From e06061c9e86910f18341da0ee9f908bb53d68ffe Mon Sep 17 00:00:00 2001 From: mtail Date: Mon, 11 Mar 2019 22:27:58 -0700 Subject: [PATCH] Fix some doc errors. This started out to just fix a bad link to unblock work on istio.io, but I ended up fixing a bunch of typos/incorrect format throughout. --- .../istio.authentication.v1alpha1.pb.html | 2 +- authentication/v1alpha1/policy.pb.go | 2 +- authentication/v1alpha1/policy.proto | 2 +- dictionaries/custom.txt | 4 ++++ .../http/jwt_auth/v2alpha1/config.pb.go | 12 +++++------ .../http/jwt_auth/v2alpha1/config.proto | 12 +++++------ mesh/v1alpha1/config.pb.go | 12 +++++------ mesh/v1alpha1/config.proto | 12 +++++------ mesh/v1alpha1/istio.mesh.v1alpha1.pb.html | 12 +++++------ mesh/v1alpha1/network.pb.go | 2 +- mesh/v1alpha1/network.proto | 4 ++-- mesh/v1alpha1/proxy.pb.go | 2 +- mesh/v1alpha1/proxy.proto | 4 ++-- mixer/v1/config/client/service.proto | 2 +- networking/v1alpha3/gateway.pb.go | 18 ++++++++-------- networking/v1alpha3/gateway.pb.html | 16 +++++++------- networking/v1alpha3/gateway.proto | 18 ++++++++-------- networking/v1alpha3/service_entry.pb.go | 21 +++++++++---------- networking/v1alpha3/service_entry.pb.html | 21 +++++++++---------- networking/v1alpha3/service_entry.proto | 21 +++++++++---------- networking/v1alpha3/sidecar.pb.go | 8 +++---- networking/v1alpha3/sidecar.pb.html | 8 +++---- networking/v1alpha3/sidecar.proto | 8 +++---- networking/v1alpha3/virtual_service.pb.go | 8 +++---- networking/v1alpha3/virtual_service.pb.html | 8 +++---- networking/v1alpha3/virtual_service.proto | 8 +++---- policy/v1beta1/cfg.pb.go | 8 +++---- policy/v1beta1/cfg.proto | 8 +++---- policy/v1beta1/istio.policy.v1beta1.pb.html | 8 +++---- rbac/v1alpha1/istio.rbac.v1alpha1.pb.html | 6 +++--- rbac/v1alpha1/rbac.pb.go | 6 +++--- rbac/v1alpha1/rbac.proto | 8 +++---- 32 files changed, 141 insertions(+), 150 deletions(-) diff --git a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html index 65acfb5a37..4d144436f4 100644 --- a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html +++ b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html @@ -118,7 +118,7 @@

Jwt

the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account).

-

Example: https://www.googleapis.com/oauth2/v1/certs

+

Example: https://www.googleapis.com/oauth2/v1/certs

diff --git a/authentication/v1alpha1/policy.pb.go b/authentication/v1alpha1/policy.pb.go index 0954be05da..9dd5783f15 100644 --- a/authentication/v1alpha1/policy.pb.go +++ b/authentication/v1alpha1/policy.pb.go @@ -431,7 +431,7 @@ type Jwt struct { // the issuer or (b) inferred from the email domain of the issuer (e.g. a // Google service account). // - // Example: https://www.googleapis.com/oauth2/v1/certs + // Example: `https://www.googleapis.com/oauth2/v1/certs` JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"` // JWT is sent in a request header. `header` represents the // header name. diff --git a/authentication/v1alpha1/policy.proto b/authentication/v1alpha1/policy.proto index 916270f965..f9156eb75b 100644 --- a/authentication/v1alpha1/policy.proto +++ b/authentication/v1alpha1/policy.proto @@ -155,7 +155,7 @@ message Jwt { // the issuer or (b) inferred from the email domain of the issuer (e.g. a // Google service account). // - // Example: https://www.googleapis.com/oauth2/v1/certs + // Example: `https://www.googleapis.com/oauth2/v1/certs` string jwks_uri = 3; // Two fields below define where to extract the JWT from an HTTP request. diff --git a/dictionaries/custom.txt b/dictionaries/custom.txt index 14c8b03d73..f056b95fd0 100644 --- a/dictionaries/custom.txt +++ b/dictionaries/custom.txt @@ -13,6 +13,7 @@ jitter JSON JWT Kubernetes +LightStep MCP multicluster NACK @@ -27,6 +28,7 @@ scalability SDS SNI SPIFFE +subnet TCP TLS UDP @@ -35,3 +37,5 @@ unmanaged unterminated URI URL +VM +Zipkin diff --git a/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go b/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go index 87ce22a8f3..d05358fc7e 100644 --- a/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go +++ b/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go @@ -348,15 +348,14 @@ func _DataSource_OneofSizer(msg proto.Message) (n int) { return n } -// This message specifies how a JSON Web Token (JWT) can be verified. JWT format is defined -// `here `_. Please see `OAuth2.0 -// `_ and `OIDC1.0 `_ for +// This message specifies how a JSON Web Token (JWT) can be verified. See the [JWT format definition](https://tools.ietf.org/html/rfc7519) +// for details. Please see [OAuth2.0](https://tools.ietf.org/html/rfc6749) and +// [OIDC1.0](http://openid.net/connect) for // the authentication flow. // // Example: // -// .. code-block:: yaml -// +// ```yaml // issuer: https://example.com // audiences: // - bookstore_android.apps.googleusercontent.com @@ -367,8 +366,7 @@ func _DataSource_OneofSizer(msg proto.Message) (n int) { // cluster: example_jwks_cluster // cache_duration: // - seconds: 300 -// -// [#not-implemented-hide:] +// ``` type JwtRule struct { // Identifies the principal that issued the JWT. See `here // `_. Usually a URL or an email address. diff --git a/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto b/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto index 477be41f75..ec4cb9200b 100644 --- a/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto +++ b/envoy/config/filter/http/jwt_auth/v2alpha1/config.proto @@ -69,15 +69,14 @@ message DataSource { } } -// This message specifies how a JSON Web Token (JWT) can be verified. JWT format is defined -// `here `_. Please see `OAuth2.0 -// `_ and `OIDC1.0 `_ for +// This message specifies how a JSON Web Token (JWT) can be verified. See the [JWT format definition](https://tools.ietf.org/html/rfc7519) +// for details. Please see [OAuth2.0](https://tools.ietf.org/html/rfc6749) and +// [OIDC1.0](http://openid.net/connect) for // the authentication flow. // // Example: // -// .. code-block:: yaml -// +// ```yaml // issuer: https://example.com // audiences: // - bookstore_android.apps.googleusercontent.com @@ -88,8 +87,7 @@ message DataSource { // cluster: example_jwks_cluster // cache_duration: // - seconds: 300 -// -// [#not-implemented-hide:] +// ``` message JwtRule { // Identifies the principal that issued the JWT. See `here // `_. Usually a URL or an email address. diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go index 2adfe66184..9fdc0a9033 100644 --- a/mesh/v1alpha1/config.pb.go +++ b/mesh/v1alpha1/config.pb.go @@ -239,7 +239,7 @@ type MeshConfig struct { ConfigSources []*ConfigSource `protobuf:"bytes,22,rep,name=config_sources,json=configSources,proto3" json:"config_sources,omitempty"` // $hide_from_docs // This flag is used by secret discovery service(SDS). - // If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + // If set to true ([prerequisite](https://kubernetes.io/docs/concepts/storage/volumes/#projected)), Istio will inject volumes mount // for Kubernetes service account trustworthy JWT(which is available with Kubernetes 1.12 or higher), so that the Kubernetes API server // mounts Kubernetes service account trustworthy JWT to the Envoy container, which will be used to request key/cert eventually. // This isn't supported for non-Kubernetes cases. @@ -298,7 +298,7 @@ type MeshConfig struct { DefaultDestinationRuleExportTo []string `protobuf:"bytes,33,rep,name=default_destination_rule_export_to,json=defaultDestinationRuleExportTo,proto3" json:"default_destination_rule_export_to,omitempty"` // $hide_from_docs // The namespace to treat as the administrative root namespace for - // istio configuration. When processing a leaf namespace Istio will search for + // Istio configuration. When processing a leaf namespace Istio will search for // declarations in that namespace first and if none are found it will // search in the root namespace. Any matching declaration found in the root // namespace is processed as if it were declared in the leaf namespace. @@ -307,8 +307,8 @@ type MeshConfig struct { // type. // // There is no default value for this flag in 1.1 but in later releases it - // is expected to default to a new namespace, "istio-config", which is - // maintained separately from the "istio-system" namespace where an instance + // is expected to default to a new namespace, `istio-config`, which is + // maintained separately from the `istio-system` namespace where an instance // of the control plane runtime is deployed. This separates the concerns of // configuring the control-plane runtime from configuration of the mesh. RootNamespace string `protobuf:"bytes,34,opt,name=root_namespace,json=rootNamespace,proto3" json:"root_namespace,omitempty"` @@ -653,7 +653,7 @@ type ConfigSource struct { Address string `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"` // Use the tls_settings to specify the tls mode to use. If the MCP server // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - // mode as ISTIO_MUTUAL. + // mode as `ISTIO_MUTUAL`. TlsSettings *v1alpha3.TLSSettings `protobuf:"bytes,2,opt,name=tls_settings,json=tlsSettings,proto3" json:"tls_settings,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` @@ -757,7 +757,7 @@ func (m *ConfigSource) GetTlsSettings() *v1alpha3.TLSSettings { type LocalityLoadBalancerSetting struct { // Optional: only one of distribute or failover can be set. // Explicitly specify loadbalancing weight across different zones and geographical locations. - // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing.html?highlight=load_balancing_weight#locality-weighted-load-balancing) + // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) // If empty, the locality weight is set according to the endpoints number within it. Distribute []*LocalityLoadBalancerSetting_Distribute `protobuf:"bytes,1,rep,name=distribute,proto3" json:"distribute,omitempty"` // Optional: only failover or distribute can be set. diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto index 062e1e60e8..c35e2b2434 100644 --- a/mesh/v1alpha1/config.proto +++ b/mesh/v1alpha1/config.proto @@ -196,7 +196,7 @@ message MeshConfig { // $hide_from_docs // This flag is used by secret discovery service(SDS). - // If set to true(prerequisite: https://kubernetes.io/docs/concepts/storage/volumes/#projected), Istio will inject volumes mount + // If set to true ([prerequisite](https://kubernetes.io/docs/concepts/storage/volumes/#projected)), Istio will inject volumes mount // for Kubernetes service account trustworthy JWT(which is available with Kubernetes 1.12 or higher), so that the Kubernetes API server // mounts Kubernetes service account trustworthy JWT to the Envoy container, which will be used to request key/cert eventually. // This isn't supported for non-Kubernetes cases. @@ -261,7 +261,7 @@ message MeshConfig { // $hide_from_docs // The namespace to treat as the administrative root namespace for - // istio configuration. When processing a leaf namespace Istio will search for + // Istio configuration. When processing a leaf namespace Istio will search for // declarations in that namespace first and if none are found it will // search in the root namespace. Any matching declaration found in the root // namespace is processed as if it were declared in the leaf namespace. @@ -270,8 +270,8 @@ message MeshConfig { // type. // // There is no default value for this flag in 1.1 but in later releases it - // is expected to default to a new namespace, "istio-config", which is - // maintained separately from the "istio-system" namespace where an instance + // is expected to default to a new namespace, `istio-config`, which is + // maintained separately from the `istio-system` namespace where an instance // of the control plane runtime is deployed. This separates the concerns of // configuring the control-plane runtime from configuration of the mesh. string root_namespace = 34; @@ -297,7 +297,7 @@ message ConfigSource { // Use the tls_settings to specify the tls mode to use. If the MCP server // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS - // mode as ISTIO_MUTUAL. + // mode as `ISTIO_MUTUAL`. istio.networking.v1alpha3.TLSSettings tls_settings = 2; } @@ -385,7 +385,7 @@ message LocalityLoadBalancerSetting{ // Optional: only one of distribute or failover can be set. // Explicitly specify loadbalancing weight across different zones and geographical locations. - // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing.html?highlight=load_balancing_weight#locality-weighted-load-balancing) + // Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/load_balancing/locality_weight) // If empty, the locality weight is set according to the endpoints number within it. repeated Distribute distribute = 1; diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html index d4d0be852a..0a654fad29 100644 --- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html +++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html @@ -77,9 +77,9 @@

ConfigSource

tlsSettings istio.networking.v1alpha3.TLSSettings -

Use the tlssettings to specify the tls mode to use. If the MCP server +

Use the tls_settings to specify the tls mode to use. If the MCP server uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS -mode as ISTIOMUTUAL.

+mode as ISTIO_MUTUAL.

@@ -150,7 +150,7 @@

LocalityLoadBalancerSetting

Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing +Refer to Locality weighted load balancing If empty, the locality weight is set according to the endpoints number within it.

@@ -755,7 +755,7 @@

Network.NetworkEndpoints

  • Implicitly: If the registry explicitly provides information about the network to which the endpoint belongs to. In some cases, its possible to indicate the network associated with the endpoint by -adding ISTIOMETANETWORK environment variable to the sidecar.

    • +adding the ISTIO_META_NETWORK environment variable to the sidecar.

  • Explicitly:

    • @@ -794,7 +794,7 @@

    Network.NetworkEndpoints

    Add all endpoints from the specified registry into this network. The names of the registries should correspond to the secret name -that was used to configure the registry (kubernetes multicluster) or +that was used to configure the registry (Kubernetes multicluster) or supplied by MCP server.

    @@ -909,7 +909,7 @@

    ProxyConfig

    string

    Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). -See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto +See Metric Service for details about Envoy’s Metrics Service API.

    diff --git a/mesh/v1alpha1/network.pb.go b/mesh/v1alpha1/network.pb.go index 078d6a2610..ccd7f8e0b7 100644 --- a/mesh/v1alpha1/network.pb.go +++ b/mesh/v1alpha1/network.pb.go @@ -92,7 +92,7 @@ func (m *Network) GetGateways() []*Network_IstioNetworkGateway { // 1. Implicitly: If the registry explicitly provides information about // the network to which the endpoint belongs to. In some cases, its // possible to indicate the network associated with the endpoint by -// adding ISTIO_META_NETWORK environment variable to the sidecar. +// adding the `ISTIO_META_NETWORK` environment variable to the sidecar. // // 2. Explicitly: // diff --git a/mesh/v1alpha1/network.proto b/mesh/v1alpha1/network.proto index a55c416cfe..8260072a34 100644 --- a/mesh/v1alpha1/network.proto +++ b/mesh/v1alpha1/network.proto @@ -31,7 +31,7 @@ message Network { // 1. Implicitly: If the registry explicitly provides information about // the network to which the endpoint belongs to. In some cases, its // possible to indicate the network associated with the endpoint by - // adding ISTIO_META_NETWORK environment variable to the sidecar. + // adding the `ISTIO_META_NETWORK` environment variable to the sidecar. // // 2. Explicitly: // @@ -52,7 +52,7 @@ message Network { // Add all endpoints from the specified registry into this network. // The names of the registries should correspond to the secret name - // that was used to configure the registry (kubernetes multicluster) or + // that was used to configure the registry (Kubernetes multicluster) or // supplied by MCP server. string from_registry = 2; } diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go index 0056c3caf6..10950ac4c8 100644 --- a/mesh/v1alpha1/proxy.pb.go +++ b/mesh/v1alpha1/proxy.pb.go @@ -414,7 +414,7 @@ type ProxyConfig struct { // IP Address and Port of a statsd UDP listener (e.g. _10.75.241.127:9125_). StatsdUdpAddress string `protobuf:"bytes,10,opt,name=statsd_udp_address,json=statsdUdpAddress,proto3" json:"statsd_udp_address,omitempty"` // Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). - // See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto + // See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) // for details about Envoy's Metrics Service API. EnvoyMetricsServiceAddress string `protobuf:"bytes,20,opt,name=envoy_metrics_service_address,json=envoyMetricsServiceAddress,proto3" json:"envoy_metrics_service_address,omitempty"` // Port on which Envoy should listen for administrative commands. diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto index 576289c8ad..a08d122c59 100644 --- a/mesh/v1alpha1/proxy.proto +++ b/mesh/v1alpha1/proxy.proto @@ -120,13 +120,13 @@ message ProxyConfig { string statsd_udp_address = 10; // Address of the Envoy Metrics Service implementation (e.g. metrics-service:15000). - // See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto + // See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto) // for details about Envoy's Metrics Service API. string envoy_metrics_service_address = 20; // Port on which Envoy should listen for administrative commands. int32 proxy_admin_port = 11; - + // $hide_from_docs string availability_zone = 12 [deprecated=true]; diff --git a/mixer/v1/config/client/service.proto b/mixer/v1/config/client/service.proto index d00937a84a..01de2e9737 100644 --- a/mixer/v1/config/client/service.proto +++ b/mixer/v1/config/client/service.proto @@ -30,7 +30,7 @@ option (gogoproto.stable_marshaler_all) = true; // // Mixer protobufs have gogoproto specific options which are not // compatiable with the proxy's vanilla protobufs. Ideally, these -// protobuf options be reconciled so fundamental istio concepts and +// protobuf options be reconciled so fundamental Istio concepts and // types can be shared by components. Until then, make a copy of // IstioService for mixerclient to use. diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 53ff90247b..5764c93c26 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go @@ -52,7 +52,7 @@ // - "bookinfo-namespace/*.bookinfo.com" // tls: // mode: SIMPLE # enables HTTPS on this port -// credentialName: bookinfo-secret # fetches certs from kubernetes secret +// credentialName: bookinfo-secret # fetches certs from Kubernetes secret // - port: // number: 9080 // name: http-wildcard @@ -72,15 +72,15 @@ // the forwarding of traffic arriving at a particular host or gateway port. // // For example, the following VirtualService splits traffic for -// "https://uk.bookinfo.com/reviews", "https://eu.bookinfo.com/reviews", -// "http://uk.bookinfo.com:9080/reviews", -// "http://eu.bookinfo.com:9080/reviews" into two versions (prod and qa) of +// `https://uk.bookinfo.com/reviews`, `https://eu.bookinfo.com/reviews`, +// `http://uk.bookinfo.com:9080/reviews`, +// `http://eu.bookinfo.com:9080/reviews` into two versions (prod and qa) of // an internal reviews service on port 9080. In addition, requests // containing the cookie "user: dev-123" will be sent to special port 7777 // in the qa version. The same rule is also applicable inside the mesh for // requests to the "reviews.prod.svc.cluster.local" service. This rule is -// applicable across ports 443, 9080. Note that "http://uk.bookinfo.com" -// gets redirected to "https://uk.bookinfo.com" (i.e. 80 redirects to 443). +// applicable across ports 443, 9080. Note that `http://uk.bookinfo.com` +// gets redirected to `https://uk.bookinfo.com` (i.e. 80 redirects to 443). // // ```yaml // apiVersion: networking.istio.io/v1alpha3 @@ -410,14 +410,14 @@ type Server struct { // $hide_from_docs // The ip or the Unix domain socket to which the listener should be bound // to. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar` - // (Linux abstract namespace). When using unix domain sockets, the port + // (Linux abstract namespace). When using Unix domain sockets, the port // number should be 0. Bind string `protobuf:"bytes,4,opt,name=bind,proto3" json:"bind,omitempty"` // REQUIRED. One or more hosts exposed by this gateway. // While typically applicable to // HTTP services, it can also be used for TCP services using TLS with SNI. // A host is specified as a `dnsName` with an optional `namespace/` prefix. - // The `dnsName` should be specified using FQDN format, opionally including + // The `dnsName` should be specified using FQDN format, optionally including // a wildcard character in the left-most component (e.g., `prod/*.example.com`). // Set the `dnsName` to `*` to select all `VirtualService` hosts from the // specified namespace (e.g.,`prod/*`). If no `namespace/` is specified, @@ -542,7 +542,7 @@ type Server_TLSOptions struct { // credentialName appended with suffix "-cacert" is used to identify // the CaCertificates associated with this server. Gateway workloads // capable of fetching credentials from a remote credential store such - // as kubernetes secrets, will be configured to retrieve the + // as Kubernetes secrets, will be configured to retrieve the // serverCertificate and the privateKey using credentialName, instead // of using the file system paths specified above. If using mutual TLS, // gateway workloads will retrieve the CaCertificates using diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html index 2e8bd131e7..670df0918e 100644 --- a/networking/v1alpha3/gateway.pb.html +++ b/networking/v1alpha3/gateway.pb.html @@ -56,7 +56,7 @@ - "bookinfo-namespace/*.bookinfo.com" tls: mode: SIMPLE # enables HTTPS on this port - credentialName: bookinfo-secret # fetches certs from kubernetes secret + credentialName: bookinfo-secret # fetches certs from Kubernetes secret - port: number: 9080 name: http-wildcard @@ -76,15 +76,15 @@ the forwarding of traffic arriving at a particular host or gateway port.

    For example, the following VirtualService splits traffic for -“https://uk.bookinfo.com/reviews”, “https://eu.bookinfo.com/reviews”, -“http://uk.bookinfo.com:9080/reviews”, -“http://eu.bookinfo.com:9080/reviews” into two versions (prod and qa) of +https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews, +http://uk.bookinfo.com:9080/reviews, +http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of an internal reviews service on port 9080. In addition, requests containing the cookie “user: dev-123” will be sent to special port 7777 in the qa version. The same rule is also applicable inside the mesh for requests to the “reviews.prod.svc.cluster.local” service. This rule is -applicable across ports 443, 9080. Note that “http://uk.bookinfo.com” -gets redirected to “https://uk.bookinfo.com” (i.e. 80 redirects to 443).

    +applicable across ports 443, 9080. Note that http://uk.bookinfo.com +gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).

    apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
@@ -337,7 +337,7 @@ 
    Server
    
 While typically applicable to
 HTTP services, it can also be used for TCP services using TLS with SNI.
 A host is specified as a dnsName with an optional namespace/ prefix.
-The dnsName should be specified using FQDN format, opionally including
+The dnsName should be specified using FQDN format, optionally including
 a wildcard character in the left-most component (e.g., prod/*.example.com).
 Set the dnsName to * to select all VirtualService hosts from the
 specified namespace (e.g.,prod/*). If no namespace/ is specified,
@@ -450,7 +450,7 @@ 
    Server.TLSOptions
    
 credentialName appended with suffix “-cacert” is used to identify
 the CaCertificates associated with this server. Gateway workloads
 capable of fetching credentials from a remote credential store such
-as kubernetes secrets, will be configured to retrieve the
+as Kubernetes secrets, will be configured to retrieve the
 serverCertificate and the privateKey using credentialName, instead
 of using the file system paths specified above. If using mutual TLS,
 gateway workloads will retrieve the CaCertificates using
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index ea314aa192..4ae5e7983c 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -69,7 +69,7 @@ syntax = "proto3";
 //     - "bookinfo-namespace/*.bookinfo.com"
 //     tls:
 //       mode: SIMPLE # enables HTTPS on this port
-//       credentialName: bookinfo-secret # fetches certs from kubernetes secret
+//       credentialName: bookinfo-secret # fetches certs from Kubernetes secret
 //   - port:
 //       number: 9080
 //       name: http-wildcard
@@ -89,15 +89,15 @@ syntax = "proto3";
 // the forwarding of traffic arriving at a particular host or gateway port.
 //
 // For example, the following VirtualService splits traffic for
-// "https://uk.bookinfo.com/reviews", "https://eu.bookinfo.com/reviews",
-// "http://uk.bookinfo.com:9080/reviews",
-// "http://eu.bookinfo.com:9080/reviews" into two versions (prod and qa) of
+// `https://uk.bookinfo.com/reviews`, `https://eu.bookinfo.com/reviews`,
+// `http://uk.bookinfo.com:9080/reviews`,
+// `http://eu.bookinfo.com:9080/reviews` into two versions (prod and qa) of
 // an internal reviews service on port 9080. In addition, requests
 // containing the cookie "user: dev-123" will be sent to special port 7777
 // in the qa version. The same rule is also applicable inside the mesh for
 // requests to the "reviews.prod.svc.cluster.local" service. This rule is
-// applicable across ports 443, 9080. Note that "http://uk.bookinfo.com"
-// gets redirected to "https://uk.bookinfo.com" (i.e. 80 redirects to 443).
+// applicable across ports 443, 9080. Note that `http://uk.bookinfo.com`
+// gets redirected to `https://uk.bookinfo.com` (i.e. 80 redirects to 443).
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -274,7 +274,7 @@ message Server {
   // $hide_from_docs
   // The ip or the Unix domain socket to which the listener should be bound
   // to. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar`
-  // (Linux abstract namespace). When using unix domain sockets, the port
+  // (Linux abstract namespace). When using Unix domain sockets, the port
   // number should be 0.
   string bind = 4;
 
@@ -282,7 +282,7 @@ message Server {
   // While typically applicable to
   // HTTP services, it can also be used for TCP services using TLS with SNI.
   // A host is specified as a `dnsName` with an optional `namespace/` prefix.
-  // The `dnsName` should be specified using FQDN format, opionally including
+  // The `dnsName` should be specified using FQDN format, optionally including
   // a wildcard character in the left-most component (e.g., `prod/*.example.com`).
   // Set the `dnsName` to `*` to select all `VirtualService` hosts from the
   // specified namespace (e.g.,`prod/*`). If no `namespace/` is specified,
@@ -359,7 +359,7 @@ message Server {
     // credentialName appended with suffix "-cacert" is used to identify
     // the CaCertificates associated with this server. Gateway workloads
     // capable of fetching credentials from a remote credential store such
-    // as kubernetes secrets, will be configured to retrieve the
+    // as Kubernetes secrets, will be configured to retrieve the
     // serverCertificate and the privateKey using credentialName, instead
     // of using the file system paths specified above. If using mutual TLS,
     // gateway workloads will retrieve the CaCertificates using
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 6168b16ee6..4e6de8be9d 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -167,8 +167,8 @@
 //    - "*"
 // ```
 //
-// And the associated VirtualService to route from the sidecar to the
-// gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
+// And the associated `VirtualService` to route from the sidecar to the
+// gateway service (`istio-egressgateway.istio-system.svc.cluster.local`), as
 // well as route from the gateway to the external service. Note that the
 // virtual service is exported to all namespaces enabling them to route traffic
 // through the gateway to the external service. Forcing traffic to go through
@@ -228,7 +228,7 @@
 //
 // The following example demonstrates a service that is available via a
 // Unix Domain Socket on the host of the client. The resolution must be
-// set to STATIC to use unix address endpoints.
+// set to STATIC to use Unix address endpoints.
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -248,10 +248,10 @@
 //   - address: unix:///var/run/example/socket
 // ```
 //
-// For HTTP-based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a `VirtualService`
 // backed by multiple DNS addressable endpoints. In such a scenario, the
-// application can use the HTTP_PROXY environment variable to transparently
-// reroute API calls for the VirtualService to a chosen backend. For
+// application can use the `HTTP_PROXY` environment variable to transparently
+// reroute API calls for the `VirtualService` to a chosen backend. For
 // example, the following configuration creates a non-existent external
 // service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
 // uk.foo.bar.com:9080, and in.foo.bar.com:7080
@@ -287,10 +287,9 @@
 // specified above. In other words, a call to `http://foo.bar.com/baz` would
 // be translated to `http://uk.foo.bar.com/baz`.
 //
-// The following example illustrates the usage of a ServiceEntry
+// The following example illustrates the usage of a `ServiceEntry`
 // containing a subject alternate name
-// whose format conforms to the SPIFEE standard
-// :
+// whose format conforms to the [SPIFEE standard](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md):
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -399,7 +398,7 @@ const (
 	// will resolve the DNS address specified in the hosts field, if
 	// wildcards are not used. If endpoints are specified, the DNS
 	// addresses specified in the endpoints will be resolved to determine
-	// the destination IP address.  DNS resolution cannot be used with unix
+	// the destination IP address.  DNS resolution cannot be used with Unix
 	// domain socket endpoints.
 	ServiceEntry_DNS ServiceEntry_Resolution = 2
 )
@@ -593,7 +592,7 @@ type ServiceEntry_Endpoint struct {
 	Address string `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"`
 	// Set of ports associated with the endpoint. The ports must be
 	// associated with a port name that was declared as part of the
-	// service. Do not use for unix:// addresses.
+	// service. Do not use for `unix://` addresses.
 	Ports map[string]uint32 `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"`
 	// One or more labels associated with the endpoint.
 	Labels map[string]string `protobuf:"bytes,3,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index 419590bd63..a0b6499949 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -165,8 +165,8 @@
    - "*"
    -

    And the associated VirtualService to route from the sidecar to the -gateway service (istio-egressgateway.istio-system.svc.cluster.local), as +

    And the associated VirtualService to route from the sidecar to the +gateway service (istio-egressgateway.istio-system.svc.cluster.local), as well as route from the gateway to the external service. Note that the virtual service is exported to all namespaces enabling them to route traffic through the gateway to the external service. Forcing traffic to go through @@ -224,7 +224,7 @@

    The following example demonstrates a service that is available via a Unix Domain Socket on the host of the client. The resolution must be -set to STATIC to use unix address endpoints.

    +set to STATIC to use Unix address endpoints.

    apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
@@ -243,10 +243,10 @@
   - address: unix:///var/run/example/socket
    -

    For HTTP-based services, it is possible to create a VirtualService +

    For HTTP-based services, it is possible to create a VirtualService backed by multiple DNS addressable endpoints. In such a scenario, the -application can use the HTTP_PROXY environment variable to transparently -reroute API calls for the VirtualService to a chosen backend. For +application can use the HTTP_PROXY environment variable to transparently +reroute API calls for the VirtualService to a chosen backend. For example, the following configuration creates a non-existent external service called foo.bar.com backed by three domains: us.foo.bar.com:8080, uk.foo.bar.com:9080, and in.foo.bar.com:7080

    @@ -281,10 +281,9 @@ specified above. In other words, a call to http://foo.bar.com/baz would be translated to http://uk.foo.bar.com/baz.

    -

    The following example illustrates the usage of a ServiceEntry +

    The following example illustrates the usage of a ServiceEntry containing a subject alternate name -whose format conforms to the SPIFEE standard -https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md:

    +whose format conforms to the SPIFEE standard:

    apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
@@ -464,7 +463,7 @@ 
    ServiceEntry.Endpoint
    
 
 
    Set of ports associated with the endpoint. The ports must be
 associated with a port name that was declared as part of the
-service. Do not use for unix:// addresses.
    
+service. Do not use for unix:// addresses.
    
 
 
 
@@ -613,7 +612,7 @@ 
    ServiceEntry.Resolution
    
 will resolve the DNS address specified in the hosts field, if
 wildcards are not used. If endpoints are specified, the DNS
 addresses specified in the endpoints will be resolved to determine
-the destination IP address.  DNS resolution cannot be used with unix
+the destination IP address.  DNS resolution cannot be used with Unix
 domain socket endpoints.
    
 
 
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 7a61b47aae..9fa0578625 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -186,8 +186,8 @@ import "networking/v1alpha3/gateway.proto";
 //    - "*"
 // ```
 //
-// And the associated VirtualService to route from the sidecar to the
-// gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
+// And the associated `VirtualService` to route from the sidecar to the
+// gateway service (`istio-egressgateway.istio-system.svc.cluster.local`), as
 // well as route from the gateway to the external service. Note that the
 // virtual service is exported to all namespaces enabling them to route traffic
 // through the gateway to the external service. Forcing traffic to go through
@@ -247,7 +247,7 @@ import "networking/v1alpha3/gateway.proto";
 //
 // The following example demonstrates a service that is available via a
 // Unix Domain Socket on the host of the client. The resolution must be
-// set to STATIC to use unix address endpoints.
+// set to STATIC to use Unix address endpoints.
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -267,10 +267,10 @@ import "networking/v1alpha3/gateway.proto";
 //   - address: unix:///var/run/example/socket
 // ```
 //
-// For HTTP-based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a `VirtualService`
 // backed by multiple DNS addressable endpoints. In such a scenario, the
-// application can use the HTTP_PROXY environment variable to transparently
-// reroute API calls for the VirtualService to a chosen backend. For
+// application can use the `HTTP_PROXY` environment variable to transparently
+// reroute API calls for the `VirtualService` to a chosen backend. For
 // example, the following configuration creates a non-existent external
 // service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
 // uk.foo.bar.com:9080, and in.foo.bar.com:7080
@@ -306,10 +306,9 @@ import "networking/v1alpha3/gateway.proto";
 // specified above. In other words, a call to `http://foo.bar.com/baz` would
 // be translated to `http://uk.foo.bar.com/baz`.
 //
-// The following example illustrates the usage of a ServiceEntry
+// The following example illustrates the usage of a `ServiceEntry`
 // containing a subject alternate name
-// whose format conforms to the SPIFEE standard
-// :
+// whose format conforms to the [SPIFEE standard](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md):
 //
 // ```yaml
 // apiVersion: networking.istio.io/v1alpha3
@@ -418,7 +417,7 @@ message ServiceEntry {
     // will resolve the DNS address specified in the hosts field, if
     // wildcards are not used. If endpoints are specified, the DNS
     // addresses specified in the endpoints will be resolved to determine
-    // the destination IP address.  DNS resolution cannot be used with unix
+    // the destination IP address.  DNS resolution cannot be used with Unix
     // domain socket endpoints.
     DNS = 2;
   };
@@ -440,7 +439,7 @@ message ServiceEntry {
 
     // Set of ports associated with the endpoint. The ports must be
     // associated with a port name that was declared as part of the
-    // service. Do not use for unix:// addresses.
+    // service. Do not use for `unix://` addresses.
     map ports = 2;
 
     // One or more labels associated with the endpoint.
diff --git a/networking/v1alpha3/sidecar.pb.go b/networking/v1alpha3/sidecar.pb.go
index 9224c76070..dfc84815f8 100644
--- a/networking/v1alpha3/sidecar.pb.go
+++ b/networking/v1alpha3/sidecar.pb.go
@@ -84,7 +84,7 @@
 // resource in the prod-us1 namespace for all pods with labels "app:
 // productpage" belonging to the productpage.prod-us1 service. Assuming
 // that these pods are deployed without IPtable rules (i.e. the Istio init
-// container) and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to
+// container) and the proxy metadata `ISTIO_META_INTERCEPTION_MODE` is set to
 // NONE, the specification below allows such pods to receive HTTP traffic
 // on port 9080 and forward it to the application listening on
 // 127.0.0.1:8080. It also allows the application to communicate with a
@@ -146,7 +146,7 @@
 // traffic. The following Sidecar configuration allows the VM to expose a
 // listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the
 // 172.16.0.0/16 subnet. Note that in this scenario, the
-// ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should
+// `ISTIO_META_INTERCEPTION_MODE` metadata on the proxy in the VM should
 // contain "REDIRECT" or "TPROXY" as its value, implying that IP tables
 // based traffic capture is active.
 //
@@ -334,7 +334,7 @@ type IstioIngressListener struct {
 	// traffic should be forwarded to. This configuration can be used to
 	// redirect traffic arriving at the bind point on the sidecar to a port
 	// or Unix domain socket where the application workload is listening for
-	// connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
+	// connections. Format should be 127.0.0.1:PORT or `unix:///path/to/socket`
 	DefaultEndpoint      string   `protobuf:"bytes,4,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@@ -435,7 +435,7 @@ type IstioEgressListener struct {
 	// using a `ServiceEntry` or `VirtualService` configuration. Any
 	// associated `DestinationRule` in the same namespace will also be used.
 	//
-	// The `dnsName` should be specified using FQDN format, opionally including
+	// The `dnsName` should be specified using FQDN format, optionally including
 	// a wildcard character in the left-most component (e.g., `prod/*.example.com`).
 	// Set the `dnsName` to `*` to select all services from the specified namespace
 	// (e.g.,`prod/*`). The `namespace` can also be set to `*` to select a particular
diff --git a/networking/v1alpha3/sidecar.pb.html b/networking/v1alpha3/sidecar.pb.html
index c7cbb3970f..a4a209a5bf 100644
--- a/networking/v1alpha3/sidecar.pb.html
+++ b/networking/v1alpha3/sidecar.pb.html
@@ -87,7 +87,7 @@
 resource in the prod-us1 namespace for all pods with labels “app:
 productpage” belonging to the productpage.prod-us1 service. Assuming
 that these pods are deployed without IPtable rules (i.e. the Istio init
-container) and the proxy metadata ISTIOMETAINTERCEPTION_MODE is set to
+container) and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to
 NONE, the specification below allows such pods to receive HTTP traffic
 on port 9080 and forward it to the application listening on
 127.0.0.1:8080. It also allows the application to communicate with a
@@ -147,7 +147,7 @@
 traffic. The following Sidecar configuration allows the VM to expose a
 listener on 172.16.1.32:80 (the VM’s IP) for traffic arriving from the
 172.16.0.0/16 subnet. Note that in this scenario, the
-ISTIOMETAINTERCEPTION_MODE metadata on the proxy in the VM should
+ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should
 contain “REDIRECT” or “TPROXY” as its value, implying that IP tables
 based traffic capture is active.
    
 
@@ -285,7 +285,7 @@ 
    IstioEgressListener
    
 using a ServiceEntry or VirtualService configuration. Any
 associated DestinationRule in the same namespace will also be used.
    
 
-
    The dnsName should be specified using FQDN format, opionally including
+
    The dnsName should be specified using FQDN format, optionally including
 a wildcard character in the left-most component (e.g., prod/*.example.com).
 Set the dnsName to * to select all services from the specified namespace
 (e.g.,prod/*). The namespace can also be set to * to select a particular
@@ -356,7 +356,7 @@ 
    IstioIngressListener
    
 traffic should be forwarded to. This configuration can be used to
 redirect traffic arriving at the bind point on the sidecar to a port
 or Unix domain socket where the application workload is listening for
-connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
    
+connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
    
 
 
 
diff --git a/networking/v1alpha3/sidecar.proto b/networking/v1alpha3/sidecar.proto
index e3a5be2545..3e05e714a2 100644
--- a/networking/v1alpha3/sidecar.proto
+++ b/networking/v1alpha3/sidecar.proto
@@ -103,7 +103,7 @@ import "networking/v1alpha3/gateway.proto";
 // resource in the prod-us1 namespace for all pods with labels "app:
 // productpage" belonging to the productpage.prod-us1 service. Assuming
 // that these pods are deployed without IPtable rules (i.e. the Istio init
-// container) and the proxy metadata ISTIO_META_INTERCEPTION_MODE is set to
+// container) and the proxy metadata `ISTIO_META_INTERCEPTION_MODE` is set to
 // NONE, the specification below allows such pods to receive HTTP traffic
 // on port 9080 and forward it to the application listening on
 // 127.0.0.1:8080. It also allows the application to communicate with a
@@ -165,7 +165,7 @@ import "networking/v1alpha3/gateway.proto";
 // traffic. The following Sidecar configuration allows the VM to expose a
 // listener on 172.16.1.32:80 (the VM's IP) for traffic arriving from the
 // 172.16.0.0/16 subnet. Note that in this scenario, the
-// ISTIO_META_INTERCEPTION_MODE metadata on the proxy in the VM should
+// `ISTIO_META_INTERCEPTION_MODE` metadata on the proxy in the VM should
 // contain "REDIRECT" or "TPROXY" as its value, implying that IP tables
 // based traffic capture is active.
 //
@@ -247,7 +247,7 @@ message IstioIngressListener {
   // traffic should be forwarded to. This configuration can be used to
   // redirect traffic arriving at the bind point on the sidecar to a port
   // or Unix domain socket where the application workload is listening for
-  // connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
+  // connections. Format should be 127.0.0.1:PORT or `unix:///path/to/socket`
   string default_endpoint = 4;
 }
 
@@ -287,7 +287,7 @@ message IstioEgressListener {
   // using a `ServiceEntry` or `VirtualService` configuration. Any
   // associated `DestinationRule` in the same namespace will also be used.
   //
-  // The `dnsName` should be specified using FQDN format, opionally including
+  // The `dnsName` should be specified using FQDN format, optionally including
   // a wildcard character in the left-most component (e.g., `prod/*.example.com`).
   // Set the `dnsName` to `*` to select all services from the specified namespace
   // (e.g.,`prod/*`). The `namespace` can also be set to `*` to select a particular
diff --git a/networking/v1alpha3/virtual_service.pb.go b/networking/v1alpha3/virtual_service.pb.go
index dc79fdf24e..e6f416e349 100644
--- a/networking/v1alpha3/virtual_service.pb.go
+++ b/networking/v1alpha3/virtual_service.pb.go
@@ -1998,9 +1998,8 @@ type HTTPRetry struct {
 	PerTryTimeout *types.Duration `protobuf:"bytes,2,opt,name=per_try_timeout,json=perTryTimeout,proto3" json:"per_try_timeout,omitempty"`
 	// Specifies the conditions under which retry takes place.
 	// One or more policies can be specified using a ‘,’ delimited list.
-	// The supported policies can be found in
-	// 
-	// and 
+	// See the [supported policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on)
+	// and [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.
 	RetryOn              string   `protobuf:"bytes,3,opt,name=retry_on,json=retryOn,proto3" json:"retry_on,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
@@ -2062,8 +2061,7 @@ func (m *HTTPRetry) GetRetryOn() string {
 }
 
 // Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
-// service. Refer to
-// 
+// service. Refer to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)
 // for further details about cross origin resource sharing. For example,
 // the following rule restricts cross origin requests to those originating
 // from example.com domain using HTTP POST/GET, and sets the
diff --git a/networking/v1alpha3/virtual_service.pb.html b/networking/v1alpha3/virtual_service.pb.html
index c55e804f1f..553bd484ee 100644
--- a/networking/v1alpha3/virtual_service.pb.html
+++ b/networking/v1alpha3/virtual_service.pb.html
@@ -95,8 +95,7 @@
 
    CorsPolicy
    
 
    
 
    Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
-service. Refer to
-https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+service. Refer to CORS
 for further details about cross origin resource sharing. For example,
 the following rule restricts cross origin requests to those originating
 from example.com domain using HTTP POST/GET, and sets the
@@ -829,9 +828,8 @@ 
    HTTPRetry
    
 
 
    Specifies the conditions under which retry takes place.
 One or more policies can be specified using a ‘,’ delimited list.
-The supported policies can be found in
-https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on
-and https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on
    
+See the supported policies
+and here for more details.
    
 
 
 
diff --git a/networking/v1alpha3/virtual_service.proto b/networking/v1alpha3/virtual_service.proto
index dadf6fe195..f69937399e 100644
--- a/networking/v1alpha3/virtual_service.proto
+++ b/networking/v1alpha3/virtual_service.proto
@@ -916,15 +916,13 @@ message HTTPRetry {
 
   // Specifies the conditions under which retry takes place.
   // One or more policies can be specified using a ‘,’ delimited list.
-  // The supported policies can be found in
-  // 
-  // and 
+  // See the [supported policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on)
+  // and [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.
   string retry_on = 3;
 }
 
 // Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
-// service. Refer to
-// 
+// service. Refer to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)
 // for further details about cross origin resource sharing. For example,
 // the following rule restricts cross origin requests to those originating
 // from example.com domain using HTTP POST/GET, and sets the
diff --git a/policy/v1beta1/cfg.pb.go b/policy/v1beta1/cfg.pb.go
index 1feea86699..5ddb5b7582 100644
--- a/policy/v1beta1/cfg.pb.go
+++ b/policy/v1beta1/cfg.pb.go
@@ -118,7 +118,7 @@ type AttributeManifest struct {
 	// Optional. The revision of this document. Assigned by server.
 	Revision string `protobuf:"bytes,1,opt,name=revision,proto3" json:"revision,omitempty"`
 	// Required. Name of the component producing these attributes. This can be
-	// the proxy (with the canonical name "istio-proxy") or the name of an
+	// the proxy (with the canonical name `istio-proxy`) or the name of an
 	// `attributes` kind adapter in Mixer.
 	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
 	// The set of attributes this Istio component will be responsible for producing at runtime.
@@ -131,9 +131,9 @@ type AttributeManifest struct {
 	// match the regular expression `[\.-]`.
 	//
 	// Attribute names must be unique within a single Istio deployment. The set of canonical
-	// attributes are described at https://istio.io/docs/reference/attribute-vocabulary.html.
+	// attributes are described at [here](https://istio.io/docs/reference/attribute-vocabulary.html).
 	// Attributes not in that list should be named with a component-specific suffix such as
-	// request.count-my.component.
+	// `request.count-my.component`.
 	Attributes map[string]*AttributeManifest_AttributeInfo `protobuf:"bytes,3,rep,name=attributes,proto3" json:"attributes,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 }
 
@@ -287,7 +287,7 @@ func (m *AttributeManifest_AttributeInfo) GetValueType() ValueType {
 // A Rule is a selector and a set of intentions to be executed when the
 // selector is `true`
 //
-// The following example instructs Mixer to invoke 'prometheus-handler' handler for all services and pass it the
+// The following example instructs Mixer to invoke `prometheus-handler` handler for all services and pass it the
 // instance constructed using the 'RequestCountByService' instance.
 //
 // ```yaml
diff --git a/policy/v1beta1/cfg.proto b/policy/v1beta1/cfg.proto
index a32277c9ee..5175e4acc9 100644
--- a/policy/v1beta1/cfg.proto
+++ b/policy/v1beta1/cfg.proto
@@ -29,7 +29,7 @@ message AttributeManifest {
   // Optional. The revision of this document. Assigned by server.
   string revision = 1;
   // Required. Name of the component producing these attributes. This can be
-  // the proxy (with the canonical name "istio-proxy") or the name of an
+  // the proxy (with the canonical name `istio-proxy`) or the name of an
   // `attributes` kind adapter in Mixer.
   string name = 2;
 
@@ -91,16 +91,16 @@ message AttributeManifest {
   // match the regular expression `[\.-]`.
   //
   // Attribute names must be unique within a single Istio deployment. The set of canonical
-  // attributes are described at https://istio.io/docs/reference/attribute-vocabulary.html.
+  // attributes are described at [here](https://istio.io/docs/reference/attribute-vocabulary.html).
   // Attributes not in that list should be named with a component-specific suffix such as
-  // request.count-my.component.
+  // `request.count-my.component`.
   map attributes = 3;
 }
 
 // A Rule is a selector and a set of intentions to be executed when the
 // selector is `true`
 //
-// The following example instructs Mixer to invoke 'prometheus-handler' handler for all services and pass it the
+// The following example instructs Mixer to invoke `prometheus-handler` handler for all services and pass it the
 // instance constructed using the 'RequestCountByService' instance.
 //
 // ```yaml
diff --git a/policy/v1beta1/istio.policy.v1beta1.pb.html b/policy/v1beta1/istio.policy.v1beta1.pb.html
index b5ad9f807d..147eda3f17 100644
--- a/policy/v1beta1/istio.policy.v1beta1.pb.html
+++ b/policy/v1beta1/istio.policy.v1beta1.pb.html
@@ -87,7 +87,7 @@ 
    AttributeManifest
    
 string
 
 
    Required. Name of the component producing these attributes. This can be
-the proxy (with the canonical name “istio-proxy”) or the name of an
+the proxy (with the canonical name istio-proxy) or the name of an
 attributes kind adapter in Mixer.
    
 
 
@@ -107,9 +107,9 @@ 
    AttributeManifest
    
 match the regular expression [\.-].
    
 
 
    Attribute names must be unique within a single Istio deployment. The set of canonical
-attributes are described at https://istio.io/docs/reference/attribute-vocabulary.html.
+attributes are described at here.
 Attributes not in that list should be named with a component-specific suffix such as
-request.count-my.component.
    
+request.count-my.component.
    
 
 
 
@@ -1082,7 +1082,7 @@ 
    Rule
    
 
    A Rule is a selector and a set of intentions to be executed when the
 selector is true
    
 
-
    The following example instructs Mixer to invoke ‘prometheus-handler’ handler for all services and pass it the
+
    The following example instructs Mixer to invoke prometheus-handler handler for all services and pass it the
 instance constructed using the ‘RequestCountByService’ instance.
    
 
 
    - match: match(destination.service.host, "*")
diff --git a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html
index edc324f0e8..ed19826593 100644
--- a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html
+++ b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html
@@ -173,11 +173,11 @@ 
    RbacConfig
    
 
    
 
    RbacConfig defines the global config to control Istio RBAC behavior.
 This Custom Resource is a singleton where only one Custom Resource should be created globally in
-the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
-Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any
+the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
+Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any
 existing one, the user should either delete the existing one or change the existing one directly.
    
 
-
    Below is an example of RbacConfig object “istio-rbac-config” which enables Istio RBAC for all
+
    Below is an example of an RbacConfig resource called istio-rbac-config which enables Istio RBAC for all
 services in the default namespace.
    
 
 
    apiVersion: "rbac.istio.io/v1alpha1"
diff --git a/rbac/v1alpha1/rbac.pb.go b/rbac/v1alpha1/rbac.pb.go
index 297f24ca19..dc346f1214 100644
--- a/rbac/v1alpha1/rbac.pb.go
+++ b/rbac/v1alpha1/rbac.pb.go
@@ -836,11 +836,11 @@ func (m *RoleRef) GetName() string {
 
 // RbacConfig defines the global config to control Istio RBAC behavior.
 // This Custom Resource is a singleton where only one Custom Resource should be created globally in
-// the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
-// Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any
+// the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`.
+// Note: This is enforced in both `istioctl` and server side, new Custom Resource will be rejected if found any
 // existing one, the user should either delete the existing one or change the existing one directly.
 //
-// Below is an example of RbacConfig object "istio-rbac-config" which enables Istio RBAC for all
+// Below is an example of an `RbacConfig` resource called `istio-rbac-config` which enables Istio RBAC for all
 // services in the default namespace.
 //
 // ```yaml
diff --git a/rbac/v1alpha1/rbac.proto b/rbac/v1alpha1/rbac.proto
index 85ea2a666f..a5a30608ec 100644
--- a/rbac/v1alpha1/rbac.proto
+++ b/rbac/v1alpha1/rbac.proto
@@ -296,11 +296,11 @@ message RoleRef {
 
 // RbacConfig defines the global config to control Istio RBAC behavior.
 // This Custom Resource is a singleton where only one Custom Resource should be created globally in
-// the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
-// Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any
+// the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`.
+// Note: This is enforced in both `istioctl` and server side, new Custom Resource will be rejected if found any
 // existing one, the user should either delete the existing one or change the existing one directly.
 //
-// Below is an example of RbacConfig object "istio-rbac-config" which enables Istio RBAC for all
+// Below is an example of an `RbacConfig` resource called `istio-rbac-config` which enables Istio RBAC for all
 // services in the default namespace.
 //
 // ```yaml
@@ -355,7 +355,7 @@ message RbacConfig {
 
   // $hide_from_docs
   // Indicates enforcement mode of the RbacConfig, in ENFORCED mode by default.
-  // It's used to verify new RbacConfig work as expected before rolling to production. 
+  // It's used to verify new RbacConfig work as expected before rolling to production.
   // When setting as PERMISSIVE, RBAC isn't enforced and has no impact on users.
   // RBAC engine run RbacConfig in PERMISSIVE mode and logs stats.
   // Invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode.