From 9ef4f01ef1dd54bbb6e00c9f2487470dd063f0b7 Mon Sep 17 00:00:00 2001
From: Jimmy Chen
Date: Wed, 6 Feb 2019 11:51:22 -0800
Subject: [PATCH 1/2] Update comment for credentialName
---
 networking/v1alpha3/gateway.pb.go | 21 +++++++++++--------
 networking/v1alpha3/gateway.proto | 21 +++++++++++--------
 .../istio.networking.v1alpha3.pb.html | 21 +++++++++++--------
 3 files changed, 36 insertions(+), 27 deletions(-)
diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 58fff44ccb..2a62646416 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -418,15 +418,18 @@ type Server_TLSOptions struct { // client side certificate. CaCertificates string `protobuf:"bytes,5,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"` // The credentialName stands for a unique identifier that can be used - // to identify the serverCertificate, the privateKey and the - // CaCertificates associated with this server. Gateway workloads - // capable of fetching credentials from a remote credential store will - // be configured to retrive the credentials using this name, instead of - // using the file system paths specified above. The semantics of the - // name are platform dependent. In Kubernetes, the default Istio - // supplied credentail server expects the credentialName to match the - // name of the Kubernetes secret that holds the server certificate, the - // private key, and the CA certificate (if using mutual TLS). + // to identify the serverCertificate and the privateKey. The credentialName + // appended with suffix "-cacert" is used to identify the CaCertificates + // associated with this server. Gateway workloads capable of fetching + // credentials from a remote credential store will be configured to retrieve + // the serverCertificate and the privateKey using credentialName, instead of + // using the file system paths specified above. If using mutual TLS, + // gateway workloads will retrieve the CaCertificates using + // credentialName-cacert. The semantics of the name are platform dependent. + // In Kubernetes, the default Istio supplied credentail server expects the + // credentialName to match the name of the Kubernetes secret that holds the + // server certificate, the private key, and the CA certificate + // (if using mutual TLS). CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` // A list of alternate names to verify the subject identity in the // certificate presented by the client. 
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index 4e00c4eadc..e16deb9123 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -305,15 +305,18 @@ message Server {
 string ca_certificates = 5;
 // The credentialName stands for a unique identifier that can be used
- // to identify the serverCertificate, the privateKey and the
- // CaCertificates associated with this server. Gateway workloads
- // capable of fetching credentials from a remote credential store will
- // be configured to retrive the credentials using this name, instead of
- // using the file system paths specified above. The semantics of the
- // name are platform dependent. In Kubernetes, the default Istio
- // supplied credentail server expects the credentialName to match the
- // name of the Kubernetes secret that holds the server certificate, the
- // private key, and the CA certificate (if using mutual TLS).
+ // to identify the serverCertificate and the privateKey. The credentialName
+ // appended with suffix "-cacert" is used to identify the CaCertificates
+ // associated with this server. Gateway workloads capable of fetching
+ // credentials from a remote credential store will be configured to retrieve
+ // the serverCertificate and the privateKey using credentialName, instead of
+ // using the file system paths specified above. If using mutual TLS,
+ // gateway workloads will retrieve the CaCertificates using
+ // credentialName-cacert. The semantics of the name are platform dependent.
+ // In Kubernetes, the default Istio supplied credentail server expects the
+ // credentialName to match the name of the Kubernetes secret that holds the
+ // server certificate, the private key, and the CA certificate
+ // (if using mutual TLS).
 string credential_name = 10;
 // A list of alternate names to verify the subject identity in the
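Review bot: The closing sentence of the new `credential_name` comment still says the Kubernetes secret named by credentialName holds "the server certificate, the private key, and the CA certificate (if using mutual TLS)", which reads as a contradiction of the added text that the CaCertificates are fetched under credentialName with the "-cacert" suffix. If the CA bundle is really expected in a separate secret, an operator who follows the last sentence would put it in the wrong place, and the comment does not say what a gateway configured for mutual TLS does when the "-cacert" entry is absent; that behaviour is not visible in this patch and is worth documenting because it bears on whether client certificates are verified. I would reword the Kubernetes sentence along the lines of `// credentialName to match the name of the Kubernetes secret that holds the server certificate and the private key, and credentialName-cacert to match the secret that holds the CA certificate (if using mutual TLS).` The same wording is regenerated into gateway.pb.go and the .pb.html, and PATCH 2/2 leaves this sentence unchanged.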
diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index 5f32305833..13d6ee779b 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -2961,15 +2961,18 @@

Server.TLSOptions

string

The credentialName stands for a unique identifier that can be used -to identify the serverCertificate, the privateKey and the -CaCertificates associated with this server. Gateway workloads -capable of fetching credentials from a remote credential store will -be configured to retrive the credentials using this name, instead of -using the file system paths specified above. The semantics of the -name are platform dependent. In Kubernetes, the default Istio -supplied credentail server expects the credentialName to match the -name of the Kubernetes secret that holds the server certificate, the -private key, and the CA certificate (if using mutual TLS).

+to identify the serverCertificate and the privateKey. The credentialName +appended with suffix “-cacert” is used to identify the CaCertificates +associated with this server. Gateway workloads capable of fetching +credentials from a remote credential store will be configured to retrieve +the serverCertificate and the privateKey using credentialName, instead of +using the file system paths specified above. If using mutual TLS, +gateway workloads will retrieve the CaCertificates using +credentialName-cacert. The semantics of the name are platform dependent. +In Kubernetes, the default Istio supplied credentail server expects the +credentialName to match the name of the Kubernetes secret that holds the +server certificate, the private key, and the CA certificate +(if using mutual TLS).

From 2117c4dac66500e2d2c815b9c5a197ca2b785c94 Mon Sep 17 00:00:00 2001
From: Jimmy Chen
Date: Wed, 6 Feb 2019 13:23:47 -0800
Subject: [PATCH 2/2] Update comment
---
 networking/v1alpha3/gateway.pb.go | 2 +-
 networking/v1alpha3/gateway.proto | 2 +-
 networking/v1alpha3/istio.networking.v1alpha3.pb.html | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 2a62646416..0bb2c9e736 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -426,7 +426,7 @@ type Server_TLSOptions struct { // using the file system paths specified above. If using mutual TLS, // gateway workloads will retrieve the CaCertificates using // credentialName-cacert. The semantics of the name are platform dependent. - // In Kubernetes, the default Istio supplied credentail server expects the + // In Kubernetes, the default Istio supplied credential server expects the // credentialName to match the name of the Kubernetes secret that holds the // server certificate, the private key, and the CA certificate // (if using mutual TLS).
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index e16deb9123..bc567376bd 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -313,7 +313,7 @@ message Server {
 // using the file system paths specified above. If using mutual TLS,
 // gateway workloads will retrieve the CaCertificates using
 // credentialName-cacert. The semantics of the name are platform dependent.
- // In Kubernetes, the default Istio supplied credentail server expects the
+ // In Kubernetes, the default Istio supplied credential server expects the
 // credentialName to match the name of the Kubernetes secret that holds the
 // server certificate, the private key, and the CA certificate
 // (if using mutual TLS).
diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
index 13d6ee779b..8fb3574c83 100644
--- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html
+++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html
@@ -2969,7 +2969,7 @@

Server.TLSOptions

using the file system paths specified above. If using mutual TLS, gateway workloads will retrieve the CaCertificates using credentialName-cacert. The semantics of the name are platform dependent. -In Kubernetes, the default Istio supplied credentail server expects the +In Kubernetes, the default Istio supplied credential server expects the credentialName to match the name of the Kubernetes secret that holds the server certificate, the private key, and the CA certificate (if using mutual TLS).