@oke-py
Created September 1, 2020 12:16
git diff upstream/release-1.17 fb6364d <file>
diff --git a/content/en/docs/setup/best-practices/certificates.md b/content/en/docs/setup/best-practices/certificates.md
index 6169b3f87..9e27b4094 100644
--- a/content/en/docs/setup/best-practices/certificates.md
+++ b/content/en/docs/setup/best-practices/certificates.md
@@ -2,20 +2,20 @@
title: PKI certificates and requirements
reviewers:
- sig-cluster-lifecycle
-content_template: templates/concept
+content_type: concept
weight: 40
---
-{{% capture overview %}}
+<!-- overview -->
Kubernetes requires PKI certificates for authentication over TLS.
If you install Kubernetes with [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/), the certificates that your cluster requires are automatically generated.
You can also generate your own certificates -- for example, to keep your private keys more secure by not storing them on the API server.
This page explains the certificates that your cluster requires.
-{{% /capture %}}
-{{% capture body %}}
+
+<!-- body -->
## How certificates are used by your cluster
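Review bot: the paired `{{% capture overview %}}` / `{{% /capture %}}` and `{{% capture body %}}` shortcodes are replaced by single `<!-- overview -->` and `<!-- body -->` markers that have no closing counterpart, which is consistent with the `content_type: concept` front matter introduced in the same hunk; the only closing `{{% /capture %}}` left in the file is the one deleted in the last hunk, so confirm no other capture shortcodes remain in the unshown lines between hunks, since a stray one would break rendering under the new layout.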
@@ -28,10 +28,10 @@ Kubernetes requires PKI for the following operations:
* Client certificate for the API server to talk to etcd
* Client certificate/kubeconfig for the controller manager to talk to the API server
* Client certificate/kubeconfig for the scheduler to talk to the API server.
-* Client and server certificates for the [front-proxy][proxy]
+* Client and server certificates for the [front-proxy](/docs/tasks/extend-kubernetes/configure-aggregation-layer/)
{{< note >}}
-`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/access-kubernetes-api/setup-extension-api-server/).
+`front-proxy` certificates are required only if you run kube-proxy to support [an extension API server](/docs/tasks/extend-kubernetes/setup-extension-api-server/).
{{< /note >}}
etcd also implements mutual TLS to authenticate clients and peers.
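Review bot: the note's link moves `setup-extension-api-server` from `/docs/tasks/access-kubernetes-api/` to `/docs/tasks/extend-kubernetes/`, the same path rename applied to the aggregation-layer link in the bullet above; both new targets should be verified together, because after the `[proxy]` definition is removed in the last hunk nothing else in the file points at the old `access-kubernetes-api` location.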
@@ -54,7 +54,7 @@ Required CAs:
|------------------------|---------------------------|----------------------------------|
| ca.crt,key | kubernetes-ca | Kubernetes general CA |
| etcd/ca.crt,key | etcd-ca | For all etcd-related functions |
-| front-proxy-ca.crt,key | kubernetes-front-proxy-ca | For the [front-end proxy][proxy] |
+| front-proxy-ca.crt,key | kubernetes-front-proxy-ca | For the [front-end proxy](/docs/tasks/extend-kubernetes/configure-aggregation-layer/) |
On top of the above CAs, it is also necessary to get a public/private key pair for service account management, `sa.key` and `sa.pub`.
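Review bot: inlining `[proxy]` here also retargets it: the definition removed in the last hunk pointed to `/docs/tasks/access-kubernetes-api/configure-aggregation-layer/`, while the new inline link uses `/docs/tasks/extend-kubernetes/configure-aggregation-layer/`. If the retarget is intended, say so in the change description, since this is a link fix bundled into what otherwise reads as a pure shortcode migration.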
@@ -74,10 +74,11 @@ Required certificates:
| kube-apiserver-kubelet-client | kubernetes-ca | system:masters | client | |
| front-proxy-client | kubernetes-front-proxy-ca | | client | |
-[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm][kubeadm] the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
+[1]: any other IP or DNS name you contact your cluster on (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/)
+the load balancer stable IP and/or DNS name, `kubernetes`, `kubernetes.default`, `kubernetes.default.svc`,
`kubernetes.default.svc.cluster`, `kubernetes.default.svc.cluster.local`)
-where `kind` maps to one or more of the [x509 key usage][usage] types:
+where `kind` maps to one or more of the [x509 key usage](https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage) types:
| kind | Key usage |
|--------|---------------------------------------------------------------------------------|
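Review bot: the wrapped `[1]:` footnote now breaks inside the parenthetical right after `[kubeadm](...)`, so `the load balancer stable IP` opens the next source line with no visible start of clause; Markdown joins the two lines into one paragraph, so rendering is unaffected, but reflowing after `cluster on` would keep each source line readable. Note also that the inlined key-usage link hard-codes the `v1beta1` godoc path that was previously kept in the single `[usage]` definition, so a future API version change will need an edit at this line rather than at one definition.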
@@ -99,7 +100,8 @@ For kubeadm users only:
### Certificate paths
-Certificates should be placed in a recommended path (as used by [kubeadm][kubeadm]). Paths should be specified using the given argument regardless of location.
+Certificates should be placed in a recommended path (as used by [kubeadm](/docs/reference/setup-tools/kubeadm/kubeadm/)).
+Paths should be specified using the given argument regardless of location.
| Default CN | recommended key path | recommended cert path | command | key argument | cert argument |
|------------------------------|------------------------------|-----------------------------|----------------|------------------------------|-------------------------------------------|
@@ -160,8 +162,4 @@ These files are used as follows:
| controller-manager.conf | kube-controller-manager | Must be added to manifest in `manifests/kube-controller-manager.yaml` |
| scheduler.conf | kube-scheduler | Must be added to manifest in `manifests/kube-scheduler.yaml` |
-[usage]: https://godoc.org/k8s.io/api/certificates/v1beta1#KeyUsage
-[kubeadm]: /docs/reference/setup-tools/kubeadm/kubeadm/
-[proxy]: /docs/tasks/access-kubernetes-api/configure-aggregation-layer/
-{{% /capture %}}
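Review bot: deleting the `[usage]`, `[kubeadm]` and `[proxy]` reference definitions is only safe if every use has been inlined; the shown hunks inline `[proxy]` twice, `[kubeadm]` twice and `[usage]` once, so a search for `][usage]`, `][kubeadm]` and `][proxy]` over the whole file should confirm that the unshown lines (for example the "For kubeadm users only" section referenced in the `@@ -99,7 +100,8 @@` header) contain no remaining references, since an orphaned reference renders as literal bracket text.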