// +optional
  optional string hostIP = 5;

  // IP address allocated to the carp. Routable at least within the cluster.
  // Empty if not yet allocated.
  // +optional
  optional string carpIP = 6;

  // RFC 3339 date and time at which the object was acknowledged by the Kubelet.
  // This is before the Kubelet pulled the container image(s) for the carp.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time startTime = 7;

// match, then routed to the backend associated with the matching IngressRuleValue.
message IngressRule {
  // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
  // Note the following deviations from the "host" part of the
  // URI as defined in RFC 3986:
  // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
  //    the IP in the Spec of the parent Ingress.

communication. # Currently, two providers are supported: "kubernetes" and "istiod". # As some platforms may not have kubernetes signing APIs, # Istiod is the default pilotCertProvider: istiod sds: # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the # JWT is intended for the CA. token: aud: istio-ca sts: # The service port used by Security Token Service (STS) server to handle token...

  // This field IS NOT consulted in any way if "Allowed" is "true".
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status status = 3;

  // The patch body. Currently we only support "JSONPatch" which implements RFC 6902.
  // +optional
  optional bytes patch = 4;

  // The type of Patch. Currently we only allow "JSONPatch".
  // +optional
  optional string patchType = 5;

  //
  // * Un-prefixed protocol names - reserved for IANA standard service names (as per
  // RFC-6335 and https://www.iana.org/assignments/service-names).
  //
  // * Kubernetes-defined prefixed names:
  //   * 'kubernetes.io/h2c' - HTTP/2 over cleartext as described in https://www.rfc-editor.org/rfc/rfc7540
  //
  // * Other protocols should use implementation-defined prefixed names such as

    # As some platforms may not have kubernetes signing APIs,
    # Istiod is the default
    pilotCertProvider: istiod
    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca
    sts:

  // Null for lists.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
  optional Time creationTimestamp = 8;

  // DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This
  // field is set by the server when a graceful deletion is requested by the user, and is not

    # As some platforms may not have kubernetes signing APIs,
    # Istiod is the default
    pilotCertProvider: istiod

    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca

    sts:

    # As some platforms may not have kubernetes signing APIs,
    # Istiod is the default
    pilotCertProvider: istiod

    sds:
      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
      # When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the
      # JWT is intended for the CA.
      token:
        aud: istio-ca

    sts: