] = 0x12 - i++ - i = encodeVarintGateway(dAtA, i, uint64(len(m.ServerAddress))) - i += copy(dAtA[i:], m.ServerAddress) - } - return i, nil -} - -func (m *Server_TLSOptions_CredentialStore) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalTo(dAtA) - if 
err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *Server_TLSOptions_CredentialStore) MarshalTo(dAtA []byte) (int, error) { - var i int - _ = i - var l int - _ = l - if m.CredentialStore != nil { - nn4, err := m.CredentialStore.MarshalTo(dAtA[i:]) - if err != nil { - return 0, err - } - i += nn4 + i = encodeVarintGateway(dAtA, i, uint64(len(m.CredentialName))) + i += copy(dAtA[i:], m.CredentialName) } return i, nil } -func (m *Server_TLSOptions_CredentialStore_Files) MarshalTo(dAtA []byte) (int, error) { - i := 0 - if m.Files != nil { - dAtA[i] = 0xa - i++ - i = encodeVarintGateway(dAtA, i, uint64(m.Files.Size())) - n5, err := m.Files.MarshalTo(dAtA[i:]) - if err != nil { - return 0, err - } - i += n5 - } - return i, nil -} -func (m *Server_TLSOptions_CredentialStore_Remote) MarshalTo(dAtA []byte) (int, error) { - i := 0 - if m.Remote != nil { - dAtA[i] = 0x12 - i++ - i = encodeVarintGateway(dAtA, i, uint64(m.Remote.Size())) - n6, err := m.Remote.MarshalTo(dAtA[i:]) - if err != nil { - return 0, err - } - i += n6 - } - return i, nil -} func (m *Port) Marshal() (dAtA []byte, err error) { size := m.Size() dAtA = make([]byte, size) 
@@ -1220,68 +903,13 @@ func (m *Server_TLSOptions) Size() (n int) { n += 1 + l + sovGateway(uint64(l)) } } - if m.CredentialStore != nil { - l = m.CredentialStore.Size() - n += 1 + l + sovGateway(uint64(l)) - } - return n -} - -func (m *Server_TLSOptions_CredentialStoreFileBackend) Size() (n int) { - var l int - _ = l - l = len(m.ServerCertificate) - if l > 0 { - n += 1 + l + sovGateway(uint64(l)) - } - l = len(m.PrivateKey) - if l > 0 { - n += 1 + l + sovGateway(uint64(l)) - } - return n -} - -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Size() (n int) { - var l int - _ = l - l = len(m.ResourceName) - if l > 0 { - n += 1 + l + sovGateway(uint64(l)) - } - l = len(m.ServerAddress) + l = len(m.CredentialName) if l > 0 { n += 1 + l + sovGateway(uint64(l)) } return n } -func (m *Server_TLSOptions_CredentialStore) Size() (n int) { - var l int - _ = l - if m.CredentialStore != nil { - n += m.CredentialStore.Size() - } - return n -} - -func (m *Server_TLSOptions_CredentialStore_Files) Size() (n int) { - var l int - _ = l - if m.Files != nil { - l = m.Files.Size() - n += 1 + l + sovGateway(uint64(l)) - } - return n -} -func (m *Server_TLSOptions_CredentialStore_Remote) Size() (n int) { - var l int - _ = l - if m.Remote != nil { - l = m.Remote.Size() - n += 1 + l + sovGateway(uint64(l)) - } - return n -} func (m *Port) Size() (n int) { var l int _ = l @@ -1967,9 +1595,9 @@ func (m *Server_TLSOptions) Unmarshal(dAtA []byte) error { iNdEx = postIndex case 10: if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field CredentialStore", wireType) + return fmt.Errorf("proto: wrong wireType = %d for field CredentialName", wireType) } - var msglen int + var stringLen uint64 for shift := uint(0); ; shift += 7 { if shift >= 64 { return ErrIntOverflowGateway 
@@ -1979,354 +1607,20 @@ func (m *Server_TLSOptions) Unmarshal(dAtA []byte) error { } b := dAtA[iNdEx] iNdEx++ - msglen |= (int(b) & 0x7F) << shift + stringLen |= (uint64(b) & 0x7F) << shift if b < 0x80 { break } } - if msglen < 0 { + intStringLen := int(stringLen) + if intStringLen < 0 { return ErrInvalidLengthGateway } - postIndex := iNdEx + msglen + postIndex := iNdEx + intStringLen if postIndex > l { return io.ErrUnexpectedEOF } - if m.CredentialStore == nil { - m.CredentialStore = &Server_TLSOptions_CredentialStore{} - } - if err := m.CredentialStore.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipGateway(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthGateway - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *Server_TLSOptions_CredentialStoreFileBackend) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: CredentialStoreFileBackend: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: CredentialStoreFileBackend: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ServerCertificate", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b 
:= dAtA[iNdEx] - iNdEx++ - stringLen |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthGateway - } - postIndex := iNdEx + intStringLen - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.ServerCertificate = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field PrivateKey", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthGateway - } - postIndex := iNdEx + intStringLen - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.PrivateKey = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipGateway(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthGateway - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *Server_TLSOptions_CredentialStoreRemoteBackend) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: CredentialStoreRemoteBackend: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: CredentialStoreRemoteBackend: illegal 
tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ResourceName", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthGateway - } - postIndex := iNdEx + intStringLen - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.ResourceName = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field ServerAddress", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthGateway - } - postIndex := iNdEx + intStringLen - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.ServerAddress = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipGateway(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthGateway - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *Server_TLSOptions_CredentialStore) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - 
iNdEx++ - wire |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: CredentialStore: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: CredentialStore: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Files", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= (int(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthGateway - } - postIndex := iNdEx + msglen - if postIndex > l { - return io.ErrUnexpectedEOF - } - v := &Server_TLSOptions_CredentialStoreFileBackend{} - if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - m.CredentialStore = &Server_TLSOptions_CredentialStore_Files{v} - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Remote", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowGateway - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= (int(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthGateway - } - postIndex := iNdEx + msglen - if postIndex > l { - return io.ErrUnexpectedEOF - } - v := &Server_TLSOptions_CredentialStoreRemoteBackend{} - if err := v.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - m.CredentialStore = &Server_TLSOptions_CredentialStore_Remote{v} + m.CredentialName = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex default: iNdEx = preIndex 
@@ -2584,57 +1878,48 @@ var ( func init() { proto.RegisterFile("networking/v1alpha3/gateway.proto", fileDescriptorGateway) } var fileDescriptorGateway = []byte{ - // 823 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x55, 0x5d, 0x4f, 0x1b, 0x47, - 0x14, 0x65, 0x6d, 0x63, 0xec, 0x6b, 0x8c, 0x37, 0x23, 0x54, 0x6d, 0xad, 0x8a, 0x10, 0xa3, 0xaa, - 0x69, 0xd5, 0x2e, 0xc1, 0xf4, 0x21, 0x6a, 0xaa, 0x4a, 0x26, 0xa2, 0x38, 0xaa, 0x13, 0xd0, 0xac, - 0xc9, 0x43, 0x5f, 0x56, 0xc3, 0xee, 0x00, 0x03, 0xeb, 0x9d, 0xd5, 0xcc, 0x98, 0x84, 0x7f, 0x98, - 0xc7, 0xf6, 0x1f, 0x54, 0xbc, 0xf6, 0xb1, 0x7f, 0xa0, 0x9a, 0x0f, 0x7f, 0xe0, 0x50, 0x2a, 0xc4, - 0xdb, 0xdc, 0x33, 0xf7, 0x9e, 0x7b, 0xf7, 0xcc, 0x99, 0x59, 0x78, 0x96, 0x53, 0xf5, 0x81, 0x8b, - 0x4b, 0x96, 0x9f, 0x6d, 0x5f, 0xed, 0x90, 0xac, 0x38, 0x27, 0xbb, 0xdb, 0x67, 0x44, 0xd1, 0x0f, - 0xe4, 0x3a, 0x2c, 0x04, 0x57, 0x1c, 0x7d, 0xc9, 0xa4, 0x62, 0x3c, 0x9c, 0x25, 0x86, 0x93, 0xc4, - 0xce, 0x9f, 0x1e, 0xac, 0x1c, 0xd8, 0x64, 0xf4, 0x0a, 0x56, 0x24, 0x15, 0x57, 0x54, 0xc8, 0xc0, - 0xdb, 0x2c, 0x3f, 0x6f, 0x74, 0x9f, 0x85, 0xff, 0x59, 0x18, 0x46, 0x26, 0x13, 0x4f, 0x2a, 0xd0, - 0x00, 0x6a, 0x92, 0x66, 0x34, 0x51, 0x5c, 0x04, 0x25, 0x53, 0xfd, 0xe2, 0x9e, 0x6a, 0xd7, 0x32, - 0x8c, 0x5c, 0xc9, 0x7e, 0xae, 0xc4, 0x35, 0x9e, 0x32, 0xb4, 0x5f, 0x41, 0xf3, 0xd6, 0x16, 0xf2, - 0xa1, 0x7c, 0x49, 0xaf, 0x03, 0x6f, 0xd3, 0x7b, 0x5e, 0xc7, 0x7a, 0x89, 0xd6, 0x61, 0xf9, 0x8a, - 0x64, 0x63, 0x1a, 0x94, 0x0c, 0x66, 0x83, 0x9f, 0x4a, 0x2f, 0xbd, 0xce, 0xa7, 0x06, 0x54, 0xed, - 0x78, 0x68, 0x17, 0x2a, 0x05, 0x17, 0xca, 0xd4, 0x35, 0xba, 0x4f, 0xef, 0x99, 0xe8, 0x88, 0x0b, - 0x85, 0x4d, 0xb2, 0x66, 0x3e, 0xe7, 0x52, 0x49, 0xf3, 0x1d, 0x75, 0x6c, 0x03, 0xf4, 0x0b, 0x94, - 0x55, 0x26, 0x83, 0xb2, 0x61, 0xfa, 0xfe, 0x7f, 0x95, 0x09, 0x87, 0x83, 0xe8, 0xb0, 0x50, 0x8c, - 0xe7, 0x12, 0xeb, 0x42, 0x84, 0xa0, 0x72, 0xc2, 0xf2, 0x34, 0xa8, 0x98, 0x71, 0xcd, 0x1a, 0x7d, - 0x0b, 0x7e, 0x4a, 0x4f, 
0xc9, 0x38, 0x53, 0x31, 0xcd, 0xd3, 0x82, 0xb3, 0x5c, 0x05, 0xcb, 0x66, - 0xbf, 0xe5, 0xf0, 0x7d, 0x07, 0xb7, 0xff, 0xa9, 0x03, 0xcc, 0x28, 0xd1, 0xd7, 0xb0, 0x76, 0xae, - 0x54, 0x21, 0x63, 0x41, 0x53, 0x26, 0x68, 0x62, 0x3f, 0xb1, 0x86, 0x9b, 0x06, 0xc5, 0x0e, 0x44, - 0x7d, 0xa8, 0x8c, 0x78, 0x6a, 0x35, 0x5a, 0xeb, 0xfe, 0xf8, 0x90, 0xa9, 0xf5, 0x52, 0xd7, 0x62, - 0xc3, 0x80, 0x76, 0x00, 0xd9, 0xa3, 0x8e, 0x13, 0x2a, 0x14, 0x3b, 0x65, 0x09, 0x51, 0xd4, 0xa8, - 0x51, 0xdf, 0x2b, 0x05, 0x1e, 0x7e, 0x62, 0x77, 0x5f, 0xcf, 0x36, 0xd1, 0x16, 0x34, 0x0a, 0xc1, - 0xae, 0x88, 0xa2, 0xb1, 0x3e, 0xbb, 0xca, 0x34, 0x17, 0x1c, 0xfc, 0x1b, 0xbd, 0x46, 0xdf, 0x40, - 0x2b, 0x21, 0xf3, 0x9c, 0xd2, 0x29, 0xb0, 0x96, 0x90, 0x39, 0x32, 0x89, 0xbe, 0x83, 0x27, 0x72, - 0x7c, 0x72, 0x41, 0x13, 0x15, 0x93, 0x4c, 0xc5, 0x39, 0x19, 0x51, 0x19, 0x54, 0xcd, 0x09, 0xb5, - 0xdc, 0x46, 0x2f, 0x53, 0xef, 0x34, 0x8c, 0x2e, 0x60, 0x7d, 0xc4, 0xf2, 0xd8, 0xb8, 0x3f, 0xe1, - 0x59, 0xac, 0x1d, 0xca, 0x78, 0x1e, 0xac, 0x18, 0x19, 0x5e, 0x3e, 0x54, 0x86, 0x23, 0xc7, 0x83, - 0xd1, 0x88, 0xe5, 0x93, 0xe0, 0xbd, 0xe5, 0x34, 0xbd, 0xc8, 0xc7, 0xcf, 0x7b, 0xd5, 0x1e, 0xdd, - 0x8b, 0x7c, 0x5c, 0xec, 0xb5, 0x05, 0xcd, 0x84, 0x15, 0xe7, 0x54, 0xc4, 0x72, 0xcc, 0xb4, 0x54, - 0x75, 0xf3, 0xfd, 0xab, 0x16, 0x8c, 0x0c, 0x86, 0xce, 0xc0, 0x4f, 0x04, 0x4d, 0x69, 0xae, 0x18, - 0xc9, 0x62, 0xa9, 0xb8, 0xa0, 0x01, 0x18, 0xd7, 0xfe, 0xfc, 0xa0, 0x61, 0x5e, 0x4f, 0x49, 0x22, - 0xcd, 0x81, 0x5b, 0xc9, 0x6d, 0xa0, 0x9d, 0x41, 0x7b, 0x21, 0xe7, 0x57, 0x96, 0xd1, 0x3d, 0x92, - 0x5c, 0xd2, 0x3c, 0x45, 0x3f, 0xdc, 0x69, 0x18, 0x7b, 0x81, 0xef, 0x30, 0xcb, 0xd3, 0xdb, 0x66, - 0xb1, 0x97, 0x7a, 0xce, 0x28, 0xed, 0x0b, 0xf8, 0x6a, 0x71, 0x22, 0x3a, 0xe2, 0x6a, 0xda, 0x6f, - 0x0b, 0x9a, 0x82, 0x4a, 0x3e, 0x16, 0x09, 0x35, 0xe6, 0x70, 0xad, 0x56, 0x27, 0xa0, 0x76, 0x86, - 0xbe, 0x36, 0x6e, 0x28, 0x92, 0xa6, 0x82, 0x4a, 0xe9, 0x1a, 0x35, 0x2d, 0xda, 0xb3, 0x60, 0xfb, - 0x6f, 0x0f, 0x5a, 0x0b, 0xcd, 0x50, 0x0c, 0xcb, 0xa7, 0x2c, 
0xa3, 0xd2, 0xbd, 0x25, 0x07, 0x8f, - 0xd1, 0x72, 0x4e, 0xa7, 0xfe, 0x12, 0xb6, 0xbc, 0x28, 0x81, 0xaa, 0x30, 0x5f, 0x64, 0x66, 0x6a, - 0x74, 0xdf, 0x3c, 0xea, 0xb4, 0xe6, 0xb5, 0xe9, 0x2f, 0x61, 0x47, 0xbd, 0x87, 0x3e, 0x37, 0x47, - 0xa7, 0x0f, 0x2b, 0xee, 0xae, 0xa3, 0x16, 0x34, 0x8e, 0x7a, 0x51, 0x34, 0xec, 0xe3, 0xc3, 0xe3, - 0x83, 0xbe, 0xbf, 0x84, 0x00, 0xaa, 0xd1, 0x9b, 0xb7, 0x47, 0x83, 0x7d, 0xdf, 0xd3, 0xeb, 0xb7, - 0xc7, 0xc3, 0xe3, 0xde, 0xc0, 0x2f, 0xa1, 0x75, 0xf0, 0x7b, 0xc7, 0xc3, 0xc3, 0x78, 0x3e, 0xbb, - 0xdc, 0x39, 0x84, 0xc6, 0x9c, 0x85, 0xd1, 0x2a, 0xd4, 0x86, 0x83, 0x28, 0xd6, 0x89, 0xfe, 0x12, - 0x6a, 0x98, 0x36, 0xef, 0x77, 0xe2, 0x17, 0xbe, 0x37, 0x0b, 0x76, 0xfc, 0xd2, 0x2c, 0xe8, 0xfa, - 0xe5, 0x59, 0xb0, 0xeb, 0x57, 0x3a, 0xef, 0xa0, 0xa2, 0x1f, 0x66, 0xf4, 0x05, 0x54, 0xf3, 0xf1, - 0xe8, 0x84, 0x0a, 0xa3, 0x7e, 0x13, 0xbb, 0x08, 0xb5, 0xa1, 0x36, 0xb9, 0x78, 0xee, 0x24, 0xa7, - 0xb1, 0x7e, 0x70, 0x8d, 0x0f, 0xca, 0xf6, 0xc1, 0xd5, 0xeb, 0xbd, 0xf0, 0xd3, 0xcd, 0x86, 0xf7, - 0xc7, 0xcd, 0x86, 0xf7, 0xd7, 0xcd, 0x86, 0xf7, 0xfb, 0xa6, 0x15, 0x98, 0xf1, 0x6d, 0x52, 0xb0, - 0xed, 0x3b, 0xfe, 0xa3, 0x27, 0x55, 0xc3, 0xb6, 0xfb, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x2a, - 0x72, 0x94, 0xd5, 0x65, 0x07, 0x00, 0x00, + // 674 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x54, 0xdb, 0x4e, 0xdb, 0x4c, + 0x10, 0xc6, 0x49, 0xc8, 0x61, 0x42, 0x88, 0x59, 0xa1, 0x5f, 0xfe, 0xb9, 0xe0, 0x90, 0xaa, 0x2a, + 0xad, 0x5a, 0x07, 0x92, 0x5e, 0xa0, 0x22, 0x55, 0x4a, 0x2b, 0x44, 0xaa, 0x06, 0x12, 0xd9, 0x09, + 0x17, 0xbd, 0xb1, 0x36, 0xce, 0x42, 0x16, 0x1c, 0xaf, 0xb5, 0xbb, 0x09, 0xe4, 0xcd, 0xfa, 0x08, + 0xbd, 0x6c, 0xdf, 0xa0, 0xa2, 0x2f, 0x52, 0xed, 0xda, 0x21, 0xe9, 0x89, 0x0a, 0xf5, 0x6e, 0xe6, + 0x9b, 0x99, 0x6f, 0x66, 0xbe, 0x59, 0x1b, 0x76, 0x42, 0x22, 0xaf, 0x19, 0xbf, 0xa2, 0xe1, 0x45, + 0x75, 0xb2, 0x8f, 0x83, 0x68, 0x88, 0xeb, 0xd5, 0x0b, 0x2c, 0xc9, 0x35, 0x9e, 0xda, 0x11, 0x67, + 0x92, 
0xa1, 0xff, 0xa9, 0x90, 0x94, 0xd9, 0xf3, 0x44, 0x7b, 0x96, 0x58, 0xf9, 0x62, 0x40, 0xee, + 0x38, 0x4e, 0x46, 0x87, 0x90, 0x13, 0x84, 0x4f, 0x08, 0x17, 0x96, 0xb1, 0x9d, 0xde, 0x2d, 0xd6, + 0x76, 0xec, 0x3f, 0x16, 0xda, 0xae, 0xce, 0x74, 0x66, 0x15, 0xa8, 0x05, 0x79, 0x41, 0x02, 0xe2, + 0x4b, 0xc6, 0xad, 0x94, 0xae, 0xde, 0xbb, 0xa7, 0x3a, 0x69, 0x69, 0xbb, 0x49, 0xc9, 0x51, 0x28, + 0xf9, 0xd4, 0xb9, 0x63, 0xd8, 0x38, 0x84, 0xd2, 0x0f, 0x21, 0x64, 0x42, 0xfa, 0x8a, 0x4c, 0x2d, + 0x63, 0xdb, 0xd8, 0x2d, 0x38, 0xca, 0x44, 0xeb, 0xb0, 0x3c, 0xc1, 0xc1, 0x98, 0x58, 0x29, 0x8d, + 0xc5, 0xce, 0xab, 0xd4, 0x81, 0x51, 0xf9, 0x98, 0x83, 0x6c, 0x3c, 0x1e, 0xaa, 0x43, 0x26, 0x62, + 0x5c, 0xea, 0xba, 0x62, 0x6d, 0xeb, 0x9e, 0x89, 0x3a, 0x8c, 0x4b, 0x47, 0x27, 0x2b, 0xe6, 0x21, + 0x13, 0x52, 0xe8, 0x3d, 0x0a, 0x4e, 0xec, 0xa0, 0xd7, 0x90, 0x96, 0x81, 0xb0, 0xd2, 0x9a, 0xe9, + 0xf9, 0x5f, 0x95, 0xb1, 0xbb, 0x2d, 0xb7, 0x1d, 0x49, 0xca, 0x42, 0xe1, 0xa8, 0x42, 0x84, 0x20, + 0xd3, 0xa7, 0xe1, 0xc0, 0xca, 0xe8, 0x71, 0xb5, 0x8d, 0x9e, 0x82, 0x39, 0x20, 0xe7, 0x78, 0x1c, + 0x48, 0x8f, 0x84, 0x83, 0x88, 0xd1, 0x50, 0x5a, 0xcb, 0x3a, 0x5e, 0x4e, 0xf0, 0xa3, 0x04, 0xde, + 0xf8, 0xb6, 0x0c, 0x30, 0xa7, 0x44, 0x8f, 0x61, 0x75, 0x28, 0x65, 0x24, 0x3c, 0x4e, 0x06, 0x94, + 0x13, 0x3f, 0x5e, 0x31, 0xef, 0x94, 0x34, 0xea, 0x24, 0x20, 0x6a, 0x42, 0x66, 0xc4, 0x06, 0xb1, + 0x46, 0xab, 0xb5, 0x97, 0x0f, 0x99, 0x5a, 0x99, 0xaa, 0xd6, 0xd1, 0x0c, 0xe8, 0x05, 0xa0, 0xf8, + 0xd4, 0x9e, 0x4f, 0xb8, 0xa4, 0xe7, 0xd4, 0xc7, 0x92, 0x68, 0x35, 0x0a, 0xce, 0x5a, 0x1c, 0x79, + 0x3b, 0x0f, 0xa0, 0x2d, 0x28, 0x46, 0x9c, 0x4e, 0xb0, 0x24, 0x9e, 0xba, 0x5b, 0xbc, 0x34, 0x24, + 0xd0, 0x7b, 0x32, 0x45, 0x4f, 0xa0, 0xec, 0xe3, 0x45, 0x2e, 0x91, 0x6c, 0xbe, 0xea, 0xe3, 0x05, + 0x22, 0x81, 0x9e, 0xc1, 0x9a, 0x18, 0xf7, 0x2f, 0x89, 0x2f, 0x3d, 0x1c, 0x48, 0x2f, 0xc4, 0x23, + 0x22, 0xac, 0xac, 0xbe, 0x4c, 0x39, 0x09, 0x34, 0x02, 0x79, 0xaa, 0x60, 0x74, 0x09, 0xeb, 0x23, + 0x1a, 0x7a, 0xfa, 0xd5, 0xfb, 0x2c, 0xf0, 
0xd4, 0xcb, 0xa4, 0x2c, 0xb4, 0x72, 0x7a, 0xfd, 0x83, + 0x87, 0xae, 0xdf, 0x49, 0x78, 0x1c, 0x34, 0xa2, 0xe1, 0xcc, 0x39, 0x8b, 0x39, 0x75, 0x2f, 0x7c, + 0xf3, 0x6b, 0xaf, 0xfc, 0x3f, 0xf7, 0xc2, 0x37, 0x3f, 0xf7, 0x7a, 0x04, 0x25, 0x9f, 0x46, 0x43, + 0xc2, 0x3d, 0x31, 0xa6, 0x4a, 0xaa, 0x82, 0xde, 0x7f, 0x25, 0x06, 0x5d, 0x8d, 0x69, 0x45, 0x39, + 0x19, 0x90, 0x50, 0x52, 0x1c, 0x68, 0x9d, 0x2c, 0x48, 0x14, 0xbd, 0x83, 0x95, 0x4c, 0x95, 0x26, + 0xe4, 0x92, 0xdb, 0xa2, 0x32, 0x14, 0x3b, 0x0d, 0xd7, 0xed, 0x36, 0x9d, 0x76, 0xef, 0xb8, 0x69, + 0x2e, 0x21, 0x80, 0xac, 0xfb, 0xee, 0xa4, 0xd3, 0x3a, 0x32, 0x0d, 0x65, 0x9f, 0xf4, 0xba, 0xbd, + 0x46, 0xcb, 0x4c, 0xa1, 0x75, 0x30, 0x1b, 0xbd, 0x6e, 0xdb, 0x5b, 0xcc, 0x4e, 0x57, 0xda, 0x50, + 0x5c, 0x18, 0x1d, 0xad, 0x40, 0xbe, 0xdb, 0x72, 0x3d, 0x95, 0x68, 0x2e, 0xa1, 0xa2, 0x6e, 0x73, + 0xb6, 0xef, 0xed, 0x99, 0xc6, 0xdc, 0xd9, 0x37, 0x53, 0x73, 0xa7, 0x66, 0xa6, 0xe7, 0x4e, 0xdd, + 0xcc, 0x54, 0x4e, 0x21, 0xa3, 0x3e, 0x44, 0xf4, 0x1f, 0x64, 0xc3, 0xf1, 0xa8, 0x4f, 0xb8, 0x7e, + 0xd6, 0x25, 0x27, 0xf1, 0xd0, 0x06, 0xe4, 0x67, 0x82, 0x27, 0xdf, 0xfd, 0x9d, 0xaf, 0x3e, 0x30, + 0xbd, 0x74, 0xfc, 0x26, 0xb5, 0xfd, 0xc6, 0xfe, 0x74, 0xbb, 0x69, 0x7c, 0xbe, 0xdd, 0x34, 0xbe, + 0xde, 0x6e, 0x1a, 0x1f, 0xb6, 0xe3, 0x9b, 0x50, 0x56, 0xc5, 0x11, 0xad, 0xfe, 0xe6, 0xbf, 0xd9, + 0xcf, 0x6a, 0xb6, 0xfa, 0xf7, 0x00, 0x00, 0x00, 0xff, 0xff, 0xaa, 0xbd, 0x84, 0xff, 0x55, 0x05, + 0x00, 0x00, } diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 0b4bd9bff8..e7e615b4cd 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto 
@@ -291,55 +291,26 @@ message Server { // enforced. TLSmode mode = 2; - // The file backend specifies the file system paths where the - // server's public and private keys can be obtained. - message CredentialStoreFileBackend { - // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - // holding the server-side TLS certificate to use. - string server_certificate = 1; - - // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - // holding the server's private key. - string private_key = 2; - }; - - // The remote backend provides information about the remote secret - // management server that contains the server's public and private keys. - message CredentialStoreRemoteBackend { - // REQUIRED the name of the resource that the credential server can - // use to identify the certificates associated with the gateway - // server. In kubernetes, this should correspond to the name of the - // secret that contains the server-side TLS certificate and the - // server's private key. Note that the secret should contain both the - // public and private keys associated with the server port. - // - // It is possible to use the same resourceName across several servers - // on different ports, if these servers share the same credentials. - string resource_name = 1; - - // The address where the credential store server can be reached. - // If omitted, will default to unix:/var/run/gateway/sds - string server_address = 2; - }; - // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server-side TLS certificate to use. - // Deprecated. Use - string server_certificate = 3 [deprecated=true]; + string server_certificate = 3; // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server's private key. 
- string private_key = 4 [deprecated=true]; - - message CredentialStore { - oneof credential_store { - CredentialStoreFileBackend files = 1; - CredentialStoreRemoteBackend remote = 2; - } - } - - // REQUIRED if the mode is `SIMPLE` or `MUTUAL`. - CredentialStore credential_store = 10; + string private_key = 4; + + // The credentialName stands for a unique identifier that can be used + // to identify the serverCertificate and the privateKey (not the + // CaCertificates) associated with this server. Gateway workloads + // capable of fetching credentials from a remote credential store will + // be configured to retrive the server certificate and the private key + // using this name, instead of using the file system paths specified + // above. The semantics of the name are platform dependent. In + // Kubernetes, the default Istio supplied credentail server expects the + // credentialName to be of the form secretName.namespace, where the + // secretName is the name of the Kubernetes secret that holds the + // server certificate and the private key. + string credential_name = 10; // REQUIRED if mode is `MUTUAL`. The path to a file containing // certificate authority certificates to use in verifying a presented diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index aff9a57773..8238f66b00 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs aliases: - /docs/reference/config/istio.routing.v1alpha1/ -number_of_entries: 63 +number_of_entries: 60 ---
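Review bot: The new `credential_name` comment in gateway.proto does not say what happens when `credential_name` is set together with `server_certificate` and `private_key`. Those two fields keep their "REQUIRED if mode is `SIMPLE` or `MUTUAL`" wording, while the new text says the name is used "instead of" the file system paths. This decides which private key a gateway ends up serving, so the comment should state the precedence and relax the REQUIRED wording, for example `// If set, credential_name takes precedence over server_certificate and private_key, which may then be left empty.` (to be confirmed against the gateway implementation, which this patch does not show). The comment also has two typos, `retrive` and `credentail`, which are copied into the generated gateway.pb.go and .pb.html. The `TLSOptions` message starts and ends outside the hunk.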

Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

@@ -2928,17 +2928,16 @@

Server.TLSOptions

-
+ - + - - - + + + @@ -2997,109 +3006,6 @@

Server.TLSOptions

Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy.

- - - -
FieldTypeDescription
resourceNamestring +

REQUIRED the name of the resource that the credential server can +use to identify the certificates associated with the gateway +server. In kubernetes, this should correspond to the name of the +secret that contains the server-side TLS certificate and the +server’s private key. Note that the secret should contain both the +public and private keys associated with the server port.

+ +

It is possible to use the same resourceName across several servers +on different ports, if these servers share the same credentials.

+ +
serverAddress string -

Optional: If specified, the gateway controllers (with SDS enabled) -use the specified name as the SDS secret config name to call the SDS -server, to retrieve the key and certificates. Otherwise, the gateway -controllers (with SDS enabled) use the first value in the hosts as -the SDS secret config name to call the SDS server.

+

The address where the credential store server can be reached. +If omitted, will default to unix:/var/run/gateway/sds

serverCertificate string

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server-side TLS certificate to use. -Deprecated. Use

+holding the server-side TLS certificate to use.

privateKey string @@ -2947,11 +2946,21 @@

Server.TLSOptions

credentialStoreServer.TLSOptions.CredentialStore
credentialNamestring -

REQUIRED if the mode is SIMPLE or MUTUAL.

+

The credentialName stands for a unique identifier that can be used +to identify the serverCertificate and the privateKey (not the +CaCertificates) associated with this server. Gateway workloads +capable of fetching credentials from a remote credential store will +be configured to retrive the server certificate and the private key +using this name, instead of using the file system paths specified +above. The semantics of the name are platform dependent. In +Kubernetes, the default Istio supplied credentail server expects the +credentialName to be of the form secretName.namespace, where the +secretName is the name of the Kubernetes secret that holds the +server certificate and the private key.

-
-

Server.TLSOptions.CredentialStore

-
- - - - - - - - - - - - - - - - - - - - -
FieldTypeDescription
filesServer.TLSOptions.CredentialStoreFileBackend (oneof) -
remoteServer.TLSOptions.CredentialStoreRemoteBackend (oneof) -
-
-

Server.TLSOptions.CredentialStoreFileBackend

-
-

The file backend specifies the file system paths where the -server’s public and private keys can be obtained.

- - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescription
serverCertificatestring -

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server-side TLS certificate to use.

- -
privateKeystring -

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file -holding the server’s private key.

- -
-
-

Server.TLSOptions.CredentialStoreRemoteBackend

-
-

The remote backend provides information about the remote secret -management server that contains the server’s public and private keys.

- - - - - - - - - - - - - - - - - - - diff --git a/proto.lock b/proto.lock index 9e9564c6e6..6c536869ee 100644 --- a/proto.lock +++ b/proto.lock @@ -3320,8 +3320,8 @@ }, { "id": 10, - "name": "credential_store", - "type": "CredentialStore" + "name": "credential_name", + "type": "string" }, { "id": 5, @@ -3350,53 +3350,6 @@ "type": "string", "is_repeated": true } - ], - "messages": [ - { - "name": "CredentialStoreFileBackend", - "fields": [ - { - "id": 1, - "name": "server_certificate", - "type": "string" - }, - { - "id": 2, - "name": "private_key", - "type": "string" - } - ] - }, - { - "name": "CredentialStoreRemoteBackend", - "fields": [ - { - "id": 1, - "name": "resource_name", - "type": "string" - }, - { - "id": 2, - "name": "server_address", - "type": "string" - } - ] - }, - { - "name": "CredentialStore", - "fields": [ - { - "id": 1, - "name": "files", - "type": "CredentialStoreFileBackend" - }, - { - "id": 2, - "name": "remote", - "type": "CredentialStoreRemoteBackend" - } - ] - } ] } ] diff --git a/python/istio_api/networking/v1alpha3/gateway_pb2.py b/python/istio_api/networking/v1alpha3/gateway_pb2.py index d1b5d6b3f2..974e685697 100644 --- a/python/istio_api/networking/v1alpha3/gateway_pb2.py +++ b/python/istio_api/networking/v1alpha3/gateway_pb2.py 
@@ -19,7 +19,7 @@ name='networking/v1alpha3/gateway.proto', package='istio.networking.v1alpha3', syntax='proto3', - serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xb8\t\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\x8c\x08\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1e\n\x12server_certificate\x18\x03 \x01(\tB\x02\x18\x01\x12\x17\n\x0bprivate_key\x18\x04 \x01(\tB\x02\x18\x01\x12V\n\x10\x63redential_store\x18\n \x01(\x0b\x32<.istio.networking.v1alpha3.Server.TLSOptions.CredentialStore\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\x1aM\n\x1a\x43redentialStoreFileBackend\x12\x1a\n\x12server_certificate\x18\x01 \x01(\t\x12\x13\n\x0bprivate_key\x18\x02 \x01(\t\x1aM\n\x1c\x43redentialStoreRemoteBackend\x12\x15\n\rresource_name\x18\x01 \x01(\t\x12\x16\n\x0eserver_address\x18\x02 \x01(\t\x1a\xdc\x01\n\x0f\x43redentialStore\x12X\n\x05\x66iles\x18\x01 \x01(\x0b\x32G.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackendH\x00\x12[\n\x06remote\x18\x02 
\x01(\x0b\x32I.istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackendH\x00\x42\x12\n\x10\x63redential_store\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') + serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xf4\x05\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\xc8\x04\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x12\x17\n\x0f\x63redential_name\x18\n \x01(\t\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t 
\x03(\t\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') ) @@ -49,8 +49,8 @@ ], containing_type=None, options=None, - serialized_start=1301, - serialized_end=1373, + serialized_start=849, + serialized_end=921, ) _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSMODE) @@ -83,8 +83,8 @@ ], containing_type=None, options=None, - serialized_start=1375, - serialized_end=1454, + serialized_start=923, + serialized_end=1002, ) _sym_db.RegisterEnumDescriptor(_SERVER_TLSOPTIONS_TLSPROTOCOL) 
@@ -164,120 +164,6 @@ ) -_SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND = _descriptor.Descriptor( - name='CredentialStoreFileBackend', - full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='server_certificate', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend.server_certificate', index=0, - number=1, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='private_key', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend.private_key', index=1, - number=2, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=920, - serialized_end=997, -) - -_SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND = _descriptor.Descriptor( - name='CredentialStoreRemoteBackend', - full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='resource_name', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend.resource_name', index=0, - number=1, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), 
- _descriptor.FieldDescriptor( - name='server_address', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend.server_address', index=1, - number=2, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=999, - serialized_end=1076, -) - -_SERVER_TLSOPTIONS_CREDENTIALSTORE = _descriptor.Descriptor( - name='CredentialStore', - full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='files', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.files', index=0, - number=1, type=11, cpp_type=10, label=1, - has_default_value=False, default_value=None, - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='remote', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.remote', index=1, - number=2, type=11, cpp_type=10, label=1, - has_default_value=False, default_value=None, - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - _descriptor.OneofDescriptor( - name='credential_store', full_name='istio.networking.v1alpha3.Server.TLSOptions.CredentialStore.credential_store', - index=0, containing_type=None, fields=[]), - ], - serialized_start=1079, - serialized_end=1299, -) - 
_SERVER_TLSOPTIONS = _descriptor.Descriptor( name='TLSOptions', full_name='istio.networking.v1alpha3.Server.TLSOptions', @@ -305,18 +191,18 @@ has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, - options=_descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')), file=DESCRIPTOR), + options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( name='private_key', full_name='istio.networking.v1alpha3.Server.TLSOptions.private_key', index=3, number=4, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, - options=_descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')), file=DESCRIPTOR), + options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='credential_store', full_name='istio.networking.v1alpha3.Server.TLSOptions.credential_store', index=4, - number=10, type=11, cpp_type=10, label=1, - has_default_value=False, default_value=None, + name='credential_name', full_name='istio.networking.v1alpha3.Server.TLSOptions.credential_name', index=4, + number=10, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), @@ -358,7 +244,7 @@ ], extensions=[ ], - nested_types=[_SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND, _SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND, _SERVER_TLSOPTIONS_CREDENTIALSTORE, ], + nested_types=[], enum_types=[ _SERVER_TLSOPTIONS_TLSMODE, _SERVER_TLSOPTIONS_TLSPROTOCOL, @@ -370,7 +256,7 @@ oneofs=[ ], serialized_start=418, - serialized_end=1454, + serialized_end=1002, ) _SERVER = _descriptor.Descriptor( 
@@ -428,7 +314,7 @@ oneofs=[ ], serialized_start=246, - serialized_end=1454, + serialized_end=1002, ) @@ -472,26 +358,14 @@ extension_ranges=[], oneofs=[ ], - serialized_start=1456, - serialized_end=1510, + serialized_start=1004, + serialized_end=1058, ) _GATEWAY_SELECTORENTRY.containing_type = _GATEWAY _GATEWAY.fields_by_name['servers'].message_type = _SERVER _GATEWAY.fields_by_name['selector'].message_type = _GATEWAY_SELECTORENTRY -_SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND.containing_type = _SERVER_TLSOPTIONS -_SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND.containing_type = _SERVER_TLSOPTIONS -_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND -_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND -_SERVER_TLSOPTIONS_CREDENTIALSTORE.containing_type = _SERVER_TLSOPTIONS -_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'].fields.append( - _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files']) -_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['files'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'] -_SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'].fields.append( - _SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote']) -_SERVER_TLSOPTIONS_CREDENTIALSTORE.fields_by_name['remote'].containing_oneof = _SERVER_TLSOPTIONS_CREDENTIALSTORE.oneofs_by_name['credential_store'] _SERVER_TLSOPTIONS.fields_by_name['mode'].enum_type = _SERVER_TLSOPTIONS_TLSMODE -_SERVER_TLSOPTIONS.fields_by_name['credential_store'].message_type = _SERVER_TLSOPTIONS_CREDENTIALSTORE _SERVER_TLSOPTIONS.fields_by_name['min_protocol_version'].enum_type = _SERVER_TLSOPTIONS_TLSPROTOCOL _SERVER_TLSOPTIONS.fields_by_name['max_protocol_version'].enum_type = _SERVER_TLSOPTIONS_TLSPROTOCOL _SERVER_TLSOPTIONS.containing_type = _SERVER 
@@ -522,27 +396,6 @@ Server = _reflection.GeneratedProtocolMessageType('Server', (_message.Message,), dict( TLSOptions = _reflection.GeneratedProtocolMessageType('TLSOptions', (_message.Message,), dict( - - CredentialStoreFileBackend = _reflection.GeneratedProtocolMessageType('CredentialStoreFileBackend', (_message.Message,), dict( - DESCRIPTOR = _SERVER_TLSOPTIONS_CREDENTIALSTOREFILEBACKEND, - __module__ = 'networking.v1alpha3.gateway_pb2' - # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreFileBackend) - )) - , - - CredentialStoreRemoteBackend = _reflection.GeneratedProtocolMessageType('CredentialStoreRemoteBackend', (_message.Message,), dict( - DESCRIPTOR = _SERVER_TLSOPTIONS_CREDENTIALSTOREREMOTEBACKEND, - __module__ = 'networking.v1alpha3.gateway_pb2' - # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions.CredentialStoreRemoteBackend) - )) - , - - CredentialStore = _reflection.GeneratedProtocolMessageType('CredentialStore', (_message.Message,), dict( - DESCRIPTOR = _SERVER_TLSOPTIONS_CREDENTIALSTORE, - __module__ = 'networking.v1alpha3.gateway_pb2' - # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions.CredentialStore) - )) - , DESCRIPTOR = _SERVER_TLSOPTIONS, __module__ = 'networking.v1alpha3.gateway_pb2' # @@protoc_insertion_point(class_scope:istio.networking.v1alpha3.Server.TLSOptions) @@ -554,9 +407,6 @@ )) _sym_db.RegisterMessage(Server) _sym_db.RegisterMessage(Server.TLSOptions) -_sym_db.RegisterMessage(Server.TLSOptions.CredentialStoreFileBackend) -_sym_db.RegisterMessage(Server.TLSOptions.CredentialStoreRemoteBackend) -_sym_db.RegisterMessage(Server.TLSOptions.CredentialStore) Port = _reflection.GeneratedProtocolMessageType('Port', (_message.Message,), dict( DESCRIPTOR = _PORT, 
@@ -570,8 +420,4 @@ DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z istio.io/api/networking/v1alpha3')) _GATEWAY_SELECTORENTRY.has_options = True _GATEWAY_SELECTORENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')) -_SERVER_TLSOPTIONS.fields_by_name['server_certificate'].has_options = True -_SERVER_TLSOPTIONS.fields_by_name['server_certificate']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')) -_SERVER_TLSOPTIONS.fields_by_name['private_key'].has_options = True -_SERVER_TLSOPTIONS.fields_by_name['private_key']._options = _descriptor._ParseOptions(descriptor_pb2.FieldOptions(), _b('\030\001')) # @@protoc_insertion_point(module_scope) From 1a81a904cdb38953f8ff7954b8fd1f2db60bb2c1 Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Thu, 31 Jan 2019 16:52:42 -0500 Subject: [PATCH 5/7] update Signed-off-by: Shriram Rajagopalan --- networking/v1alpha3/gateway.pb.go | 3 +-- networking/v1alpha3/gateway.proto | 3 +-- networking/v1alpha3/istio.networking.v1alpha3.pb.html | 3 +-- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 63d8b9bf88..035391a4d8 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go 
@@ -421,8 +421,7 @@ type Server_TLSOptions struct { // using this name, instead of using the file system paths specified // above. The semantics of the name are platform dependent. In // Kubernetes, the default Istio supplied credentail server expects the - // credentialName to be of the form secretName.namespace, where the - // secretName is the name of the Kubernetes secret that holds the + // credentialName to match the name of the Kubernetes secret that holds the // server certificate and the private key. CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` // REQUIRED if mode is `MUTUAL`. The path to a file containing diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index e7e615b4cd..7162fbe459 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -307,8 +307,7 @@ message Server { // using this name, instead of using the file system paths specified // above. The semantics of the name are platform dependent. In // Kubernetes, the default Istio supplied credentail server expects the - // credentialName to be of the form secretName.namespace, where the - // secretName is the name of the Kubernetes secret that holds the + // credentialName to match the name of the Kubernetes secret that holds the // server certificate and the private key. string credential_name = 10; diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index 8238f66b00..0f610812c9 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -2958,8 +2958,7 @@
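Review bot: In the gateway.proto hunk, the reworded `credential_name` comment drops the `secretName.namespace` form without saying which namespace the Kubernetes secret is now resolved in. Because this name selects the server certificate and private key a gateway will serve, the comment should state the lookup scope explicitly, for example `// The secret must reside in the same namespace as the gateway workload.` if that is the intended behaviour. The same wording is copied into the generated gateway.pb.go and .pb.html hunks that share this line, so it only needs fixing in the .proto. The enclosing `message Server` starts and ends outside the hunk.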

Server.TLSOptions

using this name, instead of using the file system paths specified above. The semantics of the name are platform dependent. In Kubernetes, the default Istio supplied credentail server expects the -credentialName to be of the form secretName.namespace, where the -secretName is the name of the Kubernetes secret that holds the +credentialName to match the name of the Kubernetes secret that holds the server certificate and the private key.

From c9c2109cd5cb5f7a9c035bf4d30b7e6f5e49d753 Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Thu, 31 Jan 2019 17:16:43 -0500 Subject: [PATCH 6/7] updates Signed-off-by: Shriram Rajagopalan --- networking/v1alpha3/gateway.pb.go | 30 ++++++++-------- networking/v1alpha3/gateway.proto | 24 ++++++------- .../istio.networking.v1alpha3.pb.html | 34 +++++++++---------- .../networking/v1alpha3/gateway_pb2.py | 10 +++--- 4 files changed, 49 insertions(+), 49 deletions(-) diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 035391a4d8..58fff44ccb 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go 
@@ -413,21 +413,21 @@ type Server_TLSOptions struct { // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file // holding the server's private key. PrivateKey string `protobuf:"bytes,4,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` - // The credentialName stands for a unique identifier that can be used - // to identify the serverCertificate and the privateKey (not the - // CaCertificates) associated with this server. Gateway workloads - // capable of fetching credentials from a remote credential store will - // be configured to retrive the server certificate and the private key - // using this name, instead of using the file system paths specified - // above. The semantics of the name are platform dependent. In - // Kubernetes, the default Istio supplied credentail server expects the - // credentialName to match the name of the Kubernetes secret that holds the - // server certificate and the private key. - CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` // REQUIRED if mode is `MUTUAL`. The path to a file containing // certificate authority certificates to use in verifying a presented // client side certificate. CaCertificates string `protobuf:"bytes,5,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"` + // The credentialName stands for a unique identifier that can be used + // to identify the serverCertificate, the privateKey and the + // CaCertificates associated with this server. Gateway workloads + // capable of fetching credentials from a remote credential store will + // be configured to retrive the credentials using this name, instead of + // using the file system paths specified above. The semantics of the + // name are platform dependent. 
In Kubernetes, the default Istio + // supplied credentail server expects the credentialName to match the + // name of the Kubernetes secret that holds the server certificate, the + // private key, and the CA certificate (if using mutual TLS). + CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` // A list of alternate names to verify the subject identity in the // certificate presented by the client. SubjectAltNames []string `protobuf:"bytes,6,rep,name=subject_alt_names,json=subjectAltNames" json:"subject_alt_names,omitempty"` @@ -473,16 +473,16 @@ func (m *Server_TLSOptions) GetPrivateKey() string { return "" } -func (m *Server_TLSOptions) GetCredentialName() string { +func (m *Server_TLSOptions) GetCaCertificates() string { if m != nil { - return m.CredentialName + return m.CaCertificates } return "" } -func (m *Server_TLSOptions) GetCaCertificates() string { +func (m *Server_TLSOptions) GetCredentialName() string { if m != nil { - return m.CaCertificates + return m.CredentialName } return "" } diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 7162fbe459..4e00c4eadc 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto 
@@ -299,23 +299,23 @@ message Server { // holding the server's private key. string private_key = 4; - // The credentialName stands for a unique identifier that can be used - // to identify the serverCertificate and the privateKey (not the - // CaCertificates) associated with this server. Gateway workloads - // capable of fetching credentials from a remote credential store will - // be configured to retrive the server certificate and the private key - // using this name, instead of using the file system paths specified - // above. The semantics of the name are platform dependent. In - // Kubernetes, the default Istio supplied credentail server expects the - // credentialName to match the name of the Kubernetes secret that holds the - // server certificate and the private key. - string credential_name = 10; - // REQUIRED if mode is `MUTUAL`. The path to a file containing // certificate authority certificates to use in verifying a presented // client side certificate. string ca_certificates = 5; + // The credentialName stands for a unique identifier that can be used + // to identify the serverCertificate, the privateKey and the + // CaCertificates associated with this server. Gateway workloads + // capable of fetching credentials from a remote credential store will + // be configured to retrive the credentials using this name, instead of + // using the file system paths specified above. The semantics of the + // name are platform dependent. In Kubernetes, the default Istio + // supplied credentail server expects the credentialName to match the + // name of the Kubernetes secret that holds the server certificate, the + // private key, and the CA certificate (if using mutual TLS). + string credential_name = 10; + // A list of alternate names to verify the subject identity in the // certificate presented by the client. repeated string subject_alt_names = 6; 
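Review bot: The rewritten `credential_name` comment now covers the CA certificates too, but it does not say which source wins when `credential_name` is set together with `server_certificate`, `private_key` or `ca_certificates`, and the context lines still mark the path fields as REQUIRED for `SIMPLE`/`MUTUAL`. A reader cannot tell whether file paths left in a Gateway are ignored or still used; I would add a sentence such as `// If set, credential_name takes precedence over server_certificate, private_key and ca_certificates.` (assuming that is the implemented behaviour) and relax the REQUIRED wording to match. The added lines also carry two typos, `retrive` and `credentail`, which propagate into the generated Go and HTML files. `message Server` continues outside the hunk.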
diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index 0f610812c9..e83d3b10fc 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -2944,23 +2944,6 @@

Server.TLSOptions

REQUIRED if mode is SIMPLE or MUTUAL. The path to the file holding the server’s private key.

- - -
- - - @@ -2971,6 +2954,23 @@

Server.TLSOptions

certificate authority certificates to use in verifying a presented client side certificate.

+ + + + + + diff --git a/python/istio_api/networking/v1alpha3/gateway_pb2.py b/python/istio_api/networking/v1alpha3/gateway_pb2.py index 974e685697..6626cc2cac 100644 --- a/python/istio_api/networking/v1alpha3/gateway_pb2.py +++ b/python/istio_api/networking/v1alpha3/gateway_pb2.py 
@@ -19,7 +19,7 @@ name='networking/v1alpha3/gateway.proto', package='istio.networking.v1alpha3', syntax='proto3', - serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xf4\x05\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\xc8\x04\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x12\x17\n\x0f\x63redential_name\x18\n \x01(\t\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') + 
serialized_pb=_b('\n!networking/v1alpha3/gateway.proto\x12\x19istio.networking.v1alpha3\"\xb2\x01\n\x07Gateway\x12\x32\n\x07servers\x18\x01 \x03(\x0b\x32!.istio.networking.v1alpha3.Server\x12\x42\n\x08selector\x18\x02 \x03(\x0b\x32\x30.istio.networking.v1alpha3.Gateway.SelectorEntry\x1a/\n\rSelectorEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xf4\x05\n\x06Server\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x04 \x01(\t\x12\r\n\x05hosts\x18\x02 \x03(\t\x12\x39\n\x03tls\x18\x03 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\x12\x18\n\x10\x64\x65\x66\x61ult_endpoint\x18\x05 \x01(\t\x1a\xc8\x04\n\nTLSOptions\x12\x16\n\x0ehttps_redirect\x18\x01 \x01(\x08\x12\x42\n\x04mode\x18\x02 \x01(\x0e\x32\x34.istio.networking.v1alpha3.Server.TLSOptions.TLSmode\x12\x1a\n\x12server_certificate\x18\x03 \x01(\t\x12\x13\n\x0bprivate_key\x18\x04 \x01(\t\x12\x17\n\x0f\x63\x61_certificates\x18\x05 \x01(\t\x12\x17\n\x0f\x63redential_name\x18\n \x01(\t\x12\x19\n\x11subject_alt_names\x18\x06 \x03(\t\x12V\n\x14min_protocol_version\x18\x07 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12V\n\x14max_protocol_version\x18\x08 \x01(\x0e\x32\x38.istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol\x12\x15\n\rcipher_suites\x18\t \x03(\t\"H\n\x07TLSmode\x12\x0f\n\x0bPASSTHROUGH\x10\x00\x12\n\n\x06SIMPLE\x10\x01\x12\n\n\x06MUTUAL\x10\x02\x12\x14\n\x10\x41UTO_PASSTHROUGH\x10\x03\"O\n\x0bTLSProtocol\x12\x0c\n\x08TLS_AUTO\x10\x00\x12\x0b\n\x07TLSV1_0\x10\x01\x12\x0b\n\x07TLSV1_1\x10\x02\x12\x0b\n\x07TLSV1_2\x10\x03\x12\x0b\n\x07TLSV1_3\x10\x04\"6\n\x04Port\x12\x0e\n\x06number\x18\x01 \x01(\r\x12\x10\n\x08protocol\x18\x02 \x01(\t\x12\x0c\n\x04name\x18\x03 \x01(\tB\"Z istio.io/api/networking/v1alpha3b\x06proto3') ) 
@@ -200,15 +200,15 @@ is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='credential_name', full_name='istio.networking.v1alpha3.Server.TLSOptions.credential_name', index=4, - number=10, type=9, cpp_type=9, label=1, + name='ca_certificates', full_name='istio.networking.v1alpha3.Server.TLSOptions.ca_certificates', index=4, + number=5, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='ca_certificates', full_name='istio.networking.v1alpha3.Server.TLSOptions.ca_certificates', index=5, - number=5, type=9, cpp_type=9, label=1, + name='credential_name', full_name='istio.networking.v1alpha3.Server.TLSOptions.credential_name', index=5, + number=10, type=9, cpp_type=9, label=1, has_default_value=False, default_value=_b("").decode('utf-8'), message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, From 066e5f1e1935d9eba72f2b521c749e6a8270b7a7 Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Thu, 31 Jan 2019 17:19:20 -0500 Subject: [PATCH 7/7] protolock Signed-off-by: Shriram Rajagopalan --- proto.lock | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/proto.lock b/proto.lock index 6c536869ee..18877af34a 100644 --- a/proto.lock +++ b/proto.lock @@ -3319,13 +3319,13 @@ "type": "string" }, { - "id": 10, - "name": "credential_name", + "id": 5, + "name": "ca_certificates", "type": "string" }, { - "id": 5, - "name": "ca_certificates", + "id": 10, + "name": "credential_name", "type": "string" }, {
FieldTypeDescription
resourceNamestring -

REQUIRED the name of the resource that the credential server can -use to identify the certificates associated with the gateway -server. In kubernetes, this should correspond to the name of the -secret that contains the server-side TLS certificate and the -server’s private key. Note that the secret should contain both the -public and private keys associated with the server port.

- -

It is possible to use the same resourceName across several servers -on different ports, if these servers share the same credentials.

- -
serverAddressstring -

The address where the credential store server can be reached. -If omitted, will default to unix:/var/run/gateway/sds

-
credentialNamestring -

The credentialName stands for a unique identifier that can be used -to identify the serverCertificate and the privateKey (not the -CaCertificates) associated with this server. Gateway workloads -capable of fetching credentials from a remote credential store will -be configured to retrive the server certificate and the private key -using this name, instead of using the file system paths specified -above. The semantics of the name are platform dependent. In -Kubernetes, the default Istio supplied credentail server expects the -credentialName to match the name of the Kubernetes secret that holds the -server certificate and the private key.

-
credentialNamestring +

The credentialName stands for a unique identifier that can be used +to identify the serverCertificate, the privateKey and the +CaCertificates associated with this server. Gateway workloads +capable of fetching credentials from a remote credential store will +be configured to retrive the credentials using this name, instead of +using the file system paths specified above. The semantics of the +name are platform dependent. In Kubernetes, the default Istio +supplied credentail server expects the credentialName to match the +name of the Kubernetes secret that holds the server certificate, the +private key, and the CA certificate (if using mutual TLS).

+