Remove mentions of VERIFY_CERTIFICATE_AT_CLIENT and ENABLE_AUTO_SNI (#…

…3122)

* Remove mentions of VERIFY_CERTIFICATE_AT_CLIENT and ENABLE_AUTO_SNI

* adjust ca_certificates comment

* sync gen files

networking/v1/destination_rule.proto

@@ -829,7 +829,8 @@ message ClientTLSSettings {
 
   // OPTIONAL: The path to the file containing certificate authority
   // certificates to use in verifying a presented server certificate. If
-  // omitted, the proxy will not verify the server's certificate.
+  // omitted, the proxy will verify the server's certificate using
+  // the OS CA certificates.
   // Should be empty if mode is `ISTIO_MUTUAL`.
   string ca_certificates = 4;
 
@@ -860,28 +861,17 @@ message ClientTLSSettings {
   // If specified, this list overrides the value of subject_alt_names
   // from the ServiceEntry. If unspecified, automatic validation of upstream
   // presented certificate for new upstream connections will be done based on the
-  // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
-  // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+  // downstream HTTP host/authority header.
   repeated string subject_alt_names = 5;
 
   // SNI string to present to the server during TLS handshake.
   // If unspecified, SNI will be automatically set based on downstream HTTP
-  // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
-  // environmental variable is set to `true`.
+  // host/authority header for SIMPLE and MUTUAL TLS modes.
   string sni = 6;
 
   // `insecureSkipVerify` specifies whether the proxy should skip verifying the
   // CA signature and SAN for the server certificate corresponding to the host.
-  // This flag should only be set if global CA signature verification is
-  // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
-  // but no verification is desired for a specific host. If enabled with or
-  // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
-  // SAN will be skipped.
-  //
-  // `insecureSkipVerify` is `false` by default.
-  // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
-  // be `true` by default in a later version where, going forward, it will be
-  // enabled by default.
+  // The default value of this field is false.
   google.protobuf.BoolValue insecure_skip_verify = 8;
 
   // OPTIONAL: The path to the file containing the certificate revocation list (CRL)

networking/v1alpha3/destination_rule.proto

@@ -853,7 +853,8 @@ message ClientTLSSettings {
 
   // OPTIONAL: The path to the file containing certificate authority
   // certificates to use in verifying a presented server certificate. If
-  // omitted, the proxy will not verify the server's certificate.
+  // omitted, the proxy will verify the server's certificate using
+  // the OS CA certificates.
   // Should be empty if mode is `ISTIO_MUTUAL`.
   string ca_certificates = 4;
 
@@ -884,28 +885,17 @@ message ClientTLSSettings {
   // If specified, this list overrides the value of subject_alt_names
   // from the ServiceEntry. If unspecified, automatic validation of upstream
   // presented certificate for new upstream connections will be done based on the
-  // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
-  // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+  // downstream HTTP host/authority header.
   repeated string subject_alt_names = 5;
 
   // SNI string to present to the server during TLS handshake.
   // If unspecified, SNI will be automatically set based on downstream HTTP
-  // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
-  // environmental variable is set to `true`.
+  // host/authority header for SIMPLE and MUTUAL TLS modes.
   string sni = 6;
 
   // `insecureSkipVerify` specifies whether the proxy should skip verifying the
   // CA signature and SAN for the server certificate corresponding to the host.
-  // This flag should only be set if global CA signature verification is
-  // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
-  // but no verification is desired for a specific host. If enabled with or
-  // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
-  // SAN will be skipped.
-  //
-  // `insecureSkipVerify` is `false` by default.
-  // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
-  // be `true` by default in a later version where, going forward, it will be
-  // enabled by default.
+  // The default value of this field is false.
   google.protobuf.BoolValue insecure_skip_verify = 8;
 
   // OPTIONAL: The path to the file containing the certificate revocation list (CRL)

networking/v1beta1/destination_rule.proto

@@ -830,7 +830,8 @@ message ClientTLSSettings {
 
   // OPTIONAL: The path to the file containing certificate authority
   // certificates to use in verifying a presented server certificate. If
-  // omitted, the proxy will not verify the server's certificate.
+  // omitted, the proxy will verify the server's certificate using
+  // the OS CA certificates.
   // Should be empty if mode is `ISTIO_MUTUAL`.
   string ca_certificates = 4;
 
@@ -861,28 +862,17 @@ message ClientTLSSettings {
   // If specified, this list overrides the value of subject_alt_names
   // from the ServiceEntry. If unspecified, automatic validation of upstream
   // presented certificate for new upstream connections will be done based on the
-  // downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT`
-  // and `ENABLE_AUTO_SNI` environmental variables are set to `true`.
+  // downstream HTTP host/authority header.
   repeated string subject_alt_names = 5;
 
   // SNI string to present to the server during TLS handshake.
   // If unspecified, SNI will be automatically set based on downstream HTTP
-  // host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI`
-  // environmental variable is set to `true`.
+  // host/authority header for SIMPLE and MUTUAL TLS modes.
   string sni = 6;
 
   // `insecureSkipVerify` specifies whether the proxy should skip verifying the
   // CA signature and SAN for the server certificate corresponding to the host.
-  // This flag should only be set if global CA signature verification is
-  // enabled, `VERIFY_CERTIFICATE_AT_CLIENT` environmental variable is set to `true`,
-  // but no verification is desired for a specific host. If enabled with or
-  // without `VERIFY_CERTIFICATE_AT_CLIENT` enabled, verification of the CA signature and
-  // SAN will be skipped.
-  //
-  // `insecureSkipVerify` is `false` by default.
-  // `VERIFY_CERTIFICATE_AT_CLIENT` is `false` by default in Istio version 1.9 but will
-  // be `true` by default in a later version where, going forward, it will be
-  // enabled by default.
+  // The default value of this field is false.
   google.protobuf.BoolValue insecure_skip_verify = 8;
 
   // OPTIONAL: The path to the file containing the certificate revocation list (CRL)