From a6b42dfa8a0c615502127f4353d4153c8ffb4602 Mon Sep 17 00:00:00 2001
From: Peter Jausovec <peterj@users.noreply.github.com>
Date: Thu, 4 Jan 2024 22:29:58 -0800
Subject: [PATCH] docs: fix rendering of links and code snippets (#3036)

Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
---
 mesh/v1alpha1/config.pb.go                    | 48 ++++++++------
 mesh/v1alpha1/config.proto                    | 48 ++++++++------
 mesh/v1alpha1/istio.mesh.v1alpha1.pb.html     | 62 ++++++++++---------
 mesh/v1alpha1/proxy.pb.go                     |  2 +-
 mesh/v1alpha1/proxy.proto                     |  2 +-
 .../v1alpha1/istio.operator.v1alpha1.pb.html  |  2 +-
 operator/v1alpha1/operator.pb.go              |  2 +-
 operator/v1alpha1/operator.proto              |  2 +-
 8 files changed, 95 insertions(+), 73 deletions(-)

diff --git a/mesh/v1alpha1/config.pb.go b/mesh/v1alpha1/config.pb.go
index 9075ccefdf9..b7e8fa95fc8 100644
--- a/mesh/v1alpha1/config.pb.go
+++ b/mesh/v1alpha1/config.pb.go
@@ -833,7 +833,7 @@ type MeshConfig struct {
 	//   - spark
 	//
 	// ```
-	// Refer to the [kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+	// Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
 	// for additional detail on selector semantics.
 	DiscoverySelectors []*v1.LabelSelector `protobuf:"bytes,59,rep,name=discovery_selectors,json=discoverySelectors,proto3" json:"discovery_selectors,omitempty"`
 	// ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
@@ -857,6 +857,7 @@ type MeshConfig struct {
 	DefaultHttpRetryPolicy *v1alpha3.HTTPRetry `protobuf:"bytes,62,opt,name=default_http_retry_policy,json=defaultHttpRetryPolicy,proto3" json:"default_http_retry_policy,omitempty"`
 	// The below configuration parameters can be used to specify TLSConfig for mesh traffic.
 	// For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:
+	// ```yaml
 	// meshConfig:
 	//
 	//	meshMTLS:
@@ -867,7 +868,9 @@ type MeshConfig struct {
 	//	    - P-256
 	//	    - P-512
 	//
+	// ```
 	// Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.
+	//
 	// Note: Mesh mTLS does not respect ECDH curves.
 	MeshMTLS *MeshConfig_TLSConfig `protobuf:"bytes,63,opt,name=mesh_mTLS,json=meshMTLS,proto3" json:"mesh_mTLS,omitempty"`
 	// Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
@@ -2107,18 +2110,19 @@ type MeshConfig_TLSConfig struct {
 	// is TLS 1.3.
 	MinProtocolVersion MeshConfig_TLSConfig_TLSProtocol `protobuf:"varint,1,opt,name=min_protocol_version,json=minProtocolVersion,proto3,enum=istio.mesh.v1alpha1.MeshConfig_TLSConfig_TLSProtocol" json:"min_protocol_version,omitempty"`
 	// Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
-	// If not specified, the default curves enforced by envoy will be used. For details about the default curves, refer to
-	// [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto)
+	// If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
+	// [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
 	EcdhCurves []string `protobuf:"bytes,2,rep,name=ecdh_curves,json=ecdhCurves,proto3" json:"ecdh_curves,omitempty"`
 	// Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
 	// If not specified, the following cipher suites will be used:
-	//
-	//		ECDHE-ECDSA-AES256-GCM-SHA384
-	//	 ECDHE-RSA-AES256-GCM-SHA384
-	//	 ECDHE-ECDSA-AES128-GCM-SHA256
-	//	 ECDHE-RSA-AES128-GCM-SHA256
-	//	 AES256-GCM-SHA384
-	//	 AES128-GCM-SHA256
+	// ```
+	// ECDHE-ECDSA-AES256-GCM-SHA384
+	// ECDHE-RSA-AES256-GCM-SHA384
+	// ECDHE-ECDSA-AES128-GCM-SHA256
+	// ECDHE-RSA-AES128-GCM-SHA256
+	// AES256-GCM-SHA384
+	// AES128-GCM-SHA256
+	// ```
 	CipherSuites []string `protobuf:"bytes,3,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
 }
 
@@ -2257,8 +2261,8 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationRequestBody struct {
 	// indicating if the body data is partial.
 	AllowPartialMessage bool `protobuf:"varint,2,opt,name=allow_partial_message,json=allowPartialMessage,proto3" json:"allow_partial_message,omitempty"`
 	// If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
-	// in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
-	// Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
+	// in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
+	// Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
 	// This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.
 	PackAsBytes bool `protobuf:"varint,3,opt,name=pack_as_bytes,json=packAsBytes,proto3" json:"pack_as_bytes,omitempty"`
 }
@@ -2354,8 +2358,9 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct
 	// request can include the buffered client request body (controlled by include_request_body_in_check setting),
 	// consequently the value of Content-Length of the authorization request reflects the size of its payload size.
 	//
-	// Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-	// https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+	// Exact, prefix and suffix matches are supported (similar to the
+	// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+	// except the presence match):
 	// - Exact match: "abc" will match on value "abc".
 	// - Prefix match: "abc*" will match on value "abc" and "abcd".
 	// - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -2371,8 +2376,9 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct
 	// If not specified, the original request will not be modified and forwarded to backend as-is.
 	// Note, any existing headers will be overridden.
 	//
-	// Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-	// https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+	// Exact, prefix and suffix matches are supported (similar to the
+	// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+	// except the presence match):
 	// - Exact match: "abc" will match on value "abc".
 	// - Prefix match: "abc*" will match on value "abc" and "abcd".
 	// - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -2385,8 +2391,9 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct
 	// automatically added.
 	// Note, the body from the authorization service is always included in the response to downstream.
 	//
-	// Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-	// https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+	// Exact, prefix and suffix matches are supported (similar to the
+	// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+	// except the presence match):
 	// - Exact match: "abc" will match on value "abc".
 	// - Prefix match: "abc*" will match on value "abc" and "abcd".
 	// - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -2396,8 +2403,9 @@ type MeshConfig_ExtensionProvider_EnvoyExternalAuthorizationHttpProvider struct
 	// If not specified, the original response will not be modified and forwarded to downstream as-is.
 	// Note, any existing headers will be overridden.
 	//
-	// Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-	// https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+	// Exact, prefix and suffix matches are supported (similar to the
+	// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+	// except the presence match):
 	// - Exact match: "abc" will match on value "abc".
 	// - Prefix match: "abc*" will match on value "abc" and "abcd".
 	// - Suffix match: "*abc" will match on value "abc" and "xabc".
diff --git a/mesh/v1alpha1/config.proto b/mesh/v1alpha1/config.proto
index 3bd7b876de0..d36d5a23aba 100644
--- a/mesh/v1alpha1/config.proto
+++ b/mesh/v1alpha1/config.proto
@@ -546,8 +546,8 @@ message MeshConfig {
       bool allow_partial_message = 2;
 
       // If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
-      // in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
-      // Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
+      // in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
+      // Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
       // This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.
       bool pack_as_bytes = 3;
     }
@@ -593,8 +593,9 @@ message MeshConfig {
       // request can include the buffered client request body (controlled by include_request_body_in_check setting),
       // consequently the value of Content-Length of the authorization request reflects the size of its payload size.
       //
-      // Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-      // https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+      // Exact, prefix and suffix matches are supported (similar to the
+      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+      // except the presence match):
       // - Exact match: "abc" will match on value "abc".
       // - Prefix match: "abc*" will match on value "abc" and "abcd".
       // - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -613,8 +614,9 @@ message MeshConfig {
       // If not specified, the original request will not be modified and forwarded to backend as-is.
       // Note, any existing headers will be overridden.
       //
-      // Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-      // https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+      // Exact, prefix and suffix matches are supported (similar to the
+      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+      // except the presence match):
       // - Exact match: "abc" will match on value "abc".
       // - Prefix match: "abc*" will match on value "abc" and "abcd".
       // - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -628,8 +630,9 @@ message MeshConfig {
       // automatically added.
       // Note, the body from the authorization service is always included in the response to downstream.
       //
-      // Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-      // https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+      // Exact, prefix and suffix matches are supported (similar to the
+      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+      // except the presence match):
       // - Exact match: "abc" will match on value "abc".
       // - Prefix match: "abc*" will match on value "abc" and "abcd".
       // - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -640,8 +643,9 @@ message MeshConfig {
       // If not specified, the original response will not be modified and forwarded to downstream as-is.
       // Note, any existing headers will be overridden.
       //
-      // Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-      // https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
+      // Exact, prefix and suffix matches are supported (similar to the
+      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
+      // except the presence match):
       // - Exact match: "abc" will match on value "abc".
       // - Prefix match: "abc*" will match on value "abc" and "abcd".
       // - Suffix match: "*abc" will match on value "abc" and "xabc".
@@ -1069,7 +1073,7 @@ message MeshConfig {
   //         - cassandra
   //         - spark
   // ```
-  // Refer to the [kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
+  // Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
   // for additional detail on selector semantics.
   repeated k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector discovery_selectors = 59;
 
@@ -1139,23 +1143,26 @@ message MeshConfig {
     TLSProtocol min_protocol_version = 1;
     //
     // Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
-    // If not specified, the default curves enforced by envoy will be used. For details about the default curves, refer to
-    // [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto)
+    // If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
+    // [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
     repeated string ecdh_curves = 2;
     //
     // Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
     // If not specified, the following cipher suites will be used:
-    // 	ECDHE-ECDSA-AES256-GCM-SHA384
-    //  ECDHE-RSA-AES256-GCM-SHA384
-    //  ECDHE-ECDSA-AES128-GCM-SHA256
-    //  ECDHE-RSA-AES128-GCM-SHA256
-    //  AES256-GCM-SHA384
-    //  AES128-GCM-SHA256
+    // ```
+    // ECDHE-ECDSA-AES256-GCM-SHA384
+    // ECDHE-RSA-AES256-GCM-SHA384
+    // ECDHE-ECDSA-AES128-GCM-SHA256
+    // ECDHE-RSA-AES128-GCM-SHA256
+    // AES256-GCM-SHA384
+    // AES128-GCM-SHA256
+    // ```
     repeated string cipher_suites = 3;
   }
 
   // The below configuration parameters can be used to specify TLSConfig for mesh traffic.
   // For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:
+  // ```yaml
   // meshConfig:
   //   meshMTLS:
   //     minProtocolVersion: TLSV1_3
@@ -1164,8 +1171,9 @@ message MeshConfig {
   //     ecdhCurves:
   //       - P-256
   //       - P-512
-  //
+  // ```
   // Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.
+  //
   // Note: Mesh mTLS does not respect ECDH curves.
   TLSConfig mesh_mTLS = 63;
   //
diff --git a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
index 4e1615cc461..1dd9f3f415a 100644
--- a/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
+++ b/mesh/v1alpha1/istio.mesh.v1alpha1.pb.html
@@ -560,7 +560,7 @@ <h2 id="MeshConfig">MeshConfig</h2>
         - cassandra
         - spark
 </code></pre>
-<p>Refer to the <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors">kubernetes selector docs</a>
+<p>Refer to the <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors">Kubernetes selector docs</a>
 for additional detail on selector semantics.</p>
 
 </td>
@@ -608,17 +608,18 @@ <h2 id="MeshConfig">MeshConfig</h2>
 <td><code><a href="#MeshConfig-TLSConfig">TLSConfig</a></code></td>
 <td>
 <p>The below configuration parameters can be used to specify TLSConfig for mesh traffic.
-For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:
-meshConfig:
-meshMTLS:
-minProtocolVersion: TLSV1_3
-tlsDefaults:
-Note: applicable only for non ISTIO_MUTUAL scenarios
-ecdhCurves:
-- P-256
-- P-512</p>
-<p>Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.
-Note: Mesh mTLS does not respect ECDH curves.</p>
+For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:</p>
+<pre><code class="language-yaml">meshConfig:
+  meshMTLS:
+    minProtocolVersion: TLSV1_3
+  tlsDefaults:
+    Note: applicable only for non ISTIO_MUTUAL scenarios
+    ecdhCurves:
+      - P-256
+      - P-512
+</code></pre>
+<p>Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.</p>
+<p>Note: Mesh mTLS does not respect ECDH curves.</p>
 
 </td>
 <td>
@@ -1134,8 +1135,8 @@ <h2 id="MeshConfig-TLSConfig">MeshConfig.TLSConfig</h2>
 <td><code>string[]</code></td>
 <td>
 <p>Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
-If not specified, the default curves enforced by envoy will be used. For details about the default curves, refer to
-<a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">Ecdh Curves</a></p>
+If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
+<a href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto">Ecdh Curves</a>.</p>
 
 </td>
 <td>
@@ -1147,13 +1148,14 @@ <h2 id="MeshConfig-TLSConfig">MeshConfig.TLSConfig</h2>
 <td><code>string[]</code></td>
 <td>
 <p>Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
-If not specified, the following cipher suites will be used:
-ECDHE-ECDSA-AES256-GCM-SHA384
+If not specified, the following cipher suites will be used:</p>
+<pre><code>ECDHE-ECDSA-AES256-GCM-SHA384
 ECDHE-RSA-AES256-GCM-SHA384
 ECDHE-ECDSA-AES128-GCM-SHA256
 ECDHE-RSA-AES128-GCM-SHA256
 AES256-GCM-SHA384
-AES128-GCM-SHA256</p>
+AES128-GCM-SHA256
+</code></pre>
 
 </td>
 <td>
@@ -1252,8 +1254,8 @@ <h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationRequestBody">Mesh
 <td><code>bool</code></td>
 <td>
 <p>If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
-in the raw_body field (<a href="https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153)">https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153)</a>.
-Otherwise, it will be filled with UTF-8 string in the body field (<a href="https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147)">https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147)</a>.
+in the <a href="https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153">raw_body field</a>.
+Otherwise, it will be filled with UTF-8 string in the <a href="https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147">body field</a>.
 This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.</p>
 
 </td>
@@ -1376,8 +1378,9 @@ <h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider">Mes
 request can include the buffered client request body (controlled by include_request_body_in_check setting),
 consequently the value of Content-Length of the authorization request reflects the size of its payload size.</li>
 </ol>
-<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
+<p>Exact, prefix and suffix matches are supported (similar to the
+<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule">authorization policy rule syntax</a>
+except the presence match):</p>
 <ul>
 <li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
 <li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
@@ -1421,8 +1424,9 @@ <h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider">Mes
 forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
 If not specified, the original request will not be modified and forwarded to backend as-is.
 Note, any existing headers will be overridden.</p>
-<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
+<p>Exact, prefix and suffix matches are supported (similar to the
+<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule">authorization policy rule syntax</a>
+except the presence match):</p>
 <ul>
 <li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
 <li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
@@ -1445,8 +1449,9 @@ <h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider">Mes
 When a header is included in this list, <em>Path</em>, <em>Status</em>, <em>Content-Length</em>, <em>WWWAuthenticate</em> and <em>Location</em> are
 automatically added.
 Note, the body from the authorization service is always included in the response to downstream.</p>
-<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
+<p>Exact, prefix and suffix matches are supported (similar to the
+<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule">authorization policy rule syntax</a>
+except the presence match):</p>
 <ul>
 <li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
 <li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
@@ -1466,8 +1471,9 @@ <h2 id="MeshConfig-ExtensionProvider-EnvoyExternalAuthorizationHttpProvider">Mes
 check result is allowed (HTTP code 200).
 If not specified, the original response will not be modified and forwarded to downstream as-is.
 Note, any existing headers will be overridden.</p>
-<p>Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)">https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)</a>:</p>
+<p>Exact, prefix and suffix matches are supported (similar to the
+<a href="https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule">authorization policy rule syntax</a>
+except the presence match):</p>
 <ul>
 <li>Exact match: &ldquo;abc&rdquo; will match on value &ldquo;abc&rdquo;.</li>
 <li>Prefix match: &ldquo;abc*&rdquo; will match on value &ldquo;abc&rdquo; and &ldquo;abcd&rdquo;.</li>
@@ -2590,7 +2596,7 @@ <h2 id="Topology">Topology</h2>
 X-Envoy-External-Address header to the trusted client address before
 forwarding it to the upstream services in the cluster.
 The default value of num_trusted_proxies is 0.
-See [Envoy XFF] (<a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for">https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for</a>)
+See <a href="https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for">Envoy XFF</a>
 header handling for more details.</p>
 
 </td>
diff --git a/mesh/v1alpha1/proxy.pb.go b/mesh/v1alpha1/proxy.pb.go
index 045305aa832..cb252578dcb 100644
--- a/mesh/v1alpha1/proxy.pb.go
+++ b/mesh/v1alpha1/proxy.pb.go
@@ -671,7 +671,7 @@ type Topology struct {
 	// X-Envoy-External-Address header to the trusted client address before
 	// forwarding it to the upstream services in the cluster.
 	// The default value of num_trusted_proxies is 0.
-	// See [Envoy XFF] (https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
+	// See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
 	// header handling for more details.
 	NumTrustedProxies uint32 `protobuf:"varint,1,opt,name=num_trusted_proxies,json=numTrustedProxies,proto3" json:"num_trusted_proxies,omitempty"`
 	// Configures how the gateway proxy handles x-forwarded-client-cert (XFCC)
diff --git a/mesh/v1alpha1/proxy.proto b/mesh/v1alpha1/proxy.proto
index 668082fd6bb..d93bb73ddea 100644
--- a/mesh/v1alpha1/proxy.proto
+++ b/mesh/v1alpha1/proxy.proto
@@ -255,7 +255,7 @@ message Topology {
   // X-Envoy-External-Address header to the trusted client address before
   // forwarding it to the upstream services in the cluster.
   // The default value of num_trusted_proxies is 0.
-  // See [Envoy XFF] (https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
+  // See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
   // header handling for more details.
   uint32 num_trusted_proxies = 1;
 
diff --git a/operator/v1alpha1/istio.operator.v1alpha1.pb.html b/operator/v1alpha1/istio.operator.v1alpha1.pb.html
index a18fe483f22..fe3d55a3d1e 100644
--- a/operator/v1alpha1/istio.operator.v1alpha1.pb.html
+++ b/operator/v1alpha1/istio.operator.v1alpha1.pb.html
@@ -641,7 +641,7 @@ <h2 id="GatewaySpec">GatewaySpec</h2>
 </section>
 <h2 id="KubernetesResourcesSpec">KubernetesResourcesSpec</h2>
 <section>
-<p>KubernetesResourcesConfig is a common set of Kubernetes resource configs for components.</p>
+<p>KubernetesResourcesSpec is a common set of Kubernetes resource configs for components.</p>
 
 <table class="message-fields">
 <thead>
diff --git a/operator/v1alpha1/operator.pb.go b/operator/v1alpha1/operator.pb.go
index 93aad5bde6b..c1e44d174c8 100644
--- a/operator/v1alpha1/operator.pb.go
+++ b/operator/v1alpha1/operator.pb.go
@@ -850,7 +850,7 @@ func (x *GatewaySpec) GetK8S() *KubernetesResourcesSpec {
 	return nil
 }
 
-// KubernetesResourcesConfig is a common set of Kubernetes resource configs for components.
+// KubernetesResourcesSpec is a common set of Kubernetes resource configs for components.
 type KubernetesResourcesSpec struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
diff --git a/operator/v1alpha1/operator.proto b/operator/v1alpha1/operator.proto
index 400457cff65..167ad5e2291 100644
--- a/operator/v1alpha1/operator.proto
+++ b/operator/v1alpha1/operator.proto
@@ -245,7 +245,7 @@ message GatewaySpec {
     KubernetesResourcesSpec k8s = 50;
 }
 
-// KubernetesResourcesConfig is a common set of Kubernetes resource configs for components.
+// KubernetesResourcesSpec is a common set of Kubernetes resource configs for components.
 message KubernetesResourcesSpec {
     // Kubernetes affinity.
     // [https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)