Add ambient mode caveats (#3517)

* Add ambient mode caveats

* Subsets

* Some corrections

* Remove subset notes
* Add source_* notes

* Add warning about virtual service being alpha

* Revert non-serviceentry related changes

* Typo and clarification

Author: Stevenjin8

networking/v1alpha3/service_entry.pb.go

@@ -464,6 +464,9 @@ message ServiceEntry {
   // 1. subjectAltNames: In addition to verifying the SANs of the
   //    service accounts associated with the pods of the service, the
   //    SANs specified here will also be verified.
+  //
+  // **NOTE 3:** Ztunnel and Waypoint proxies do not support wildcard hosts.
+  //
   // +kubebuilder:validation:MinItems=1
   // +kubebuilder:validation:MaxItems=256
   // +protoc-gen-crd:list-value-validation:XValidation:message="hostname cannot be wildcard",rule="self != '*'"
@@ -614,6 +617,8 @@ message ServiceEntry {
   // For a Kubernetes Service, the equivalent effect can be achieved by setting
   // the annotation "networking.istio.io/exportTo" to a comma-separated list
   // of namespace names.
+  //
+  // **Note:** Ztunnel and Waypoint proxies not support this field and will read it at "*".
   repeated string export_to = 7;
 
   // If specified, the proxy will verify that the server certificate's