From 01734fd530a4a92280967e5d53eed1083a71ce82 Mon Sep 17 00:00:00 2001
From: R-Lawton <rlawton@redhat.com>
Date: Thu, 21 Nov 2024 15:12:45 +0000
Subject: [PATCH] WIP

Signed-off-by: R-Lawton <rlawton@redhat.com>
---
 doc/apis-overview/rate-limiting.md            | 134 ++++++++++--------
 doc/apis-overview/tls.md                      |   2 +-
 doc/install/install-kubernetes.md             |  22 +--
 doc/reference/ratelimitpolicy.md              |  22 ++-
 .../dns/dns-excluding-specific-addresses.md   |   2 +-
 doc/user-guides/dns/gateway-dns.md            |  42 +++---
 doc/user-guides/dns/orphan-dns-records.md     |  38 ++---
 .../dnspolicy/basic-dns-configuration.md      |   4 +-
 doc/user-guides/dnspolicy/dnshealthchecks.md  |   2 +-
 ...nnect.md => secure-protect-connect-k8s.md} |   0
 ...md => secure-protect-connect-openshift.md} |   4 +-
 ...elopers.md => authenticated-rl-for-app.md} |   2 +-
 .../multi-auth-rlp-diff-section.md            |  42 +++---
 .../multi-auth-rlp-same-section.md            |  12 +-
 .../simple-rl-for-app-developers.md           |   7 -
 doc/user-guides/tls/gateway-tls.md            |  33 ++++-
 hack/quickstart-setup.sh                      |   4 -
 17 files changed, 205 insertions(+), 167 deletions(-)
 rename doc/user-guides/full-walkthrough/{secure-protect-connect.md => secure-protect-connect-k8s.md} (100%)
 rename doc/user-guides/full-walkthrough/{secure-protect-connect-single-multi-cluster.md => secure-protect-connect-openshift.md} (99%)
 rename doc/user-guides/ratelimiting/{authenticated-rl-for-app-developers.md => authenticated-rl-for-app.md} (99%)

diff --git a/doc/apis-overview/rate-limiting.md b/doc/apis-overview/rate-limiting.md
index 8ef7a6aec..b5533e8da 100644
--- a/doc/apis-overview/rate-limiting.md
+++ b/doc/apis-overview/rate-limiting.md
@@ -12,9 +12,10 @@ A Kuadrant RateLimitPolicy custom resource, often abbreviated "RateLimitPolicy":
 ### Envoy's Rate Limit Service Protocol
 
 Kuadrant's Rate Limit implementation relies on the Envoy's [Rate Limit Service (RLS)](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ratelimit/v3/rls.proto) protocol. The workflow per request goes:
+
 1. On incoming request, the gateway checks the matching rules for enforcing rate limits, as stated in the RateLimitPolicy custom resources and targeted Gateway API networking objects
 2. If the request matches, the gateway sends one [RateLimitRequest](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ratelimit/v3/rls.proto#service-ratelimit-v3-ratelimitrequest) to the external rate limiting service ("Limitador").
-1. The external rate limiting service responds with a [RateLimitResponse](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ratelimit/v3/rls.proto#service-ratelimit-v3-ratelimitresponse) back to the gateway with either an `OK` or `OVER_LIMIT` response code.
+3. The external rate limiting service responds with a [RateLimitResponse](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/ratelimit/v3/rls.proto#service-ratelimit-v3-ratelimitresponse) back to the gateway with either an `OK` or `OVER_LIMIT` response code.
 
 A RateLimitPolicy and its targeted Gateway API networking resource contain all the statements to configure both the ingress gateway and the external rate limiting service.
 
@@ -24,13 +25,14 @@ A RateLimitPolicy and its targeted Gateway API networking resource contain all t
 
 The `RateLimitPolicy` spec includes, basically, two parts:
 
-* A reference to an existing Gateway API resource (`spec.targetRef`)
-* Limit definitions (`spec.limits`)
+- A reference to an existing Gateway API resource (`spec.targetRef`)
+- Limit definitions (`spec.limits`)
 
 Each limit definition includes:
-* A set of rate limits (`spec.limits.<limit-name>.rates[]`)
-* (Optional) A set of dynamic counter qualifiers (`spec.limits.<limit-name>.counters[]`)
-* (Optional) A set of additional dynamic conditions to activate the limit (`spec.limits.<limit-name>.when[]`)
+
+- A set of rate limits (`spec.limits.<limit-name>.rates[]`)
+- (Optional) A set of dynamic counter qualifiers (`spec.limits.<limit-name>.counters[]`)
+- (Optional) A set of additional dynamic conditions to activate the limit (`spec.limits.<limit-name>.when[]`)
 
 The limit definitions (`limits`) can be declared at the top-level level of the spec (with the semantics of _defaults_) or alternatively within explicit `defaults` or `overrides` blocks.
 
@@ -81,13 +83,13 @@ spec:
     # routes that lack a more specific policy attached to.
     # Mutually exclusive with `overrides` and with declaring `limits` at the top-level of the spec.
     defaults:
-      limits: {…}
+      limits: { … }
 
     # Overrides. Used in policies that target a Gateway object to be enforced on all routes linked to the gateway,
     # thus also overriding any more specific policy occasionally attached to any of those routes.
     # Mutually exclusive with `defaults` and with declaring `limits` at the top-level of the spec.
     overrides:
-      limits: {…}
+      limits: { … }
 ```
 
 ## Using the RateLimitPolicy
@@ -108,7 +110,7 @@ spec:
     group: gateway.networking.k8s.io
     kind: HTTPRoute
     name: <HTTPRoute Name>
-  limits: {…}
+  limits: { … }
 ```
 
 ![Rate limit policy targeting a HTTPRoute resource](https://i.imgur.com/ObfOp9u.png)
@@ -144,7 +146,7 @@ spec:
     kind: Gateway
     name: <Gateway Name>
   defaults: # alternatively: `overrides`
-    limits: {…}
+    limits: { … }
 ```
 
 ![rate limit policy targeting a Gateway resource](https://i.imgur.com/UkivAqA.png)
@@ -156,12 +158,14 @@ Two possible semantics are to be considered here – gateway policy _defaults_ v
 Gateway RateLimitPolicies that declare _defaults_ (or alternatively neither defaults nor overrides) protect all traffic routed through the gateway except where a more specific HTTPRoute RateLimitPolicy exists, in which case the HTTPRoute RateLimitPolicy prevails.
 
 Example with 4 RateLimitPolicies, 3 HTTPRoutes and 1 Gateway _default_ (plus 2 HTTPRoute and 2 Gateways without RateLimitPolicies attached):
+
 - RateLimitPolicy A → HTTPRoute A (`a.toystore.com`) → Gateway G (`*.com`)
 - RateLimitPolicy B → HTTPRoute B (`b.toystore.com`) → Gateway G (`*.com`)
 - RateLimitPolicy W → HTTPRoute W (`*.toystore.com`) → Gateway G (`*.com`)
 - RateLimitPolicy G (defaults) → Gateway G (`*.com`)
 
 Expected behavior:
+
 - Request to `a.toystore.com` → RateLimitPolicy A will be enforced
 - Request to `b.toystore.com` → RateLimitPolicy B will be enforced
 - Request to `other.toystore.com` → RateLimitPolicy W will be enforced
@@ -171,12 +175,14 @@ Expected behavior:
 Gateway RateLimitPolicies that declare _overrides_ protect all traffic routed through the gateway, regardless of existence of any more specific HTTPRoute RateLimitPolicy.
 
 Example with 4 RateLimitPolicies, 3 HTTPRoutes and 1 Gateway _override_ (plus 2 HTTPRoute and 2 Gateways without RateLimitPolicies attached):
+
 - RateLimitPolicy A → HTTPRoute A (`a.toystore.com`) → Gateway G (`*.com`)
 - RateLimitPolicy B → HTTPRoute B (`b.toystore.com`) → Gateway G (`*.com`)
 - RateLimitPolicy W → HTTPRoute W (`*.toystore.com`) → Gateway G (`*.com`)
 - RateLimitPolicy G (overrides) → Gateway G (`*.com`)
 
 Expected behavior:
+
 - Request to `a.toystore.com` → RateLimitPolicy G will be enforced
 - Request to `b.toystore.com` → RateLimitPolicy G will be enforced
 - Request to `other.toystore.com` → RateLimitPolicy G will be enforced
@@ -186,9 +192,11 @@ Expected behavior:
 ### Limit definition
 
 A limit will be activated whenever a request comes in and the request matches:
+
 - all of the `when` conditions specified in the limit.
 
 A limit can define:
+
 - counters that are qualified based on dynamic values fetched from the request, or
 - global counters (implicitly, when no qualified counter is specified)
 
@@ -201,31 +209,31 @@ spec:
   limits:
     "toystore-all":
       rates:
-      - limit: 5000
-        window: 1s
+        - limit: 5000
+          window: 1s
 
     "toystore-api-per-username":
       rates:
-      - limit: 100
-        window: 1s
-      - limit: 1000
-        window: 1m
+        - limit: 100
+          window: 1s
+        - limit: 1000
+          window: 1m
       counters:
-      - expression: auth.identity.username
+        - expression: auth.identity.username
       when:
-      - predicate: request.host == 'api.toystore.com'
+        - predicate: request.host == 'api.toystore.com'
 
     "toystore-admin-unverified-users":
       rates:
-      - limit: 250
-        window: 1s
+        - limit: 250
+          window: 1s
       when:
-      - predicate: request.host == 'admin.toystore.com'
-      - predicate: !auth.identity.email_verified
+        - predicate: request.host == 'admin.toystore.com'
+        - predicate: !auth.identity.email_verified
 ```
 
 | Request to           | Rate limits enforced                                         |
-|----------------------|--------------------------------------------------------------|
+| -------------------- | ------------------------------------------------------------ |
 | `api.toystore.com`   | 100rps/username or 1000rpm/username (whatever happens first) |
 | `admin.toystore.com` | 250rps                                                       |
 | `other.toystore.com` | 5000rps                                                      |
@@ -241,26 +249,27 @@ The selectors within the `when` conditions of a RateLimitPolicy are a subset of
 ### Examples
 
 Check out the following user guides for examples of rate limiting services with Kuadrant:
-* [Simple Rate Limiting for Application Developers](user-guides/simple-rl-for-app-developers.md)
-* [Authenticated Rate Limiting for Application Developers](user-guides/authenticated-rl-for-app-developers.md)
-* [Gateway Rate Limiting for Cluster Operators](user-guides/gateway-rl-for-cluster-operators.md)
-* [Authenticated Rate Limiting with JWTs and Kubernetes RBAC](user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md)
+
+- [Simple Rate Limiting for Application Developers](user-guides/simple-rl-for-app-developers.md)
+- [Authenticated Rate Limiting for Application Developers](user-guides/authenticated-rl-for-app-developers.md)
+- [Gateway Rate Limiting for Cluster Operators](user-guides/gateway-rl-for-cluster-operators.md)
+- [Authenticated Rate Limiting with JWTs and Kubernetes RBAC](user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md)
 
 ### Known limitations
 
-* RateLimitPolicies can only target HTTPRoutes/Gateways defined within the same namespace of the RateLimitPolicy.
-* 2+ RateLimitPolicies cannot target network resources that define/inherit the same exact hostname.
+- RateLimitPolicies can only target HTTPRoutes/Gateways defined within the same namespace of the RateLimitPolicy.
+- 2+ RateLimitPolicies cannot target network resources that define/inherit the same exact hostname.
 
 ## Implementation details
 
 Driven by limitations related to how Istio injects configuration in the filter chains of the ingress gateways, Kuadrant relies on Envoy's [Wasm Network](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/wasm_filter) filter in the data plane, to manage the integration with rate limiting service ("Limitador"), instead of the [Rate Limit](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rate_limit_filter) filter.
 
-**Motivation:** _Multiple rate limit domains_<br/>
+**Motivation:** _Multiple rate limit domains_
 The first limitation comes from having only one filter chain per listener. This often leads to one single global rate limiting filter configuration per gateway, and therefore to a shared rate limit [domain](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#envoy-v3-api-msg-extensions-filters-http-ratelimit-v3-ratelimit) across applications and policies. Even though, in a rate limit filter, the triggering of rate limit calls, via [actions to build so-called "descriptors"](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rate_limit_filter#composing-actions), can be defined at the level of the virtual host and/or specific route rule, the overall rate limit configuration is only one, i.e., always the same rate limit domain for all calls to Limitador.
 
 On the other hand, the possibility to configure and invoke the rate limit service for multiple domains depending on the context allows to isolate groups of policy rules, as well as to optimize performance in the rate limit service, which can rely on the domain for indexation.
 
-**Motivation:** _Fine-grained matching rules_<br/>
+**Motivation:** _Fine-grained matching rules_
 A second limitation of configuring the rate limit filter via Istio, particularly from [Gateway API](https://gateway-api.sigs.k8s.io) resources, is that [rate limit descriptors](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rate_limit_filter#composing-actions) at the level of a specific HTTP route rule require "named routes" – defined only in an Istio [VirtualService](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRoute) resource and referred in an [EnvoyFilter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/#EnvoyFilter-RouteConfigurationMatch-RouteMatch) one. Because Gateway API HTTPRoute rules lack a "name" property[^1], as well as the Istio VirtualService resources are only ephemeral data structures handled by Istio in-memory in its implementation of gateway configuration for Gateway API, where the names of individual route rules are auto-generated and not referable by users in a policy[^2][^3], rate limiting by attributes of the HTTP request (e.g., path, method, headers, etc) would be very limited while depending only on Envoy's [Rate Limit](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/rate_limit_filter) filter.
 
 [^1]: https://github.com/kubernetes-sigs/gateway-api/pull/996
@@ -272,6 +281,7 @@ Motivated by the desire to support multiple rate limit domains per ingress gatew
 The wasm module integrates with the gateway in the data plane via [Wasm Network](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/wasm_filter) filter, and parses a configuration composed out of user-defined RateLimitPolicy resources by the Kuadrant control plane. Whereas the rate limiting service ("Limitador") remains an implementation of Envoy's RLS protocol, capable of being integrated directly via [Rate Limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/ratelimit/v3/rate_limit.proto#extension-envoy-filters-network-ratelimit) extension or by Kuadrant, via wasm module for the [Istio Gateway API implementation](https://gateway-api.sigs.k8s.io/implementations/#istio).
 
 As a consequence of this design:
+
 - Users can define fine-grained rate limit rules that match their Gateway and HTTPRoute definitions including for subsections of these.
 - Rate limit definitions are insulated, not leaking across unrelated policies or applications.
 - Conditions to activate limits are evaluated in the context of the gateway process, reducing the gRPC calls to the external rate limiting service only to the cases where rate limit counters are known in advance to have to be checked/incremented.
@@ -289,12 +299,12 @@ metadata:
   name: kuadrant-kuadrant-ingressgateway
   namespace: gateway-system
   ownerReferences:
-  - apiVersion: gateway.networking.k8s.io/v1
-    blockOwnerDeletion: true
-    controller: true
-    kind: Gateway
-    name: kuadrant-ingressgateway
-    uid: 0298355b-fb30-4442-af2b-88d0c05bd2bd
+    - apiVersion: gateway.networking.k8s.io/v1
+      blockOwnerDeletion: true
+      controller: true
+      kind: Gateway
+      name: kuadrant-ingressgateway
+      uid: 0298355b-fb30-4442-af2b-88d0c05bd2bd
   resourceVersion: "11253"
   uid: 36ef1fb7-9eca-46c7-af63-fe783f40148c
 spec:
@@ -308,37 +318,37 @@ spec:
     actionSets:
       - name: some_name_0
         routeRuleConditions:
-          hostnames: 
-          - '*.toystore.website'
-          - '*.toystore.io'
+          hostnames:
+            - "*.toystore.website"
+            - "*.toystore.io"
           predicates:
-          - request.url_path.startsWith("/assets")
+            - request.url_path.startsWith("/assets")
         actions:
-        - service: ratelimit-service
-          scope: gateway-system/app-rlp
-          predicates:
-          - request.host.endsWith('.toystore.website')
-          data:
-          - expression:
-              key: limit.toystore_assets_all_domains__b61ee8e6
-              value: "1"
+          - service: ratelimit-service
+            scope: gateway-system/app-rlp
+            predicates:
+              - request.host.endsWith('.toystore.website')
+            data:
+              - expression:
+                  key: limit.toystore_assets_all_domains__b61ee8e6
+                  value: "1"
       - name: some_name_1
         routeRuleConditions:
-          hostnames: 
-          - '*.toystore.website'
-          - '*.toystore.io'
+          hostnames:
+            - "*.toystore.website"
+            - "*.toystore.io"
           predicates:
-          - request.url_path.startsWith("/v1")
+            - request.url_path.startsWith("/v1")
         actions:
-        - service: ratelimit-service
-          scope: gateway-system/app-rlp
-          predicates:
-          - request.host.endsWith('.toystore.website')
-          - auth.identity.username == ""
-          data:
-          - expression:
-              key: limit.toystore_v1_website_unauthenticated__377837ee
-              value: "1"
+          - service: ratelimit-service
+            scope: gateway-system/app-rlp
+            predicates:
+              - request.host.endsWith('.toystore.website')
+              - auth.identity.username == ""
+            data:
+              - expression:
+                  key: limit.toystore_v1_website_unauthenticated__377837ee
+                  value: "1"
   targetRef:
     group: gateway.networking.k8s.io
     kind: Gateway
diff --git a/doc/apis-overview/tls.md b/doc/apis-overview/tls.md
index 10807e5af..d1be8e2f4 100644
--- a/doc/apis-overview/tls.md
+++ b/doc/apis-overview/tls.md
@@ -2,7 +2,7 @@
 
 A Kuadrant TLSPolicy custom resource:
 
-1. Targets Gateway API networking resources [Gateways](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Gateway) to provide tls for gateway listeners by managing the lifecycle of tls certificates using [`CertManager`](https://cert-manager.io).
+Targets Gateway API networking resources [Gateways](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Gateway) to provide tls for gateway listeners by managing the lifecycle of tls certificates using [`CertManager`](https://cert-manager.io).
 
 ## How it works
 
diff --git a/doc/install/install-kubernetes.md b/doc/install/install-kubernetes.md
index 1df642d39..324518e15 100644
--- a/doc/install/install-kubernetes.md
+++ b/doc/install/install-kubernetes.md
@@ -1,11 +1,9 @@
 # Install Kuadrant on a Kubernetes cluster
 
-!!! note
-
+>**Note:**
     You must perform these steps on each Kubernetes cluster where you want to use Kuadrant.
 
-!!! warning
-
+>**Warning:**
     Kuadrant uses a number of labels to search and filter resources on the cluster.
     All required labels are formatted as `kuadrant.io/*`.
     Removal of any labels with the prefix may cause unexpected behaviour and degradation of the product.
@@ -30,8 +28,7 @@ kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/downloa
 
 ### Install [OLM](https://olm.operatorframework.io/)
 
-!!! note
-
+>**Note:**
     Currently, we recommend installing our operator via OLM. We plan to support Helm soon.
 
 ```bash
@@ -40,13 +37,11 @@ curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releas
 
 ### (Optional) Install Istio as a Gateway API provider
 
-!!! note
-
+>**Warning:**
     Skip this step if planing to use [Envoy Gateway](https://gateway.envoyproxy.io/) as Gateway API provider
 
-!!! note
 
-    There are several ways to install Istio (via `istioctl`, Helm chart or Operator) - this is just an example for starting from a bare Kubernetes cluster.
+There are several ways to install Istio (via `istioctl`, Helm chart or Operator) - this is just an example for starting from a bare Kubernetes cluster.
 
 ```bash
 curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.5 sh -
@@ -57,13 +52,10 @@ kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/ma
 
 ### (Optional) Install Envoy Gateway as a Gateway API provider
 
-!!! note
-
+>**Warning:**
     Skip this step if planing to use [Istio](https://istio.io/) as Gateway API provider
 
-!!! note
-
-    There are several ways to install Envoy Gateway (via `egctl`, Helm chart or Kubernetes yaml) - this is just an example for starting from a bare Kubernetes cluster.
+There are several ways to install Envoy Gateway (via `egctl`, Helm chart or Kubernetes yaml) - this is just an example for starting from a bare Kubernetes cluster.
 
 ```bash
 helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 -n envoy-gateway-system --create-namespace
diff --git a/doc/reference/ratelimitpolicy.md b/doc/reference/ratelimitpolicy.md
index 105cea20c..ab2de0205 100644
--- a/doc/reference/ratelimitpolicy.md
+++ b/doc/reference/ratelimitpolicy.md
@@ -11,11 +11,31 @@
 
 | **Field**   | **Type**                                                                                                                                    | **Required** | **Description**                                                                                                                                                                             |
 |-------------|---------------------------------------------------------------------------------------------------------------------------------------------|--------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `targetRef` | [LocalPolicyTargetReference](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference) | Yes          | Reference to a Kubernetes resource that the policy attaches to                                                                                                                              |
+| `targetRef` | [LocalPolicyTargetReferenceWithSectionName](#localpolicytargetreferencewithsectionname) | Yes          | Reference to a Kubernetes resource that the policy attaches to. For more [info](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.LocalPolicyTargetReference)                                                                                                                              |
 | `defaults`  | [RateLimitPolicyCommonSpec](#rateLimitPolicyCommonSpec)                                                                                     | No           | Default limit definitions. This field is mutually exclusive with the `limits` field                                                                                                         |
 | `overrides` | [RateLimitPolicyCommonSpec](#rateLimitPolicyCommonSpec)                                                                                     | No           | Overrides limit definitions. This field is mutually exclusive with the `limits` field and `defaults` field. This field is only allowed for policies targeting `Gateway` in `targetRef.kind` |
 | `limits`    | Map<String: [Limit](#limit)>                                                                                                                | No           | Limit definitions. This field is mutually exclusive with the [`defaults`](#rateLimitPolicyCommonSpec) field                                                                                 |
 
+
+
+
+### LocalPolicyTargetReferenceWithSectionName
+| **Field**       | **Type**                                | **Required** | **Description**                                            |
+|------------------|-----------------------------------------|--------------|------------------------------------------------------------|
+| `LocalPolicyTargetReference`         | [LocalPolicyTargetReference](#localpolicytargetreference)          | Yes          | Reference to a local policy target.               |
+| `sectionName`    | [SectionName](#sectionname)                         | No           | Section name for further specificity (if needed). |
+
+### LocalPolicyTargetReference
+| **Field** | **Type**     | **Required** | **Description**                |
+|-----------|--------------|--------------|--------------------------------|
+| `group`   | `Group`      | Yes          | Group of the target resource. |
+| `kind`    | `Kind`       | Yes          | Kind of the target resource.  |
+| `name`    | `ObjectName` | Yes          | Name of the target resource.  |
+
+### SectionName
+| Field       | Type                     | Required | Description                                                                                                                                                                                                                         |
+|-------------|--------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| SectionName | v1.SectionName (String)  | Yes      | SectionName is the name of a section in a Kubernetes resource. <br>In the following resources, SectionName is interpreted as the following: <br>* Gateway: Listener name<br>* HTTPRoute: HTTPRouteRule name<br>* Service: Port name |
 ### RateLimitPolicyCommonSpec
 
 | **Field** | **Type**                     | **Required** | **Description**                                                                                                              |
diff --git a/doc/user-guides/dns/dns-excluding-specific-addresses.md b/doc/user-guides/dns/dns-excluding-specific-addresses.md
index 1e2d6597b..1c073d7d9 100644
--- a/doc/user-guides/dns/dns-excluding-specific-addresses.md
+++ b/doc/user-guides/dns/dns-excluding-specific-addresses.md
@@ -8,7 +8,7 @@ To prevent a gateway address being published to the DNS provider, you can set th
 
 Below is an example of a DNSPolicy excluding a hostname:
 
-```
+```sh
 apiVersion: kuadrant.io/v1
 kind: DNSPolicy
 metadata:
diff --git a/doc/user-guides/dns/gateway-dns.md b/doc/user-guides/dns/gateway-dns.md
index 078cffee2..1a94ccb05 100644
--- a/doc/user-guides/dns/gateway-dns.md
+++ b/doc/user-guides/dns/gateway-dns.md
@@ -2,46 +2,32 @@
 
 This user guide walks you through an example of how to configure DNS for all routes attached to an ingress gateway.
 
-<br/>
-
 ## Requisites
 
 - [Docker](https://docker.io)
 - [Rout53 Hosted Zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html)
 
-### Setup
-
-This step uses tooling from the Kuadrant Operator component to create a containerized Kubernetes server locally using [Kind](https://kind.sigs.k8s.io),
-where it installs Istio, Kubernetes Gateway API and Kuadrant itself.
-
-Clone the project:
-
-```shell
-git clone https://github.com/Kuadrant/kuadrant-operator && cd kuadrant-operator
-```
-
-Setup the environment:
+### Setup the environment
 
-```shell
-make local-setup
-```
+Follow this [setup doc](https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/install/install-make-target.md) to set up your environment before continuing with this doc.
 
 Create a namespace:
+
 ```shell
 kubectl create namespace my-gateways
 ```
 
 Export a root domain and hosted zone id:
+
 ```shell
 export ROOT_DOMAIN=<ROOT_DOMAIN>
 ```
 
-> **Note:** ROOT_DOMAIN should be set to your AWS hosted zone *name*.
+> **Note:** ROOT_DOMAIN should be set to your AWS hosted zone _name_.
 
 ### Create a dns provider secret
 
-Create AWS provider secret. You should limit the permissions of this credential to only the zones you want us to access. 
-
+Create AWS provider secret. You should limit the permissions of this credential to only the zones you want us to access.
 
 ```shell
 export AWS_ACCESS_KEY_ID=<AWS_ACCESS_KEY_ID> AWS_SECRET_ACCESS_KEY=<AWS_SECRET_ACCESS_KEY>
@@ -55,6 +41,7 @@ kubectl -n my-gateways create secret generic aws-credentials \
 ### Create an ingress gateway
 
 Create a gateway using your ROOT_DOMAIN as part of a listener hostname:
+
 ```sh
 kubectl -n my-gateways apply -f - <<EOF
 apiVersion: gateway.networking.k8s.io/v1
@@ -75,10 +62,13 @@ EOF
 ```
 
 Check gateway status:
+
 ```shell
 kubectl get gateway prod-web -n my-gateways
 ```
+
 Response:
+
 ```shell
 NAME       CLASS   ADDRESS        PROGRAMMED   AGE
 prod-web   istio   172.18.200.1   True         25s
@@ -87,6 +77,7 @@ prod-web   istio   172.18.200.1   True         25s
 ### Enable DNS on the gateway
 
 Create a Kuadrant `DNSPolicy` to configure DNS:
+
 ```shell
 kubectl -n my-gateways apply -f - <<EOF
 apiVersion: kuadrant.io/v1
@@ -102,10 +93,13 @@ EOF
 ```
 
 Check policy status:
+
 ```shell
 kubectl get dnspolicy -o wide -n my-gateways
 ```
+
 Response:
+
 ```shell
 NAME       STATUS     TARGETREFKIND   TARGETREFNAME   AGE
 prod-web   Accepted   Gateway         prod-web        26s
@@ -114,12 +108,14 @@ prod-web   Accepted   Gateway         prod-web        26s
 ### Deploy a sample API to test DNS
 
 Deploy the sample API:
+
 ```shell
 kubectl -n my-gateways apply -f examples/toystore/toystore.yaml
 kubectl -n my-gateways wait --for=condition=Available deployments toystore --timeout=60s
 ```
 
 Route traffic to the API from our gateway:
+
 ```shell
 kubectl -n my-gateways apply -f - <<EOF
 apiVersion: gateway.networking.k8s.io/v1
@@ -140,6 +136,7 @@ EOF
 ```
 
 Verify a DNSRecord resource is created:
+
 ```shell
 kubectl get dnsrecords -n my-gateways
 NAME           READY
@@ -149,10 +146,13 @@ prod-web-api   True
 ### Verify DNS works by sending requests
 
 Verify DNS using dig:
+
 ```shell
 dig foo.$ROOT_DOMAIN +short
 ```
+
 Response:
+
 ```shell
 172.18.200.1
 ```
@@ -162,7 +162,9 @@ Verify DNS using curl:
 ```shell
 curl http://api.$ROOT_DOMAIN
 ```
+
 Response:
+
 ```shell
 {
   "method": "GET",
diff --git a/doc/user-guides/dns/orphan-dns-records.md b/doc/user-guides/dns/orphan-dns-records.md
index 9a44d2836..ba80ef58b 100644
--- a/doc/user-guides/dns/orphan-dns-records.md
+++ b/doc/user-guides/dns/orphan-dns-records.md
@@ -24,33 +24,37 @@ On cluster 2 the DNS Operator managing the existing DNSRecord in that cluster ha
 In prometheus alerts, it spots that the number of owners does not correlate to the number of DNSRecord resources and triggers an alert. 
 To remedy this rather than going to the DNS provider directly and trying to figure out which records to remove, you can instead follow the steps below.
 
-1) Get the owner id of the DNSRecord on cluster 2 for the shared host 
+Get the owner id of the DNSRecord on cluster 2 for the shared host 
 
-```
+```sh
 kubectl get dnsrecord somerecord -n my-gateway-ns -o=jsonpath='{.status.ownerID}'
 ```
 
-2) get all the owner ids
+Get all the owner ids
 
-```
+```sh
 kubectl get dnsrecord.kuadrant.io somerecord -n my-gateway-ns -o=jsonpath='{.status.domainOwners}'
 
-## output
-["26aacm1z","49qn0wp7"]
+# output
+# ["26aacm1z","49qn0wp7"]
 ```
 
-3) create a placeholder DNSRecord with none active ownerID
+Create a placeholder DNSRecord with none active ownerID
 
 
-for each owner id returned that isn't the owner id of the record we got earlier that we want to remove records for, we need to create a dnsrecord resource and delete it. This will trigger the running operator in this cluster to clean up those records.
+For each owner id returned that isn't the owner id of the record that we want to remove records for, we need to create a dnsrecord resource and delete it. This will trigger the running operator in this cluster to clean up those records.
+
+This is one of the owner id **not** in the existing dnsrecord on cluster
+```sh
 
-```
-# this is one of the owner id **not** in the existing dnsrecord on cluster
 export ownerID=26aacm1z  
 
 export rootHost=$(kubectl get dnsrecord.kuadrant.io somerecord -n  my-gateway-ns -o=jsonpath='{.spec.rootHost}')
+```
+
 
-# export a namespace with the aws credentials in it
+Export a namespace with the aws credentials in it
+```sh
 export targetNS=kuadrant-system 
 
 kubectl apply -f - <<EOF
@@ -74,21 +78,21 @@ EOF
 
 ```
 
-4) Delete the dnsrecord
+Delete the DNSrecord
 
-```
+```sh
 kubectl delete dnsrecord.kuadrant.io delete-old-loadbalanced-dnsrecord -n ${targetNS} 
 ```
 
-5) verify 
+Verification 
 
-We can verify by checking the dnsrecord again. Note it may take a several minutes for the other record to update. We can force it by adding a label to the record
+We can verify that the steps worked correctly, by checking the DNSRecord again. Note it may take a several minutes for the other record to update. We can force it by adding a label to the record
 
-```
+```sh
 kubectl label dnsrecord.kuadrant.io somerecord test=test -n ${targetNS}
 
 kubectl get dnsrecord.kuadrant.io somerecord -n my-gateway-ns -o=jsonpath='{.status.domainOwners}'
 
 ```
 
-We should also see our alert eventually stop triggering.
+You should also see your alert eventually stop triggering.
diff --git a/doc/user-guides/dnspolicy/basic-dns-configuration.md b/doc/user-guides/dnspolicy/basic-dns-configuration.md
index f8475637d..d701e7c80 100644
--- a/doc/user-guides/dnspolicy/basic-dns-configuration.md
+++ b/doc/user-guides/dnspolicy/basic-dns-configuration.md
@@ -87,7 +87,7 @@ spec:
 
 This resource also needs to be created in the same namespace as your Gateway and the `targetRef` needs to reference your gateway. When this is done we can check the status of the DNSPolicy and the Gateway to check when it is ready.
 
-```
+```sh
 kubectl wait dnspolicy/basic-dnspolicy -n my-gateway-namespace --for="condition=Ready=true" --timeout=300s
 
 ```
@@ -105,7 +105,7 @@ If you look at the gateway status you should also see:
 
 DNS is now setup for your Gateway. After allowing a little time for the DNS propagate to the nameservers, you should be able to test the DNS using a dig command alternatively you can curl your endpoint.
 
-```
+```sh
 dig test.example.com +short
 
 curl -v test.example.com/toy
diff --git a/doc/user-guides/dnspolicy/dnshealthchecks.md b/doc/user-guides/dnspolicy/dnshealthchecks.md
index 1c55a1675..929d37e68 100644
--- a/doc/user-guides/dnspolicy/dnshealthchecks.md
+++ b/doc/user-guides/dnspolicy/dnshealthchecks.md
@@ -130,7 +130,7 @@ If one or more of the health checks are failing you will see a status in the DNS
 
 Finally, you can also take a look at the underlying individual health check status by inspecting the `dnshealthcheckprobe` resource:
 
->Note: These resources are for view only interactions as they are controlled by the Kuadrant Operator based on the DNSPolicy API
+>**Note**: These resources are for view only interactions as they are controlled by the Kuadrant Operator based on the DNSPolicy API
 
 ```bash
 kubectl get dnshealthcheckprobes n my-dns-policy-namespace -o=wide
diff --git a/doc/user-guides/full-walkthrough/secure-protect-connect.md b/doc/user-guides/full-walkthrough/secure-protect-connect-k8s.md
similarity index 100%
rename from doc/user-guides/full-walkthrough/secure-protect-connect.md
rename to doc/user-guides/full-walkthrough/secure-protect-connect-k8s.md
diff --git a/doc/user-guides/full-walkthrough/secure-protect-connect-single-multi-cluster.md b/doc/user-guides/full-walkthrough/secure-protect-connect-openshift.md
similarity index 99%
rename from doc/user-guides/full-walkthrough/secure-protect-connect-single-multi-cluster.md
rename to doc/user-guides/full-walkthrough/secure-protect-connect-openshift.md
index ffa292684..99f45f995 100644
--- a/doc/user-guides/full-walkthrough/secure-protect-connect-single-multi-cluster.md
+++ b/doc/user-guides/full-walkthrough/secure-protect-connect-openshift.md
@@ -68,8 +68,8 @@ kubectl create ns ${gatewayNS}
 
 Create the secret credentials as follows:
 
-```
-kubectl -n ${gatewayNS} create secret generic aws-credentials \
+```sh
+kubectl -n cert-manager create secret generic aws-credentials \
   --type=kuadrant.io/aws \
   --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
   --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
diff --git a/doc/user-guides/ratelimiting/authenticated-rl-for-app-developers.md b/doc/user-guides/ratelimiting/authenticated-rl-for-app.md
similarity index 99%
rename from doc/user-guides/ratelimiting/authenticated-rl-for-app-developers.md
rename to doc/user-guides/ratelimiting/authenticated-rl-for-app.md
index f8314bcd2..5a1eb2b57 100644
--- a/doc/user-guides/ratelimiting/authenticated-rl-for-app-developers.md
+++ b/doc/user-guides/ratelimiting/authenticated-rl-for-app.md
@@ -1,4 +1,4 @@
-# Authenticated Rate Limiting for Application Developers
+# Authenticated Rate Limiting for Applications
 
 This user guide walks you through an example of how to configure authenticated rate limiting for an application using Kuadrant.
 
diff --git a/doc/user-guides/ratelimiting/multi-auth-rlp-diff-section.md b/doc/user-guides/ratelimiting/multi-auth-rlp-diff-section.md
index 07c7a8b91..e827ca686 100644
--- a/doc/user-guides/ratelimiting/multi-auth-rlp-diff-section.md
+++ b/doc/user-guides/ratelimiting/multi-auth-rlp-diff-section.md
@@ -43,6 +43,28 @@ spec:
 EOF
 ```
 
+### Route traffic to the API from both gateways listeners
+
+```sh
+kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: toystore
+spec:
+  parentRefs:
+  - name: environment
+    namespace: kuadrant-system
+  hostnames:
+  - "*.toystore.io"
+  - "*.toystore.local"
+  rules:
+  - backendRefs:
+    - name: toystore
+      port: 80
+EOF
+```
+
 ### Create a Kuadrant `RateLimitPolicy` to configure rate limiting for the external listener:
 
 ```sh
@@ -93,27 +115,7 @@ EOF
 
 > **Note:** It may take a couple of minutes for the RateLimitPolicy to be applied depending on your cluster.
 
-Route traffic to the API from both gateways:
 
-```sh
-kubectl apply -f - <<EOF
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: toystore
-spec:
-  parentRefs:
-  - name: environment
-    namespace: kuadrant-system
-  hostnames:
-  - "*.toystore.io"
-  - "*.toystore.local"
-  rules:
-  - backendRefs:
-    - name: toystore
-      port: 80
-EOF
-```
 
 ### Verify the rate limiting works by sending requests in a loop
 
diff --git a/doc/user-guides/ratelimiting/multi-auth-rlp-same-section.md b/doc/user-guides/ratelimiting/multi-auth-rlp-same-section.md
index d7f8a139c..303ee1733 100644
--- a/doc/user-guides/ratelimiting/multi-auth-rlp-same-section.md
+++ b/doc/user-guides/ratelimiting/multi-auth-rlp-same-section.md
@@ -23,13 +23,11 @@ Follow this [setup doc](https://github.com/Kuadrant/kuadrant-operator/blob/main/
 
 ### Deploy the Toy Store API
 
-Create the deployment:
-
 ```sh
 kubectl apply -f examples/toystore/toystore.yaml
 ```
 
-Create a HTTPRoute to route traffic to the service via Istio Ingress Gateway:
+### Create a HTTPRoute to route traffic to the service via Istio Ingress Gateway:
 
 ![](https://i.imgur.com/rdN8lo3.png)
 
@@ -61,7 +59,7 @@ spec:
 EOF
 ```
 
-Export the gateway hostname and port:
+### Export the gateway hostname and port:
 
 ```sh
 export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
@@ -69,7 +67,7 @@ export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system
 export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
 ```
 
-Verify the route works:
+### Verify the route works:
 
 ```sh
 curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
@@ -125,7 +123,7 @@ spec:
 EOF
 ```
 
-Verify the authentication works by sending a request to the Toy Store API without API key:
+### Verify the authentication works by sending a request to the Toy Store API without API key:
 
 ```sh
 curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
@@ -134,7 +132,7 @@ curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
 # x-ext-auth-reason: "credential not found"
 ```
 
-Create API keys for users `alice` and `bob` to authenticate:
+### Create API keys for users `alice` and `bob` to authenticate:
 
 > **Note:** Kuadrant stores API keys as Kubernetes Secret resources. User metadata can be stored in the annotations of the resource.
 
diff --git a/doc/user-guides/ratelimiting/simple-rl-for-app-developers.md b/doc/user-guides/ratelimiting/simple-rl-for-app-developers.md
index 8b7a01130..fa8412aea 100644
--- a/doc/user-guides/ratelimiting/simple-rl-for-app-developers.md
+++ b/doc/user-guides/ratelimiting/simple-rl-for-app-developers.md
@@ -2,16 +2,10 @@
 
 This user guide walks you through an example of how to configure rate limiting for an endpoint of an application using Kuadrant.
 
-<br/>
-
 In this guide, we will rate limit a sample REST API called **Toy Store**. In reality, this API is just an echo service that echoes back to the user whatever attributes it gets in the request. The API listens to requests at the hostname `api.toystore.com`, where it exposes the endpoints `GET /toys*` and `POST /toys`, respectively, to mimic operations of reading and writing toy records.
 
 We will rate limit the `POST /toys` endpoint to a maximum of 5rp10s ("5 requests every 10 seconds").
 
-<br/>
-
-##
-
 ### Setup
 
 This step uses tooling from the Kuadrant Operator component to create a containerized Kubernetes server locally using [Kind](https://kind.sigs.k8s.io),
@@ -144,7 +138,6 @@ EOF
 
 > **Note:** It may take a couple of minutes for the RateLimitPolicy to be applied depending on your cluster.
 
-
 Verify the rate limiting works by sending requests in a loop.
 
 Up to 5 successful (`200 OK`) requests every 10 seconds to `POST /toys`, then `429 Too Many Requests`:
diff --git a/doc/user-guides/tls/gateway-tls.md b/doc/user-guides/tls/gateway-tls.md
index da673e930..e6952f0ce 100644
--- a/doc/user-guides/tls/gateway-tls.md
+++ b/doc/user-guides/tls/gateway-tls.md
@@ -2,8 +2,6 @@
 
 This user guide walks you through an example of how to configure TLS for all routes attached to an ingress gateway.
 
-<br/>
-
 ## Requisites
 
 - [Docker](https://docker.io)
@@ -26,6 +24,7 @@ make local-setup
 ```
 
 Create a namespace:
+
 ```shell
 kubectl create namespace my-gateways
 ```
@@ -33,6 +32,7 @@ kubectl create namespace my-gateways
 ### Create an ingress gateway
 
 Create a gateway:
+
 ```sh
 kubectl -n my-gateways apply -f - <<EOF
 apiVersion: gateway.networking.k8s.io/v1
@@ -62,6 +62,7 @@ EOF
 The TLSPolicy requires a reference to an existing [CertManager Issuer](https://cert-manager.io/docs/configuration/).
 
 Create a CertManager Issuer:
+
 ```shell
 kubectl apply -n my-gateways -f - <<EOF
 apiVersion: cert-manager.io/v1
@@ -78,13 +79,16 @@ EOF
 ```shell
 kubectl get issuer selfsigned-issuer -n my-gateways
 ```
+
 Response:
+
 ```shell
 NAME                        READY   AGE
 selfsigned-issuer   True    18s
 ```
 
 Create a Kuadrant `TLSPolicy` to configure TLS:
+
 ```sh
 kubectl apply -n my-gateways -f - <<EOF
 apiVersion: kuadrant.io/v1
@@ -104,20 +108,26 @@ EOF
 ```
 
 Check policy status:
+
 ```shell
 kubectl get tlspolicy -o wide -n my-gateways
 ```
+
 Response:
+
 ```shell
 NAME       STATUS     TARGETREFKIND   TARGETREFNAME   AGE
 prod-web   Accepted   Gateway         prod-web        13s
 ```
 
 Check a Certificate resource was created:
+
 ```shell
 kubectl get certificates -n my-gateways
 ```
+
 Response
+
 ```shell
 NAME                 READY   SECRET               AGE
 toystore-local-tls   True    toystore-local-tls   7m30s
@@ -125,10 +135,13 @@ toystore-local-tls   True    toystore-local-tls   7m30s
 ```
 
 Check a TLS Secret resource was created:
+
 ```shell
 kubectl get secrets -n my-gateways --field-selector="type=kubernetes.io/tls"
 ```
+
 Response:
+
 ```shell
 NAME                 TYPE                DATA   AGE
 toystore-local-tls   kubernetes.io/tls   3      7m42s
@@ -137,12 +150,14 @@ toystore-local-tls   kubernetes.io/tls   3      7m42s
 ### Deploy a sample API to test TLS
 
 Deploy the sample API:
+
 ```shell
 kubectl -n my-gateways apply -f examples/toystore/toystore.yaml
 kubectl -n my-gateways wait --for=condition=Available deployments toystore --timeout=60s
 ```
 
 Route traffic to the API from our gateway:
+
 ```shell
 kubectl -n my-gateways apply -f - <<EOF
 apiVersion: gateway.networking.k8s.io/v1
@@ -165,20 +180,26 @@ EOF
 ### Verify TLS works by sending requests
 
 Get the gateway address@
+
 ```shell
 GWADDRESS=`kubectl get gateway/prod-web -n my-gateways -o=jsonpath='{.status.addresses[?(@.type=="IPAddress")].value}'`
 echo $GWADDRESS
 ```
+
 Response:
+
 ```shell
 172.18.200.1
 ```
 
 Verify we can access the service via TLS:
+
 ```shell
 curl -vkI https://api.toystore.local --resolve "api.toystore.local:443:$GWADDRESS"
 ```
+
 Response:
+
 ```shell
 * Added api.toystore.local:443:172.18.200.1 to DNS cache
 * Hostname api.toystore.local was found in DNS cache
@@ -223,7 +244,7 @@ Response:
 > Host: api.toystore.local
 > user-agent: curl/7.85.0
 > accept: */*
-> 
+>
 * TLSv1.2 (IN), TLS header, Supplemental data (23):
 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
@@ -232,8 +253,8 @@ Response:
 * Connection state changed (MAX_CONCURRENT_STREAMS == 2147483647)!
 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
 * TLSv1.2 (IN), TLS header, Supplemental data (23):
-< HTTP/2 200 
-HTTP/2 200 
+< HTTP/2 200
+HTTP/2 200
 < content-type: application/json
 content-type: application/json
 < server: istio-envoy
@@ -245,7 +266,7 @@ content-length: 1658
 < x-envoy-upstream-service-time: 1
 x-envoy-upstream-service-time: 1
 
-< 
+<
 * Connection #0 to host api.toystore.local left intact
 ```
 
diff --git a/hack/quickstart-setup.sh b/hack/quickstart-setup.sh
index 6b776d2ad..cef963acd 100755
--- a/hack/quickstart-setup.sh
+++ b/hack/quickstart-setup.sh
@@ -67,10 +67,6 @@ if [ -z "$SAIL_VERSION" ] && [ "$ISTIO_INSTALL_SAIL" = "true" ]; then
   SAIL_VERSION=${SAIL_VERSION:="0.1.0"}
 fi
 
-echo "AWWWWWWWWWWWWWW $SAIL_VERSION"
-echo "OHHHHHHHHHHHHHH $ISTIO_INSTALL_SAIL"
-
-
 export TOOLS_IMAGE=quay.io/kuadrant/mgc-tools:latest
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 export TMP_DIR=$SCRIPT_DIR/tmp/mgc