diff --git a/content/docs/deploy/k8s/reference.md b/content/docs/deploy/k8s/reference.md
index f0592e946..c2fe41974 100644
--- a/content/docs/deploy/k8s/reference.md
+++ b/content/docs/deploy/k8s/reference.md
@@ -50,7 +50,8 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
                 </p>
                 <p>
                     
-                    Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used.
+                    Authenticate sets authenticate service parameters.
+If not specified, a Pomerium-hosted authenticate service would be used.
                 </p>
                 
             </td>
@@ -135,7 +136,8 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
                 </p>
                 <p>
                     
-                    IdentityProvider configure single-sign-on authentication and user identity details by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
+                    IdentityProvider configure single-sign-on authentication and user identity details
+by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
                 </p>
                 
             </td>
@@ -151,7 +153,11 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
                 </p>
                 <p>
                     
-                    JWTClaimHeaders convert claims from the assertion token into HTTP headers and adds them into JWT assertion header. Please make sure to read <a href="https://www.pomerium.com/docs/topics/getting-users-identity"> Getting User Identity</a> guide.
+                    JWTClaimHeaders convert claims from the assertion token
+into HTTP headers and adds them into JWT assertion header.
+Please make sure to read
+<a href="https://www.pomerium.com/docs/topics/getting-users-identity">
+Getting User Identity</a> guide.
                 </p>
                 
             </td>
@@ -183,7 +189,8 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
                 </p>
                 <p>
                     
-                    ProgrammaticRedirectDomains specifies a list of domains that can be used for <a href="https://www.pomerium.com/docs/capabilities/programmatic-access">programmatic redirects</a>.
+                    ProgrammaticRedirectDomains specifies a list of domains that can be used for
+<a href="https://www.pomerium.com/docs/capabilities/programmatic-access">programmatic redirects</a>.
                 </p>
                 
             </td>
@@ -200,8 +207,31 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
                 </p>
                 <p>
                     <strong>Required.</strong>&#160;
-                    Secrets references a Secret with Pomerium bootstrap parameters. 
- <p> <ul> <li><a href="https://pomerium.com/docs/reference/shared-secret"><code>shared_secret</code></a> - secures inter-Pomerium service communications. </li> <li><a href="https://pomerium.com/docs/reference/cookie-secret"><code>cookie_secret</code></a> - encrypts Pomerium session browser cookie. See also other <a href="#cookie">Cookie</a> parameters. </li> <li><a href="https://pomerium.com/docs/reference/signing-key"><code>signing_key</code></a> signs Pomerium JWT assertion header. See <a href="https://www.pomerium.com/docs/topics/getting-users-identity">Getting the user's identity</a> guide. </li> </ul> </p> <p> In a default Pomerium installation manifest, they would be generated via a <a href="https://github.com/pomerium/ingress-controller/blob/main/config/gen_secrets/job.yaml">one-time job</a> and stored in a <code>pomerium/bootstrap</code> Secret. You may re-run the job to rotate the secrets, or update the Secret values manually. </p>
+                    Secrets references a Secret with Pomerium bootstrap parameters.
+
+
+<p>
+<ul>
+	<li><a href="https://pomerium.com/docs/reference/shared-secret"><code>shared_secret</code></a>
+		- secures inter-Pomerium service communications.
+	</li>
+	<li><a href="https://pomerium.com/docs/reference/cookie-secret"><code>cookie_secret</code></a>
+		- encrypts Pomerium session browser cookie.
+		See also other <a href="#cookie">Cookie</a> parameters.
+	</li>
+	<li><a href="https://pomerium.com/docs/reference/signing-key"><code>signing_key</code></a>
+		signs Pomerium JWT assertion header. See
+		<a href="https://www.pomerium.com/docs/topics/getting-users-identity">Getting the user's identity</a>
+		guide.
+	</li>
+</ul>
+</p>
+<p>
+In a default Pomerium installation manifest, they would be generated via a
+<a href="https://github.com/pomerium/ingress-controller/blob/main/config/gen_secrets/job.yaml">one-time job</a>
+and stored in a <code>pomerium/bootstrap</code> Secret.
+You may re-run the job to rotate the secrets, or update the Secret values manually.
+</p>
                 </p>
                 
                     Format: reference to Kubernetes resource with namespace prefix: <code>namespace/name</code> format.
@@ -219,7 +249,8 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
                 </p>
                 <p>
                     
-                    SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service. See <a href="https://www.pomerium.com/docs/reference/set-response-headers">Set Response Headers</a>
+                    SetResponseHeaders specifies a mapping of HTTP Header to be added globally to all managed routes and pomerium's authenticate service.
+See <a href="https://www.pomerium.com/docs/reference/set-response-headers">Set Response Headers</a>
                 </p>
                 
             </td>
@@ -236,7 +267,9 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
                 </p>
                 <p>
                     
-                    Storage defines persistent storage for sessions and other data. See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
+                    Storage defines persistent storage for sessions and other data.
+See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details.
+If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
                 </p>
                 
             </td>
@@ -282,7 +315,8 @@ PomeriumSpec defines Pomerium-specific configuration parameters.
 
 ### `authenticate`
 
-Authenticate sets authenticate service parameters. If not specified, a Pomerium-hosted authenticate service would be used.
+Authenticate sets authenticate service parameters.
+If not specified, a Pomerium-hosted authenticate service would be used.
 
 <table>
     <thead>
@@ -299,8 +333,12 @@ Authenticate sets authenticate service parameters. If not specified, a Pomerium-
                 </p>
                 <p>
                     
-                    CallbackPath sets the path at which the authenticate service receives callback responses from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client. 
- <p>This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.</p> <p>Defaults to <code>/oauth2/callback</code></p>
+                    CallbackPath sets the path at which the authenticate service receives callback responses
+from your identity provider. The value must exactly match one of the authorized redirect URIs for the OAuth 2.0 client.
+
+
+<p>This value is referred to as the redirect_url in the OpenIDConnect and OAuth2 specs.</p>
+<p>Defaults to <code>/oauth2/callback</code></p>
                 </p>
                 
             </td>
@@ -317,8 +355,18 @@ Authenticate sets authenticate service parameters. If not specified, a Pomerium-
                 </p>
                 <p>
                     <strong>Required.</strong>&#160;
-                    AuthenticateURL is a dedicated domain URL the non-authenticated persons would be referred to. 
- <p><ul> <li>You do not need to create a dedicated <code>Ingress</code> for this virtual route, as it is handled by Pomerium internally. </li> <li>You do need create a secret with corresponding TLS certificate for this route and reference it via <a href="#prop-certificates"><code>certificates</code></a>. If you use <code>cert-manager</code> with <code>HTTP01</code> challenge, you may use <code>pomerium</code> <code>ingressClass</code> to solve it.</li> </ul></p>
+                    AuthenticateURL is a dedicated domain URL
+the non-authenticated persons would be referred to.
+
+
+<p><ul>
+ <li>You do not need to create a dedicated <code>Ingress</code> for this
+		virtual route, as it is handled by Pomerium internally. </li>
+	<li>You do need create a secret with corresponding TLS certificate for this route
+		and reference it via <a href="#prop-certificates"><code>certificates</code></a>.
+		If you use <code>cert-manager</code> with <code>HTTP01</code> challenge,
+		you may use <code>pomerium</code> <code>ingressClass</code> to solve it.</li>
+</ul></p>
                 </p>
                 
                     Format: an URI as parsed by Golang net/url.ParseRequestURI.
@@ -350,7 +398,8 @@ Cookie defines Pomerium session cookie options.
                 </p>
                 <p>
                     
-                    Domain defaults to the same host that set the cookie. If you specify the domain explicitly, then subdomains would also be included.
+                    Domain defaults to the same host that set the cookie.
+If you specify the domain explicitly, then subdomains would also be included.
                 </p>
                 
             </td>
@@ -367,7 +416,12 @@ Cookie defines Pomerium session cookie options.
                 </p>
                 <p>
                     
-                    Expire sets cookie and Pomerium session expiration time. Once session expires, users would have to re-login. If you change this parameter, existing sessions are not affected. <p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a> (Enterprise) for a more fine-grained session controls.</p> <p>Defaults to 14 hours.</p>
+                    Expire sets cookie and Pomerium session expiration time.
+Once session expires, users would have to re-login.
+If you change this parameter, existing sessions are not affected.
+<p>See <a href="https://www.pomerium.com/docs/enterprise/about#session-management">Session Management</a>
+(Enterprise) for a more fine-grained session controls.</p>
+<p>Defaults to 14 hours.</p>
                 </p>
                 
                     Format: a duration string like "22s" as parsed by Golang time.ParseDuration.
@@ -385,7 +439,8 @@ Cookie defines Pomerium session cookie options.
                 </p>
                 <p>
                     
-                    HTTPOnly if set to <code>false</code>, the cookie would be accessible from within the JavaScript. Defaults to <code>true</code>.
+                    HTTPOnly if set to <code>false</code>, the cookie would be accessible from within the JavaScript.
+Defaults to <code>true</code>.
                 </p>
                 
             </td>
@@ -401,7 +456,8 @@ Cookie defines Pomerium session cookie options.
                 </p>
                 <p>
                     
-                    Name sets the Pomerium session cookie name. Defaults to <code>_pomerium</code>
+                    Name sets the Pomerium session cookie name.
+Defaults to <code>_pomerium</code>
                 </p>
                 
             </td>
@@ -417,7 +473,8 @@ Cookie defines Pomerium session cookie options.
                 </p>
                 <p>
                     
-                    SameSite sets the SameSite option for cookies. Defaults to <code></code>.
+                    SameSite sets the SameSite option for cookies.
+Defaults to <code></code>.
                 </p>
                 
             </td>
@@ -430,7 +487,8 @@ Cookie defines Pomerium session cookie options.
 
 ### `identityProvider`
 
-IdentityProvider configure single-sign-on authentication and user identity details by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
+IdentityProvider configure single-sign-on authentication and user identity details
+by integrating with your <a href="https://www.pomerium.com/docs/identity-providers/">Identity Provider</a>
 
 <table>
     <thead>
@@ -447,7 +505,8 @@ IdentityProvider configure single-sign-on authentication and user identity detai
                 </p>
                 <p>
                     <strong>Required.</strong>&#160;
-                    Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication. To use a generic provider, set to <code>oidc</code>.
+                    Provider is the short-hand name of a built-in OpenID Connect (oidc) identity provider to be used for authentication.
+To use a generic provider, set to <code>oidc</code>.
                 </p>
                 
             </td>
@@ -464,7 +523,8 @@ IdentityProvider configure single-sign-on authentication and user identity detai
                 </p>
                 <p>
                     
-                    RefreshDirectory is no longer supported, please see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
+                    RefreshDirectory is no longer supported,
+please see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
                 </p>
                 
             </td>
@@ -515,7 +575,8 @@ IdentityProvider configure single-sign-on authentication and user identity detai
                 </p>
                 <p>
                     
-                    Scopes Identity provider scopes correspond to access privilege scopes as defined in Section 3.3 of OAuth 2.0 RFC6749.
+                    Scopes Identity provider scopes correspond to access privilege scopes
+as defined in Section 3.3 of OAuth 2.0 RFC6749.
                 </p>
                 
             </td>
@@ -532,7 +593,8 @@ IdentityProvider configure single-sign-on authentication and user identity detai
                 </p>
                 <p>
                     <strong>Required.</strong>&#160;
-                    Secret containing IdP provider specific parameters. and must contain at least <code>client_id</code> and <code>client_secret</code> values.
+                    Secret containing IdP provider specific parameters.
+and must contain at least <code>client_id</code> and <code>client_secret</code> values.
                 </p>
                 
                     Format: reference to Kubernetes resource with namespace prefix: <code>namespace/name</code> format.
@@ -550,7 +612,8 @@ IdentityProvider configure single-sign-on authentication and user identity detai
                 </p>
                 <p>
                     
-                    ServiceAccountFromSecret is no longer supported, see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
+                    ServiceAccountFromSecret is no longer supported,
+see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
                 </p>
                 
             </td>
@@ -567,7 +630,8 @@ IdentityProvider configure single-sign-on authentication and user identity detai
                 </p>
                 <p>
                     
-                    URL is the base path to an identity provider's OpenID connect discovery document. See <a href="https://pomerium.com/docs/identity-providers">Identity Providers</a> guides for details.
+                    URL is the base path to an identity provider's OpenID connect discovery document.
+See <a href="https://pomerium.com/docs/identity-providers">Identity Providers</a> guides for details.
                 </p>
                 
                     Format: an URI as parsed by Golang net/url.ParseRequestURI.
@@ -600,7 +664,8 @@ Postgres specifies PostgreSQL database connection parameters
                 </p>
                 <p>
                     
-                    CASecret should refer to a k8s secret with key <code>ca.crt</code> containing CA certificate that, if specified, would be used to populate <code>sslrootcert</code> parameter of the connection string.
+                    CASecret should refer to a k8s secret with key <code>ca.crt</code> containing CA certificate
+that, if specified, would be used to populate <code>sslrootcert</code> parameter of the connection string.
                 </p>
                 
                     Format: reference to Kubernetes resource with namespace prefix: <code>namespace/name</code> format.
@@ -619,7 +684,11 @@ Postgres specifies PostgreSQL database connection parameters
                 </p>
                 <p>
                     <strong>Required.</strong>&#160;
-                    Secret specifies a name of a Secret that must contain <code>connection</code> key. See <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">DSN Format and Parameters</a>. Do not set <code>sslrootcert</code>, <code>sslcert</code> and <code>sslkey</code> via connection string, use <code>tlsSecret</code> and <code>caSecret</code> CRD options instead.
+                    Secret specifies a name of a Secret that must contain
+<code>connection</code> key. See
+<a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING">DSN Format and Parameters</a>.
+Do not set <code>sslrootcert</code>, <code>sslcert</code> and <code>sslkey</code> via connection string,
+use <code>tlsSecret</code> and <code>caSecret</code> CRD options instead.
                 </p>
                 
                     Format: reference to Kubernetes resource with namespace prefix: <code>namespace/name</code> format.
@@ -638,7 +707,11 @@ Postgres specifies PostgreSQL database connection parameters
                 </p>
                 <p>
                     
-                    TLSSecret should refer to a k8s secret of type <code>kubernetes.io/tls</code> and allows to specify an optional client certificate and key, by constructing <code>sslcert</code> and <code>sslkey</code> connection string <a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS"> parameter values</a>.
+                    TLSSecret should refer to a k8s secret of type <code>kubernetes.io/tls</code>
+and allows to specify an optional client certificate and key,
+by constructing <code>sslcert</code> and <code>sslkey</code> connection string
+<a href="https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS">
+parameter values</a>.
                 </p>
                 
                     Format: reference to Kubernetes resource with namespace prefix: <code>namespace/name</code> format.
@@ -653,7 +726,8 @@ Postgres specifies PostgreSQL database connection parameters
 
 ### `refreshDirectory`
 
-RefreshDirectory is no longer supported, please see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
+RefreshDirectory is no longer supported,
+please see <a href="https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync">Upgrade Guide</a>.
 
 <table>
     <thead>
@@ -705,7 +779,9 @@ RefreshDirectory is no longer supported, please see <a href="https://docs.pomeri
 
 ### `storage`
 
-Storage defines persistent storage for sessions and other data. See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
+Storage defines persistent storage for sessions and other data.
+See <a href="https://www.pomerium.com/docs/topics/data-storage">Storage</a> for details.
+If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production).
 
 <table>
     <thead>
@@ -792,7 +868,9 @@ Timeout specifies the <a href="https://www.pomerium.com/docs/reference/global-ti
                 </p>
                 <p>
                     
-                    Write specifies max stream duration is the maximum time that a stream’s lifetime will span. An HTTP request/response exchange fully consumes a single stream. Therefore, this value must be greater than read_timeout as it covers both request and response time.
+                    Write specifies max stream duration is the maximum time that a stream’s lifetime will span.
+An HTTP request/response exchange fully consumes a single stream.
+Therefore, this value must be greater than read_timeout as it covers both request and response time.
                 </p>
                 
                     Format: a duration string like "22s" as parsed by Golang time.ParseDuration.
@@ -855,7 +933,8 @@ PomeriumStatus represents configuration and Ingress status.
 
 ### `ingress`
 
-ResourceStatus represents the outcome of the latest attempt to reconcile relevant Kubernetes resource with Pomerium.
+ResourceStatus represents the outcome of the latest attempt to reconcile
+relevant Kubernetes resource with Pomerium.
 
 <table>
     <thead>
