From 59f747962394267f8cafd54074c019f324edd90f Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Fri, 20 Sep 2024 11:07:23 +0200
Subject: [PATCH 1/5] Clarify ForwardClientCertDetails comments
---
 mesh/v1alpha1/proxy.pb.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
index f7d686ef3f5..cbe162ff625 100644
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
@@ -95,7 +95,7 @@ func (AuthenticationPolicy) EnumDescriptor() ([]byte, []int) {
 }
 
 // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
-// header is handled by the gateway proxy.
+// header is handled by the proxies.
 // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
 // header handling for more details.
 type ForwardClientCertDetails int32
@@ -103,13 +103,13 @@ type ForwardClientCertDetails int32
 const (
 // Field is not set
 ForwardClientCertDetails_UNDEFINED ForwardClientCertDetails = 0
- // Do not send the XFCC header to the next hop. This is the default value.
+ // Do not send the XFCC header to the next hop. This is the default value for gateway proxies.
 ForwardClientCertDetails_SANITIZE ForwardClientCertDetails = 1
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
 // in the request.
 ForwardClientCertDetails_FORWARD_ONLY ForwardClientCertDetails = 2
 // When the client connection is mTLS, append the client certificate
- // information to the request’s XFCC header and forward it.
+ // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.
 ForwardClientCertDetails_APPEND_FORWARD ForwardClientCertDetails = 3
 // When the client connection is mTLS, reset the XFCC header with the client
 // certificate information and send it to the next hop.
From 4d13e1de2f5a586dd2e0e21c4b819c7e37739cc3 Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Fri, 20 Sep 2024 11:12:12 +0200
Subject: [PATCH 2/5] update gen files
---
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 4 ++--
 mesh/v1alpha1/proxy.pb.go | 4 ++--
 mesh/v1alpha1/proxy.proto | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index 9a6851d1884..6526613172c 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -4737,7 +4737,7 @@

ForwardClientCertDetails

SANITIZE -

Do not send the XFCC header to the next hop. This is the default value.

+

Do not send the XFCC header to the next hop. This is the default value. This is the default value for gateway proxies.

@@ -4753,7 +4753,7 @@

ForwardClientCertDetails

APPEND_FORWARD

When the client connection is mTLS, append the client certificate -information to the request’s XFCC header and forward it.

+information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.

diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
index cbe162ff625..79f9dcd8865 100644
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
@@ -95,7 +95,7 @@ func (AuthenticationPolicy) EnumDescriptor() ([]byte, []int) {
 }
 
 // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
-// header is handled by the proxies.
+// header is handled by the gateway proxy.
 // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
 // header handling for more details.
 type ForwardClientCertDetails int32
@@ -103,7 +103,7 @@ type ForwardClientCertDetails int32
 const (
 // Field is not set
 ForwardClientCertDetails_UNDEFINED ForwardClientCertDetails = 0
- // Do not send the XFCC header to the next hop. This is the default value for gateway proxies.
+ // Do not send the XFCC header to the next hop. This is the default value. This is the default value for gateway proxies.
 ForwardClientCertDetails_SANITIZE ForwardClientCertDetails = 1
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
 // in the request.
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
index e1ec3e8b59d..c7cef619e94 100644
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@@ -280,7 +280,7 @@ enum ForwardClientCertDetails {
 // Field is not set
 UNDEFINED = 0;
- // Do not send the XFCC header to the next hop. This is the default value.
+ // Do not send the XFCC header to the next hop. This is the default value. This is the default value for gateway proxies.
 SANITIZE = 1;
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
@@ -288,7 +288,7 @@ enum ForwardClientCertDetails {
 FORWARD_ONLY = 2;
 // When the client connection is mTLS, append the client certificate
- // information to the request’s XFCC header and forward it.
+ // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.
 APPEND_FORWARD = 3;
 // When the client connection is mTLS, reset the XFCC header with the client
From 8e87169a656c6aa03b3f036d35119336985675ac Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Fri, 20 Sep 2024 11:15:14 +0200
Subject: [PATCH 3/5] fix typo
---
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 2 +-
 mesh/v1alpha1/proxy.pb.go | 2 +-
 mesh/v1alpha1/proxy.proto | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index 6526613172c..c49a1599044 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -4737,7 +4737,7 @@

ForwardClientCertDetails

SANITIZE -

Do not send the XFCC header to the next hop. This is the default value. This is the default value for gateway proxies.

+

Do not send the XFCC header to the next hop. This is the default value for gateway proxies.

diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
index 79f9dcd8865..fb7d796894d 100644
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
@@ -103,7 +103,7 @@ type ForwardClientCertDetails int32
 const (
 // Field is not set
 ForwardClientCertDetails_UNDEFINED ForwardClientCertDetails = 0
- // Do not send the XFCC header to the next hop. This is the default value. This is the default value for gateway proxies.
+ // Do not send the XFCC header to the next hop. This is the default value for gateway proxies.
 ForwardClientCertDetails_SANITIZE ForwardClientCertDetails = 1
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
 // in the request.
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
index c7cef619e94..303bd893395 100644
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@@ -280,7 +280,7 @@ enum ForwardClientCertDetails {
 // Field is not set
 UNDEFINED = 0;
- // Do not send the XFCC header to the next hop. This is the default value. This is the default value for gateway proxies.
+ // Do not send the XFCC header to the next hop. This is the default value for gateway proxies.
 SANITIZE = 1;
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
From 77492aecd8e103b7cde0e5315910f9cd6fb843a6 Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Fri, 20 Sep 2024 11:28:23 +0200
Subject: [PATCH 4/5] remove mention of gateway proxy
---
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 2 +-
 mesh/v1alpha1/proxy.pb.go | 2 +-
 mesh/v1alpha1/proxy.proto | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index c49a1599044..dbff6c3778a 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -4715,7 +4715,7 @@

AuthenticationPolicy

ForwardClientCertDetails

ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) -header is handled by the gateway proxy. +header is handled by a proxy. See Envoy XFCC header handling for more details.

diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
index fb7d796894d..8facf59a672 100644
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
@@ -95,7 +95,7 @@ func (AuthenticationPolicy) EnumDescriptor() ([]byte, []int) {
 }
 
 // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
-// header is handled by the gateway proxy.
+// header is handled by a proxy.
 // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
 // header handling for more details.
 type ForwardClientCertDetails int32
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
index 303bd893395..9f70cad451b 100644
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@@ -273,7 +273,7 @@ message Topology {
 }
 
 // ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
-// header is handled by the gateway proxy.
+// header is handled by a proxy.
 // See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
 // header handling for more details.
 enum ForwardClientCertDetails {
From 04605666fff8e1f4e5a109e2a74ca2dfc84e93f8 Mon Sep 17 00:00:00 2001
From: Leonardo Sarra
Date: Fri, 20 Sep 2024 11:36:33 +0200
Subject: [PATCH 5/5] fix default value for gw
---
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 4 ++--
 mesh/v1alpha1/proxy.pb.go | 4 ++--
 mesh/v1alpha1/proxy.proto | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index dbff6c3778a..e8ffb614b4c 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
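Review bot: The enum-level comment at the `+// header is handled by a proxy.` line in proxy.proto still does not tell a reader what the proxy does when the field is left at UNDEFINED, whose own comment is only "Field is not set"; this series encodes the answer indirectly by tagging individual values as the default for sidecar or gateway proxies. Since this header comment is what generated docs and IDE tooling surface first, I would add one line after it: `// When the field is UNDEFINED, the proxy-type-specific default applies; see the per-value comments below.` The matching comment in proxy.pb.go should then be refreshed by regeneration rather than edited by hand, since that file appears to be generated from this proto (patch 2 is titled "update gen files").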
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -4737,7 +4737,7 @@

ForwardClientCertDetails

SANITIZE -

Do not send the XFCC header to the next hop. This is the default value for gateway proxies.

+

Do not send the XFCC header to the next hop.

@@ -4761,7 +4761,7 @@

ForwardClientCertDetails

SANITIZE_SET

When the client connection is mTLS, reset the XFCC header with the client -certificate information and send it to the next hop.

+certificate information and send it to the next hop. This is the default value for gateway proxies.

diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
index 8facf59a672..a9f969ac1f0 100644
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
@@ -103,7 +103,7 @@ type ForwardClientCertDetails int32
 const (
 // Field is not set
 ForwardClientCertDetails_UNDEFINED ForwardClientCertDetails = 0
- // Do not send the XFCC header to the next hop. This is the default value for gateway proxies.
+ // Do not send the XFCC header to the next hop.
 ForwardClientCertDetails_SANITIZE ForwardClientCertDetails = 1
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
 // in the request.
@@ -112,7 +112,7 @@ const (
 // information to the request’s XFCC header and forward it. This is the default value for sidecar proxies.
 ForwardClientCertDetails_APPEND_FORWARD ForwardClientCertDetails = 3
 // When the client connection is mTLS, reset the XFCC header with the client
- // certificate information and send it to the next hop.
+ // certificate information and send it to the next hop. This is the default value for gateway proxies.
 ForwardClientCertDetails_SANITIZE_SET ForwardClientCertDetails = 4
 // Always forward the XFCC header in the request, regardless of whether the
 // client connection is mTLS.
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
index 9f70cad451b..091298d206e 100644
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@@ -280,7 +280,7 @@ enum ForwardClientCertDetails {
 // Field is not set
 UNDEFINED = 0;
- // Do not send the XFCC header to the next hop. This is the default value for gateway proxies.
+ // Do not send the XFCC header to the next hop.
 SANITIZE = 1;
 // When the client connection is mTLS (Mutual TLS), forward the XFCC header
@@ -292,7 +292,7 @@ enum ForwardClientCertDetails {
 APPEND_FORWARD = 3;
 // When the client connection is mTLS, reset the XFCC header with the client
- // certificate information and send it to the next hop.
+ // certificate information and send it to the next hop. This is the default value for gateway proxies.
 SANITIZE_SET = 4;
 // Always forward the XFCC header in the request, regardless of whether the