forked from docs/doc-exports
ASM UMN initial version -20240425
Reviewed-by: Kovács, Zoltán <zkovacs@t-systems.com>
Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
parent
d8a2842a27
commit
ec0b45029f
1643
docs/asm/umn/ALL_META.TXT.json
Normal file
File diff suppressed because it is too large
821
docs/asm/umn/CLASS.TXT.json
Normal file
File diff suppressed because it is too large
3
docs/asm/umn/PARAMETERS.txt
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version=""
|
||||||
|
language="en-us"
|
||||||
|
type=""
|
13
docs/asm/umn/asm_01_0016.html
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
<a name="asm_01_0016"></a><a name="asm_01_0016"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Application Service Mesh</h1>
|
||||||
|
<div id="body0000001083553366"><p id="asm_01_0016__p13190152018530">Application Service Mesh (ASM) is a service mesh platform developed based on Istio. It seamlessly interconnects with Cloud Container Engine (CCE), an enterprise-level Kubernetes cluster service. With better usability, reliability, and visualization, ASM provides you with out-of-the-box features and enhanced user experience.</p>
|
||||||
|
<p id="asm_01_0016__p102231950161415">ASM is a non-intrusive microservice governance solution that provides full-lifecycle management and traffic management. It is compatible with the Kubernetes and Istio ecosystems and provides a wide range of features such as load balancing, outlier detection, and rate limiting. ASM provides diversified built-in grayscale releases, including canary release and blue-green deployment, enabling one-stop automatic release management. </p>
|
||||||
|
<p id="asm_01_0016__p0763127151216">For more about ASM, see <a href="asm_productdesc_0001.html">Introduction</a>.</p>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
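Review bot: the first added line of asm_01_0016.html emits the same anchor twice, `<a name="asm_01_0016"></a><a name="asm_01_0016"></a>`; one anchor is enough, and because every topic file shown in this commit opens with the same doubled pattern, it is better fixed in the export step than file by file. The second paragraph also ends with a stray space before the closing tag ("release management. </p>").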
15
docs/asm/umn/asm_01_0017.html
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
<a name="asm_01_0017"></a><a name="asm_01_0017"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Creating a Service Mesh</h1>
|
||||||
|
<div id="body0000001209619746"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0020.html">Creating a Service Mesh</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
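Review bot: the h1 of asm_01_0017.html and its only child link (asm_01_0020.html) carry the identical title "Creating a Service Mesh", and the body div between them is empty, so the navigation shows the same heading at two levels with no content on the upper one. Either give the parent a distinct title plus a one-sentence introduction, or drop this level and link asm_01_0020.html directly under User Guide.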
56
docs/asm/umn/asm_01_0020.html
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
<a name="asm_01_0020"></a><a name="asm_01_0020"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Creating a Service Mesh</h1>
|
||||||
|
<div id="body8662426"><p id="asm_01_0020__en-us_topic_0000001542706401_p7705103811473">ASM allows you to create a service mesh of the Basic edition, which is a standard service mesh available for commercial use.</p>
|
||||||
|
<div class="section" id="asm_01_0020__en-us_topic_0000001542706401_section033812246196"><h4 class="sectiontitle">Prerequisites</h4><p id="asm_01_0020__en-us_topic_0000001542706401_p43381724171910">A CCE cluster is available.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0020__en-us_topic_0000001542706401_section1486314595204"><h4 class="sectiontitle">Constraints</h4><ul id="asm_01_0020__en-us_topic_0000001542706401_ul186475910202"><li id="asm_01_0020__en-us_topic_0000001542706401_li1786417596203">ASM depends on the domain name resolution of CoreDNS. Before creating a service mesh for a cluster, ensure that the cluster has required resources and CoreDNS is running normally.</li><li id="asm_01_0020__li133817361244">Istio components v1.13 and v1.15 cannot run on nodes running CentOS or EulerOS 2.5. When creating a service mesh, do not specify these types of nodes as master nodes.</li></ul>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0020__en-us_topic_0000001542706401_section201371027102715"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0020__en-us_topic_0000001542706401_ol1158918434276"><li id="asm_01_0020__en-us_topic_0000001542706401_li184614499427"><span>Log in to the ASM console.</span></li><li id="asm_01_0020__en-us_topic_0000001542706401_li125894431271"><span>Click Create Mesh in the upper right corner.</span></li><li id="asm_01_0020__en-us_topic_0000001542706401_li135891543162714"><span>Configure the following parameters.</span><p><ul id="asm_01_0020__en-us_topic_0000001542706401_ul75901043202711"><li id="asm_01_0020__en-us_topic_0000001542706401_li2092711501216"><strong id="asm_01_0020__en-us_topic_0000001542706401_b1094850142211">Mesh Edition</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p4479132261213">Only service meshes of the Basic edition are supported.</p>
|
||||||
|
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li35901243162718"><strong id="asm_01_0020__b696006975">Mesh Name</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p19590743152711">Enter a service mesh name, which consists of 4 to 64 characters. It must start with a lowercase letter and cannot end with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.</p>
|
||||||
|
<p id="asm_01_0020__en-us_topic_0000001542706401_p11590144316275">Service mesh names under the same account must be unique and cannot be modified after creation.</p>
|
||||||
|
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li3590184362716"><strong id="asm_01_0020__b1645938020">Istio Version</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p19590144310274">Select the Istio version supported by the service mesh.</p>
|
||||||
|
</li><li id="asm_01_0020__li20991123625914"><strong id="asm_01_0020__b54661518132116">Enable IPv6</strong><p id="asm_01_0020__p1499153613599">Determine whether to enable IPv6. This option is supported only in Istio 1.18 or later.</p>
|
||||||
|
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li4590154315271"><strong id="asm_01_0020__b1309500367">Cluster</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p4590184313278">Select the target cluster from the cluster list or enter the target cluster name in the upper right corner of the list to search for it. You can select only the clusters which versions are supported by the current mesh version.</p>
|
||||||
|
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li159044311277"><strong id="asm_01_0020__b1490852056">Mesh Control Plane Node</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p125902437272">To install the control plane components for the service mesh of the Basic edition in your cluster, you need to select a node for installation. If HA is required, you can select two or more nodes from different AZs.</p>
|
||||||
|
<p id="asm_01_0020__en-us_topic_0000001542706401_p1959024392713">The selected node is labeled with <strong id="asm_01_0020__b12113195612363">istio:master</strong>, and the components are scheduled to this node.</p>
|
||||||
|
</li><li id="asm_01_0020__li17225629125"><strong id="asm_01_0020__b182161818152520">Observability Configuration</strong><ul id="asm_01_0020__ul162251921123"><li id="asm_01_0020__li1233211216319"><strong id="asm_01_0020__b274587613">Application Metrics</strong><p id="asm_01_0020__p93321821123112">If this option is enabled, you can build service access metrics, application topologies, and service health and SLO definitions in the service mesh.</p>
|
||||||
|
</li><li id="asm_01_0020__li4225182181210"><strong id="asm_01_0020__b784414181280">Access Logging</strong><p id="asm_01_0020__p172253214122">If this option is enabled, you can query inter-service access records in the service mesh to locate exceptions. After enabling this option, you need to select the Log Tank Service (LTS) log group and log stream. Access logs will be transmitted to the log stream. You can view the access logs on the <strong id="asm_01_0020__b109851931102518">Monitoring Center</strong> > <strong id="asm_01_0020__b098543172514">Access Logs</strong> page.</p>
|
||||||
|
<div class="note" id="asm_01_0020__note172251629121"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0020__ul10225923127"><li id="asm_01_0020__li17225122121217">Only Istio 1.18 or later can work with LTS to collect and store access logs. To ensure logs are reported to LTS, install CCE Log-Agent on the <strong id="asm_01_0020__b16168103005612">Add-ons</strong> page in advance.</li></ul>
|
||||||
|
</div></div>
|
||||||
|
</li><li id="asm_01_0020__li1522512214127">Tracing<p id="asm_01_0020__p3225124129"><a name="asm_01_0020__li1522512214127"></a><a name="li1522512214127"></a>- <strong id="asm_01_0020__b1649171110292">Sampling Rate</strong>: Number of requests generated by the tracing/Total number of requests</p>
|
||||||
|
<p id="asm_01_0020__p722519210123">- <strong id="asm_01_0020__b13853258294">Version</strong>: the tracing service. If you select <strong id="asm_01_0020__b1028517591813">Third-party Jaeger/Zipkin service</strong>, you need to set <strong id="asm_01_0020__b613018597425">Service Address</strong> and <strong id="asm_01_0020__b665636154317">Service Port</strong>, which indicate the address and port number used by the third-party tracing service to receive requests.</p>
|
||||||
|
<div class="note" id="asm_01_0020__note122518211219"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0020__ul1522613251216"><li id="asm_01_0020__li112261223127">Only Istio 1.15 or later support the third-party tracing service.</li><li id="asm_01_0020__li142761222131512">If you want to use the third-party Jaeger or Zipkin service, install Jaeger or Zipkin first. Alternatively, you can obtain the service address after installing Jaeger or Zipkin by referring to section "Installing Jaeger/Zipkin" in the <em id="asm_01_0020__i195711233204615">FAQs</em>.</li><li id="asm_01_0020__li1622612111211">The default service ports of Jaeger and Zipkin are both 9411. If you customize the service port during Jaeger or Zipkin installation, replace <strong id="asm_01_0020__b3675134710313">Service Port</strong> with the actual value.</li></ul>
|
||||||
|
</div></div>
|
||||||
|
</li></ul>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0020__en-us_topic_0000001542706401_li185901043112713"><span>(Optional) Configure advanced settings.</span><p><ul id="asm_01_0020__en-us_topic_0000001542706401_ul195914431277"><li id="asm_01_0020__en-us_topic_0000001542706401_li105911243172720"><strong id="asm_01_0020__b1279363897">Sidecar Configuration</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p0591154316270">Select a namespace and label it with <strong id="asm_01_0020__b1228706015">istio-injection=enabled</strong>. All pods in the namespace will be injected with an istio-proxy sidecar.</p>
|
||||||
|
<p id="asm_01_0020__en-us_topic_0000001542706401_p1459184332714">You can inject a sidecar in <strong id="asm_01_0020__b441230997">Mesh Configuration</strong> > <strong id="asm_01_0020__b844338891">Sidecar Management</strong> after the mesh is created. For details, see <a href="asm_01_0041.html#asm_01_0041__section65931513505">Injecting a Sidecar</a>.</p>
|
||||||
|
</li><li id="asm_01_0020__en-us_topic_0000001542706401_li1059184310276"><strong id="asm_01_0020__b534709116">Restart Existing Services</strong><p id="asm_01_0020__en-us_topic_0000001542706401_p12591144362715"><span><img id="asm_01_0020__image879324619490" src="en-us_image_0000001920032153.png"></span>: Pods of the existing services in the namespace will be restarted, which will temporarily interrupt your services. The <strong id="asm_01_0020__b666069868">istio-proxy</strong> sidecar is automatically injected into the pods of the existing services.</p>
|
||||||
|
<p id="asm_01_0020__en-us_topic_0000001542706401_p195911343162718"><span><img id="asm_01_0020__en-us_topic_0000001542706401_image1736110311031" src="en-us_image_0000001494249996.png"></span>: The <strong id="asm_01_0020__b166037221819">istio-proxy</strong> sidecar cannot be automatically injected into the pods of the existing services. You need to manually restart the workloads on the CCE console to inject the sidecar.</p>
|
||||||
|
</li><li id="asm_01_0020__li103761117176"><strong id="asm_01_0020__b161488533415">Traffic Interception Settings</strong><div class="note" id="asm_01_0020__note9376117978"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0020__p2376181712720">By default, sidecars intercept all inbound and outbound traffic of pods. You can modify the default traffic rules in <strong id="asm_01_0020__b134331479345">Traffic Interception Settings</strong>.</p>
|
||||||
|
</div></div>
|
||||||
|
<p id="asm_01_0020__p93763174718"><strong id="asm_01_0020__b9810181314341">Inbound Ports</strong>: Inbound ports separated by commas (,). You can use this field to specify the ports that will be included or excluded for inbound traffic redirection.</p>
|
||||||
|
<ul id="asm_01_0020__ul1376817679"><li id="asm_01_0020__li33768171718"><strong id="asm_01_0020__b16992015173412">Include only specified ports</strong> means that the traffic to services in a service mesh over specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<ul id="asm_01_0020__ul73766176715"><li id="asm_01_0020__li1137612175714"><strong id="asm_01_0020__b15386151833412">Exclude only specified ports</strong> means that the traffic to services in a service mesh over the ports except the specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<p id="asm_01_0020__p437612171973"><strong id="asm_01_0020__b155051822203412">Outbound Ports</strong>: Outbound ports separated by commas (,). You can use this field to specify the ports that will be included or excluded for outbound traffic redirection.</p>
|
||||||
|
<ul id="asm_01_0020__ul10376151714710"><li id="asm_01_0020__li16376121711719"><strong id="asm_01_0020__b10871024123417">Include only specified ports</strong> means that the traffic from services in a service mesh over specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<ul id="asm_01_0020__ul337611714716"><li id="asm_01_0020__li1337717171578"><strong id="asm_01_0020__b67131127173417">Exclude only specified ports</strong> means that the traffic from services in a service mesh over the ports except the specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<p id="asm_01_0020__p11377181717712"><strong id="asm_01_0020__b1846318299347">Outbound IP Ranges</strong>: IP address ranges separated by commas (,) in CIDR format. You can use this field to specify the IP ranges that will be excluded from redirection to the sidecar.</p>
|
||||||
|
<ul id="asm_01_0020__ul1337716172078"><li id="asm_01_0020__li1377417579"><strong id="asm_01_0020__b39502030153411">Include only specified IP ranges</strong> means that the traffic from specified IP ranges will be redirected to the sidecar.</li></ul>
|
||||||
|
<ul id="asm_01_0020__ul14377181711717"><li id="asm_01_0020__li3377171710719"><strong id="asm_01_0020__b393303213347">Exclude only specified IP ranges</strong> means that the traffic from IP ranges except the specified IP ranges will be redirected to the sidecar.</li></ul>
|
||||||
|
</li><li id="asm_01_0020__li1611138125316"><strong id="asm_01_0020__b1838169676">Resource Tags</strong><p id="asm_01_0020__p1711128135317">Enter the tag key and tag value. A maximum of 20 tags can be added.</p>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0020__en-us_topic_0000001542706401_li859154318271"><span>Review the service mesh configuration in the <strong id="asm_01_0020__b1200737994">Configuration List</strong> on the right of the page and click <strong id="asm_01_0020__b170596237">Submit</strong>.</span><p><p id="asm_01_0020__en-us_topic_0000001542706401_p13591174382714">It takes about 1 to 3 minutes to create a service mesh. If the service mesh status changes from <strong id="asm_01_0020__b1247244532">Installing</strong> to <strong id="asm_01_0020__b335797679">Running</strong>, the service mesh is successfully created.</p>
|
||||||
|
<div class="note" id="asm_01_0020__en-us_topic_0000001542706401_note14591184342712"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0020__en-us_topic_0000001542706401_p1459119432275">When the service mesh is enabled, the following operations are performed:</p>
|
||||||
|
<ul id="asm_01_0020__en-us_topic_0000001542706401_ul859134311276"><li id="asm_01_0020__en-us_topic_0000001542706401_li195911043152719">Helm orchestrates the application into a Release as the resource of the service mesh control plane.</li></ul>
|
||||||
|
</div></div>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0017.html">Creating a Service Mesh</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
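Review bot: the Outbound IP Ranges paragraph under Traffic Interception Settings contradicts the two options listed beneath it. The field is described as the ranges "that will be excluded from redirection to the sidecar", yet the first option is "Include only specified IP ranges", and both options describe traffic "from" the ranges although the field is outbound. Suggest wording it like the two port fields ("included or excluded for outbound traffic redirection") and saying traffic "to" the ranges. Since the note in the same item says sidecars intercept all inbound and outbound traffic by default, it would also help to state plainly that excluded ports and ranges are not redirected to the sidecar. Smaller points in the same hunk: the Tracing item is not bold like Application Metrics and Access Logging and uses literal "- " inside <p> instead of a nested list; the two Restart Existing Services states are shown only as images with no alt text, so the on and off cases cannot be told apart in text; "Only Istio 1.15 or later support" should read "supports"; "clusters which versions" should read "clusters whose versions".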
17
docs/asm/umn/asm_01_0023.html
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
<a name="asm_01_0023"></a><a name="asm_01_0023"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Mesh Management</h1>
|
||||||
|
<div id="body0000001158734023"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0133.html">Mesh Events</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0086.html">Uninstalling a Mesh</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
19
docs/asm/umn/asm_01_0029.html
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<a name="asm_01_0029"></a><a name="asm_01_0029"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Service Management</h1>
|
||||||
|
<div id="body0000001130335659"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0031.html">Configuration Diagnosis</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0060.html">Manual Fixing Items</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0065.html">Auto Fixing Items</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
21
docs/asm/umn/asm_01_0031.html
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
<a name="asm_01_0031"></a><a name="asm_01_0031"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Configuration Diagnosis</h1>
|
||||||
|
<div id="body0000001168358681"><p id="asm_01_0031__p136332164213">ASM diagnoses all services in a managed cluster. Traffic management and grayscale release are available only for normal services.</p>
|
||||||
|
<div class="section" id="asm_01_0031__section1492016145439"><h4 class="sectiontitle">Constraints</h4><ul id="asm_01_0031__ul13586133513431"><li id="asm_01_0031__li1458616355432">If multiple services correspond to one deployment, these services cannot be added to the mesh. Otherwise, functions such as grayscale release or gateway access may fail.</li><li id="asm_01_0031__li12667143715435">If the workload of a service uses the host network mode (<strong id="asm_01_0031__b6019551881">hostNetwork: true</strong> is configured for the pod), sidecars cannot be injected for the service.</li></ul>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0031__section12419144997"><h4 class="sectiontitle">Service Diagnosis</h4><ol id="asm_01_0031__ol1448417221398"><li id="asm_01_0031__li6469645181611"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0031__li196333015449"><span>In the navigation pane, choose <strong id="asm_01_0031__b1105438117102610">Service Management</strong>. The diagnosis results of services are displayed in the <strong id="asm_01_0031__b413973126102610">Configuration Diagnosis Result</strong> column.</span><p><p id="asm_01_0031__p1059141134414">If a service is abnormal, click <strong id="asm_01_0031__b392659170102610">Fix</strong> to fix the issues. For details, see <a href="#asm_01_0031__section104191546916">Service Issue Fixing</a>.</p>
|
||||||
|
</p></li><li id="asm_01_0031__li793141204616"><span>After the issues are fixed, you can click <strong id="asm_01_0031__b1638257010102610">Diagnose Again</strong> to diagnose the service again.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0031__section104191546916"><a name="asm_01_0031__section104191546916"></a><a name="section104191546916"></a><h4 class="sectiontitle">Service Issue Fixing</h4><p id="asm_01_0031__p114191214192412">If a service is abnormal, you need to manually fix the abnormal items and then perform auto fix for left issues.</p>
|
||||||
|
<ol id="asm_01_0031__ol7957194914310"><li id="asm_01_0031__li79571649154313"><span>Click <strong id="asm_01_0031__b1342048372102610">Fix</strong> in the row of the abnormal service. If there are issues to be fixed manually, click <strong id="asm_01_0031__b19983173225119">View Solution</strong> to see how to fix them.</span></li><li id="asm_01_0031__li1264572716612"><span>Click <strong id="asm_01_0031__b91951837165410">Next</strong> to go to the auto fix page, and click <strong id="asm_01_0031__b6195153745412">Auto Fix</strong> to automatically fix left issues.</span><p><div class="note" id="asm_01_0031__note4360522174016"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0031__ul2016935475419"><li id="asm_01_0031__li19169175412543">If left issues cannot be fix automatically, click <strong id="asm_01_0031__b72222039102610">View Solution</strong> and fix them manually.</li><li id="asm_01_0031__li1030121545517">Auto fix does not support Services which have configured gateways or have created grayscale release tasks.</li><li id="asm_01_0031__li981319126141">If the service is not displayed in the service list, check whether the corresponding workload exists.</li></ul>
|
||||||
|
</div></div>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0029.html">Service Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
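Review bot: the first Constraints bullet in asm_01_0031.html contradicts itself: "these services cannot be added to the mesh. Otherwise, functions such as grayscale release or gateway access may fail." If adding is blocked, "Otherwise" has nothing to refer to; if it is only discouraged, say "do not add these services to the mesh". In Service Issue Fixing, "left issues" (three occurrences) reads better as "remaining issues", and "cannot be fix automatically" should be "cannot be fixed automatically".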
17
docs/asm/umn/asm_01_0033.html
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
<a name="asm_01_0033"></a><a name="asm_01_0033"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Gateway Management</h1>
|
||||||
|
<div id="body0000001166607251"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0056.html">Adding a Gateway</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0057.html">Adding a Route</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
19
docs/asm/umn/asm_01_0034.html
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<a name="asm_01_0034"></a><a name="asm_01_0034"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Grayscale Release</h1>
|
||||||
|
<div id="body0000001130052867"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0035.html">Grayscale Release Overview</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0036.html">Creating a Grayscale Release Task</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0037.html">Basic Operations on a Grayscale Task</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
18
docs/asm/umn/asm_01_0035.html
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
<a name="asm_01_0035"></a><a name="asm_01_0035"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Grayscale Release Overview</h1>
|
||||||
|
<div id="body0000001130250039"><p id="asm_01_0035__p204251248299">When switching between old and new services, you may be challenged in ensuring the system service continuity. If a new service version is directly released to all users at a time, it can be risky because once an online accident or bug occurs, the impact on users is great. It could take a long time to fix the issue. Sometimes, the version has to be rolled back, which severely affects user experience.</p>
|
||||||
|
<p id="asm_01_0035__p954014407530">Several release policies are developed for service upgrade: canary release, blue-green deployment, A/B testing, rolling upgrade, and batch suspension of release. Traffic loss or service unavailability caused by releases can be avoided as much as possible. Currently, ASM supports canary release and blue-green deployment.</p>
|
||||||
|
<div class="section" id="asm_01_0035__section18766329162914"><h4 class="sectiontitle">Canary Release</h4><p id="asm_01_0035__p4541003362">Canary release is also called grayscale release. It is a smooth iteration mode for version upgrade. During the upgrade, some users use the new version, while other users continue to use the old version. After the new version is stable and ready, it gradually takes over all the live traffic. In this way, service risks brought by the release of the new version can be minimized, the impact of faults can be reduced, and quick rollback is supported.</p>
|
||||||
|
<div class="fignone" id="asm_01_0035__fig109451130201"><span class="figcap"><b>Figure 1 </b>Canary release process</span><br><span><img id="asm_01_0035__image1519152581213" src="en-us_image_0000001254994475.png"></span></div>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0035__section1192552994318"><h4 class="sectiontitle">Blue-Green Deployment</h4><p id="asm_01_0035__p420735819400">Blue-green deployment provides a zero-downtime, predictable manner for releasing applications to reduce service interruption during the release. A new version is deployed while the old version is retained. The two versions are online at the same time. The new and old versions work in hot backup mode. The route weight is switched (0 or 100) to enable different versions to go online or offline. If a problem occurs, the version can be quickly rolled back.</p>
|
||||||
|
<div class="fignone" id="asm_01_0035__fig17374432214"><span class="figcap"><b>Figure 2 </b>Blue-green deployment process</span><br><span><img id="asm_01_0035__image12609632171216" src="en-us_image_0000001210274518.png"></span></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0034.html">Grayscale Release</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
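Review bot: the Canary Release section opens with "Canary release is also called grayscale release", which conflicts with the rest of the commit, where grayscale release is the umbrella term for both forms (asm_01_0016.html: "grayscale releases, including canary release and blue-green deployment"; this topic's own parent is Grayscale Release). Suggest dropping that sentence or rewording it so the two terms are not equated. The second introductory paragraph also lists "batch suspension of release" among the release policies without explaining it anywhere in the hunk, and both figure <img> tags have no alt text.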
51
docs/asm/umn/asm_01_0036.html
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
<a name="asm_01_0036"></a><a name="asm_01_0036"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Creating a Grayscale Release Task</h1>
|
||||||
|
<div id="body0000001130151131"><div class="section" id="asm_01_0036__section695502711820"><h4 class="sectiontitle">Basic Concepts</h4><ul id="asm_01_0036__ul1540612364188"><li id="asm_01_0036__li206717917229"><span class="keyword" id="asm_01_0036__keyword26724919224">Grayscale version</span><p id="asm_01_0036__p135211613172220">Only one grayscale version can be released for a service. You can configure grayscale policies for the version.</p>
|
||||||
|
</li><li id="asm_01_0036__li17102132219228"><span class="keyword" id="asm_01_0036__keyword161031822192210">Grayscale policy</span><p id="asm_01_0036__p1686542219222">Before releasing a new service version in the production environment and letting it serve all the live traffic, you can add a grayscale version and configure grayscale policies to serve just a proportion of the traffic. After the grayscale version has run stably for a period, it can serve as the default version to take over all traffic in place of the original version in the production environment.</p>
|
||||||
|
</li></ul>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0036__section230105120212"><h4 class="sectiontitle">Creating a Grayscale Release Task</h4><ol id="asm_01_0036__ol923713456714"><li id="asm_01_0036__li0970112012172"><span>Log in to the ASM console and go to the <strong id="asm_01_0036__b13161141102511">Create a grayscale release task</strong> page by one of the following ways:</span><p><ul id="asm_01_0036__ul171761631102512"><li id="asm_01_0036__li7877104561515">(Shortcut) In the upper right corner of an Enterprise mesh, click <span><img id="asm_01_0036__image1891933718163" src="en-us_image_0000001254994843.png"></span>.</li><li id="asm_01_0036__li51767318252">(Shortcut) In the center of the target mesh, click <strong id="asm_01_0036__b1545983530102415">Create a grayscale release task</strong>.</li><li id="asm_01_0036__li746144374218">Create a grayscale release task on the mesh details page.<ol type="a" id="asm_01_0036__ol4373114819425"><li id="asm_01_0036__li123737481421">Click the target mesh and go to its details page, click <strong id="asm_01_0036__b1885266196102415">Grayscale Release</strong> in the navigation pane on the left.</li><li id="asm_01_0036__li4599125384218">If no grayscale task is running, click <strong id="asm_01_0036__b7201145816720">Create Release Task</strong> in the <strong id="asm_01_0036__b920820582075">Canary Release</strong> or <strong id="asm_01_0036__b16209135817711">Blue-Green Deployment</strong> area. If there is an ongoing grayscale task, click <strong id="asm_01_0036__b1620995818710">Grayscale Release</strong> in the upper right corner.</li></ol>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0036__li771712313588"><span>Configure basic information of the grayscale release task.</span><p><ul id="asm_01_0036__ul6468103391818"><li id="asm_01_0036__li182551458340"><strong id="asm_01_0036__b151365433183">Grayscale Release Form</strong><p id="asm_01_0036__p2064691819344">Select <strong id="asm_01_0036__b1497597343102415">Canary Release</strong> or <strong id="asm_01_0036__b2049366149102415">Blue-Green Deployment</strong> as required. For details about the differences between the two forms, see <a href="asm_01_0035.html">Grayscale Release Overview</a>.</p>
|
||||||
|
</li><li id="asm_01_0036__li4938581353"><strong id="asm_01_0036__b743019103613">Task Name</strong><p id="asm_01_0036__p98958413619">Customize a grayscale release task name. Enter 4 to 63 characters, starting with a lowercase letter and ending with a letter or digit. Only lowercase letters, digits, and hyphens (-) are allowed.</p>
|
||||||
|
</li><li id="asm_01_0036__li36212449385"><strong id="asm_01_0036__b13288953173816">Namespace</strong><p id="asm_01_0036__p26361500386">Select the namespace to which the service belongs.</p>
|
||||||
|
</li><li id="asm_01_0036__li10113185692215"><strong id="asm_01_0036__b083101432311">Service</strong><p id="asm_01_0036__p11370657182210">Select the service to be released from the drop-down list box. Services that are running grayscale tasks cannot be selected. They are automatically filtered out from the list.</p>
|
||||||
|
</li><li id="asm_01_0036__li164901553114017"><strong id="asm_01_0036__b486725564018">Workload</strong><p id="asm_01_0036__p614765119400">Select the workload to which the service belongs.</p>
|
||||||
|
</li><li id="asm_01_0036__li16245142511413"><strong id="asm_01_0036__b2245142520413">Version</strong><p id="asm_01_0036__p5245132584112">Current service version number, which cannot be changed.</p>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0036__li1480323914110"><span>Configure grayscale version information.</span><p><ul id="asm_01_0036__ul11748103715413"><li id="asm_01_0036__li1074820373417"><strong id="asm_01_0036__b67471377410">Cluster</strong><p id="asm_01_0036__p7748103744117">Select the cluster on which the grayscale version of the service will be deployed.</p>
|
||||||
|
</li><li id="asm_01_0036__li1574817374414"><strong id="asm_01_0036__b207485372415">Version</strong><p id="asm_01_0036__p187481537204112">Enter the grayscale version number of the service.</p>
|
||||||
|
</li><li id="asm_01_0036__li1835217487279"><strong id="asm_01_0036__b96251705281">Pods</strong><p id="asm_01_0036__p6256649192710">Number of pods of the grayscale version. You can modify the number as required. Each pod of the grayscale version consists of containers deployed with the same image.</p>
|
||||||
|
</li><li id="asm_01_0036__li17315175072717"><strong id="asm_01_0036__b3547182102812">Image Name</strong><p id="asm_01_0036__p1763125102711">The image of the service is selected by default.</p>
|
||||||
|
</li><li id="asm_01_0036__li366895242717"><strong id="asm_01_0036__b16922517284">Image Tag</strong><p id="asm_01_0036__p058355372716">Select the image tag of the grayscale version.</p>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0036__li11228147115610"><span>Click <span class="uicontrol" id="asm_01_0036__uicontrol142518585718"><b>Release</b></span>. Wait for the grayscale version to be created.</span><p><p id="asm_01_0036__p157607115573">Ensure that all pods of the grayscale version are running normally and configure the traffic policy when the startup progress reaches 100%. You can view the pod monitoring information, including <strong id="asm_01_0036__b738282634102415">Start Logs</strong> and <strong id="asm_01_0036__b38129282102415">Performance Monitoring</strong> on the <strong id="asm_01_0036__b2126702874102415">View Status</strong> page.</p>
|
||||||
|
</p></li><li id="asm_01_0036__li5242204519710"><span>(For canary release only) Click <strong id="asm_01_0036__b2127315232102415">Configure Traffic Policy</strong> to configure a traffic policy.</span><p><p id="asm_01_0036__p58080153163125"><strong id="asm_01_0036__b371783390102415">Policy Type</strong>: The value can be <strong id="asm_01_0036__b1569755184102415">Based on traffic ratio</strong> or <strong id="asm_01_0036__b1443871107102415">Based on request content</strong>.</p>
|
||||||
|
<ul id="asm_01_0036__ul61311494163314"><li id="asm_01_0036__li1265865519290"><strong id="asm_01_0036__b179291468309">Based on traffic ratio</strong><p id="asm_01_0036__p910935618296">A specified ratio of traffic will be directed to the grayscale version. For example, 75% of the traffic is directed to the original version, and 25% is directed to the grayscale version. In actual applications, you can gradually increase the traffic ratio of the grayscale version and deliver policies to monitor the performance of the grayscale version.</p>
|
||||||
|
<div class="fignone" id="asm_01_0036__fig1550914468143"><span class="figcap"><b>Figure 1 </b>Based on traffic ratio</span><br><span><img class="eddx" id="asm_01_0036__image45091246201417" src="en-us_image_0000001210438852.png"></span></div>
|
||||||
|
<p id="asm_01_0036__p184331616162415"><strong id="asm_01_0036__b361084949102415">Traffic</strong> <strong id="asm_01_0036__b1076523187102415">ratio</strong>: You can set the traffic ratio for the original version and grayscale version. The system distributes traffic to the two versions based on the specific traffic ratio.</p>
|
||||||
|
</li></ul>
|
||||||
|
<ul id="asm_01_0036__ul21864151442"><li id="asm_01_0036__li1318621514442"><strong id="asm_01_0036__b1184715194414">Based on request content</strong><p id="asm_01_0036__p10186515104411">The grayscale version can be accessed only when the traffic meets the rules based on the cookies, custom headers, queries, operating systems, and browsers. For example, only HTTP requests whose cookies meet <strong id="asm_01_0036__b1217005551102415">User=Internal</strong> can be forwarded to the grayscale version. Other requests are still received by the original version.</p>
|
||||||
|
<div class="fignone" id="asm_01_0036__fig19101134141212"><span class="figcap"><b>Figure 2 </b>Based on request content</span><br><span><img class="eddx" id="asm_01_0036__image1610220411210" src="en-us_image_0000001210119300.png"></span></div>
|
||||||
|
<ul id="asm_01_0036__ul146803318438"><li id="asm_01_0036__li1765991217433"><strong id="asm_01_0036__b0949204010510">Cookie</strong><p id="asm_01_0036__p14135174411452"><strong id="asm_01_0036__b351285221111">Regular expression</strong>: When the cookie of a request matches the configured regular expression, the request will be distributed to the grayscale version.</p>
|
||||||
|
</li><li id="asm_01_0036__li63161151174315"><strong id="asm_01_0036__b99941448155113">Header</strong><ul id="asm_01_0036__ul17661191910713"><li id="asm_01_0036__li111518584416"><strong id="asm_01_0036__b08691434192116">Full match</strong>: Only the URL that fully matches the values you set can be accessed. For example, if <strong id="asm_01_0036__b1697833709102415">Key</strong> is set to <strong id="asm_01_0036__b2061631694102415">User</strong> and <strong id="asm_01_0036__b781961949102415">Value</strong> is set to <strong id="asm_01_0036__b38182976102415">Internal</strong>, only requests whose headers contain <strong id="asm_01_0036__b1880166255102415">User</strong> with the value <strong id="asm_01_0036__b438277587102415">Internal</strong> are responded by the service of the grayscale version.</li><li id="asm_01_0036__li1830122117716"><strong id="asm_01_0036__b1433176777102415">Regular expression</strong>: When the header of a request matches the configured regular expression, the request will be distributed to the grayscale version.<p id="asm_01_0036__p530216211679">You can customize the key and value for filtering. The value supports the full match and regular expression.</p>
|
||||||
|
</li></ul>
|
||||||
|
</li><li id="asm_01_0036__li0455205112192"><strong id="asm_01_0036__b6293190135211">Query</strong><ul id="asm_01_0036__ul122705534206"><li id="asm_01_0036__li62701453112015"><strong id="asm_01_0036__b052280152213">Full match</strong>: Only the URL that fully matches the values you set can be accessed. For example, if <strong id="asm_01_0036__b1874948701102415">Key</strong> is set to <strong id="asm_01_0036__b1903766040102415">User</strong> and <strong id="asm_01_0036__b1996971534102415">Value</strong> is set to <strong id="asm_01_0036__b2112203613102415">Internal</strong>, only requests whose queries contain <strong id="asm_01_0036__b433224998102415">User</strong> with the value <strong id="asm_01_0036__b566472174102415">Internal</strong> are responded by the service of the grayscale version.</li><li id="asm_01_0036__li127075311208"><strong id="asm_01_0036__b1062257843102415">Regular expression</strong>: When the query of a request matches the configured regular expression, the request will be distributed to the grayscale version.<p id="asm_01_0036__p112701053182010">You can customize the key and value for filtering. The value supports the full match and regular expression.</p>
|
||||||
|
</li></ul>
|
||||||
|
</li><li id="asm_01_0036__li15787154419"><strong id="asm_01_0036__b649621384102415">Allowed OS</strong>: Select OSs that can access the grayscale version, including iOS, Android, Windows, and macOS.</li><li id="asm_01_0036__li526131604411"><strong id="asm_01_0036__b2030726272102415">Allowed Browser</strong>: Select browsers that can access the grayscale version, including Chrome and Internet Explorer.</li><li id="asm_01_0036__li1630402520442"><strong id="asm_01_0036__b1968871174102415">Traffic management YAML</strong>: The rule YAML is automatically generated based on the configured parameters.</li></ul>
|
||||||
|
</li></ul>
|
||||||
|
<div class="note" id="asm_01_0036__note197321798815"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0036__p10999132611241">A traffic policy based on request content is valid only for the entry service that is directly accessed. If you want the traffic policy to be applied to all services, the header information of HTTP requests needs to be transferred in the service code.</p>
|
||||||
|
<p id="asm_01_0036__p3184131564415">For example, if you configured a grayscale policy based on the request content for service <strong id="asm_01_0036__b960115943102415">reviews</strong> and did not transfer the HTTP request header information in the service code, the grayscale policy will not take effect when you send requests to service <strong id="asm_01_0036__b910678144102415">productpage</strong>.</p>
|
||||||
|
<p id="asm_01_0036__p8184815194414">The reason is that when the <strong id="asm_01_0036__b13915193132120">productpage</strong> service calls the <strong id="asm_01_0036__b1592293112212">reviews</strong> service, the header information of the HTTP request you sent to <strong id="asm_01_0036__b99231931132113">productpage</strong> will be lost. As a result, the <strong id="asm_01_0036__b20926133182113">reviews</strong> service receives a request without the header information. The grayscale policy will not take effect.</p>
|
||||||
|
</div></div>
|
||||||
|
</p></li><li id="asm_01_0036__li17696734191613"><span>Click <span class="uicontrol" id="asm_01_0036__uicontrol7839138133516"><b>Deliver Policy</b></span>.</span><p><p id="asm_01_0036__p1375153681612">It takes several seconds for a grayscale policy to take effect. You can view the traffic monitoring of the service and the health monitoring of the original version and grayscale version.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0034.html">Grayscale Release</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
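Review bot: In the "Based on request content" item, the sentence "The grayscale version can be accessed only when the traffic meets the rules" reads as an access restriction, but the rules match cookies, headers and query parameters that the client supplies. Describe it as routing (for example "requests that match the rules are routed to the grayscale version") and say that these rules are not a way to keep other users away from the grayscale version. In the same list, the "Full match" entries under both Header and Query say "Only the URL that fully matches the values you set can be accessed", which looks copied from a URL rule; they should name the header or the query parameter. The Task Name rule says "ending with a letter or digit" while allowing only lowercase letters, so it should read "lowercase letter or digit". It would also help to state whether a regular expression has to match the whole cookie, header or query value or only part of it.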
40
docs/asm/umn/asm_01_0037.html
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
<a name="asm_01_0037"></a><a name="asm_01_0037"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Basic Operations on a Grayscale Task</h1>
|
||||||
|
<div id="body0000001083233778"><div class="section" id="asm_01_0037__section1132195261519"><h4 class="sectiontitle">Description</h4><p id="asm_01_0037__p192151613161">Basic operations on a grayscale version are performed by modifying the configuration of the DestinationRule and VirtualService resources of Istio. After the modification is complete, wait for about 10 seconds for the new policy to take effect.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0037__section13277131491720"><h4 class="sectiontitle">Modifying the Traffic Policy of a Grayscale Version</h4><p id="asm_01_0037__p103820313582"><strong id="asm_01_0037__b6994123265817">Modifying a grayscale policy that is based on traffic ratio</strong></p>
|
||||||
|
<p id="asm_01_0037__p954314915568">For such a grayscale policy that is based on traffic ratio, you can gradually increase the traffic ratio of the grayscale version to avoid service risks caused by direct traffic switchover. To change the traffic ratio, perform the following steps:</p>
|
||||||
|
<ol id="asm_01_0037__ol22602493585"><li id="asm_01_0037__li172608490583"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0037__li1685515685910"><span>In the navigation pane, choose <strong id="asm_01_0037__b1198257152102457">Grayscale Release</strong>. Then click the target canary release task.</span></li><li id="asm_01_0037__li119651731195914"><span>On the <span class="uicontrol" id="asm_01_0037__uicontrol15603542195919"><b>Configure Traffic Policy</b></span> page, set the traffic ratio of the grayscale version.</span><p><p id="asm_01_0037__p204971340517">If the traffic ratio of the grayscale version is set to <strong id="asm_01_0037__b1049686697102457">x</strong>, the traffic ratio of the original version is automatically adjusted to <strong id="asm_01_0037__b1249862318102457">100-x</strong>.</p>
|
||||||
|
</p></li><li id="asm_01_0037__li1654913119011"><span>Click <strong id="asm_01_0037__b2088803477102457">Deliver Policy</strong>.</span></li></ol>
|
||||||
|
<p id="asm_01_0037__p229215343582"><strong id="asm_01_0037__b2085653513584">Modifying a grayscale policy that is based on request content</strong></p>
|
||||||
|
<p id="asm_01_0037__p78315545421">With such a policy, a grayscale version can be accessed only when the traffic meets the rules based on Cookies, Headers, Queries, Allowed Operating Systems, and Allowed Browsers. In real-world use cases, rules may be modified for multiple times to fully verify the performance of the grayscale version.</p>
|
||||||
|
<ol id="asm_01_0037__ol63435402427"><li id="asm_01_0037__li83431840114212"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0037__li1343134014429"><span>In the navigation pane on the left, choose <strong id="asm_01_0037__b808078738102457">Grayscale Release</strong> and click the target canary release task.</span></li><li id="asm_01_0037__li43433409426"><span>On the <span class="uicontrol" id="asm_01_0037__uicontrol221028061102457"><b>Configure Traffic Policy</b></span> page, reconfigure <strong id="asm_01_0037__b158529202102457">Cookie</strong>, <strong id="asm_01_0037__b1274928578102457">Header</strong>, <strong id="asm_01_0037__b1679842724102457">Query</strong>, <strong id="asm_01_0037__b227798411102457">Allowed OS</strong>, and <strong id="asm_01_0037__b323640813102457">Allowed Browser</strong>.</span></li><li id="asm_01_0037__li134315402422"><span>Click <strong id="asm_01_0037__b1247868421102457">Deliver Policy</strong>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0037__section1198719955819"><h4 class="sectiontitle">Switching the Grayscale Policy Type</h4><p id="asm_01_0037__p1938319221655">You can change the type of a grayscale policy from <span class="uicontrol" id="asm_01_0037__uicontrol196956419398"><b>based on request content</b></span> to <span class="uicontrol" id="asm_01_0037__uicontrol8517310113911"><b>based on traffic ratio</b></span> and vice versa. After this operation is complete, all configured rules become invalid and all traffic is redistributed based on the new policy.</p>
|
||||||
|
<div class="notice" id="asm_01_0037__note084791961611"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="asm_01_0037__p071154481611">Grayscale policies can be changed only for running tasks. After a grayscale version is released (that is, the new version completely takes over the traffic and the old version has been brought offline), its grayscale policy cannot be reconfigured.</p>
|
||||||
|
</div></div>
|
||||||
|
<ol id="asm_01_0037__ol1210818591352"><li id="asm_01_0037__li52621017101914"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0037__li46935210529"><span>In the navigation pane on the left, choose <strong id="asm_01_0037__b245738102102457">Grayscale Release</strong> and click the target canary release task.</span></li><li id="asm_01_0037__li196067405229"><span>On the <span class="uicontrol" id="asm_01_0037__uicontrol85896715214"><b>Configure Traffic Policy</b></span> page, change the policy type.</span></li><li id="asm_01_0037__li188191539102411"><span>Click <strong id="asm_01_0037__b1743078927102457">Deliver Policy</strong>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0037__section124701017142211"><h4 class="sectiontitle">Taking Over All Traffic</h4><p id="asm_01_0037__p772618508120">After you click <span class="uicontrol" id="asm_01_0037__uicontrol6726125018123"><b>Take Over All Traffic</b></span>, the original version or grayscale version takes over all traffic.</p>
|
||||||
|
<ol id="asm_01_0037__ol11726175016122"><li id="asm_01_0037__li590412592365"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0037__li167261550131217"><span>In the navigation pane on the left, choose <strong id="asm_01_0037__b2072504440102457">Grayscale Release</strong> and click the target grayscale release task.</span></li><li id="asm_01_0037__li11726450171215"><span>On the <strong id="asm_01_0037__b675106888102457">Monitor and Manage Traffic</strong> page, click <strong id="asm_01_0037__b2027459733102457">Take Over All Traffic</strong> next to the target version.</span></li><li id="asm_01_0037__li107261550141217"><span>In the displayed dialog box, click <strong id="asm_01_0037__b313926256102457">OK</strong>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0037__section315312842215"><h4 class="sectiontitle">Terminating a Grayscale Release Task</h4><p id="asm_01_0037__p12870125843218">After the grayscale version takes over all traffic, you can terminate the grayscale task. After the grayscale task is canceled, the original version will be brought offline, and all workloads and Istio configuration resources will be deleted.</p>
|
||||||
|
<ol id="asm_01_0037__ol758780709"><li id="asm_01_0037__li10929204883211"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0037__li142039178448"><span>In the navigation pane on the left, choose <strong id="asm_01_0037__b2104194791102457">Grayscale Release</strong> and click the target grayscale release task.</span></li><li id="asm_01_0037__li17930204863217"><span>On the <strong id="asm_01_0037__b287496591102457">Monitor and Manage Traffic</strong> page, click <strong id="asm_01_0037__b269083596102457">Take Over All Traffic</strong> next to the grayscale version.</span></li><li id="asm_01_0037__li593017482325"><span>Click <strong id="asm_01_0037__b145186320102457">Terminate Task</strong> in the lower right corner.</span></li><li id="asm_01_0037__li940153111410"><span>In the displayed dialog box, click <strong id="asm_01_0037__b707808679102457">OK</strong>.</span><p><p id="asm_01_0037__p74963681419">You can go to the <strong id="asm_01_0037__b1712159922102457">Terminated Tasks</strong> tab page to view the finished grayscale task. The <strong id="asm_01_0037__b628015301102457">Release Result</strong> is <strong id="asm_01_0037__b686986172102457">Released successfully</strong>.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0037__section14397841183619"><h4 class="sectiontitle">Canceling a Grayscale Release Task</h4><p id="asm_01_0037__p172641546103619">After the original version takes over all traffic, you can cancel the grayscale task.</p>
|
||||||
|
<ol id="asm_01_0037__ol614993610209"><li id="asm_01_0037__li17149203618204"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0037__li9602941162010"><span>In the navigation pane on the left, choose <strong id="asm_01_0037__b758139008102457">Grayscale Release</strong> and click the target grayscale release task.</span></li><li id="asm_01_0037__li68361823123315"><span>On the <strong id="asm_01_0037__b43010898102457">Monitor and Manage Traffic</strong> page, click <strong id="asm_01_0037__b765831614102457">Take Over All Traffic</strong> next to the original version.</span></li><li id="asm_01_0037__li31089354275"><span>Click <strong id="asm_01_0037__b651501629102457">Cancel Task</strong> in the lower right corner. You can also click <span><img id="asm_01_0037__image811561310322" src="en-us_image_0000001209978068.png"></span> in the upper right corner of a task in the grayscale task list.</span></li><li id="asm_01_0037__li133111045142015"><span>In the displayed dialog box, click <strong id="asm_01_0037__b500762591102457">OK</strong>.</span><p><p id="asm_01_0037__p1445312193414">You can go to the <strong id="asm_01_0037__b1319872632102457">Terminated Tasks</strong> tab page to view the finished grayscale task. The <strong id="asm_01_0037__b1291505820102457">Release Result</strong> is <strong id="asm_01_0037__b1932649443102457">Released canceled</strong>.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0037__section15383135483517"><h4 class="sectiontitle">Viewing Terminated Grayscale Release Tasks</h4><p id="asm_01_0037__p139585417360">You can view canceled and finished grayscale tasks on the <strong id="asm_01_0037__b1420952114102457">Terminated Tasks</strong> tab page.</p>
|
||||||
|
<ol id="asm_01_0037__ol499611672411"><li id="asm_01_0037__li599615692414"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0037__li1261451182417"><span>In the navigation pane on the left, choose <strong id="asm_01_0037__b2092000304102457">Grayscale Release</strong> and click the <strong id="asm_01_0037__b850199559102457">Terminated Tasks</strong> tab page.</span><p><p id="asm_01_0037__p8782155210475">You can view the release task name, release result, service, and release time, and delete a terminated task.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0034.html">Grayscale Release</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
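Review bot: In "Terminating a Grayscale Release Task", the sentence "After the grayscale task is canceled, the original version will be brought offline" uses "canceled" for the terminate action, although "Canceling a Grayscale Release Task" is a separate operation that starts from the opposite state (the original version holding all traffic); change it to "terminated". The same sentence says "all workloads and Istio configuration resources will be deleted" without saying which ones. Because this step is destructive, state which version's workloads and which Istio resources are removed, and add the corresponding sentence to the cancel section, which currently does not say what happens to the grayscale version. The Description gives "about 10 seconds" for a policy to take effect while asm_01_0036.html says "several seconds"; use one figure. The result string "Released canceled" should be checked against the console text.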
21
docs/asm/umn/asm_01_0038.html
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
<a name="asm_01_0038"></a><a name="asm_01_0038"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Mesh Configuration</h1>
|
||||||
|
<div id="body0000001111911772"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0039.html">Overview</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0041.html">Sidecar Management</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0091.html">Istio Resource Management</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0123.html">Service Mesh Extension</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
14
docs/asm/umn/asm_01_0039.html
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
<a name="asm_01_0039"></a><a name="asm_01_0039"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Overview</h1>
|
||||||
|
<div id="body0000001130251799"><p id="asm_01_0039__p4238151805917">Mesh configuration provides cluster management, sidecar management, Istio resource management, and upgrade capabilities.</p>
|
||||||
|
<p id="asm_01_0039__p163921786389">The <span class="keyword" id="asm_01_0039__keyword131251951123817">mesh control plane</span> workloads inject and manage sidecars of data plane pods, deliver policies and configurations, and collect monitoring data. Sidecars work with service containers in data plane pods, and they are in charge of routing and forwarding, traffic policy configuration, and monitoring data collection.</p>
|
||||||
|
<p id="asm_01_0039__p1536713311506">The functions of each tab page in <strong id="asm_01_0039__b177799347410267">Mesh Configuration</strong> are as follows:</p>
|
||||||
|
<ul id="asm_01_0039__ul9284111135016"><li id="asm_01_0039__li15284151145016"><strong id="asm_01_0039__b10692151818228">Basic Information</strong>: You can view the mesh name, ID, status, edition, version, observability, creation time, and clusters with the mesh enabled.</li><li id="asm_01_0039__li528481114502"><strong id="asm_01_0039__b19089497110267">Sidecar Management</strong>: You can view information about all workloads injected with sidecars, perform sidecar injection, and configure sidecar resource limits. For details, see <a href="asm_01_0041.html">Sidecar Management</a>.</li><li id="asm_01_0039__li1928421195014"><strong id="asm_01_0039__b31091261810267">Istio Resource Management</strong>: You can view all Istio resources (such as VirtualService and DestinationRule), create Istio resources in YAML or JSON format, and modify existing Istio resources. For details, see <a href="asm_01_0091.html">Istio Resource Management</a>.</li><li id="asm_01_0039__li5725212101718"><strong id="asm_01_0039__b1280153963219">Upgrade</strong>: You can upgrade the version of a service mesh.</li><li id="asm_01_0039__li95496517363">Mesh extension: provides the observability configuration. For details, see <a href="asm_01_0123.html">Service Mesh Extension</a>.</li></ul>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0038.html">Mesh Configuration</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
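Review bot: The opening sentence lists "cluster management, sidecar management, Istio resource management, and upgrade capabilities", but the tab list below it describes Basic Information, Sidecar Management, Istio Resource Management, Upgrade and Mesh extension, so cluster management has no tab entry and mesh extension is missing from the summary; align the two. The last list item ("Mesh extension: provides the observability configuration") also lacks the bold label and the sentence form that the other four items use.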
41
docs/asm/umn/asm_01_0041.html
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
<a name="asm_01_0041"></a><a name="asm_01_0041"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Sidecar Management</h1>
|
||||||
|
<div id="body0000001083107046"><p id="asm_01_0041__p84481631152714">On the <strong id="asm_01_0041__b712243010246">Sidecar Management</strong> page, you can view information about all workloads injected with sidecars, perform sidecar injection, and configure sidecar resource limits.</p>
|
||||||
|
<div class="section" id="asm_01_0041__section65931513505"><a name="asm_01_0041__section65931513505"></a><a name="section65931513505"></a><h4 class="sectiontitle">Injecting a Sidecar</h4><p id="asm_01_0041__p1820212632111">You can view the namespace and cluster to which the injected sidecar belongs. If no sidecar has been injected or you need to inject sidecar for more namespaces, perform the following operations:</p>
|
||||||
|
<ol id="asm_01_0041__ol13641175216560"><li id="asm_01_0041__li683575385614"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0041__li987742619292"><span>In the navigation pane, choose <strong id="asm_01_0041__b23024965310246">Mesh Configuration</strong>. Then click the <strong id="asm_01_0041__b79698741510246">Sidecar Management</strong> tab.</span></li><li id="asm_01_0041__li122863200343"><span>Click <strong id="asm_01_0041__b212025475310246">Sidecar Management</strong>, select a namespace, determine whether to restart the existing services, and click <strong id="asm_01_0041__b163426572510246">OK</strong>.</span><p><ul id="asm_01_0041__ul1213414267113"><li id="asm_01_0041__li151346264113"><strong id="asm_01_0041__b25961104110246">Namespace</strong>: Select one or more namespaces. The system labels the namespaces with <strong id="asm_01_0041__b86877081210246">istio-injection=enabled</strong>.</li><li id="asm_01_0041__li1283731219"><strong id="asm_01_0041__b176898850910246">Restart Existing Services</strong><p id="asm_01_0041__p16974516217"><span><img id="asm_01_0041__image1251935012150" src="en-us_image_0000001930216052.png"></span>: Pods of the existing services in the namespace will be restarted, which will temporarily interrupt your services. The <strong id="asm_01_0041__b35079130010246">istio-proxy</strong> sidecar is automatically injected into the pods of the existing services.</p>
|
||||||
|
<p id="asm_01_0041__p45731657222"><span><img id="asm_01_0041__image1736110311031" src="en-us_image_0000001256463368.png"></span>: The <strong id="asm_01_0041__b19208133718302">istio-proxy</strong> sidecar cannot be automatically injected into the pods of the existing services. You need to manually restart the workloads on the CCE console to inject the sidecar. Whether to restart existing services affects only existing services. If the namespaces are labeled with <strong id="asm_01_0041__b1545117533412">istio-injection=enabled</strong>, sidecars will be automatically injected into new pods.</p>
|
||||||
|
</li><li id="asm_01_0041__li975935132613"><strong id="asm_01_0041__b4935192843517">Traffic Interception Settings</strong><div class="note" id="asm_01_0041__note130182311537"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0041__p5301112325320">By default, sidecars intercept all inbound and outbound traffic of pods. You can modify the default traffic rules in <strong id="asm_01_0041__b15949143017359">Traffic Interception Settings</strong>.</p>
|
||||||
|
</div></div>
|
||||||
|
<p id="asm_01_0041__p10174123175619"><strong id="asm_01_0041__b97421432123511">Inbound Ports</strong>: Inbound ports separated by commas (,). You can use this field to specify the ports that will be included or excluded for inbound traffic redirection.</p>
|
||||||
|
<ul id="asm_01_0041__ul19912133010017"><li id="asm_01_0041__li891233017016"><strong id="asm_01_0041__b13234113463514">Include only specified ports</strong> means that the traffic to services in a service mesh over specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<ul id="asm_01_0041__ul192771149401"><li id="asm_01_0041__li427774912017"><strong id="asm_01_0041__b954213352357">Exclude only specified ports</strong> means that the traffic to services in a service mesh over the ports except the specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<p id="asm_01_0041__p1492182965613"><strong id="asm_01_0041__b1262643613359">Outbound Ports</strong>: Outbound ports separated by commas (,). You can use this field to specify the ports that will be included or excluded for outbound traffic redirection.</p>
|
||||||
|
<ul id="asm_01_0041__ul887675114113"><li id="asm_01_0041__li208771351116"><strong id="asm_01_0041__b20581938193512">Include only specified ports</strong> means that the traffic from services in a service mesh over specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<ul id="asm_01_0041__ul91091571217"><li id="asm_01_0041__li9109125715112"><strong id="asm_01_0041__b8850163916356">Exclude only specified ports</strong> means that the traffic from services in a service mesh over the ports except the specified ports will be redirected to the sidecar.</li></ul>
|
||||||
|
<p id="asm_01_0041__p14346164816561"><strong id="asm_01_0041__b13849134010355">Outbound IP Ranges</strong>: IP address ranges separated by commas (,) in CIDR format. You can use this field to specify the IP ranges that will be excluded from redirection to the sidecar.</p>
|
||||||
|
<ul id="asm_01_0041__ul13301528313"><li id="asm_01_0041__li5311221939"><strong id="asm_01_0041__b922854213514">Include only specified IP ranges</strong> means that the traffic from specified IP ranges will be redirected to the sidecar.</li></ul>
|
||||||
|
<ul id="asm_01_0041__ul112121251130"><li id="asm_01_0041__li42121455318"><strong id="asm_01_0041__b19623164303511">Exclude only specified IP ranges</strong> means that the traffic from IP ranges except the specified IP ranges will be redirected to the sidecar.</li></ul>
|
||||||
|
</li></ul>
|
||||||
|
<div class="note" id="asm_01_0041__note1279618584133"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0041__ul97451116162713"><li id="asm_01_0041__li1974521615271">If the system displays a message indicating that modification of namespace injection is not enabled in the following clusters, you need to run the <strong id="asm_01_0041__b11447123395415">kubectl</strong> command to enable namespace injection. For details, see <a href="asm_faq_0036.html">How Do I Enable Namespace Injection for a Cluster?</a>.</li><li id="asm_01_0041__li12746181642719">After sidecar injection is enabled for a namespace of a cluster, sidecars are automatically injected for pods of all workloads in the namespace. If you do not want to inject sidecars for some workloads, see <a href="asm_faq_0037.html">How Do I Disable Sidecar Injection for Workloads?</a>.</li></ul>
|
||||||
|
</div></div>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0041__section259115115019"><h4 class="sectiontitle">Viewing Workload Details</h4><p id="asm_01_0041__p559725563016">The list displays all workloads created in the clusters managed by a mesh. You can view the workload name, cluster to which the workload belongs, service, and sidecar information of the workload, including the sidecar name, version, status, CPU usage, and memory usage. The procedure is as follows:</p>
|
||||||
|
</div>
|
||||||
|
<ol id="asm_01_0041__ol1959415165017"><li id="asm_01_0041__li98334469347"><span>In the drop-down list and search box in the upper right corner of the workload list, select a cluster and namespace, and enter the target workload name.</span></li><li id="asm_01_0041__li6382131161915"><span>Click <span><img id="asm_01_0041__image43913457208" src="en-us_image_0000001200574170.png"></span> in front of the workload to view the sidecar information of the workload.</span><p><p id="asm_01_0041__p742812107217">If the system displays a message indicating that there is no sidecar in the workload, no sidecar has been injected into the namespace to which the workload belongs. In this case, you can inject one into the namespace. For details, see <a href="#asm_01_0041__section65931513505">Injecting a Sidecar</a>.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
<div class="section" id="asm_01_0041__section1260131575013"><h4 class="sectiontitle">Configuring Sidecar Resource Limits</h4><p id="asm_01_0041__p129031261127">You can configure the upper and lower limits of CPU and memory resources for sidecars (istio-proxy container). If the upper and lower resource limits are not set for a workload, a resource leak of this workload will make resources unavailable for other workloads deployed on the same node. In addition, workloads that do not have upper and lower resource limits cannot be accurately monitored.</p>
|
||||||
|
<p id="asm_01_0041__p2666114504610">The default upper and lower limits of sidecar resources are as follows:</p>
|
||||||
|
<ul id="asm_01_0041__ul1705179111210"><li id="asm_01_0041__li0705159111220">CPU (core): 0.1 to 2 (included)</li><li id="asm_01_0041__li17053919120">MEM (MiB): 128 to 1,024 (included)</li></ul>
|
||||||
|
<p id="asm_01_0041__p73903163125">To change the value, perform the following operations:</p>
|
||||||
|
<ol id="asm_01_0041__ol716113613716"><li id="asm_01_0041__li4161136476"><span>Click <strong id="asm_01_0041__b192440389810246">Set Resource Limit</strong> in the <strong id="asm_01_0041__b195764109210246">Operation</strong> column of the target workload. You can also select multiple workloads and click <strong id="asm_01_0041__b154266620810246">Set Resource Limit</strong> in the upper left corner of the workload list to configure sidecar resource limits in batches.</span><p><ul id="asm_01_0041__ul11852132105414"><li id="asm_01_0041__li25681305545">Minimum CPU: CPU request, the minimum number of CPU cores required by a container. Resources are scheduled for the container based on this value. The container can be scheduled to a node only when the total available CPU on the node is greater than or equal to the number of CPU cores applied for the container.</li><li id="asm_01_0041__li17568143045420">Maximum CPU: CPU limit, the maximum number of CPU cores required by a container.</li><li id="asm_01_0041__li155691330135411">Minimum memory: memory request, the minimum amount of memory required by a container. Resources are scheduled for the container based on this value. The container can be scheduled to this node only when the total available memory on the node is greater than or equal to the requested container memory.</li><li id="asm_01_0041__li95692304544">Maximum memory: memory limit, the maximum amount of memory required by a container. When the memory usage exceeds the specified memory limit, the pod may be restarted, which affects the normal use of the workload.</li></ul>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0038.html">Mesh Configuration</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
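Review bot: In the Outbound IP Ranges block, the field description says the ranges "will be excluded from redirection to the sidecar", yet the two options under it are Include only and Exclude only, and both describe traffic "from" the ranges although this is an outbound setting. Reword the description to "included or excluded", as the Inbound Ports and Outbound Ports paragraphs do, and state whether the ranges are matched against the destination address of traffic leaving the pod. Since traffic that is not redirected never passes through the sidecar, it is worth saying at this point that excluded ports and ranges are not subject to the sidecar's traffic handling. Separately, under Configuring Sidecar Resource Limits, Maximum CPU and Maximum memory are defined as the maximum "required by a container"; a limit is the maximum the container is allowed to use.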
16
docs/asm/umn/asm_01_0048.html
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
<a name="asm_01_0048"></a><a name="asm_01_0048"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Configuring Istio Resources Using YAML</h1>
|
||||||
|
<div id="body0000001379514653"><p id="asm_01_0048__p16819323557">You can modify all Istio resources (such as VirtualService and DestinationRule) of a service in YAML or JSON format on the <strong id="asm_01_0048__b17594115103815">Istio Resource Management</strong> page. You can also create new Istio resources.</p>
|
||||||
|
<div class="section" id="asm_01_0048__section126909124113"><h4 class="sectiontitle">Modifying an Existing Istio Resource</h4><ol id="asm_01_0048__ol64160411608"><li id="asm_01_0048__li1641617411906"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0048__li136201456709"><span>In the navigation pane, choose <strong id="asm_01_0048__b211850665843321">Mesh Configuration</strong>. Then click the <strong id="asm_01_0048__b69824789943321">Istio Resource Management</strong> tab.</span></li><li id="asm_01_0048__li99868151614"><span>In the drop-down list, select the Istio resource type (for example, Istio Resources: virtualservices) and the namespace to which the resource belongs.</span></li><li id="asm_01_0048__li12625134614345"><span>Click <strong id="asm_01_0048__b72038383043321">Edit</strong> in the <strong id="asm_01_0048__b154148889643321">Operation</strong> column. In the right pane, modify related configurations and click <strong id="asm_01_0048__b184844462043321">OK</strong>.</span><p><p id="asm_01_0048__p197224743417">The configuration file can be displayed in YAML or JSON format and can be downloaded to the local PC.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0048__section1969114121917"><h4 class="sectiontitle">Creating an Istio Resource</h4><ol id="asm_01_0048__ol1234918337357"><li id="asm_01_0048__li33491533103510"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0048__li14349193313359"><span>In the navigation pane, choose <strong id="asm_01_0048__b198816217464">Mesh Configuration</strong>. Then click the <strong id="asm_01_0048__b488110218464">Istio Resource Management</strong> tab.</span></li><li id="asm_01_0048__li17349123316357"><span>Click <strong id="asm_01_0048__b31118013243321">Create</strong> in the upper left corner of the list.</span></li><li id="asm_01_0048__li9349233133511"><span>Edit the file in the right pane, or click <strong id="asm_01_0048__b184815411432">Import File</strong> to upload the edited YAML or JSON file.</span></li><li id="asm_01_0048__li136335783815"><span>Confirm the file content and click <strong id="asm_01_0048__b89007089143321">OK</strong>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0091.html">Istio Resource Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
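Review bot: The Creating an Istio Resource steps never say which resource type or namespace the new object gets, while step 3 of Modifying an Existing Istio Resource makes the reader select both. State whether Create takes them from the kind and metadata.namespace in the submitted file or from the drop-down selection, and what the console does when an imported YAML or JSON file fails validation. In the modify procedure, step 4 should also tell the reader to locate the target resource in the list before clicking Edit.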
127
docs/asm/umn/asm_01_0049.html
Normal file
File diff suppressed because it is too large
343
docs/asm/umn/asm_01_0050.html
Normal file
File diff suppressed because it is too large
15
docs/asm/umn/asm_01_0051.html
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
<a name="asm_01_0051"></a><a name="asm_01_0051"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Viewing Traffic Monitoring</h1>
|
||||||
|
<div id="body0000001083395158"><div class="section" id="asm_01_0051__section8518326102519"><h4 class="sectiontitle">Scenario</h4><p id="asm_01_0051__p948651862318">In the traffic management window, you can view the traffic monitoring data of the last hour, including RPS, success rate, and request latency.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0051__section127451436172517"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0051__ol20995184283915"><li id="asm_01_0051__li18456728440"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0051__li2307164162712"><span>In the navigation pane, choose <strong id="asm_01_0051__b175996716557">Service Management</strong>. In the upper right corner of the list, select the namespace that your services belong to.</span></li><li id="asm_01_0051__li14961452719"><span>Locate the target service and click <strong id="asm_01_0051__b77661216173511">Manage Traffic</strong> in the <strong id="asm_01_0051__b877220163358">Operation</strong> column. In the window that slides out from the right, view the traffic monitoring data of the last hour.</span><p><div class="fignone" id="asm_01_0051__fig13667115162916"><span class="figcap"><b>Figure 1 </b>Traffic monitoring</span><br><span><img id="asm_01_0051__image86673516296" src="en-us_image_0000001280416429.png"></span></div>
|
||||||
|
</p></li><li id="asm_01_0051__li148811724162819"><span>After real-time monitoring is enabled, data is dynamically refreshed every minute.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0085.html">Traffic Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
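Review bot: Step 4 of the Procedure refers to real-time monitoring being enabled, but no earlier step says where or how to enable it. Add the control name and its location in the Manage Traffic window, and say whether it is off by default. The Scenario's "last hour" window should also state whether it still applies once the per-minute refresh is on.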
14
docs/asm/umn/asm_01_0052.html
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
<a name="asm_01_0052"></a><a name="asm_01_0052"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Changing a Traffic Policy</h1>
|
||||||
|
<div id="body0000001083235534"><div class="section" id="asm_01_0052__section18497174482412"><h4 class="sectiontitle">Scenario</h4><p id="asm_01_0052__p126341845122418">You can change the settings of a configured traffic policy. For example, you can change the load balancing algorithm from <span class="parmvalue" id="asm_01_0052__parmvalue227718914386"><b>Round robin</b></span> to <span class="parmvalue" id="asm_01_0052__parmvalue3283179183810"><b>Random</b></span>.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0052__section2340125512411"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0052__ol75076624518"><li id="asm_01_0052__li359213189212"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0052__li34261121123718"><span>In the navigation pane, choose <span class="uicontrol" id="asm_01_0052__uicontrol10670066152041"><b>Service Management</b></span>. Locate the service whose traffic policy needs to be modified and click <span class="uicontrol" id="asm_01_0052__uicontrol159025963452041"><b>Manage Traffic</b></span> in the <strong id="asm_01_0052__b149172189152041">Operation</strong> column. In the window that slides out from the right, modify traffic policies.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0085.html">Traffic Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
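Review bot: The Procedure stops at "modify traffic policies" with no step for saving or confirming the change, and it does not say when the new policy takes effect. Add the final click and a sentence on whether the change applies to live traffic immediately. Minor: step 2 marks up Service Management and Manage Traffic with the uicontrol span but Operation with strong; use one style for UI labels.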
41
docs/asm/umn/asm_01_0056.html
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
<a name="asm_01_0056"></a><a name="asm_01_0056"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Adding a Gateway</h1>
|
||||||
|
<div id="body0000001168400365"><p id="asm_01_0056__p1321231184215">A gateway enables unified entry, traffic management, security, and service isolation.</p>
|
||||||
|
<div class="section" id="asm_01_0056__section141144268498"><h4 class="sectiontitle">Prerequisites</h4><p id="asm_01_0056__p119641350155219">Gateways use load balancers of ELB to provide network access. Before adding a gateway, you need to create a load balancer.</p>
|
||||||
|
<p id="asm_01_0056__p113671654155016">When creating a load balancer, you need to ensure that it belongs to the same VPC as the cluster.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0056__section15169750114920"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0056__ol4817103154612"><li id="asm_01_0056__li1433614120526"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0056__li218910061117"><span>In the navigation pane on the left, choose <strong id="asm_01_0056__b766458229102515">Gateway Management</strong> and click <strong id="asm_01_0056__b966014901102515">Add Gateway</strong>.</span></li><li id="asm_01_0056__li65921447162912"><span>Configure the following parameters.</span><p><ul id="asm_01_0056__ul1359211474297"><li id="asm_01_0056__li139001750192815"><strong id="asm_01_0056__b3657180102915">Gateway Name</strong><p id="asm_01_0056__p15441558132814">Enter a gateway name. Enter 4 to 59 characters starting with a lowercase letter and ending with a lowercase letter or digit. Only lowercase letters, digits, and hyphens (-) are allowed.</p>
|
||||||
|
</li><li id="asm_01_0056__li205096299321"><strong id="asm_01_0056__b1576717357329">Cluster</strong><p id="asm_01_0056__p1719143716324">Select the cluster to which the gateway belongs.</p>
|
||||||
|
</li><li id="asm_01_0056__li1627847173510"><strong id="asm_01_0056__b72023510139">Load Balancer</strong><ul id="asm_01_0056__ul198721433124110"><li id="asm_01_0056__li1373914385357">Gateways use shared load balancers of ELB for the access over both public and private IPv4 networks.</li></ul>
|
||||||
|
</li><li id="asm_01_0056__li137621212344"><strong id="asm_01_0056__b82802248345">Listener</strong><p id="asm_01_0056__p103982038193113">Gateways configure a listener for the load balancer, which listens to requests from the load balancer and distributes traffic.</p>
|
||||||
|
<ul id="asm_01_0056__ul1776173623113"><li id="asm_01_0056__li196722183918"><strong id="asm_01_0056__b1876120366312">External Protocol</strong><p id="asm_01_0056__p12761163618313">Select one to match the protocol type of your service. <strong id="asm_01_0056__b1196471084102515">HTTP</strong>, <strong id="asm_01_0056__b727748035102515">gRPC</strong>, <strong id="asm_01_0056__b2109712016102515">TCP</strong>, <strong id="asm_01_0056__b807938525102515">TLS</strong>, and <strong id="asm_01_0056__b1914909991102515">HTTPS</strong> are supported.</p>
|
||||||
|
</li><li id="asm_01_0056__li776153618311"><strong id="asm_01_0056__b15761136173112">External Port</strong><p id="asm_01_0056__p17761036193110">Enter the port number exposed in the Load Balancer Service address. The port number can be specified randomly.</p>
|
||||||
|
</li><li id="asm_01_0056__li10761203617318"><strong id="asm_01_0056__b2076153618317">TLS Termination</strong><p id="asm_01_0056__p894180479">If <strong id="asm_01_0056__b1792295615209">External Protocol</strong> is <strong id="asm_01_0056__b1068528152117">HTTPS</strong>, <strong id="asm_01_0056__b1655716263218">TLS Termination</strong> is enabled and cannot be disabled.</p>
|
||||||
|
<p id="asm_01_0056__p19924132318564">If <strong id="asm_01_0056__b177679371212">External Protocol</strong> is <strong id="asm_01_0056__b3767173722110">TLS</strong>, you can enable or disable <strong id="asm_01_0056__b16767173718211">TLS Termination</strong>. If you enable TLS termination, bind a certificate to support TLS-based data transmission encryption and authentication. If you disable TLS termination, encrypted TLS data will be directly forwarded. </p>
|
||||||
|
</li><li id="asm_01_0056__li57615366313"><strong id="asm_01_0056__b676114361312">Secret Certificate</strong><ul id="asm_01_0056__ul17984193594512"><li id="asm_01_0056__li1951811337458">When configuring a TLS protocol with TLS termination enabled, you need to bind a certificate to support TLS-based data transmission encryption and authentication.</li><li id="asm_01_0056__li714953811459">When configuring the HTTPS protocol, you need to bind a secret certificate.</li></ul>
|
||||||
|
</li><li id="asm_01_0056__li185755272428"><strong id="asm_01_0056__b33038550462">Earliest TLS Version Supported/Latest TLS Version Supported</strong><p id="asm_01_0056__p16437125165612">When configuring a TLS protocol with TLS termination enabled or an HTTPS protocol, you can select the earliest and latest TLS versions.</p>
|
||||||
|
</li></ul>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0056__li35552319193"><span>(Optional) Configure routing parameters.</span><p><p id="asm_01_0056__p350315261000">When the access address of a request matches the forwarding policy (which consists of a domain name and URL. If the domain name is left empty, the ELB IP address is used by default), the request is forwarded to the corresponding target Service for processing. Click <span><img id="asm_01_0056__image3642183711263" src="en-us_image_0000001209954130.png"></span>. The <strong id="asm_01_0056__b28836919618">Add Route</strong> dialog box is displayed.</p>
|
||||||
|
<ul id="asm_01_0056__ul43052021171916"><li id="asm_01_0056__li103041421111912"><strong id="asm_01_0056__b20304152120193">Domain Name</strong><p id="asm_01_0056__p1330482114196">Enter the external domain name of the service. If this parameter is left blank, the IP address of the load balancer is used by default. If you enable TLS termination, enter a domain name configured in the certificate for SNI domain name verification.</p>
|
||||||
|
</li><li id="asm_01_0056__li1230512118195"><strong id="asm_01_0056__b3304192131916">URL Matching Rule</strong><ul id="asm_01_0056__ul43041021141915"><li id="asm_01_0056__li193041021111910"><strong id="asm_01_0056__b1640956582102515">Prefix</strong>: A URL can be accessed if its prefix is the same as that you configure. For example, <strong id="asm_01_0056__b1627472063102515">/healthz/v1</strong> and <strong id="asm_01_0056__b2009910935102515">/healthz/v2</strong>.</li><li id="asm_01_0056__li2304821181912"><strong id="asm_01_0056__b167861112172215">Exact</strong>: Only the URL that fully matches the values you set can be accessed. For example, if the URL is set to <strong id="asm_01_0056__b1296786758102515">/healthz</strong>, only <strong id="asm_01_0056__b1008928963102515">/healthz</strong> can be accessed.</li></ul>
|
||||||
|
</li><li id="asm_01_0056__li1305192141912"><strong id="asm_01_0056__b193051421101911">URL</strong><p id="asm_01_0056__p123051212194">Mapping URL supported by the service, for example, <strong id="asm_01_0056__b286376356102515">/example</strong>.</p>
|
||||||
|
</li><li id="asm_01_0056__li133056214197"><strong id="asm_01_0056__b130522112199">Namespace</strong><p id="asm_01_0056__p18305421111919">Select the namespace to which the gateway belongs.</p>
|
||||||
|
</li><li id="asm_01_0056__li33051621171912"><strong id="asm_01_0056__b11305121111916">Target Service</strong><p id="asm_01_0056__p134063347264">Service of the gateway. Select a value from the drop-down list box. The target service is filtered based on the corresponding gateway protocol. For details about the filtering rules, see <a href="asm_faq_0035.html">Why Cannot I Select the Corresponding Service When Adding a Route?</a></p>
|
||||||
|
<p id="asm_01_0056__p18216183513118">The service which configuration diagnosis fails cannot be selected. You need to fix the issues first. For details, see <a href="asm_01_0060.html">Manual Fixing Items</a> or <a href="asm_01_0065.html">Auto Fixing Items</a>.</p>
|
||||||
|
</li><li id="asm_01_0056__li10305621141916"><strong id="asm_01_0056__b5305121111910">Access Port</strong><p id="asm_01_0056__p9305182112191">Only ports that match external protocols are displayed.</p>
|
||||||
|
</li><li id="asm_01_0056__li8016197318"><strong id="asm_01_0056__b1986112519313">Rewrite</strong><p id="asm_01_0056__p42700201559">(This parameter is configurable when the external protocol is HTTP.)</p>
|
||||||
|
<p id="asm_01_0056__p149531923439">Rewrite the HTTP URI and host/authority header before forwarding. Disabled by default. To enable it, configure the following parameters:</p>
|
||||||
|
<ul id="asm_01_0056__ul147951020181917"><li id="asm_01_0056__li279572091910">URI: This value is used to rewrite the URI or prefix.</li><li id="asm_01_0056__li3390152618199">Host/Authority Header: This value is used to rewrite the HTTP host/authority header.</li></ul>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0056__li19910958562"><span>Click <span class="uicontrol" id="asm_01_0056__uicontrol169158519564"><b>OK</b></span>.</span><p><p id="asm_01_0056__p688514211217">You can obtain the external network access address of the service in the <strong id="asm_01_0056__b840925467102515">Service Management</strong> page.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0033.html">Gateway Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
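Review bot: The "Earliest TLS Version Supported/Latest TLS Version Supported" item says only that the versions can be selected; it lists neither the selectable values nor the defaults. List them and recommend TLS 1.2 or later as the earliest version, since TLS 1.0 and 1.1 are deprecated (RFC 8996). Also, under External Port, "The port number can be specified randomly" should give the valid range and any ports that cannot be used.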
27
docs/asm/umn/asm_01_0057.html
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
<a name="asm_01_0057"></a><a name="asm_01_0057"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Adding a Route</h1>
|
||||||
|
<div id="body0000001121400726"><div class="section" id="asm_01_0057__section195155335313"><h4 class="sectiontitle">Scenario</h4><p id="asm_01_0057__p931218541531">You can add multiple routes and configure multiple forwarding policies for a created gateway.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0057__section8243022955"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0057__ol4817103154612"><li id="asm_01_0057__li218910061117"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0057__li4563349450"><span>In the navigation pane on the left, choose <strong id="asm_01_0057__b1723779989102359">Gateway Management</strong>, select the target gateway, click <span class="uicontrol" id="asm_01_0057__uicontrol1443280921102359"><b>Add Route</b></span> in the <strong id="asm_01_0057__b1193311901102359">Operation</strong> column, and configure the following parameters:</span><p><ul id="asm_01_0057__ul43052021171916"><li id="asm_01_0057__li103041421111912"><strong id="asm_01_0057__b20304152120193">Domain Name</strong><p id="asm_01_0057__p1330482114196">Enter the external domain name of the service. If this parameter is left blank, the IP address of the load balancer is used by default. If you enable TLS termination, enter a domain name configured in the certificate for SNI domain name verification.</p>
|
||||||
|
</li><li id="asm_01_0057__li1230512118195"><strong id="asm_01_0057__b3304192131916">URL Matching Rule</strong><ul id="asm_01_0057__ul43041021141915"><li id="asm_01_0057__li193041021111910"><strong id="asm_01_0057__b962008790102359">Prefix</strong>: A URL can be accessed if its prefix is the same as that you configure. For example, <strong id="asm_01_0057__b518106701102359">/healthz/v1</strong> and <strong id="asm_01_0057__b1301388330102359">/healthz/v2</strong>.</li><li id="asm_01_0057__li2304821181912"><strong id="asm_01_0057__b1070295332113">Exact</strong>: Only the URL that fully matches the values you set can be accessed. For example, if the URL is set to <strong id="asm_01_0057__b1560656592102359">/healthz</strong>, only <strong id="asm_01_0057__b592325887102359">/healthz</strong> can be accessed.</li></ul>
|
||||||
|
</li><li id="asm_01_0057__li1305192141912"><strong id="asm_01_0057__b193051421101911">URL</strong><p id="asm_01_0057__p123051212194">Mapping URL supported by the service, for example, <strong id="asm_01_0057__b1278776861102359">/example</strong>.</p>
|
||||||
|
<div class="note" id="asm_01_0057__note1841442516472"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0057__p19415112514478">The URLs of the same gateway must be unique.</p>
|
||||||
|
</div></div>
|
||||||
|
</li><li id="asm_01_0057__li133056214197"><strong id="asm_01_0057__b130522112199">Namespace</strong><p id="asm_01_0057__p18305421111919">Select the namespace to which the gateway belongs.</p>
|
||||||
|
</li><li id="asm_01_0057__li33051621171912"><strong id="asm_01_0057__b11305121111916">Target Service</strong><p id="asm_01_0057__p134063347264">Service of the gateway. Select a value from the drop-down list box. The target service is filtered based on the corresponding gateway protocol. For details about the filtering rules, see <a href="asm_faq_0035.html">Why Cannot I Select the Corresponding Service When Adding a Route?</a>.</p>
|
||||||
|
<p id="asm_01_0057__p18216183513118">The service which configuration diagnosis fails cannot be selected. You need to fix the issues first. For details, see <a href="asm_01_0060.html">Manual Fixing Items</a> or <a href="asm_01_0065.html">Auto Fixing Items</a>.</p>
|
||||||
|
</li><li id="asm_01_0057__li10305621141916"><strong id="asm_01_0057__b5305121111910">Access Port</strong><p id="asm_01_0057__p9305182112191">Only ports that match external protocols are displayed.</p>
|
||||||
|
</li><li id="asm_01_0057__li8016197318"><strong id="asm_01_0057__b1986112519313">Rewrite</strong><p id="asm_01_0057__p42700201559">(This parameter is configurable when the external protocol is HTTP.)</p>
|
||||||
|
<p id="asm_01_0057__p149531923439">Rewrite the HTTP URI and host/authority header before forwarding. Disabled by default. To enable it, configure the following parameters:</p>
|
||||||
|
<ul id="asm_01_0057__ul147951020181917"><li id="asm_01_0057__li279572091910">URI: This value is used to rewrite the URI or prefix.</li><li id="asm_01_0057__li3390152618199">Host/Authority Header: This value is used to rewrite the HTTP host/authority header.</li></ul>
|
||||||
|
</li></ul>
|
||||||
|
</p></li><li id="asm_01_0057__li1666416119713"><span>Click <span class="uicontrol" id="asm_01_0057__uicontrol8784608473"><b>OK</b></span>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0033.html">Gateway Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
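Review bot: The note under URL, "The URLs of the same gateway must be unique", does not say whether uniqueness is per domain name or across the whole gateway, nor how overlapping Prefix rules such as /healthz and /healthz/v1 are treated. Spell out both, and carry the same note into the Add Route parameters in asm_01_0056.html, which repeats this list without it. In Target Service, "The service which configuration diagnosis fails" should read "A service whose configuration diagnosis fails".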
19
docs/asm/umn/asm_01_0060.html
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<a name="asm_01_0060"></a><a name="asm_01_0060"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Manual Fixing Items</h1>
|
||||||
|
<div id="body0000001175771819"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0061.html">All Pods Have the app and version Labels</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0062.html">All Pods Share the Same app and version Labels</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0063.html">All Pods Have Sidecars Injected</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0029.html">Service Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
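Review bot: The body div of this topic is empty, so the page consists only of three child links. asm_01_0056.html and asm_01_0057.html send readers here when a service "cannot be selected", so add one or two sentences saying what a manual fixing item is and where the diagnosis result that leads here is shown.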
31
docs/asm/umn/asm_01_0061.html
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
<a name="asm_01_0061"></a><a name="asm_01_0061"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">All Pods Have the app and version Labels</h1>
|
||||||
|
<div id="body0000001129853084"><div class="section" id="asm_01_0061__section10293311125813"><h4 class="sectiontitle">Description</h4><p id="asm_01_0061__p1975831285817">All pods of a Service must be labeled with <strong id="asm_01_0061__b667471182102516">app</strong> and <strong id="asm_01_0061__b113851416102516">version</strong>. <strong id="asm_01_0061__b194376912102516">app</strong> traces traffic in traffic monitoring, and <strong id="asm_01_0061__b1168435401102516">version</strong> distinguishes different versions in grayscale release. If a pod is not labeled with <strong id="asm_01_0061__b1974294860102516">app</strong> or <strong id="asm_01_0061__b1181422169102516">version</strong>, this item is abnormal.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0061__section551915418912"><a name="asm_01_0061__section551915418912"></a><a name="section551915418912"></a><h4 class="sectiontitle">Rectification Guide</h4><p id="asm_01_0061__p14746526119">The labels of pods are configured in <strong id="asm_01_0061__b1192211683102516">spec.template.metadata.labels</strong> of the Deployment. The recommended configuration is as follows:</p>
|
||||||
|
<pre class="screen" id="asm_01_0061__screen20963144716353">labels:
|
||||||
|
app: {serviceName}
|
||||||
|
version: v1</pre>
|
||||||
|
<div class="caution" id="asm_01_0061__note74631640151718"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="asm_01_0061__p74631408175">Modifying or deleting the Deployment will trigger pod rolling upgrade, which may cause temporary service interruption. Therefore, perform the operation at a proper time.</p>
|
||||||
|
</div></div>
|
||||||
|
<ol id="asm_01_0061__ol157611128133516"><li id="asm_01_0061__li67618288356"><span>Copy the original workload configuration and save it as a YAML file.</span><p><p id="asm_01_0061__p19914220007"><strong id="asm_01_0061__b0328115519544">kubectl get deployment</strong> {deploymentName} <strong id="asm_01_0061__b164251210553">-n</strong> {namespace} <strong id="asm_01_0061__b2022109135517">-o yaml ></strong> {deploymentName}<strong id="asm_01_0061__b1065041207">-deployment.yaml</strong></p>
|
||||||
|
<p id="asm_01_0061__p361217511877">For example:</p>
|
||||||
|
<p id="asm_01_0061__p134614717016"><strong id="asm_01_0061__b46113501209">kubectl get deployment productpage -n default -o yaml > productpage-deployment.yaml</strong></p>
|
||||||
|
</p></li><li id="asm_01_0061__li127611428193520"><span>Modify the <strong id="asm_01_0061__b1916981420102516">productpage-deployment.yaml</strong> file. If the file does not contain <strong id="asm_01_0061__b1491123397102516">app</strong> and <strong id="asm_01_0061__b394260619102516">version</strong>, add them. You are advised to set <strong id="asm_01_0061__b62813455102516">app</strong> to the Service name and the <strong id="asm_01_0061__b1226345703102516">version</strong> to <strong id="asm_01_0061__b2029800709102516">v1</strong>.</span></li><li id="asm_01_0061__li107611528143516"><span>Delete the original workload.</span><p><p id="asm_01_0061__p132247102254"><strong id="asm_01_0061__b8613181519558">kubectl delete deployment</strong> {oldDeploymentName} <strong id="asm_01_0061__b53831120115516">-n</strong> {namespace}</p>
|
||||||
|
</p></li><li id="asm_01_0061__li11761928193516"><span>Apply the new workload configuration.</span><p><p id="asm_01_0061__p679115231014"><strong id="asm_01_0061__b627632619113">kubectl apply -f productpage-deployment.yaml</strong></p>
|
||||||
|
</p></li></ol>
|
||||||
|
<div class="note" id="asm_01_0061__note5614125110710"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0061__p325044816182">For clusters of v1.15 or earlier, you can modify pod labels on the CCE console, but residual ReplicaSets may exist.</p>
|
||||||
|
<p id="asm_01_0061__p884115412411">To check whether there are residual ReplicaSets, perform the following steps:</p>
|
||||||
|
<ol id="asm_01_0061__ol1984332252"><li id="asm_01_0061__li1498733132513">Query the ReplicaSets of the Deployment.<p id="asm_01_0061__p994094416111"><a name="asm_01_0061__li1498733132513"></a><a name="li1498733132513"></a><strong id="asm_01_0061__b77562026195513">kubectl get replicaset | grep</strong> {deploymentName}</p>
|
||||||
|
</li><li id="asm_01_0061__li192982046142615">Find the ReplicaSets containing more than one pod. These ReplicaSets may be residual after label modification. You need to delete the old ReplicaSets.<p id="asm_01_0061__p753518581914"><a name="asm_01_0061__li192982046142615"></a><a name="li192982046142615"></a><strong id="asm_01_0061__b10918182955519">kubectl delete replicaset</strong> {replicaSetName} <strong id="asm_01_0061__b181557349551">-n</strong> {namespace}</p>
|
||||||
|
</li></ol>
|
||||||
|
</div></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0060.html">Manual Fixing Items</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
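Review bot: Steps 3 and 4 of the Rectification Guide delete the Deployment and only then re-create it with kubectl apply, so every pod of the workload is gone between the two commands, yet the caution box describes this as a "pod rolling upgrade" with "temporary service interruption". Suggest the caution state plainly that the workload is stopped until step 4 completes. The placeholders are also inconsistent: step 3 uses {oldDeploymentName} where step 1 uses {deploymentName}, steps 2 and 4 hardcode productpage-deployment.yaml instead of the {deploymentName}-deployment.yaml file produced in step 1, and the residual-ReplicaSet query "kubectl get replicaset | grep {deploymentName}" omits "-n {namespace}" although the delete command after it passes that flag.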
31
docs/asm/umn/asm_01_0062.html
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
<a name="asm_01_0062"></a><a name="asm_01_0062"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">All Pods Share the Same app and version Labels</h1>
|
||||||
|
<div id="body0000001175892783"><div class="section" id="asm_01_0062__section871654644012"><h4 class="sectiontitle">Description</h4><p id="asm_01_0062__p31319487407">All pods of a Service must share the same <strong id="asm_01_0062__b1541538899102422">app</strong> and <strong id="asm_01_0062__b84944479102422">version</strong> labels. <strong id="asm_01_0062__b468418259102422">app</strong> traces traffic in traffic monitoring, and <strong id="asm_01_0062__b829078207102422">version</strong> distinguishes different versions in grayscale release. If pods with different <strong id="asm_01_0062__b545469730102422">app</strong> or <strong id="asm_01_0062__b796028921102422">version</strong> labels exist, this item is abnormal.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0062__section761818153105"><h4 class="sectiontitle">Rectification Guide</h4><p id="asm_01_0062__p14746526119">The labels of pods are configured in <strong id="asm_01_0062__b1766435924102422">spec.template.metadata.labels</strong> of the Deployment. The recommended configuration is as follows:</p>
|
||||||
|
<pre class="screen" id="asm_01_0062__screen20963144716353">labels:
|
||||||
|
app: {serviceName}
|
||||||
|
version: v1</pre>
|
||||||
|
<p id="asm_01_0062__p116146511072">To modify the labels of multiple pods to the same value, perform the following steps:</p>
|
||||||
|
<ol id="asm_01_0062__ol13194528396"><li id="asm_01_0062__li1819413273917"><span>View the labels configured for <strong id="asm_01_0062__b806212425102422">spec.selector</strong>.</span><p><p id="asm_01_0062__p8128617823"><strong id="asm_01_0062__b122056400559">kubectl get svc</strong> {serviceName} <strong id="asm_01_0062__b1846914210558">-o yaml</strong></p>
|
||||||
|
<p id="asm_01_0062__p196151151574">For example, the labels are <strong id="asm_01_0062__b381443968102422">app: ratings</strong> and <strong id="asm_01_0062__b833110333102422">release: istio-bookinfo</strong>.</p>
|
||||||
|
</p></li><li id="asm_01_0062__li1519462133916"><span>Search for the pods of a Service by label.</span><p><p id="asm_01_0062__p1454130727"><strong id="asm_01_0062__b3392174525511">kubectl get pod -n</strong> {namespace} <strong id="asm_01_0062__b897184719559">-l app=ratings,release=istio-bookinfo</strong></p>
|
||||||
|
<div class="note" id="asm_01_0062__note1861515512712"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0062__p3960162145315"><strong id="asm_01_0062__b721707003102422">{namespace}</strong> is the same as the namespace of the Service.</p>
|
||||||
|
</div></div>
|
||||||
|
</p></li><li id="asm_01_0062__li1910515123393"><span>Find the workload of a pod by the pod name.</span><p><p id="asm_01_0062__p88271853920"><strong id="asm_01_0062__b19735451105514">kubectl get deployment</strong> {deploymentName} <strong id="asm_01_0062__b15625795519">-n</strong> {namespace}</p>
|
||||||
|
<div class="note" id="asm_01_0062__note156161513718"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="asm_01_0062__ul1861611516718"><li id="asm_01_0062__li661516519719">Generally, the pod name is in the format of <strong id="asm_01_0062__b1626122629102422">{deploymentName}-{random character string}-{random character string}</strong>.</li><li id="asm_01_0062__li146161451174">If no workload of a pod is found by the pod name, you need to delete residual ReplicaSets.<p id="asm_01_0062__p461613511972"><a name="asm_01_0062__li146161451174"></a><a name="li146161451174"></a>To check whether there are residual ReplicaSets, perform the following steps:</p>
|
||||||
|
<ol type="a" id="asm_01_0062__ol1984332252"><li id="asm_01_0062__li1498733132513">Query the ReplicaSets of the Deployment.<p id="asm_01_0062__p994094416111"><a name="asm_01_0062__li1498733132513"></a><a name="li1498733132513"></a><strong id="asm_01_0062__b417016010566">kubectl get replicaset | grep</strong> {deploymentName}</p>
|
||||||
|
</li><li id="asm_01_0062__li192982046142615">Find the ReplicaSets containing more than one pod. These ReplicaSets may be residual after label modification. You need to delete the old ReplicaSets.<p id="asm_01_0062__p753518581914"><a name="asm_01_0062__li192982046142615"></a><a name="li192982046142615"></a><strong id="asm_01_0062__b3665625567">kubectl delete replicaset</strong> {replicaSetName} <strong id="asm_01_0062__b1950920635612">-n</strong> {namespace}</p>
|
||||||
|
</li></ol>
|
||||||
|
</li></ul>
|
||||||
|
</div></div>
|
||||||
|
</p></li><li id="asm_01_0062__li610515124396"><span>For details about how to modify the <strong id="asm_01_0062__b912998563102422">app</strong> and <strong id="asm_01_0062__b590109138102422">version</strong> labels of a pod, see <a href="asm_01_0061.html#asm_01_0061__section551915418912">Rectification Guide</a>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0060.html">Manual Fixing Items</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
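Review bot: In step 1, "kubectl get svc {serviceName} -o yaml" has no "-n {namespace}", while step 2 passes "-n {namespace}" and its note says that namespace is the Service's own; add the flag to step 1 so the lookup does not run against whatever namespace the current context points at. Step 2 hardcodes the example selector ("-l app=ratings,release=istio-bookinfo") in the command itself; a placeholder for the labels found in step 1, with the ratings values kept as the worked example, would match how the other commands are written. The ReplicaSet query in the note under step 3 has the same missing "-n {namespace}" as in the previous topic.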
26
docs/asm/umn/asm_01_0063.html
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
<a name="asm_01_0063"></a><a name="asm_01_0063"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">All Pods Have Sidecars Injected</h1>
|
||||||
|
<div id="body0000001175772865"><div class="section" id="asm_01_0063__section146041745338"><h4 class="sectiontitle">Description</h4><p id="asm_01_0063__p1487717583317">An <strong id="asm_01_0063__b8850152035217">istio-proxy</strong> container must exist in all pods of a Service. Otherwise, this item is abnormal.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0063__section1457519694110"><h4 class="sectiontitle">Rectification Guide</h4><ol id="asm_01_0063__ol11865432551"><li id="asm_01_0063__li12186243175513"><span>Log in to the ASM console and click the name of the service mesh that the Service is added to. Choose <strong id="asm_01_0063__b761794971520">Mesh Configuration</strong> in the navigation pane, click the <strong id="asm_01_0063__b861824921513">Sidecar Management</strong> tab, and check whether a sidecar is injected into the namespace that the Service belongs to.</span><p><ul id="asm_01_0063__ul1680513160015"><li id="asm_01_0063__li1680515161008">If no, go to <a href="#asm_01_0063__li1665121115612">2</a>.</li><li id="asm_01_0063__li198192408015">If yes, go to <a href="#asm_01_0063__li127525055610">3</a>.</li></ul>
|
||||||
|
</p></li><li id="asm_01_0063__li1665121115612"><a name="asm_01_0063__li1665121115612"></a><a name="li1665121115612"></a><span>Inject a sidecar.</span><p><p id="asm_01_0063__p126911222119">You can inject sidecars for pods of all workloads in the namespace. For details, see <a href="asm_01_0041.html#asm_01_0041__section65931513505">Injecting a Sidecar</a>. You can also inject sidecars for a workload as follows:</p>
|
||||||
|
<ol type="a" id="asm_01_0063__ol12815202013285"><li id="asm_01_0063__li1581512002813">Label the namespace where the workload is located with <strong id="asm_01_0063__b1443112112588">istio-injection=enabled</strong>.<p id="asm_01_0063__p135581615312"><strong id="asm_01_0063__b1635231118566">kubectl label ns</strong> <namespace> <strong id="asm_01_0063__b44311413135617">istio-injection=enabled</strong></p>
|
||||||
|
</li><li id="asm_01_0063__li2511172882919">Add the <strong id="asm_01_0063__b169051134115811">annotations</strong> field for the workload on the CCE console.<pre class="screen" id="asm_01_0063__screen575018269110"> annotations:
|
||||||
|
sidecar.istio.io/inject: 'true'</pre>
|
||||||
|
<p id="asm_01_0063__p1794791520305"><span><img id="asm_01_0063__image115521522121112" src="en-us_image_0000001394586873.png"></span></p>
|
||||||
|
</li></ol>
|
||||||
|
<p id="asm_01_0063__p18904104210315">For more details about sidecar injection, see <a href="https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/" target="_blank" rel="noopener noreferrer">Installing the Sidecar</a>.</p>
|
||||||
|
</p></li><li id="asm_01_0063__li127525055610"><a name="asm_01_0063__li127525055610"></a><a name="li127525055610"></a><span>If namespace injection is enabled for the cluster but no sidecar is injected into the pod, you need to manually restart the pod on the CCE console as follows:</span><p><p id="asm_01_0063__p6931112013420">On the CCE console, choose <strong id="asm_01_0063__b51514267743241">More</strong> > <strong id="asm_01_0063__b185900250343241">Redeploy</strong> in the <strong id="asm_01_0063__b143167820043241">Operation</strong> column of the target workload.</p>
|
||||||
|
</p></li><li id="asm_01_0063__li10713191914412"><span>Check whether the host network mode is configured for the workload as follows:</span><p><p id="asm_01_0063__p31276451075">On the CCE console, choose <strong id="asm_01_0063__b1371751914718">More</strong> > <strong id="asm_01_0063__b15717191914719">Edit YAML</strong> in the <strong id="asm_01_0063__b07176192714">Operation</strong> column of the target workload, and check whether <strong id="asm_01_0063__b1178116582714">spec.template.spec.hostNetwork: true</strong> is configured. If yes, check whether this field can be deleted or set to <strong id="asm_01_0063__b1692120472143">false</strong>. Otherwise, sidecars cannot be injected.</p>
|
||||||
|
<p id="asm_01_0063__p196591218181315"><span><img id="asm_01_0063__image1665921861311" src="en-us_image_0000001344069664.png"></span></p>
|
||||||
|
</p></li><li id="asm_01_0063__li127567207111"><span>Check whether the number of pods exceeds the service mesh scale.</span><p><p id="asm_01_0063__p1075619201610">If the number exceeds , the excess pods cannot be injected with sidecars.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0060.html">Manual Fixing Items</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
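Review bot: Step 5 reads "If the number exceeds , the excess pods cannot be injected with sidecars." and the limit itself is missing, so the reader has nothing to compare the pod count against; state the mesh scale value or link to where it is defined. In step 2, the text offers injection "for a workload", but substep a labels the whole namespace with istio-injection=enabled, which enables injection for the namespace rather than for one workload; say so, or explain how that label and the per-workload sidecar.istio.io/inject annotation in substep b relate. Step 4 could also say why hostNetwork: true blocks injection, since readers are asked to decide whether the field can be removed.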
19
docs/asm/umn/asm_01_0065.html
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<a name="asm_01_0065"></a><a name="asm_01_0065"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Auto Fixing Items</h1>
|
||||||
|
<div id="body0000001175891735"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0066.html">The Service Port Name Complies with the Istio Specifications</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0067.html">The Service Selector Cannot Contain version Labels</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0069.html">The Service Is Configured with a Default-version Route and The Route Configuration Is Correct</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0029.html">Service Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
18
docs/asm/umn/asm_01_0066.html
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
<a name="asm_01_0066"></a><a name="asm_01_0066"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">The Service Port Name Complies with the Istio Specifications</h1>
|
||||||
|
<div id="body0000001129853086"><div class="section" id="asm_01_0066__section19345459151110"><h4 class="sectiontitle">Description</h4><p id="asm_01_0066__p45943017128">The Service port name must contain the specified protocol and prefix and must be in the following format:</p>
|
||||||
|
<pre class="screen" id="asm_01_0066__screen19867100101914">name: <protocol>[-<suffix>]</pre>
|
||||||
|
<p id="asm_01_0066__p0468101021218"><strong id="asm_01_0066__b1009304413102627"><protocol></strong> can be <strong id="asm_01_0066__b2134182545102627">http</strong>, <strong id="asm_01_0066__b426502840102627">tcp</strong>, or <strong id="asm_01_0066__b1310352250102627">grpc</strong>. Istio provides routing capabilities based on protocols defined on ports. For example, <strong id="asm_01_0066__b413874376102627">name: http-service0</strong> and <strong id="asm_01_0066__b1009174383102627">name: tcp</strong> are valid port names, while <strong id="asm_01_0066__b1702190975102627">name: httpforecast</strong> is not.</p>
|
||||||
|
<p id="asm_01_0066__p122601816122117">If the Service port name is invalid, this item is abnormal.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0066__section727870104217"><h4 class="sectiontitle">Rectification Guide</h4><ol id="asm_01_0066__ol1727810104213"><li id="asm_01_0066__li102781407429"><span>Log in to the CCE console.</span></li><li id="asm_01_0066__li52781302422"><span>Click the cluster name to go to the cluster console. In the navigation pane on the left, choose <strong id="asm_01_0066__b1122812414343">Services & Ingresses</strong>. On the <strong id="asm_01_0066__b8234191818357">Services</strong> tab, search for the Service by cluster name and namespace and click <strong id="asm_01_0066__b993119232010">Edit YAML</strong>. Then, view the Service protocol and add a protocol type before the service name.</span><p><p id="asm_01_0066__p142784012424"><span><img id="asm_01_0066__image112786012424" src="en-us_image_0000001254992703.png"></span></p>
|
||||||
|
</p></li><li id="asm_01_0066__li9278600425"><span>Click <strong id="asm_01_0066__b1508075284102627">OK</strong>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0065.html">Auto Fixing Items</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
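Review bot: The Description says the port name "must contain the specified protocol and prefix", but the format line is "name: <protocol>[-<suffix>]", so the optional part is a suffix and the protocol is what comes first; reword the sentence to match the format. In step 2, "add a protocol type before the service name" should refer to the port name, since the check and the examples (http-service0, tcp, httpforecast) are all about the port's name field. Step 2 also tells the reader to search for the Service "by cluster name and namespace" after the cluster has already been opened.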
15
docs/asm/umn/asm_01_0067.html
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
<a name="asm_01_0067"></a><a name="asm_01_0067"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">The Service Selector Cannot Contain version Labels</h1>
|
||||||
|
<div id="body0000001175892785"><div class="section" id="asm_01_0067__section53791230142415"><h4 class="sectiontitle">Description</h4><p id="asm_01_0067__p18675632152410">The <strong id="asm_01_0067__b9712182727">spec.selector</strong> of a Service cannot be labeled with <strong id="asm_01_0067__b127131229217">version</strong>. Otherwise, this item is abnormal.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0067__section1746811221448"><h4 class="sectiontitle">Rectification Guide</h4><ol id="asm_01_0067__ol2046892274413"><li id="asm_01_0067__li194682224444"><span>Log in to the CCE console.</span></li><li id="asm_01_0067__li134681722134416"><span>Click the cluster name to go to the cluster console. In the navigation pane on the left, choose <strong id="asm_01_0067__b8572121620382">Services & Ingresses</strong>. On the <strong id="asm_01_0067__b1457214161384">Services</strong> tab, search for the Service by cluster name and namespace and click <strong id="asm_01_0067__b05722016133815">Edit YAML</strong>. Then, view the selector (specified by <strong id="asm_01_0067__b7653142303911">spec.selector</strong>) of the Service and delete the <strong id="asm_01_0067__b4417142944010">version</strong> label.</span><p><p id="asm_01_0067__p74682223442"><span><img id="asm_01_0067__image11468192210442" src="en-us_image_0000001254992865.png"></span></p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0065.html">Auto Fixing Items</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
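Review bot: The Rectification Guide stops at step 2 with deleting the version label and has no step for saving the edited YAML, unlike the port-name topic in this commit, which closes with "Click OK"; add the confirmation step. The Description gives no reason for the rule. One sentence noting that a selector without version makes the Service select pods of every version would let readers judge the effect before they edit a live Service.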
20
docs/asm/umn/asm_01_0069.html
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
<a name="asm_01_0069"></a><a name="asm_01_0069"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">The Service Is Configured with a Default-version Route and The Route Configuration Is Correct</h1>
|
||||||
|
<div id="body0000001129693296"><div class="section" id="asm_01_0069__section338613811422"><h4 class="sectiontitle">Description</h4><p id="asm_01_0069__p73411754171">Istio defines service traffic routing rules in <strong id="asm_01_0069__b327293546102357">VirtualService</strong> and <strong id="asm_01_0069__b1336703240102357">DestinationRule</strong>. Therefore, you need to configure <strong id="asm_01_0069__b1307529050102357">VirtualService</strong> and <strong id="asm_01_0069__b531862740102357">DestinationRule</strong> for each service. The following rules must be met:</p>
|
||||||
|
<ul id="asm_01_0069__ul14631191075912"><li id="asm_01_0069__li26691915135918">All ports of a Service must be configured in <strong id="asm_01_0069__b840689012102357">VirtualService</strong>.</li><li id="asm_01_0069__li56311510165920">The protocol type in <strong id="asm_01_0069__b303546881102357">VirtualService</strong> must be the same as that of the ports of a Service.</li><li id="asm_01_0069__li332613014131">The default service version must be configured in <strong id="asm_01_0069__b946334923102357">VirtualService</strong> and <strong id="asm_01_0069__b252832806102357">DestinationRule</strong>.</li></ul>
|
||||||
|
<div class="note" id="asm_01_0069__note8326150111318"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0069__p77811347151319">If the check result changes, the port number or port name of a Service may be changed.</p>
|
||||||
|
</div></div>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0069__section624392141516"><h4 class="sectiontitle">Rectification Guide</h4><ol id="asm_01_0069__ol3920164917593"><li id="asm_01_0069__li838612632311"><span>Log in to the ASM console. Select the mesh where the service is located. In the navigation pane on the left, choose <strong id="asm_01_0069__b878750622102357">Mesh Configuration</strong>, click <strong id="asm_01_0069__b1226361881102357">Istio Resource Management</strong>, and select <strong id="asm_01_0069__b837251692102357">Istio resources: virtualservices</strong> and the namespace to which the service belongs.</span></li><li id="asm_01_0069__li1692014919593"><span>Ensure that all ports of the Service are configured in <strong id="asm_01_0069__b2054550668102357">VirtualService</strong>.</span><p><p id="asm_01_0069__p162121357614"><span><img id="asm_01_0069__image92051657313" src="en-us_image_0000001201276836.png"></span></p>
|
||||||
|
</p></li><li id="asm_01_0069__li14920184911596"><span>Ensure that the protocol type in <strong id="asm_01_0069__b1067945585102357">VirtualService</strong> is the same as that of the ports of the Service.</span><p><div class="fignone" id="asm_01_0069__fig153427541779"><span class="figcap"><b>Figure 1 </b>Protocol type in VirtualService</span><br><span><img id="asm_01_0069__image9794953429" src="en-us_image_0000001201436796.png"></span></div>
|
||||||
|
<div class="fignone" id="asm_01_0069__fig1134212541476"><span class="figcap"><b>Figure 2 </b>Port protocol type of the Service</span><br><span><img id="asm_01_0069__image5444611533" src="en-us_image_0000001246196675.png"></span></div>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0065.html">Auto Fixing Items</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
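Review bot: The Description lists three rules, but the Rectification Guide only has steps for the first two (all ports present in VirtualService, and matching protocol type); nothing covers the third rule, that the default service version is configured in VirtualService and DestinationRule, and step 1 selects only "Istio resources: virtualservices". Add a step for DestinationRule and the default version. The note "If the check result changes, the port number or port name of a Service may be changed" is ambiguous about which is cause and which is effect; reword it to say which one the reader should check.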
21
docs/asm/umn/asm_01_0085.html
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
<a name="asm_01_0085"></a><a name="asm_01_0085"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Traffic Management</h1>
|
||||||
|
<div id="body0000001254431529"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0049.html">Overview</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0050.html">Configuring a Traffic Policy</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0051.html">Viewing Traffic Monitoring</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0052.html">Changing a Traffic Policy</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
22
docs/asm/umn/asm_01_0086.html
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
<a name="asm_01_0086"></a><a name="asm_01_0086"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Uninstalling a Mesh</h1>
|
||||||
|
<div id="body0000001210431052"><div class="section" id="asm_01_0086__en-us_topic_0000001233246629_section7549333407"><h4 class="sectiontitle">Scenario</h4><p id="asm_01_0086__en-us_topic_0000001233246629_p13506115164417">When a mesh is no longer needed, you can uninstall it.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0086__en-us_topic_0000001233246629_section1099812136478"><h4 class="sectiontitle">Constraints</h4><ul id="asm_01_0086__en-us_topic_0000001233246629_ul9996319104819"><li id="asm_01_0086__en-us_topic_0000001233246629_li56665210482">To uninstall a mesh in which a grayscale release task is running, you need to complete the grayscale release first.</li><li id="asm_01_0086__en-us_topic_0000001233246629_li7988148121612">You need to ensure available nodes exist in the clusters for running the cleanup task to avoid uninstallation failure.</li></ul>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0086__section66831866261"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0086__en-us_topic_0000001233246629_ol13341319164012"><li id="asm_01_0086__li2790345102618"><span>Log in to the ASM console.</span></li><li id="asm_01_0086__en-us_topic_0000001233246629_li434101915404"><span>Click <span><img id="asm_01_0086__image19970230134618" src="en-us_image_0000001255111219.png"></span> in the target mesh.</span></li><li id="asm_01_0086__en-us_topic_0000001233246629_li1424023724312"><span>On the dialogue box displayed, select whether to restart existing services and read the precautions.</span><p><p id="asm_01_0086__en-us_topic_0000001233246629_p7846131215117">By default, existing services are not restarted during the uninstallation. The injected istio-poxy sidecar is removed only after the existing services are restarted. If you want to restart the services, select <strong id="asm_01_0086__b19442022154616">Yes</strong>. Restarting the services will interrupt your services temporarily.</p>
|
||||||
|
<div class="note" id="asm_01_0086__note1480104418566"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0086__p8801164415563">You are advised to restart existing services to avoid the following exceptions: If the cluster enables the current mesh again after it is uninstalled, gateway access failed.</p>
|
||||||
|
</div></div>
|
||||||
|
<ul id="asm_01_0086__en-us_topic_0000001233246629_ul208862207544"><li id="asm_01_0086__en-us_topic_0000001233246629_li38863209544">Uninstalling a mesh will uninstall its control plane components and data plane sidecars.</li><li id="asm_01_0086__en-us_topic_0000001233246629_li198861320195413">After the uninstallation, service gateways of applications cannot be used. Configure Services for external access to applications.<p id="asm_01_0086__en-us_topic_0000001233246629_p2075734025514"><a name="asm_01_0086__en-us_topic_0000001233246629_li198861320195413"></a><a name="en-us_topic_0000001233246629_li198861320195413"></a>To update the external access mode, log in to the CCE console and click the cluster name to go to the cluster console. Then, choose <strong id="asm_01_0086__b6890105019318">Services & Ingresses</strong> > <strong id="asm_01_0086__b7901253183119">Services</strong>.</p>
|
||||||
|
</li><li id="asm_01_0086__en-us_topic_0000001233246629_li338853717588">Uninstalling a mesh will delete the labels of the mesh exclusive nodes, but the Istio-master node will not be automatically deleted. You can delete it on the CCE console.<p id="asm_01_0086__en-us_topic_0000001233246629_p0805412135912"><a name="asm_01_0086__en-us_topic_0000001233246629_li338853717588"></a><a name="en-us_topic_0000001233246629_li338853717588"></a>To view node information, log in to the CCE console and click the cluster name to go to the cluster console. In the navigation pane on the left, choose <strong id="asm_01_0086__b10143645153018">Nodes</strong> > <strong id="asm_01_0086__b1894316482307">Nodes</strong>.</p>
|
||||||
|
</li></ul>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0023.html">Mesh Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
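Review bot: Step 3 of the Procedure misspells the sidecar as "istio-poxy"; the sidecar topic in this commit uses istio-proxy, and the name matters here because the sentence explains that the sidecar stays in place until the services are restarted. The same step says "On the dialogue box displayed" where the security topic uses "dialog box", and the note's sentence ending "gateway access failed" is ungrammatical; suggest something like "If the cluster enables the mesh again after it is uninstalled without the services having been restarted, gateway access fails."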
19
docs/asm/umn/asm_01_0087.html
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<a name="asm_01_0087"></a><a name="asm_01_0087"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Security</h1>
|
||||||
|
<div id="body0000001234774044"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0088.html">Configuring a Security Policy</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0096.html">JWT Authentication Principles</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0097.html">Authenticating JWT Requests on the Ingress Gateway Using ASM</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="en-us_topic_0000001627845328.html">User Guide</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
51
docs/asm/umn/asm_01_0088.html
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
<a name="asm_01_0088"></a><a name="asm_01_0088"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Configuring a Security Policy</h1>
|
||||||
|
<div id="body0000001234454836"><p id="asm_01_0088__p1347415315207">ASM security functions include <strong id="asm_01_0088__b317844618376">Access Authorization</strong>, <strong id="asm_01_0088__b1515245373712">Peer Authentication</strong>, <strong id="asm_01_0088__b91349303817">JWT Authentication</strong> to ensure the reliable service communication.</p>
|
||||||
|
<div class="section" id="asm_01_0088__section94901507173"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0088__ol45250152481"><li id="asm_01_0088__li1312216018017"><span>Log in to the ASM console and click the name of the target service mesh to go to its details page.</span></li><li id="asm_01_0088__li1442714155498"><span>In the navigation pane, choose <strong id="asm_01_0088__b27638561235">Service Management</strong>. In the upper right corner of the list, select the namespace that your services belong to.</span></li><li id="asm_01_0088__li8181195172812"><span>Locate the target service and click <span class="uicontrol" id="asm_01_0088__uicontrol108394511052052"><b>Security</b></span> in the <span class="uicontrol" id="asm_01_0088__uicontrol175322372052052"><b>Operation</b></span> column. In the window that slides out from the right, configure access authorization and peer authentication.</span><p><p id="asm_01_0088__p344313256297"><strong id="asm_01_0088__b9563298293">Access Authorization</strong></p>
|
||||||
|
<p id="asm_01_0088__p195756344103">Access authorization controls the access to services in the mesh and determines whether a request can be sent to the current service.</p>
|
||||||
|
<p id="asm_01_0088__p553824310916">On the <strong id="asm_01_0088__b1529133462815">Access Authorization</strong> tab, click <strong id="asm_01_0088__b1029603419287">Configure now</strong>. In the displayed dialog box, click <span><img id="asm_01_0088__image35657146119" src="en-us_image_0000001374968509.png"></span> to select one or more services in a specified namespace.</p>
|
||||||
|
<p id="asm_01_0088__p175497263299"><strong id="asm_01_0088__b7886163582718">Peer Authentication</strong></p>
|
||||||
|
<p id="asm_01_0088__p1629911482104">Istio enables communication between service pods using the Policy Enforcement Point (PEP) tunnel between clients and servers. Peer authentication defines how traffic reaches the current service pod through the tunnel (or not through the tunnel). By default, service pods that have sidecars injected communicate with each other through tunnels. Traffic is automatically encrypted using TLS.</p>
|
||||||
|
<p id="asm_01_0088__p4695835131211">On the <strong id="asm_01_0088__b48210718288">Peer Authentication</strong> tab, click <strong id="asm_01_0088__b7600316152816">Configure now</strong>. In the displayed dialog box, select an authentication policy.</p>
|
||||||
|
|
||||||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="asm_01_0088__table192939523213" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Authentication policies</caption><thead align="left"><tr id="asm_01_0088__row182932521527"><th align="left" class="cellrowborder" valign="top" width="28.51%" id="mcps1.3.2.2.3.2.7.2.3.1.1"><p id="asm_01_0088__p182931152420">Parameter</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="71.49%" id="mcps1.3.2.2.3.2.7.2.3.1.2"><p id="asm_01_0088__p142931521029">Description</p>
|
||||||
|
</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody><tr id="asm_01_0088__row15293195212216"><td class="cellrowborder" valign="top" width="28.51%" headers="mcps1.3.2.2.3.2.7.2.3.1.1 "><p id="asm_01_0088__p111705451310">UNSET</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="71.49%" headers="mcps1.3.2.2.3.2.7.2.3.1.2 "><p id="asm_01_0088__p18116185471315">If a peer authentication policy is configured for the parent scope, the service inherits the policy.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr id="asm_01_0088__row529365215211"><td class="cellrowborder" valign="top" width="28.51%" headers="mcps1.3.2.2.3.2.7.2.3.1.1 "><p id="asm_01_0088__p2011645419131">PERMISSIVE</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="71.49%" headers="mcps1.3.2.2.3.2.7.2.3.1.2 "><p id="asm_01_0088__p13116165411130">Traffic can be transmitted without passing through the tunnel. Workloads accept both mutual TLS and plain text traffic. By default, the mesh is configured with a peer authentication policy in PERMISSIVE mode.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
<tr id="asm_01_0088__row12293452325"><td class="cellrowborder" valign="top" width="28.51%" headers="mcps1.3.2.2.3.2.7.2.3.1.1 "><p id="asm_01_0088__p1611618545137">STRICT</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="71.49%" headers="mcps1.3.2.2.3.2.7.2.3.1.2 "><p id="asm_01_0088__p179495491320">Traffic is transmitted only through the tunnel because the request must be encrypted using TLS and must contain the client certificate.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
<p id="asm_01_0088__p20273184615449"><strong id="asm_01_0088__b1939152722315">JWT Authentication</strong></p>
|
||||||
|
<p id="asm_01_0088__p123235364412">You can configure JWT authentication on ASM. With JWT, ASM authenticates whether the access token in a request header is trusted and authorize the valid user requests.</p>
|
||||||
|
<div class="note" id="asm_01_0088__note1364912291619"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0088__p5649724166">JWT authentication can be configured only for HTTP services.</p>
|
||||||
|
</div></div>
|
||||||
|
<p id="asm_01_0088__p2044454894512">On the <strong id="asm_01_0088__b7218122314343">JWT Authentication</strong> tab, click <strong id="asm_01_0088__b16218142314340">Configure now</strong>. In the displayed dialog box, set the following parameters:</p>
|
||||||
|
<ul id="asm_01_0088__ul11959165474711"><li id="asm_01_0088__li17959354124710"><strong id="asm_01_0088__b105221210184912">Issuer</strong>: issuer of the JWT</li><li id="asm_01_0088__li97930110487"><strong id="asm_01_0088__b052017221493">Audiences</strong>: audiences who use the JWT token to access the service. Separate audiences by commas (,). A null value indicates that the service can be accessed by any audiences.</li><li id="asm_01_0088__li19105201054819"><strong id="asm_01_0088__b994312588490">JWKS</strong>: JWT rule set</li></ul>
|
||||||
|
<p id="asm_01_0088__p14761136183314">For details about the principles and application examples of JWT authentication, see <a href="asm_01_0096.html">JWT Authentication Principles</a> and <a href="asm_01_0097.html">Authenticating JWT Requests on the Ingress Gateway Using ASM</a>.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0087.html">Security</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
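Review bot: In the JWT Authentication parameter list, the JWKS bullet is described only as "JWT rule set", which does not tell the reader what to enter; asm_01_0096.html in this same commit expands JWKS as JSON Web Key Set and explains that it supplies the public key used to verify the token signature, so the bullet should say that. The same list labels the field "Audiences" while asm_01_0097.html calls it "Audience"; use the label the console shows. In the JWT paragraph, "authorize the valid user requests" should read "authorizes valid user requests". The Peer Authentication paragraph says traffic between injected pods "is automatically encrypted using TLS", while the PERMISSIVE row says plain text is also accepted and that PERMISSIVE is the mesh default; add a sentence on when to switch a service to STRICT so readers do not assume mTLS is enforced by default.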
15
docs/asm/umn/asm_01_0091.html
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
<a name="asm_01_0091"></a><a name="asm_01_0091"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Istio Resource Management</h1>
|
||||||
|
<div id="body0000001130054627"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_01_0048.html">Configuring Istio Resources Using YAML</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0038.html">Mesh Configuration</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
58
docs/asm/umn/asm_01_0096.html
Normal file
@ -0,0 +1,58 @@
|
|||||||
|
<a name="asm_01_0096"></a><a name="asm_01_0096"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">JWT Authentication Principles</h1>
|
||||||
|
<div id="body0000001527767249"><div class="section" id="asm_01_0096__section464417112143"><h4 class="sectiontitle">JWT Authentication Principles</h4><p id="asm_01_0096__p218512321416">JWT is an authentication mode in which the server issues tokens to the client. When a user logs in to the client using the username and password, the server generates and returns a token to the client. The client only needs to carry the token when sending a request to the server. The server verifies the token to determine whether the request is from a valid client and determines whether to return a response to the client. This method, which connects authenticated clients based on tokens in requests, solves various stateful problems of storing sessions on a server at an early stage.</p>
|
||||||
|
<p id="asm_01_0096__p65857320143">In Istio, the JWT token is generated by a specific authentication service and verified by meshes, completely decoupling the authentication logic in user services and enabling applications to focus on their own services. <a href="#asm_01_0096__fig184171654514">Figure 1</a> shows the complete Istio-based JWT mechanism.</p>
|
||||||
|
<div class="fignone" id="asm_01_0096__fig184171654514"><a name="asm_01_0096__fig184171654514"></a><a name="fig184171654514"></a><span class="figcap"><b>Figure 1 </b>Istio JWT authentication process</span><br><span><img id="asm_01_0096__image1651116144513" src="en-us_image_0000001477127516.png"></span></div>
|
||||||
|
<p id="asm_01_0096__p931719814145">1. The client connects the authentication service by logging with the user name and password.</p>
|
||||||
|
<p id="asm_01_0096__p9624151833416">2. The authentication service verifies the username and password, generates a JWT token (including the user ID and expiration time), and signs the token with the private key of the authentication service.</p>
|
||||||
|
<p id="asm_01_0096__p1085461116356">3. The authentication service returns the JWT token to the client.</p>
|
||||||
|
<p id="asm_01_0096__p188134883515">4. The client stores the JWT token locally for subsequent requests.</p>
|
||||||
|
<p id="asm_01_0096__p67571911163617">5. When requesting to another service, the client carries the JWT token and does not need to provide information such as the username and password.</p>
|
||||||
|
<p id="asm_01_0096__p723305810572">6. The mesh data plane proxy intercepts the traffic and verifies the JWT token using the configured public key.</p>
|
||||||
|
<p id="asm_01_0096__p12372145893619">7. Once the JWT token is verified, the mesh proxy forwards the request to the server.</p>
|
||||||
|
<p id="asm_01_0096__p161994421339">8. The server processes the request.</p>
|
||||||
|
<p id="asm_01_0096__p19176956185815">9. The server returns the response data to the mesh proxy.</p>
|
||||||
|
<p id="asm_01_0096__p10471151102319">10. The mesh data plane proxy forwards the response data to the caller.</p>
|
||||||
|
<p id="asm_01_0096__p4377174223317">The step 6 is important because the JWT authentication function is migrated from the server to the mesh proxy. The mesh data plane obtains, from the authentication policy configured by the control plane, the public key for verifying the JWT token. The public key may be one configured on the JWKS (JSON Web Key Set) or one obtained from a public key address configured by jwksUri. After obtaining the public key, the mesh proxy uses it to verify the token signed by the private key of the authentication service, decrypts the <strong id="asm_01_0096__b1465116553115">iss</strong> in the token, and verifies whether the issuer information in the authentication policy is matched. If the verification is successful, the request is sent to the application. If not, the request is rejected.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0096__section1695162651116"><h4 class="sectiontitle">JWT Structure</h4><p id="asm_01_0096__p18271933101112">JWT is of the JSON structure that contains specific declarations. Step 6 of the JWT authentication process shows the request identity can be confirmed by verifying the JSON structure. Querying the backend service is not needed. The following shows how the authentication information is carried by parsing the JWT structure.</p>
|
||||||
|
<p id="asm_01_0096__p13181602132">A JWT token consists of three parts: header, payload, and signature.</p>
|
||||||
|
<ul id="asm_01_0096__ul1890112184131"><li id="asm_01_0096__li1690121821315">Header<p id="asm_01_0096__p1425912298135"><a name="asm_01_0096__li1690121821315"></a><a name="li1690121821315"></a>Describes the JWT metadata, including the algorithm <strong id="asm_01_0096__b1414613981814">alg</strong> and type <strong id="asm_01_0096__b9894104210181">typ</strong>. <strong id="asm_01_0096__b1222103621915">alg</strong> describes the signature algorithm so that the receiver can verify the signature based on the corresponding algorithm. The default algorithm is <strong id="asm_01_0096__b119262046152011">HS256</strong> (as follows), indicating <strong id="asm_01_0096__b191742443203">HMAC-SHA256</strong>. <strong id="asm_01_0096__b594518913216">typ</strong> indicates the token type. If <strong id="asm_01_0096__b153511840112116">typ</strong> is <strong id="asm_01_0096__b15955194410213">JWT</strong>, indicating that the token is of the JWT type.</p>
|
||||||
|
<pre class="screen" id="asm_01_0096__screen3425202101414">{
|
||||||
|
"alg": "HS256",
|
||||||
|
"typ": "JWT"
|
||||||
|
}</pre>
|
||||||
|
</li><li id="asm_01_0096__li16261420101313">Payload<p id="asm_01_0096__p141736300137"><a name="asm_01_0096__li16261420101313"></a><a name="li16261420101313"></a>Stores the main content of the token. The authentication service AuthN generates related information and places the information in the token payload. The attributes of <strong id="asm_01_0096__b1828064019266">payload</strong> include:</p>
|
||||||
|
<ul id="asm_01_0096__ul15130105111518"><li id="asm_01_0096__li1213014591512"><strong id="asm_01_0096__b1431011587269">iss</strong>: token issuer</li><li id="asm_01_0096__li1892234410155"><strong id="asm_01_0096__b56601420275">aud</strong>: token audience</li></ul>
|
||||||
|
<p id="asm_01_0096__p1910525631417">During JWT verification, the <strong id="asm_01_0096__b918712473271">iss</strong> and <strong id="asm_01_0096__b1846417521273">aud</strong> will be verified to check whether they are matched with the token issuer and audience. The JWT content is not encrypted. All services that obtain the token can view the content in the token payload. You are advised not to store private information in the payload.</p>
|
||||||
|
</li><li id="asm_01_0096__li34541624181317">Signature<p id="asm_01_0096__p6896531101318"><a name="asm_01_0096__li34541624181317"></a><a name="li34541624181317"></a>Signature of the header and payload, ensuring that only the specific legitimate authentication services can issue tokens. Generally, the header and payload are converted into strings using Base64, and then the private key of the authentication service is used to sign the strings. The signature algorithm is the <strong id="asm_01_0096__b1821253115526">alg</strong> defined in the header.</p>
|
||||||
|
</li></ul>
|
||||||
|
<div class="p" id="asm_01_0096__p176156021316">The following is a complete JWT example. Signature is obtained by signing the header and payload.<pre class="screen" id="asm_01_0096__screen2034919802118"># Header:
|
||||||
|
{
|
||||||
|
"alg": "RS512",
|
||||||
|
"typ": "JWT"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Payload
|
||||||
|
{
|
||||||
|
"iss": "weather@cloudnative-istio",
|
||||||
|
"audience": "weather@cloudnative-istio"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Signature
|
||||||
|
RSASHA512(
|
||||||
|
base64UrlEncode(header) + "." +
|
||||||
|
base64UrlEncode(payload)
|
||||||
|
)</pre>
|
||||||
|
</div>
|
||||||
|
<p id="asm_01_0096__p1139215622110">The token output of the preceding structure is as follows. The three strings separated by periods (.) correspond to the header, payload, and signature of the JWT structure, respectively.</p>
|
||||||
|
<pre class="screen" id="asm_01_0096__screen65361821182218">eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjQ2ODU5ODk3MDAsInZlciI6IjIuMCIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoid2VhdGhlckBjbG91ZG5hdGl2ZS1pc3Rpby5ib29rIiwic3ViIjoid2VhdGhlckBjbG91ZG5hdGl2ZS1pc3Rpby5ib29rIn0.SEp-8qiMwI45BuBgQPH-wTHvOYxcE_jPI0wqOxEpauw</pre>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0087.html">Security</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
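Review bot: The paragraph after step 10 says the mesh proxy "decrypts the iss in the token", but the Payload description further down states "The JWT content is not encrypted"; the proxy verifies the signature and then reads the decoded iss claim, so "decrypts" should become "reads" or "decodes". The Header description gives HS256 (HMAC-SHA256) as the default algorithm, which is a shared-secret algorithm and does not fit the private-key signing and public-key verification described in steps 2 and 6; state that the mesh scenario uses an asymmetric algorithm such as the RS512 shown in the example. The "complete JWT example" is also inconsistent with the surrounding text: its payload uses the key "audience" where the text and the verification step use aud, the RSASHA512(...) expression omits the signing key, and the first segment of the sample token is the Base64URL encoding of an HS256 header rather than the RS512 header shown above it, so it is not "the token output of the preceding structure".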
57
docs/asm/umn/asm_01_0097.html
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
<a name="asm_01_0097"></a><a name="asm_01_0097"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Authenticating JWT Requests on the Ingress Gateway Using ASM</h1>
|
||||||
|
<div id="body0000001476967356"><p id="asm_01_0097__p93564210389">This section describes how to authenticate JWT requests on the ingress gateway using ASM to ensure that users access services through the ingress gateway with a reliable access token.</p>
|
||||||
|
<div class="section" id="asm_01_0097__section3564173202917"><h4 class="sectiontitle">Preparations</h4><ol id="asm_01_0097__ol15987183732917"><li id="asm_01_0097__li5987183718296">A mesh of version 1.15 or 1.18 has been created.</li><li id="asm_01_0097__li1943518417306">The <strong id="asm_01_0097__b98651043464">httpbin</strong> service that passes the diagnosis exists in the mesh. The image is <strong id="asm_01_0097__b17441838124617">httpbin</strong>, the port protocol is <strong id="asm_01_0097__b3571124314612">HTTP</strong>, and the port number is <strong id="asm_01_0097__b171204715463">80</strong>.</li><li id="asm_01_0097__li14330133703019">An accessible gateway has been created for the <strong id="asm_01_0097__b1454812177479">httpbin</strong> service in the mesh.</li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0097__section112090163819"><h4 class="sectiontitle">Creating JWT Authentication</h4><ol id="asm_01_0097__ol1660199171718"><li id="asm_01_0097__li116016915174"><a name="asm_01_0097__li116016915174"></a><a name="li116016915174"></a><span>Create a JWK.</span><p><ol type="a" id="asm_01_0097__ol5148943182011"><li id="asm_01_0097__li10148154317206"><a name="asm_01_0097__li10148154317206"></a><a name="li10148154317206"></a>Visit <a href="https://jwt.io/" target="_blank" rel="noopener noreferrer">JWT tool website</a>, set <strong id="asm_01_0097__b18235153518488">Algorithm</strong> to <strong id="asm_01_0097__b2950153715489">RS512</strong>, and obtain the public key (PUBLIC KEY).<div class="fignone" id="asm_01_0097__fig9556762255"><span class="figcap"><b>Figure 1 </b>Generating a public key</span><br><span><img id="asm_01_0097__image755613642519" src="en-us_image_0000001476967692.png"></span></div>
|
||||||
|
</li><li id="asm_01_0097__li157481253202315">Select <strong id="asm_01_0097__b94991017154919">PEM-to-JWK (RSA Only)</strong> in the <a href="https://8gwifi.org/jwkconvertfunctions.jsp?spm=a2c4g.11186623.0.0.79074d9bGGmlXG&file=jwkconvertfunctions.jsp" target="_blank" rel="noopener noreferrer">JWK to PEM Convertor online</a> tool, enter the public key obtained in the previous step, and click <strong id="asm_01_0097__b1367965506">submit</strong> to convert the public key into a JWK.<div class="fignone" id="asm_01_0097__fig9353553117"><span class="figcap"><b>Figure 2 </b>Converting the public key to a JWK</span><br><span><img id="asm_01_0097__image441354311" src="en-us_image_0000001477287480.png"></span></div>
|
||||||
|
<pre class="screen" id="asm_01_0097__screen184612312322">{"kty":"RSA","e":"AQAB","kid":"a78641b9-d81e-4241-b35a-71726c3fa053","n":"u1SU1LfVLPHCozMxH2Mo4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0_IzW7yWR7QkrmBL7jTKEn5u-qKhbwKfBstIs-bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyehkd3qqGElvW_VDL5AaWTg0nLVkjRo9z-40RQzuVaE8AkAFmxZzow3x-VJYKdjykkJ0iT9wCS0DRTXu269V264Vf_3jvredZiKRkgwlL9xNAwxXFg0x_XFw005UWVRIkdgcKWTjpBP2dPwVZ4WWC-9aGVd-Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbcmw"}</pre>
|
||||||
|
</li></ol>
|
||||||
|
</p></li><li id="asm_01_0097__li20211184081913"><a name="asm_01_0097__li20211184081913"></a><a name="li20211184081913"></a><span>Create JWT authentication.</span><p><ol type="a" id="asm_01_0097__ol129001459163220"><li id="asm_01_0097__li1590065915326">Log in to the ASM console and click the name of the target service mesh to go to its details page.</li><li id="asm_01_0097__li01744105347">In the navigation pane, choose <strong id="asm_01_0097__b124721149102220">Service Management</strong>. In the upper right corner of the list, select the namespace that your services belong to.</li><li id="asm_01_0097__li5738817173416">Locate the <strong id="asm_01_0097__b62093281528">httpbin</strong> service and click <span class="uicontrol" id="asm_01_0097__uicontrol20550132215912"><b>Security</b></span> in the <strong id="asm_01_0097__b3931111425212">Operation</strong> column. In the window that slides out from the right, click <strong id="asm_01_0097__b197131514145310">JWT Authentication</strong> and then <strong id="asm_01_0097__b868332725315">Configure now</strong>. In the displayed dialog box, set the following parameters:<ul id="asm_01_0097__ul1484945763712"><li id="asm_01_0097__li38491757203715"><strong id="asm_01_0097__b1060944211555">Issuer</strong>: issuer of the JWT. Set this parameter to <strong id="asm_01_0097__b149141553559">test</strong>.</li><li id="asm_01_0097__li11162424386"><strong id="asm_01_0097__b1999113467552">Audience</strong>: JWT audiences who use the JWT token to access the target service. Set this parameter to <strong id="asm_01_0097__b2020314445616">ASM</strong>.</li><li id="asm_01_0097__li1469166123818"><strong id="asm_01_0097__b2746195010568">JWKS</strong>: JWT information. Set this parameter to <strong id="asm_01_0097__b11710820575">{"keys": [<em id="asm_01_0097__i1290611124570">JWK created in</em><em id="asm_01_0097__i1990613159613"> <a href="#asm_01_0097__li116016915174">1</a></em>]}</strong>. 
For example, if the JWK created in <a href="#asm_01_0097__li116016915174">1</a> is <strong id="asm_01_0097__b1492203805710">{"kty":"RSA","e":"AQAB","kid":"a78641b9-d81e-4241-b35a-71726c3****"}</strong>, the value of <strong id="asm_01_0097__b1447516459572">JWKS</strong> is <strong id="asm_01_0097__b1445155717576">{"keys": [{"kty":"RSA","e":"AQAB","kid":"a78641b9-d81e-4241-b35a-71726c3****"}]}</strong>.</li></ul>
|
||||||
|
<div class="fignone" id="asm_01_0097__fig206874290371"><span class="figcap"><b>Figure 3 </b>Creating JWT authentication</span><br><span><img id="asm_01_0097__image146881929123710" src="en-us_image_0000001528087425.png"></span></div>
|
||||||
|
</li><li id="asm_01_0097__li11652172314352">Click <strong id="asm_01_0097__b76407585623539">OK</strong>.</li></ol>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0097__section62018017388"><h4 class="sectiontitle">Checking Whether JWT Authentication Takes Effect</h4><ol id="asm_01_0097__ol194941050163811"><li id="asm_01_0097__li174941250183818"><a name="asm_01_0097__li174941250183818"></a><a name="li174941250183818"></a><span>Use <a href="https://jwt.io/" target="_blank" rel="noopener noreferrer">JWT tool</a> to encode the JWT request information into a JWT token.</span><p><p id="asm_01_0097__p119411751143916">Enter the following JWT request information in the <strong id="asm_01_0097__b429413161005">Decoded</strong> area. The automatically converted JWT token is displayed in the <strong id="asm_01_0097__b22823281105">Encode</strong> area.</p>
|
||||||
|
<ul id="asm_01_0097__ul923025224115"><li id="asm_01_0097__li1023055274118"><strong id="asm_01_0097__b38657281911">HEADER</strong>: Set <strong id="asm_01_0097__b16363931118">alg</strong> to <strong id="asm_01_0097__b16762733218">RS512</strong>, enter <strong id="asm_01_0097__b12441439018">kid</strong> in the JWK created in <a href="#asm_01_0097__li116016915174">1</a>, and set <strong id="asm_01_0097__b178322110215">typ</strong> to <strong id="asm_01_0097__b1721185216376">JWT</strong>.</li><li id="asm_01_0097__li1983313145427"><strong id="asm_01_0097__b1368371810310">PAYLOAD</strong>: Set <strong id="asm_01_0097__b455122732">iss</strong> to <strong id="asm_01_0097__b837817251735">test</strong> and <strong id="asm_01_0097__b1184212299319">aud</strong> to <strong id="asm_01_0097__b74883321333">ASM</strong>. Ensure that the values are the same as the issuer and token audience configured in <a href="#asm_01_0097__li20211184081913">2</a>.</li><li id="asm_01_0097__li146912111423"><strong id="asm_01_0097__b1842617581639">VERIFY SIGNATURE</strong>: The value must be the same as the public key in <a href="#asm_01_0097__li10148154317206">1.a</a>.</li></ul>
|
||||||
|
<div class="fignone" id="asm_01_0097__fig13104185815316"><span class="figcap"><b>Figure 4 </b>Creating a JWT token</span><br><span><img id="asm_01_0097__image1810565865315" src="en-us_image_0000001527927469.png"></span></div>
|
||||||
|
</p></li><li id="asm_01_0097__li44611647153914"><span>Access the <strong id="asm_01_0097__b46898231946">httpbin</strong> service through the ingress gateway.</span><p><ol type="a" id="asm_01_0097__ol18291029205515"><li id="asm_01_0097__li14829172955513">Run the following commands to access the service with the JWT token created in <a href="#asm_01_0097__li174941250183818">1</a>:<p id="asm_01_0097__p337115465013"><strong id="asm_01_0097__b124441850608">TOKEN</strong>=<em id="asm_01_0097__i18269175915518">JWT token created by the <a href="#asm_01_0097__li174941250183818">1</a></em>.</p>
|
||||||
|
<p id="asm_01_0097__p1678085545613"><strong id="asm_01_0097__b15821924900">curl -I -H "Authorization: Bearer $TOKEN" http://</strong> {<em id="asm_01_0097__i698018413619">External access address of the <strong id="asm_01_0097__b2415551268">httpbin</strong> service</em>}/</p>
|
||||||
|
<p id="asm_01_0097__p8210151013018">Expected outputs:</p>
|
||||||
|
<pre class="screen" id="asm_01_0097__screen582017142113">HTTP/1.1 200 OK
|
||||||
|
server: istio-envoy
|
||||||
|
date: Wed, 21 Sep 2022 03:11:48 GMT</pre>
|
||||||
|
</li><li id="asm_01_0097__li764415541567">Run the following command to access the service with an invalid JWT token:<p id="asm_01_0097__p21877251631"><a name="asm_01_0097__li764415541567"></a><a name="li764415541567"></a><strong id="asm_01_0097__b1136117351335">curl -I -H "Authorization: Bearer invalidToken" http://</strong> {<em id="asm_01_0097__i724715363711">External access address of the <strong id="asm_01_0097__b398134419719">httpbin</strong> service</em>}/</p>
|
||||||
|
<p id="asm_01_0097__p114322036233">Expected outputs:</p>
|
||||||
|
<pre class="screen" id="asm_01_0097__screen19621138420">HTTP/1.1 401 Unauthorized
|
||||||
|
www-authenticate: Bearer realm="http://***.***.***.***:***/", error="invalid_token"
|
||||||
|
content-length: 145
|
||||||
|
content-type: text/plain
|
||||||
|
date: Wed, 21 Sep 2022 03:12:54 GMT
|
||||||
|
server: istio-envoy
|
||||||
|
x-envoy-upstream-service-time: 19</pre>
|
||||||
|
</li><li id="asm_01_0097__li178821323735">Modify the JWT authentication created in <a href="#asm_01_0097__li20211184081913">2</a>, leave the <strong id="asm_01_0097__b53443515918">aud</strong> empty (indicating that the service can be accessed by any services), and run the following command to access the service with the JWT token created in <a href="#asm_01_0097__li174941250183818">1</a>:<p id="asm_01_0097__p1160993014289"><strong id="asm_01_0097__b7609163032812">curl -I -H "Authorization: Bearer $TOKEN" http://</strong> {<em id="asm_01_0097__i16721182118910">External access address of the <strong id="asm_01_0097__b7167271192">httpbin</strong> service</em>}/</p>
|
||||||
|
<p id="asm_01_0097__p98464912284">Expected outputs:</p>
|
||||||
|
<pre class="screen" id="asm_01_0097__screen9316145914283">HTTP/1.1 200 OK
|
||||||
|
server: istio-envoy
|
||||||
|
date: Wed, 21 Sep 2022 03:20:07 GMT</pre>
|
||||||
|
</li><li id="asm_01_0097__li588295310563">Run the following command to access the service without the JWT token:<p id="asm_01_0097__p1456620893014"><a name="asm_01_0097__li588295310563"></a><a name="li588295310563"></a><strong id="asm_01_0097__b13631543133011">curl -I http://</strong> {<em id="asm_01_0097__i203231251181018">External access address of the <strong id="asm_01_0097__b119041545107">httpbin</strong> service</em>}/</p>
|
||||||
|
<p id="asm_01_0097__p272145393019">Expected outputs:</p>
|
||||||
|
<pre class="screen" id="asm_01_0097__screen573171914314">HTTP/1.1 403 Forbidden
|
||||||
|
content-length: 85
|
||||||
|
content-type: text/plain
|
||||||
|
date: Wed, 21 Sep 2022 03:29:31 GMT
|
||||||
|
server: istio-envoy
|
||||||
|
x-envoy-upstream-service-time: 6</pre>
|
||||||
|
</li></ol>
|
||||||
|
<p id="asm_01_0097__p163452113323">According to the preceding outputs, the request with the correct JWT token can access the service, and the request with an incorrect JWT token or without a JWT token cannot access the service, which indicate that the request identity authentication takes effect.</p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0087.html">Security</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
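Review bot: Step 1.a of "Creating JWT Authentication" obtains the public key from the jwt.io page, and step 1 of the check signs the test token on the same site, so the key material comes from a public website; the topic should state that this key and the published JWK (including its kid) are for this walkthrough only, and that a production JWKS must be built from a key pair the user generates, with the private key kept by the authentication service. The VERIFY SIGNATURE bullet mentions only the public key, although producing a signed token also needs the matching private key; say where it comes from. In step 1.b, the converter link carries a tracking query string (?spm=...&file=...) that should be dropped, and pasting key material into a third-party converter deserves a caveat or a local alternative. The kid is masked as 71726c3**** in the JWKS example but printed in full in the JWK output above it, so the masking serves no purpose. In step 2.c of the check, "leave the aud empty (indicating that the service can be accessed by any services)" should say "any audience", matching the parameter description in asm_01_0088.html.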
20
docs/asm/umn/asm_01_0123.html
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
<a name="asm_01_0123"></a><a name="asm_01_0123"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Service Mesh Extension</h1>
|
||||||
|
<div id="body0000001735894325"><p id="asm_01_0123__p165881813132813">Observability configuration includes access logs, application metrics, and traces of the current service mesh. You can enable application metric collection and access logging.</p>
|
||||||
|
<div class="note" id="asm_01_0123__note550441752819"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0123__p1850591782810">Tracing can be enabled only when a service mesh is created.</p>
|
||||||
|
</div></div>
|
||||||
|
<div class="section" id="asm_01_0123__section25119231362"><h4 class="sectiontitle">Constraints</h4><p id="asm_01_0123__p14955835664">Only Istio 1.18 or later can work with LTS to collect and store access logs. To enable access logging, install CCE Log-Agent on the <strong id="asm_01_0123__b180611013502">Add-ons</strong> page in advance.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0123__section33990233516"><h4 class="sectiontitle">Enabling Application Metrics</h4><ol id="asm_01_0123__ol1593715983510"><li id="asm_01_0123__li139376973512"><span>Log in to the ASM console.</span></li><li id="asm_01_0123__li5937796354"><span>Click the name of the service mesh to go to its details page.</span></li><li id="asm_01_0123__li79374912354"><span>In the navigation pane, choose <strong id="asm_01_0123__b1839933112714">Mesh Configuration</strong>. Then click the tab for displaying service mesh extension.</span></li><li id="asm_01_0123__li179377911352"><span>Enable application metrics, select an AOM instance, and click <strong id="asm_01_0123__b14965154084214">OK</strong>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0123__section163119494613"><h4 class="sectiontitle">Enabling Access Logging</h4><ol id="asm_01_0123__ol1131119492069"><li id="asm_01_0123__li1631013491365"><span>Log in to the ASM console.</span></li><li id="asm_01_0123__li1531010494612"><span>Click the name of the service mesh to go to its details page.</span></li><li id="asm_01_0123__li1531074916617"><span>In the navigation pane, choose <strong id="asm_01_0123__b394565251019">Mesh Configuration</strong>. Then click the tab for displaying service mesh extension.</span></li><li id="asm_01_0123__li183117498610"><span>Enable access logging, select the log group and log stream, and click <strong id="asm_01_0123__b1744441015274">OK</strong>.</span></li></ol>
|
||||||
|
</div>
|
||||||
|
<p id="asm_01_0123__p8060118"></p>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0038.html">Mesh Configuration</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
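Review bot: The topic is titled "Service Mesh Extension" but the body opens with "Observability configuration includes access logs, application metrics, and traces" without connecting the two terms, and step 3 of both procedures says "click the tab for displaying service mesh extension" instead of naming the tab; use the tab's console label in bold as the other steps do. The Constraints paragraph uses LTS and the Enabling Application Metrics procedure uses AOM without expanding either on first use. The empty paragraph with id asm_01_0123__p8060118 before the closing div can be removed.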
19
docs/asm/umn/asm_01_0133.html
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<a name="asm_01_0133"></a><a name="asm_01_0133"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Mesh Events</h1>
|
||||||
|
<div id="body0000001698194042"><div class="section" id="asm_01_0133__en-us_topic_0000001245220449_section4882153517306"><h4 class="sectiontitle">Scenario</h4><p id="asm_01_0133__en-us_topic_0000001245220449_p6387194691713">ASM supports the event center, which allows you to query details about important operations such as mesh creation and deletion and gateway creation and deletion.</p>
|
||||||
|
<div class="note" id="asm_01_0133__note198721932184717"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_01_0133__p10331731132415">You can view events in a mesh of the Basic edition (1.15 or later).</p>
|
||||||
|
</div></div>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_01_0133__section655465134710"><h4 class="sectiontitle">Procedure</h4><ol id="asm_01_0133__en-us_topic_0000001245220449_ol3932132211530"><li id="asm_01_0133__en-us_topic_0000001245220449_li3932122212534"><span>Log in to the ASM console and search for the mesh of the Basic edition by edition.</span></li><li id="asm_01_0133__en-us_topic_0000001245220449_li10538191319558"><span>Click <span><img id="asm_01_0133__image689423910493" src="en-us_image_0000001698197390.png"></span> in the upper right corner. In the window that slides out from the right, view mesh events.</span><p><p id="asm_01_0133__p1728984312421"></p>
|
||||||
|
</p></li></ol>
|
||||||
|
<p id="asm_01_0133__p539616711425"></p>
|
||||||
|
</div>
|
||||||
|
<p id="asm_01_0133__p8060118"></p>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_01_0023.html">Mesh Management</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
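Review bot: Step 2 of the Procedure names the control to click only through an inline image (`en-us_image_0000001698197390.png`) that has no alt text, so the step cannot be followed when the image fails to load or through a screen reader; add an `alt` attribute or name the icon in the sentence. The same list item nests an empty `<p id="asm_01_0133__p1728984312421"></p>` inside another `<p>`, and two more empty paragraphs follow the list; these look like placeholders for dropped screenshots and should be filled or removed. The Scenario text would also be more useful if it said what an event record contains, since this is where readers are sent to look up mesh and gateway creation and deletion.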
47
docs/asm/umn/asm_bestpractice_0003.html
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
<a name="asm_bestpractice_0003"></a><a name="asm_bestpractice_0003"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Upgrading Data Plane Sidecars Without Service Interruption</h1>
|
||||||
|
<div id="body1562746525802"><p id="asm_bestpractice_0003__p1193563316504">ASM enables you to manage the traffic of services added into a service mesh. Sidecars are important components in ASM data plane. The upgrade of sidecars involves the re-injection of sidecars into data plane service pods, which requires the pods to be updated.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p39171649142012">This section describes how to avoid service interruption during sidecar upgrade.</p>
|
||||||
|
<div class="section" id="asm_bestpractice_0003__section1344318497218"><h4 class="sectiontitle">Configuring the Number of Service Pods</h4><p id="asm_bestpractice_0003__p1471954115015">Ensure that the number of service pods is greater than or equal to <strong id="asm_bestpractice_0003__b9511243172615">2</strong> and the upgrade policy is set to <strong id="asm_bestpractice_0003__b10550113219263">RollingUpdate</strong>.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p8060118">Sample configurations:</p>
|
||||||
|
<p id="asm_bestpractice_0003__p993316556199"><strong id="asm_bestpractice_0003__b72781017171611">kubectl get deploy nginx -n</strong> <em id="asm_bestpractice_0003__i9669173571517">namespace_name</em> <strong id="asm_bestpractice_0003__b2966120131611">-oyaml | grep strategy -a10</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p51225179207"><span><img id="asm_bestpractice_0003__image461012317217" src="en-us_image_0000001145684268.png"></span></p>
|
||||||
|
<p id="asm_bestpractice_0003__p175833321213"><strong id="asm_bestpractice_0003__b107921117519">Configuration description:</strong></p>
|
||||||
|
<ul id="asm_bestpractice_0003__ul11496821185111"><li id="asm_bestpractice_0003__li13497172185110">Number of service pods: deployment.spec.replicas >= 2</li><li id="asm_bestpractice_0003__li154971221105114">Upgrade policy: deployment.spec.strategy.type == RollingUpdate</li><li id="asm_bestpractice_0003__li5497122105114">Minimum number of alive pods in rolling upgrade: deployment.spec.replicas - deployment.spec.strategy.maxUnavailable > 0</li></ul>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_0003__section1324111014226"><h4 class="sectiontitle">Adding a Readiness Probe</h4><p id="asm_bestpractice_0003__p7511210115213">Readiness probes help you ensure that new service pods take over traffic only when they are ready. This prevents access failures caused by unready new pods.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p5978143116227">The configurations are as follows:</p>
|
||||||
|
<p id="asm_bestpractice_0003__p13225135817272"><strong id="asm_bestpractice_0003__b27051933193020">kubectl get deploy nginx -n</strong> <em id="asm_bestpractice_0003__i151411047131511">namespace_name</em> <strong id="asm_bestpractice_0003__b1070664193012">-oyaml | grep readinessProbe -a10</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p428018952818"><span><img id="asm_bestpractice_0003__image12545114142815" src="en-us_image_0000001191764069.png"></span></p>
|
||||||
|
<p id="asm_bestpractice_0003__p17161182032815"><strong id="asm_bestpractice_0003__b9834171873811">Configuration description:</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p191011716304">Configuring a readiness probe: deployment.spec.template.spec.containers[i].readinessProbe</p>
|
||||||
|
<p id="asm_bestpractice_0003__p19391851123011">The configuration includes the initial check time, check interval, and timeout duration.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_0003__section845914363222"><h4 class="sectiontitle">Setting the Service Ready Time</h4><p id="asm_bestpractice_0003__p124715578547"><strong id="asm_bestpractice_0003__b1817317159446">minReadySeconds</strong> is used to specify the minimum number of seconds for which a newly created pod should be ready without any of its containers crashing, for it to be considered available.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p2500195314226">The configurations are as follows:</p>
|
||||||
|
<p id="asm_bestpractice_0003__p15675111817390"><strong id="asm_bestpractice_0003__b1498004616307">kubectl get deploy nginx -n</strong> <em id="asm_bestpractice_0003__i0324165281515">namespace_name</em> <strong id="asm_bestpractice_0003__b29388504300">-oyaml | grep minReadySeconds -a1</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p139821937143914"><span><img id="asm_bestpractice_0003__image1582244116396" src="en-us_image_0000001191923931.png"></span></p>
|
||||||
|
<p id="asm_bestpractice_0003__p379010446396"><strong id="asm_bestpractice_0003__b165117911468">Configuration description:</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p096416511397">The service ready time: deployment.spec.minReadySeconds. Configure this parameter based on the live environment.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_0003__section9379325152319"><h4 class="sectiontitle">Configuring a Graceful Shutdown Time</h4><p id="asm_bestpractice_0003__p1634864915408"><strong id="asm_bestpractice_0003__b0528153385017">terminationGracePeriodSeconds</strong> is used to configure a graceful shutdown time. During a rolling upgrade, the endpoint of an old service pod is removed and the pod status is set to <strong id="asm_bestpractice_0003__b5859338227">Terminating</strong>. A SIGTERM signal is then sent to the pod. After the graceful shutdown time you configured, the pod will be forcibly terminated. The graceful deletion time allows the pod to keep processing unfinished requests, if any, to avoid hard termination.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p479731716535"><strong id="asm_bestpractice_0003__b1083125643017">kubectl get deploy nginx -n</strong> <em id="asm_bestpractice_0003__i6364257111517">namespace_name</em> <strong id="asm_bestpractice_0003__b19750141173115">-oyaml | grep terminationGracePeriodSeconds -a1</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p151911538112316"><span><img id="asm_bestpractice_0003__image59021924105312" src="en-us_image_0000001191923929.png"></span></p>
|
||||||
|
<p id="asm_bestpractice_0003__p84581127195319"><strong id="asm_bestpractice_0003__b14451381903">Configuration description:</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p1841333615313">The graceful shutdown time: deployment.spec.template.spec.terminationGracePeriodSeconds. The default value is 30s. Configure this parameter based on the live environment.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_0003__section1453854922316"><h4 class="sectiontitle">Configuring the preStop</h4><p id="asm_bestpractice_0003__p8167564553"><strong id="asm_bestpractice_0003__b16927121901914">preStop</strong> enabled you to perform certain execution before a service pod is stopped. In this way, it helps you gracefully shut down a service pod. Configure this parameter based on service requirements. Nginx is used as an example here.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p333918155913"><strong id="asm_bestpractice_0003__b184851999316">kubectl get deploy nginx -n</strong> <em id="asm_bestpractice_0003__i1042284111610">namespace_name</em> <strong id="asm_bestpractice_0003__b106117123319">-oyaml | grep lifec -a10</strong></p>
|
||||||
|
<p id="asm_bestpractice_0003__p113056112410"><span><img id="asm_bestpractice_0003__image6101162115345" src="en-us_image_0000001493677652.png"></span></p>
|
||||||
|
<p id="asm_bestpractice_0003__p19235130586">In the <strong id="asm_bestpractice_0003__b7658163861717">lifecycle.preStop</strong> field, the <strong id="asm_bestpractice_0003__b1097518924710">nginx -s quit; sleep 10</strong> command is defined. This command first sends a graceful shutdown signal to the Nginx process and then the pod termination pauses for 10 seconds. In this way, Nginx has enough time to complete the ongoing requests and gracefully close the pod before it terminates.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p84779414389"><strong id="asm_bestpractice_0003__b154143812267">10</strong> in <strong id="asm_bestpractice_0003__b12467011102620">sleep 10</strong> is an example value. You can change it based on the actual requirements and application performance. The key should be a proper value so that Nginx has enough time to gracefully shut down the process.</p>
|
||||||
|
<p id="asm_bestpractice_0003__p55331016155918">Alternatively, you can run custom commands or scripts to gracefully shut down your service process.</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bp_0001.html">Best Practices</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
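Review bot: All five `kubectl get deploy nginx ... | grep <field> -a10` / `-a1` commands use lowercase `-a`, which in grep is the treat-binary-as-text flag; the option for trailing context lines is `-A`, so write `-A10` and `-A1` if that is what is intended. In the preStop section, "preStop enabled you to perform certain execution" should read "enables you to run a command", and the text should state that the `sleep 10` in the hook runs inside the `terminationGracePeriodSeconds` window described in the previous section, so the two values have to be sized together. The graceful shutdown paragraph also switches between "graceful shutdown time" and "graceful deletion time" for the same setting. Every sample configuration is given only as a screenshot with no alt text, so none of the values can be copied or searched.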
92
docs/asm/umn/asm_bestpractice_1009.html
Normal file
@ -0,0 +1,92 @@
|
|||||||
|
<a name="asm_bestpractice_1009"></a><a name="asm_bestpractice_1009"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Creating a Service Mesh with IPv4/IPv6 Dual Stack Enabled</h1>
|
||||||
|
<div id="body0000001735119876"><p id="asm_bestpractice_1009__p1629514211458">You can create a CCE cluster with IPv4/IPv6 dual stack enabled and enable IPv4/IPv6 dual stack for the service mesh that the cluster is added to. IPv4/IPv6 dual stack allows services in the service mesh to use both IPv4 and IPv6 addresses for service-to-service interactions. After an IPv4/IPv6 dual-stack gateway is added for the service mesh, you can provide services for users using an IPv6 client. This section describes how you can create a service mesh with IPv4/IPv6 dual stack, so that services in the service mesh can communicate with each other using IPv6 addresses.</p>
|
||||||
|
<div class="section" id="asm_bestpractice_1009__section241033319520"><h4 class="sectiontitle">Application Scenarios</h4><ul id="asm_bestpractice_1009__ul1891110468467"><li id="asm_bestpractice_1009__li1191184617465">If an IPv6 address is required for service access and traffic management, you can enable IPv4/IPv6 dual stack.</li><li id="asm_bestpractice_1009__li162511452164617">If you provide services for users who use IPv6 clients, you can create a gateway for a service mesh with IPv4/IPv6 dual stack enabled.</li></ul>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_1009__section10909135625310"><h4 class="sectiontitle">Constraints</h4><ul id="asm_bestpractice_1009__ul89074563534"><li id="asm_bestpractice_1009__li490735665310">Constraints on enabling IPv4/IPv6 dual stack for a service mesh</li></ul>
|
||||||
|
|
||||||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="asm_bestpractice_1009__table990895610539" frame="border" border="1" rules="all"><thead align="left"><tr id="asm_bestpractice_1009__row179081156175318"><th align="left" class="cellrowborder" valign="top" width="12.379999999999999%" id="mcps1.3.3.3.1.6.1.1"><p id="asm_bestpractice_1009__p89071156165312">Service Mesh Edition</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="14.91%" id="mcps1.3.3.3.1.6.1.2"><p id="asm_bestpractice_1009__p19907155675311">Istio Version</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="15.260000000000002%" id="mcps1.3.3.3.1.6.1.3"><p id="asm_bestpractice_1009__p189071556185316">Cluster Type</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="20.4%" id="mcps1.3.3.3.1.6.1.4"><p id="asm_bestpractice_1009__p179081656165310">Cluster Network Type</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="37.05%" id="mcps1.3.3.3.1.6.1.5"><p id="asm_bestpractice_1009__p17908175655314">Remarks</p>
|
||||||
|
</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody><tr id="asm_bestpractice_1009__row69081356125311"><td class="cellrowborder" valign="top" width="12.379999999999999%" headers="mcps1.3.3.3.1.6.1.1 "><p id="asm_bestpractice_1009__p189081056185311">Basic</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="14.91%" headers="mcps1.3.3.3.1.6.1.2 "><p id="asm_bestpractice_1009__p1590855665316">1.18 or later</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="15.260000000000002%" headers="mcps1.3.3.3.1.6.1.3 "><p id="asm_bestpractice_1009__p16908175615532">CCE Turbo clusters</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="20.4%" headers="mcps1.3.3.3.1.6.1.4 "><p id="asm_bestpractice_1009__p1890865611530">Cloud native network 2.0</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="37.05%" headers="mcps1.3.3.3.1.6.1.5 "><p id="asm_bestpractice_1009__p9169234132610">IPv6 needs to be enabled for the clusters.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
<ul id="asm_bestpractice_1009__ul17908756195318"><li id="asm_bestpractice_1009__li49081056125319">Constraints on creating an IPv4/IPv6 dual-stack gateway</li></ul>
|
||||||
|
|
||||||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="asm_bestpractice_1009__table69092056105316" frame="border" border="1" rules="all"><thead align="left"><tr id="asm_bestpractice_1009__row109093569534"><th align="left" class="cellrowborder" valign="top" width="12.379999999999999%" id="mcps1.3.3.5.1.6.1.1"><p id="asm_bestpractice_1009__p290975645312">Service Mesh Edition</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="14.91%" id="mcps1.3.3.5.1.6.1.2"><p id="asm_bestpractice_1009__p59096565536">Istio Version</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="15.260000000000002%" id="mcps1.3.3.5.1.6.1.3"><p id="asm_bestpractice_1009__p1990935615534">Load Balancer Type</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="20.4%" id="mcps1.3.3.5.1.6.1.4"><p id="asm_bestpractice_1009__p6909856115320">Load Balancer Specification</p>
|
||||||
|
</th>
|
||||||
|
<th align="left" class="cellrowborder" valign="top" width="37.05%" id="mcps1.3.3.5.1.6.1.5"><p id="asm_bestpractice_1009__p149091456195315">Remarks</p>
|
||||||
|
</th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody><tr id="asm_bestpractice_1009__row1290905613534"><td class="cellrowborder" valign="top" width="12.379999999999999%" headers="mcps1.3.3.5.1.6.1.1 "><p id="asm_bestpractice_1009__p1390910562539">Basic</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="14.91%" headers="mcps1.3.3.5.1.6.1.2 "><p id="asm_bestpractice_1009__p590916564532">1.18 or later</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="15.260000000000002%" headers="mcps1.3.3.5.1.6.1.3 "><p id="asm_bestpractice_1009__p9909145615539">Dedicated</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="20.4%" headers="mcps1.3.3.5.1.6.1.4 "><p id="asm_bestpractice_1009__p1190911564535">Network load balancing (Layer 4)</p>
|
||||||
|
</td>
|
||||||
|
<td class="cellrowborder" valign="top" width="37.05%" headers="mcps1.3.3.5.1.6.1.5 "><p id="asm_bestpractice_1009__p17909165616539">The load balancer has an IPv6 address.</p>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
</div>
|
||||||
|
<ul id="asm_bestpractice_1009__ul14909156105316"><li id="asm_bestpractice_1009__li5909356155310">IPv4/IPv6 dual stack cannot be disabled once it is enabled for a service mesh. IPv4/IPv6 dual stack cannot be enabled for an existing service mesh.</li><li id="asm_bestpractice_1009__li149091556195310">IPv4/IPv6 dual stack is only available for service meshes of v1.18 or later, but it cannot be enabled for a service mesh that is upgraded to v1.18 or later.</li></ul>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_1009__section22981733145214"><h4 class="sectiontitle">Creating a Service Mesh with IPv6 Addresses</h4><ol id="asm_bestpractice_1009__ol19298733165212"><li id="asm_bestpractice_1009__li162971334529"><span>Log in to the ASM console, a service mesh, and configure the parameters as follows:</span><p><ul id="asm_bestpractice_1009__ul102971334524"><li id="asm_bestpractice_1009__li122971133185210"><strong id="asm_bestpractice_1009__b1875558867">Mesh Edition</strong>: Select <strong id="asm_bestpractice_1009__b1587615581168">Basic edition</strong>.</li><li id="asm_bestpractice_1009__li152975338522"><strong id="asm_bestpractice_1009__b14671113820712">Mesh Name</strong>: Enter a service mesh name.</li><li id="asm_bestpractice_1009__li18297113395211"><strong id="asm_bestpractice_1009__b117461951185">Istio Version</strong>: Select 1.18 or later.</li><li id="asm_bestpractice_1009__li102972033125213"><strong id="asm_bestpractice_1009__b51711227082">Enable IPv6</strong>: If this option is enabled, CCE clusters that meet the conditions will be displayed.</li></ul>
|
||||||
|
<p id="asm_bestpractice_1009__p6297533195217"></p>
|
||||||
|
<p id="asm_bestpractice_1009__p266122616264"></p>
|
||||||
|
<p id="asm_bestpractice_1009__p943184717542"></p>
|
||||||
|
<p id="asm_bestpractice_1009__p1029714339528">Configure other parameters based on site requirements.</p>
|
||||||
|
</p></li><li id="asm_bestpractice_1009__li1229773335218"><span id="asm_bestpractice_1009__p4163181041415">Click the service mesh name to access the details page.</span><p><p id="asm_bestpractice_1009__li1229773335218p0">On the <strong id="asm_bestpractice_1009__b070135181319">Mesh Configuration</strong> > <strong id="asm_bestpractice_1009__b18828199101318">Basic Information</strong> tab, you can see that IPv4/IPv6 dual stack has been enabled.</p>
|
||||||
|
<p id="asm_bestpractice_1009__p4297103325211"></p>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_1009__section298835975218"><h4 class="sectiontitle">Adding an IPv4/IPv6 Dual-Stack Gateway</h4><ol id="asm_bestpractice_1009__ol9988145915521"><li id="asm_bestpractice_1009__li1988145935214"><span>Log in to the ASM console. On the service mesh list page, click the name of the service mesh with IPv4/IPv6 dual stack enabled. In the navigation pane, choose <strong id="asm_bestpractice_1009__b79310287197">Gateway Management</strong>. Click <strong id="asm_bestpractice_1009__b015913417193">Add Gateway</strong> and configure the parameters as follows:</span><p><ul id="asm_bestpractice_1009__ul1373720311571"><li id="asm_bestpractice_1009__li157373310578"><strong id="asm_bestpractice_1009__b4980016216">Access Mode</strong>: Select IPv4/IPv6 dual stack.</li><li id="asm_bestpractice_1009__li19421168575"><strong id="asm_bestpractice_1009__b1976727122115">Load Balancer</strong>: Select <strong id="asm_bestpractice_1009__b22471645182115">Dedicated</strong>. The dedicated load balancer must have an IPv6 address.</li></ul>
|
||||||
|
<p id="asm_bestpractice_1009__p642152211499"></p>
|
||||||
|
<p id="asm_bestpractice_1009__p098885915528">Configure other parameters based on site requirements.</p>
|
||||||
|
<div class="note" id="asm_bestpractice_1009__note29881559125210"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="asm_bestpractice_1009__p09881659185219">If IPv4/IPv6 dual stack is enabled, only domain names are allowed to access the gateway.</p>
|
||||||
|
</div></div>
|
||||||
|
</p></li></ol>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_1009__section12477132535"><h4 class="sectiontitle">Verification</h4><ol id="asm_bestpractice_1009__ol9195130066"><li id="asm_bestpractice_1009__li1195106617">Configure domain name resolution for the client, so that the domain name is mapped to the IPv6 address of the gateway. This way, the client can access the gateway using the domain name.</li></ol>
|
||||||
|
<p id="asm_bestpractice_1009__p297011549710"><span><img id="asm_bestpractice_1009__image73981551077" src="en-us_image_0000001741270036.png"></span></p>
|
||||||
|
<ol start="2" id="asm_bestpractice_1009__ol1195701564"><li id="asm_bestpractice_1009__li141954014614">View the IPv6 request information in the ingressgateway log.</li></ol>
|
||||||
|
<p id="asm_bestpractice_1009__p524701318533"><span><img id="asm_bestpractice_1009__image1824711317535" src="en-us_image_0000001786644069.png"></span></p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bp_0001.html">Best Practices</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
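Review bot: Step 1 under "Creating a Service Mesh with IPv6 Addresses" reads "Log in to the ASM console, a service mesh, and configure the parameters as follows", which is missing its verb (presumably "create a service mesh"). The two closing constraint bullets overlap: the first already says dual stack cannot be enabled for an existing service mesh, and the second restates it for meshes upgraded to v1.18 or later; merging them would be clearer. Verification step 2 says to view the ingressgateway log but gives no command or console path, and both verification steps rely on screenshots with no alt text. The note that only domain names are allowed to access the gateway when dual stack is enabled is a constraint and should also appear in the Constraints section.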
19
docs/asm/umn/asm_bestpractice_3001.html
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
<a name="asm_bestpractice_3001"></a><a name="asm_bestpractice_3001"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Service Governance for Dubbo-based Applications</h1>
|
||||||
|
<div id="body1568601267887"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_3002.html">Introduction</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_3008.html">Service Discovery Model</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_3003.html">SDK Adaptation Mode</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bp_0001.html">Best Practices</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
13
docs/asm/umn/asm_bestpractice_3002.html
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
<a name="asm_bestpractice_3002"></a><a name="asm_bestpractice_3002"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Introduction</h1>
|
||||||
|
<div id="body1568601267887"><p id="asm_bestpractice_3002__p637810612810">Dubbo is a special protocol which needs the following supports:</p>
|
||||||
|
<ul id="asm_bestpractice_3002__ul419611400289"><li id="asm_bestpractice_3002__li19196840112810">Envoy on the service mesh data plane supports the parsing and traffic management of the Dubbo protocol.</li><li id="asm_bestpractice_3002__li5893131682919">The mesh control plane supports the configuration of Dubbo governance rules to manage services such as grayscale release, load balancing, and access authorization.</li></ul>
|
||||||
|
<p id="asm_bestpractice_3002__p163331137142817">In addition, the service discovery model of Dubbo is different from that of Kubernetes and Spring Cloud. Therefore, additional processing is required.</p>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bestpractice_3001.html">Service Governance for Dubbo-based Applications</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
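Review bot: The closing paragraph says "additional processing is required" for Dubbo's service discovery model without saying what that processing is or pointing to where it is described; link to asm_bestpractice_3008.html (Service Discovery Model) and asm_bestpractice_3003.html (SDK Adaptation Mode), both added in this commit. The opening sentence "Dubbo is a special protocol which needs the following supports" would read better as a plain statement of what managing Dubbo traffic in a mesh requires.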
17
docs/asm/umn/asm_bestpractice_3003.html
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
<a name="asm_bestpractice_3003"></a><a name="asm_bestpractice_3003"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">SDK Adaptation Mode</h1>
|
||||||
|
<div id="body1568601267887"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_3004.html">PASSTHROUGH Solution</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_3005.html">Static Target Service</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bestpractice_3001.html">Service Governance for Dubbo-based Applications</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
18
docs/asm/umn/asm_bestpractice_3004.html
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
<a name="asm_bestpractice_3004"></a><a name="asm_bestpractice_3004"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">PASSTHROUGH Solution</h1>
|
||||||
|
<div id="body1568601267887"><div class="section" id="asm_bestpractice_3004__section31341036202718"><h4 class="sectiontitle">Introduction</h4><p id="asm_bestpractice_3004__p113281537152719">When the client in the SDK calls the target service by an interface, the client accesses the service name, instead of the service instance.</p>
|
||||||
|
<p id="asm_bestpractice_3004__p1558213370273"><span><img class="eddx" id="asm_bestpractice_3004__image3665173692010" src="en-us_image_0000001181766534.png"></span></p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_3004__section142081854182714"><h4 class="sectiontitle">Description</h4><p id="asm_bestpractice_3004__p952312555275">Cases are different based on the Dubbo protocol versions:</p>
|
||||||
|
<ul id="asm_bestpractice_3004__ul0462214112111"><li id="asm_bestpractice_3004__li194621614122116">2.7.4 and later versions: Cloud Native 2.7.4 and later versions have reconstructed the service discovery model which is consistent with that of Kubernetes. Service information can be directly obtained via interfaces.</li><li id="asm_bestpractice_3004__li646034722212">2.7.3 and earlier versions: The Dubbo community versions do not provide the level-2 relationship between interfaces and services. The SDK needs to maintain the mapping from interfaces to services based on the actual usage mode. For example, information such as a service name may be provided in extended information during service registration.</li></ul>
|
||||||
|
<p id="asm_bestpractice_3004__p118134052818">You can select a processing mode based on your SDK. The SDK of an earlier version can perform the following operations in the existing service registration and discovery processes:</p>
|
||||||
|
<ol id="asm_bestpractice_3004__ol575422915251"><li id="asm_bestpractice_3004__li1175432914256">Extend the definition of <strong id="asm_bestpractice_3004__b1518364252719">Service</strong> in the registration information. During service deployment, service metadata can be injected into the SDK as environment variables, including <strong id="asm_bestpractice_3004__b1767912538289">appname</strong> and <strong id="asm_bestpractice_3004__b280315546281">namespace</strong>, which indicate the name and namespace of the deployed service, respectively.</li><li id="asm_bestpractice_3004__li153893585258">When the service is started, the relationship between the Dubbo interface and Kubernetes service name and namespace is registered in the Registry.</li><li id="asm_bestpractice_3004__li1320631142612">When a client initiates an access request, the service metadata is queried by the interface according to the original service discovery process, and the corresponding service information is used to assemble an RPC request. The extended field <strong id="asm_bestpractice_3004__b98596335188">Attachment</strong> is advised to be used to store the <strong id="asm_bestpractice_3004__b9194138143016">appname</strong> and <strong id="asm_bestpractice_3004__b14152201083015">namespace</strong> information in the Dubbo request.</li></ol>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bestpractice_3003.html">SDK Adaptation Mode</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
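Review bot: Step 3 of the Description recommends carrying `appname` and `namespace` in the `Attachment` field of the Dubbo request, but the topic does not say which component reads these values or whether they are checked against the caller's identity; because the client SDK sets them, state whether routing or access authorization rules depend on them. In the version list, "Cloud Native 2.7.4 and later versions" sits under a sentence about Dubbo protocol versions, so name what is being versioned. The phrase "level-2 relationship between interfaces and services" is not defined anywhere in the topic.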
22
docs/asm/umn/asm_bestpractice_3005.html
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
<a name="asm_bestpractice_3005"></a><a name="asm_bestpractice_3005"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Static Target Service</h1>
|
||||||
|
<div id="body1568601267888"><div class="section" id="asm_bestpractice_3005__section1421042416286"><h4 class="sectiontitle">Introduction</h4><p id="asm_bestpractice_3005__p1330417254285">Use <a href="https://dubbo.apache.org/en/docs/v2.7/user/references/xml/dubbo-reference/" target="_blank" rel="noopener noreferrer">dubbo:reference</a> to configure the referenced service provider in the service consumer of the Dubbo service. Use the <strong id="asm_bestpractice_3005__b105746911459">url</strong> option to define the address of the point-to-point direct connection service provider to bypass the Registry and directly call the target service.</p>
|
||||||
|
</div>
|
||||||
|
<div class="section" id="asm_bestpractice_3005__section1510833172818"><h4 class="sectiontitle">Description</h4><p id="asm_bestpractice_3005__p12186132172817">If the original Dubbo service uses the <strong id="asm_bestpractice_3005__b95719522484">.xml</strong> configuration file, only the configuration file needs to be modified.</p>
|
||||||
|
<pre class="screen" id="asm_bestpractice_3005__screen10360121814339"><strong id="asm_bestpractice_3005__b115511191332"><?xml version="1.0" encoding="UTF-8"?></strong>
|
||||||
|
<beans>
|
||||||
|
<em id="asm_bestpractice_3005__i115517196339"><!-- </em><em id="asm_bestpractice_3005__i2551519153313">Interfaces that can be called --></em>
|
||||||
|
<dubbo:reference id="helloService " interface="com.dubbo.service.HelloService " url = "dubbo://helloService:20880" />
|
||||||
|
</beans></pre>
|
||||||
|
<p id="asm_bestpractice_3005__p1824662453419">If an annotation is used to define the referenced target service, only the annotation of the target service in the code needs to be modified.</p>
|
||||||
|
<pre class="screen" id="asm_bestpractice_3005__screen532018377342"><strong id="asm_bestpractice_3005__b13340154211348">@Reference</strong>(url = "dubbo://helloService:20880")
|
||||||
|
HelloService helloService;</pre>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bestpractice_3003.html">SDK Adaptation Mode</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
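Review bot: In the XML sample, the attribute values `id="helloService "` and `interface="com.dubbo.service.HelloService "` end with a space inside the quotes, which a reader copying the snippet will carry into the bean id and the interface name; remove the trailing spaces. The `<beans>` element declares no namespace for the `dubbo:` prefix, so the snippet is not well-formed as shown; add the declarations or mark it as an excerpt. The comment "Interfaces that can be called" is split across two `<em>` elements and can be merged into one.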
16
docs/asm/umn/asm_bestpractice_3008.html
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
<a name="asm_bestpractice_3008"></a><a name="asm_bestpractice_3008"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Service Discovery Model</h1>
|
||||||
|
<div id="body1568970862475"><p id="asm_bestpractice_3008__p1990012073215">Problems in the existing Dubbo model (summarized from the Dubbo community version 2.7.4):</p>
|
||||||
|
<ul id="asm_bestpractice_3008__ul116499357325"><li id="asm_bestpractice_3008__li1064933543211">In the microservice architecture, the Registry manages applications (services) instead of external service interfaces. However, the Dubbo Registry manages Dubbo service interfaces, contrary to the Spring Cloud or Cloud Native registration mode.</li><li id="asm_bestpractice_3008__li9177125414336">A Dubbo application (service) allows N Dubbo service interfaces to be registered. The more interfaces, the heavier the load of the Registry.</li></ul>
|
||||||
|
<p id="asm_bestpractice_3008__p16244123463218">The existing Dubbo service model searches for service instances based on the Dubbo interface.</p>
|
||||||
|
<p id="asm_bestpractice_3008__p142014122418"><span><img class="eddx" id="asm_bestpractice_3008__image112041210415" src="en-us_image_0000001181759886.png"></span></p>
|
||||||
|
<p id="asm_bestpractice_3008__p126069483342">The Dubbo Cloud Native service discovery model adds an app layer to search for instances.</p>
|
||||||
|
<p id="asm_bestpractice_3008__p9673641144710"><span><img class="eddx" id="asm_bestpractice_3008__image767311418471" src="en-us_image_0000001227360319.png"></span></p>
|
||||||
|
</div>
|
||||||
|
<div>
|
||||||
|
<div class="familylinks">
|
||||||
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_bestpractice_3001.html">Service Governance for Dubbo-based Applications</a></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
15
docs/asm/umn/asm_bp_0001.html
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
<a name="asm_bp_0001"></a><a name="asm_bp_0001"></a>
|
||||||
|
|
||||||
|
<h1 class="topictitle1">Best Practices</h1>
|
||||||
|
<div id="body0000001215189750"></div>
|
||||||
|
<div>
|
||||||
|
<ul class="ullinks">
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_0003.html">Upgrading Data Plane Sidecars Without Service Interruption</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_3001.html">Service Governance for Dubbo-based Applications</a></strong><br>
|
||||||
|
</li>
|
||||||
|
<li class="ulchildlink"><strong><a href="asm_bestpractice_1009.html">Creating a Service Mesh with IPv4/IPv6 Dual Stack Enabled</a></strong><br>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</div>
|
||||||
|
|
Some files were not shown because too many files have changed in this diff