diff --git a/content/docs/setup/kubernetes/helm-install.md b/content/docs/setup/kubernetes/helm-install.md index 6d09b43034..4f33c40e20 100644 --- a/content/docs/setup/kubernetes/helm-install.md +++ b/content/docs/setup/kubernetes/helm-install.md @@ -27,18 +27,18 @@ recommended. 1. Render Istio's core components to a Kubernetes manifest called `istio.yaml`: - * With [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) - (requires Kubernetes >=1.9.0): + * With [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) + (requires Kubernetes >=1.9.0): - ```command - $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecar-injector.enabled=true --set global.proxy.image=proxyv2 - ``` + ```command + $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecar-injector.enabled=true --set global.proxy.image=proxyv2 + ``` - * Without sidecar injection: + * Without sidecar injection: - ```command - $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml - ``` + ```command + $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml + ``` 1. Install the components via the manifest: 
@@ -57,29 +57,29 @@ to manage the lifecycle of Istio. 1. If a service account has not already been installed for Tiller, install one: - ```command - $ kubectl create -f install/kubernetes/helm/helm-service-account.yaml - ``` + ```command + $ kubectl create -f install/kubernetes/helm/helm-service-account.yaml + ``` 1. Install Tiller on your cluster with the service account: - ```command - $ helm init --service-account tiller - ``` + ```command + $ helm init --service-account tiller + ``` 1. Install Istio: - * With [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0): + * With [automatic sidecar injection](/docs/setup/kubernetes/sidecar-injection/#automatic-sidecar-injection) (requires Kubernetes >=1.9.0): - ```command - $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.proxy.image=proxyv2 - ``` + ```command + $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set global.proxy.image=proxyv2 + ``` - * Without the sidecar injection webhook: + * Without the sidecar injection webhook: - ```command - $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false --set global.proxy.image=proxyv2 - ``` + ```command + $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system --set sidecarInjectorWebhook.enabled=false --set global.proxy.image=proxyv2 + ``` ## Customization with Helm @@ -118,12 +118,12 @@ See the sample [Bookinfo](/docs/guides/bookinfo/) application. * For option 1, uninstall using kubectl: - ```command - $ kubectl delete -f $HOME/istio.yaml - ``` + ```command + $ kubectl delete -f $HOME/istio.yaml + ``` * For option 2, uninstall using Helm: - ```command - $ helm delete --purge istio - ``` + ```command + $ helm delete --purge istio + ``` 
diff --git a/content/docs/tasks/security/mutual-tls.md b/content/docs/tasks/security/mutual-tls.md index 898916367d..59607046a9 100644 --- a/content/docs/tasks/security/mutual-tls.md +++ b/content/docs/tasks/security/mutual-tls.md 
@@ -59,59 +59,67 @@ and send request to other services by curl. There are several steps: 1. get the productpage pod name - ```command - $ kubectl get pods -l app=productpage - NAME READY STATUS RESTARTS AGE - productpage-v1-4184313719-5mxjc 2/2 Running 0 23h - ``` + + ```command + $ kubectl get pods -l app=productpage + NAME READY STATUS RESTARTS AGE + productpage-v1-4184313719-5mxjc 2/2 Running 0 23h + ``` - Make sure the pod is "Running". + Make sure the pod is "Running". 1. ssh into the Envoy container - ```command - $ kubectl exec -it productpage-v1-4184313719-5mxjc -c istio-proxy /bin/bash - ``` + + ```command + $ kubectl exec -it productpage-v1-4184313719-5mxjc -c istio-proxy /bin/bash + ``` 1. make sure the key/cert is in /etc/certs/ directory - ```command - $ ls /etc/certs/ - cert-chain.pem key.pem root-cert.pem - ``` + + ```command + $ ls /etc/certs/ + cert-chain.pem key.pem root-cert.pem + ``` - > `cert-chain.pem` is Envoy's cert that needs to present to the other side. `key.pem` is Envoy's private key - paired with Envoy's cert in `cert-chain.pem`. `root-cert.pem` is the root cert to verify the peer's cert. - In this example, we only have one Citadel in a cluster, so all Envoys have the same `root-cert.pem`. + > `cert-chain.pem` is Envoy's cert that needs to present to the other side. `key.pem` is Envoy's private key + paired with Envoy's cert in `cert-chain.pem`. `root-cert.pem` is the root cert to verify the peer's cert. + In this example, we only have one Citadel in a cluster, so all Envoys have the same `root-cert.pem`. 1. 
make sure 'curl' is installed by - ```command - $ curl - ``` - If curl is installed, you should see something like - ```plain - curl: try 'curl --help' or 'curl --manual' for more information - ``` + + ```command + $ curl + ``` + + If curl is installed, you should see something like + + ```plain + curl: try 'curl --help' or 'curl --manual' for more information + ``` - Otherwise run the command below to start over - ```command - $ kubectl apply -f <(istioctl kube-inject --debug -f samples/bookinfo/kube/bookinfo.yaml) - ``` + Otherwise run the command below to start over + + ```command + $ kubectl apply -f <(istioctl kube-inject --debug -f samples/bookinfo/kube/bookinfo.yaml) + ``` - > Istio proxy image does not have curl installed while the debug image does. The "--debug" flag in above command redeploys the service with debug image. + > Istio proxy image does not have curl installed while the debug image does. The "--debug" flag in above command redeploys the service with debug image. 1. send requests to another service, for example, details. - ```command - $ curl https://details:9080/details/0 -v --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k - ... - error fetching CN from cert:The requested data were not available. - ... - < HTTP/1.1 200 OK - < content-type: text/html; charset=utf-8 - < content-length: 1867 - < server: envoy - < date: Thu, 11 May 2017 18:59:42 GMT - < x-envoy-upstream-service-time: 2 - ... - ``` + + ```command + $ curl https://details:9080/details/0 -v --key /etc/certs/key.pem --cert /etc/certs/cert-chain.pem --cacert /etc/certs/root-cert.pem -k + ... + error fetching CN from cert:The requested data were not available. + ... + < HTTP/1.1 200 OK + < content-type: text/html; charset=utf-8 + < content-length: 1867 + < server: envoy + < date: Thu, 11 May 2017 18:59:42 GMT + < x-envoy-upstream-service-time: 2 + ... 
+ ``` The service name and port are defined [here](https://github.com/istio/istio/blob/master/samples/bookinfo/kube/bookinfo.yaml). diff --git a/content/docs/tasks/traffic-management/ingress.md b/content/docs/tasks/traffic-management/ingress.md index ea45129652..340194e817 100644 --- a/content/docs/tasks/traffic-management/ingress.md +++ b/content/docs/tasks/traffic-management/ingress.md 
@@ -204,52 +204,52 @@ In this subsection we add to our gateway the port 443 to handle the HTTPS traffi 1. Create a Kubernetes `Secret` to hold the key/cert - Create the secret `istio-ingressgateway-certs` in namespace `istio-system` using `kubectl`. The Istio gateway - will automatically load the secret. + Create the secret `istio-ingressgateway-certs` in namespace `istio-system` using `kubectl`. The Istio gateway + will automatically load the secret. - > The secret MUST be called `istio-ingressgateway-certs` in the `istio-system` namespace, or it will not - be mounted and available to the Istio gateway. + > The secret MUST be called `istio-ingressgateway-certs` in the `istio-system` namespace, or it will not + be mounted and available to the Istio gateway. - ```command - $ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key /tmp/tls.key --cert /tmp/tls.crt - ``` + ```command + $ kubectl create -n istio-system secret tls istio-ingressgateway-certs --key /tmp/tls.key --cert /tmp/tls.crt + ``` - Note that by default all service accounts in the `istio-system` namespace can access this ingress key/cert, - which risks leaking the key/cert. You can change the Role-Based Access Control (RBAC) rules to protect them. - See (Link TBD) for details. + Note that by default all service accounts in the `istio-system` namespace can access this ingress key/cert, + which risks leaking the key/cert. You can change the Role-Based Access Control (RBAC) rules to protect them. + See (Link TBD) for details. 1. Add to the previous `Gateway` definition a server section for the port 443. - > The location of the certificate and the private key MUST be `/etc/istio/ingressgateway-certs`, or the gateway will fail to load them. + > The location of the certificate and the private key MUST be `/etc/istio/ingressgateway-certs`, or the gateway will fail to load them. - ```bash - cat <
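Review bot: in the helm-install.md hunk at `@@ -27,18 +27,18 @@`, the "With automatic sidecar injection" `helm template` command has no `> $HOME/istio.yaml` redirect even though the step says to render the components to a manifest called `istio.yaml` and the "Without sidecar injection" variant ends with `> $HOME/istio.yaml`; append the same redirect so the following "Install the components via the manifest" step has a file to apply. The same command uses `--set sidecar-injector.enabled=true` while the Helm install hunk further down uses `--set sidecarInjectorWebhook.enabled=false`; these two value keys should be reconciled against the chart, since only one of them can be the key the chart actually reads.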
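Review bot: in the helm-install.md hunk at `@@ -57,29 +57,29 @@`, the "With automatic sidecar injection" `helm install` command sets no injector value at all and relies on the chart default, whereas the `helm template` variant earlier in the file sets the injector explicitly; either state that the webhook is enabled by default or set it explicitly so the two installation options are documented the same way.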
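Review bot: in the mutual-tls.md hunk at `@@ -59,59 +59,67 @@`, the `curl` example combines `--cacert /etc/certs/root-cert.pem` with `-k`, and `-k` disables server certificate verification, so the `--cacert` argument has no effect in this command; since the captured output shows `error fetching CN from cert:The requested data were not available.`, add a sentence explaining that `-k` is used only because curl cannot validate the peer name from this certificate, so that readers do not carry `-k` into other mTLS checks. Two smaller points: the step heading "ssh into the Envoy container" describes a `kubectl exec`, so "exec into" is the accurate wording, and the `--debug` redeploy is for troubleshooting with the debug image only, which the blockquote could say outright.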
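Review bot: in the ingress.md hunk at `@@ -204,52 +204,52 @@`, the paragraph that warns that every service account in `istio-system` can read the ingress key/cert ends with `See (Link TBD) for details.`, which ships a placeholder next to a key-leak warning and leaves readers without the RBAC mitigation it promises; link the RBAC guidance or drop the sentence before merging. It would also help to remind readers to remove `/tmp/tls.key` once `kubectl create -n istio-system secret tls istio-ingressgateway-certs` has succeeded, so the private key does not linger on the workstation.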