Fixes: variable substitution, link path changes

calico-cloud/threat/web-application-firewall.mdx

@@ -220,7 +220,7 @@ By default WAF will not block a request even if it has matching rule violations.
 
 ##### Other basic customizations
 
-For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf#L8-L17) are situated there.
+For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf#L8-L17) are situated there.
 
 An example is adding a sampling mode. For that, the `tigera.conf` will look like this:
 

calico-cloud_versioned_docs/version-20-2/threat/web-application-firewall.mdx

@@ -220,7 +220,7 @@ By default WAF will not block a request even if it has matching rule violations.
 
 ##### Other basic customizations
 
-For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf#L8-L17) are situated there.
+For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf#L8-L17) are situated there.
 
 An example is adding a sampling mode. For that, the `tigera.conf` will look like this:
 

calico-enterprise/networking/gateway-api.mdx

@@ -16,13 +16,13 @@
 
 ## Value
 
-{{prodname}} includes support for the Kubernetes Gateway API, which allows advanced routing to services in a cluster, including weighted or blue-green load balancing.
+$[prodname] includes support for the Kubernetes Gateway API, which allows advanced routing to services in a cluster, including weighted or blue-green load balancing.
 
 ## Concepts
 
 ### Gateway API
 
-The Gateway API is an official Kubernetes API for advanced routing to services in a cluster.  To read about its use cases, structure and design, please see [the official docs](https://gateway-api.sigs.k8s.io/).  {{prodname}} provides the following resources and versions of the Gateway API.
+The Gateway API is an official Kubernetes API for advanced routing to services in a cluster.  To read about its use cases, structure and design, please see [the official docs](https://gateway-api.sigs.k8s.io/).  $[prodname] provides the following resources and versions of the Gateway API.
 
 | Resource         | Versions          |
 | ---------------- | ----------------- |
@@ -39,11 +39,11 @@
 
 ### Envoy Gateway
 
-Several implementations of the Gateway API are available, one of which is the [Envoy Gateway](https://gateway.envoyproxy.io/).  {{prodname}} integrates the Envoy Gateway implementation in order to provide support for the Gateway API.
+Several implementations of the Gateway API are available, one of which is the [Envoy Gateway](https://gateway.envoyproxy.io/).  $[prodname] integrates the Envoy Gateway implementation in order to provide support for the Gateway API.
 
 ### Access into a cluster from outside
 
-The Gateway API only provides access into a cluster from outside when the cluster is _also_ provisioned to support Kubernetes Services with `type: LoadBalancer`.  When a Gateway is configured, {{prodname}} creates a Deployment that does the actual work of routing and load balancing, etc., and a Service with `type: LoadBalancer` that fronts that Deployment.  If the cluster has a `type: LoadBalancer` provider, it will then allocate an IP outside the cluster and arrange for requests to that IP to be forwarded to the Gateway Service.
+The Gateway API only provides access into a cluster from outside when the cluster is _also_ provisioned to support Kubernetes Services with `type: LoadBalancer`.  When a Gateway is configured, $[prodname] creates a Deployment that does the actual work of routing and load balancing, etc., and a Service with `type: LoadBalancer` that fronts that Deployment.  If the cluster has a `type: LoadBalancer` provider, it will then allocate an IP outside the cluster and arrange for requests to that IP to be forwarded to the Gateway Service.
 
 Managed Kubernetes services like AKS, EKS and GKE include a `type: LoadBalancer` provider that automatically integrates with Azure, AWS and GCP respectively.  On-prem clusters and non-managed clusters in the cloud need to set up their own `type: LoadBalancer` support.
 
@@ -91,7 +91,7 @@
 udproutes                                                                           gateway.networking.k8s.io/v1alpha2          true         UDPRoute
 ```
 
-And also that there is a GatewayClass resource corresponding to the Envoy Gateway implementation included in {{prodname}}:
+And also that there is a GatewayClass resource corresponding to the Envoy Gateway implementation included in $[prodname]:
 
 ```bash
 kubectl get gatewayclass -o yaml | yq r - 'items[0].spec'
@@ -415,4 +415,4 @@
 EOF
 ```
 
-Please note that the Gateway API CRDs will be left in place.  This is to allow for the possibility of using other Gateway API implementations in addition to the one provided by {{prodname}}.
+Please note that the Gateway API CRDs will be left in place.  This is to allow for the possibility of using other Gateway API implementations in addition to the one provided by $[prodname].

calico-enterprise/threat/web-application-firewall.mdx

@@ -199,7 +199,7 @@ By default WAF will not block a request even if it has matching rule violations.
 
 #### Other basic customizations
 
-For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf#L8-L17) are situated there.
+For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf#L8-L17) are situated there.
 
 An example is adding a sampling mode. For that, the `tigera.conf` will look like this:
 

calico-enterprise_versioned_docs/version-3.17/threat/web-application-firewall.mdx

@@ -177,7 +177,7 @@
 
 By default, $[prodname] ships with Core Rule Set  v3.3.5 with the following setup files pre-loaded:
 
-- [tigera.conf](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf)
+- [tigera.conf](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf)
 
 To start creating your rules, it is recommended that you download the files (all three) and create your modifications from there, as follows:
 

calico-enterprise_versioned_docs/version-3.18-2/threat/web-application-firewall.mdx

@@ -26,7 +26,7 @@
 
 WAF is deployed in your cluster along with Envoy DaemonSet. $[prodname] proxies selected service traffic through Envoy, checking HTTP requests using the industry-standard
 [ModSecurity](https://owasp.org/www-project-modsecurity-core-rule-set/) with OWASP Core Rule Set v3.3.5 modified for kubernetes workloads.
-<!--To review the rules deployed with the WAF, see [Ruleset files](https://github.com/tigera/operator/tree/master/pkg/render/applicationlayer/embed/coreruleset/rules).-->
+<!--To review the rules deployed with the WAF, see [Ruleset files](https://github.com/tigera/operator/tree/master/pkg/render/applicationlayer/ruleset/coreruleset/rules).-->
 
 You simply enable WAF in Manager UI, and determine the services that you want to enable for WAF protection. By default WAF is set to `DetectionOnly` so no traffic will be denied until you are ready to turn on blocking mode.
 
@@ -177,7 +177,7 @@
 
 By default, $[prodname] ships with Core Rule Set  v3.3.5 with the following setup files pre-loaded:
 
-- [tigera.conf](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf)
+- [tigera.conf](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf)
 
 There are two ways to edit your rules.
 1. Edit the configmap directly using kubectl. The config map combines all the rule files together, so you will need to know how to search and find the exact place in the configmap that you want to update.

calico-enterprise_versioned_docs/version-3.19-2/threat/web-application-firewall.mdx

@@ -218,7 +218,7 @@ By default WAF will not block a request even if it has matching rule violations.
 
 ##### Other basic customizations
 
-For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf#L8-L17) are situated there.
+For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf#L8-L17) are situated there.
 
 An example is adding a sampling mode. For that, the `tigera.conf` will look like this:
 

calico-enterprise_versioned_docs/version-3.20-1/threat/web-application-firewall.mdx

@@ -218,7 +218,7 @@ By default WAF will not block a request even if it has matching rule violations.
 
 ##### Other basic customizations
 
-For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf#L8-L17) are situated there.
+For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf#L8-L17) are situated there.
 
 An example is adding a sampling mode. For that, the `tigera.conf` will look like this:
 

calico-enterprise_versioned_docs/version-3.20-2/threat/web-application-firewall.mdx

@@ -198,7 +198,7 @@ By default WAF will not block a request even if it has matching rule violations.
 
 #### Other basic customizations
 
-For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/embed/coreruleset/tigera.conf#L8-L17) are situated there.
+For basic customizations, it's best to add it after all the includes in `tigera.conf`. In fact, this is the reason why the `SecRuleEngine` directive and the rest of [our customizations](https://github.com/tigera/operator/blob/master/pkg/render/applicationlayer/ruleset/coreruleset/tigera.conf#L8-L17) are situated there.
 
 An example is adding a sampling mode. For that, the `tigera.conf` will look like this: