gateway-api: add Gateway API instructions to wildcard egress doc (#14654)

* gateway-api: add Gateway API instructions to wildcard egress doc

* v1beta1

* regen

content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/gtwapi_test.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source "tests/util/gateway-api.sh"
+install_gateway_api_crds
+
+# @setup profile=none
+source "content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/test.sh"
+
+# @cleanup
+snip_cleanup_egress_gateway_traffic_to_a_wildcard_host_2
+snip_cleanup_1
+snip_cleanup_2
+kubectl delete ns istio-system
+kubectl label namespace default istio-injection-
+remove_gateway_api_crds

content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md

@@ -23,22 +23,42 @@ Each version of `wikipedia.org` in a particular language has its own hostname, e
 You want to enable egress traffic by common configuration items for all the Wikipedia sites,
 without the need to specify every language's site separately.
 
+{{< boilerplate gateway-api-gamma-support >}}
+
 ## Before you begin
 
-*   Install Istio using the `demo` [configuration profile](/docs/setup/additional-setup/config-profiles/)
-    and with the blocking-by-default outbound traffic policy:
+*   Install Istio with access logging enabled and with the blocking-by-default outbound traffic policy:
 
-    {{< text bash >}}
-    $ istioctl install --set profile=demo --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
-    {{< /text >}}
+{{< tabset category-name="config-api" >}}
 
-    {{< tip >}}
-    You can run this task on an Istio configuration other than the `demo` profile as long as you make sure to
-    [deploy the Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway),
-    [enable Envoy’s access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging), and
-    [apply the blocking-by-default outbound traffic policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy)
-    in your installation.
-    {{< /tip >}}
+{{< tab name="Istio APIs" category-value="istio-apis" >}}
+
+{{< text bash >}}
+$ istioctl install --set profile=demo --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
+{{< /text >}}
+
+{{< tip >}}
+You can run this task on an Istio configuration other than the `demo` profile as long as you make sure to
+[deploy the Istio egress gateway](/docs/tasks/traffic-management/egress/egress-gateway/#deploy-istio-egress-gateway),
+[enable Envoy’s access logging](/docs/tasks/observability/logs/access-log/#enable-envoy-s-access-logging), and
+[apply the blocking-by-default outbound traffic policy](/docs/tasks/traffic-management/egress/egress-control/#change-to-the-blocking-by-default-policy)
+in your installation.
+{{< /tip >}}
+
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text bash >}}
+$ istioctl install --set profile=minimal -y \
+    --set values.pilot.env.PILOT_ENABLE_ALPHA_GATEWAY_API=true \
+    --set meshConfig.accessLogFile=/dev/stdout \
+    --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
 
 *   Deploy the [sleep]({{< github_tree >}}/samples/sleep) sample app to use as a test source for sending requests.
     If you have
@@ -124,77 +144,154 @@ the configured route destination will not be the same as the configured host,
 i.e., the wildcard. It will instead be configured with the host of the single server for
 the set of domains.
 
-1.  Create an egress `Gateway` for _*.wikipedia.org_, a destination rule and a virtual service
-    to direct the traffic through the egress gateway and from the egress gateway to the external service.
+1.  Create an egress `Gateway` for _*.wikipedia.org_ and route rules
+    to direct the traffic through the egress gateway and from the egress gateway to the external service:
 
-    {{< text bash >}}
-    $ kubectl apply -f - <<EOF
-    apiVersion: networking.istio.io/v1alpha3
-    kind: Gateway
-    metadata:
-      name: istio-egressgateway
-    spec:
-      selector:
-        istio: egressgateway
-      servers:
-      - port:
-          number: 443
-          name: https
-          protocol: HTTPS
-        hosts:
-        - "*.wikipedia.org"
-        tls:
-          mode: PASSTHROUGH
-    ---
-    apiVersion: networking.istio.io/v1alpha3
-    kind: DestinationRule
-    metadata:
-      name: egressgateway-for-wikipedia
-    spec:
-      host: istio-egressgateway.istio-system.svc.cluster.local
-      subsets:
-        - name: wikipedia
-    ---
-    apiVersion: networking.istio.io/v1alpha3
-    kind: VirtualService
-    metadata:
-      name: direct-wikipedia-through-egress-gateway
-    spec:
-      hosts:
-      - "*.wikipedia.org"
-      gateways:
+{{< tabset category-name="config-api" >}}
+
+{{< tab name="Istio APIs" category-value="istio-apis" >}}
+
+{{< text bash >}}
+$ kubectl apply -f - <<EOF
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+  name: istio-egressgateway
+spec:
+  selector:
+    istio: egressgateway
+  servers:
+  - port:
+      number: 443
+      name: https
+      protocol: HTTPS
+    hosts:
+    - "*.wikipedia.org"
+    tls:
+      mode: PASSTHROUGH
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: DestinationRule
+metadata:
+  name: egressgateway-for-wikipedia
+spec:
+  host: istio-egressgateway.istio-system.svc.cluster.local
+  subsets:
+    - name: wikipedia
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: direct-wikipedia-through-egress-gateway
+spec:
+  hosts:
+  - "*.wikipedia.org"
+  gateways:
+  - mesh
+  - istio-egressgateway
+  tls:
+  - match:
+    - gateways:
       - mesh
+      port: 443
+      sniHosts:
+      - "*.wikipedia.org"
+    route:
+    - destination:
+        host: istio-egressgateway.istio-system.svc.cluster.local
+        subset: wikipedia
+        port:
+          number: 443
+      weight: 100
+  - match:
+    - gateways:
       - istio-egressgateway
-      tls:
-      - match:
-        - gateways:
-          - mesh
-          port: 443
-          sniHosts:
-          - "*.wikipedia.org"
-        route:
-        - destination:
-            host: istio-egressgateway.istio-system.svc.cluster.local
-            subset: wikipedia
-            port:
-              number: 443
-          weight: 100
-      - match:
-        - gateways:
-          - istio-egressgateway
-          port: 443
-          sniHosts:
-          - "*.wikipedia.org"
-        route:
-        - destination:
-            host: www.wikipedia.org
-            port:
-              number: 443
-          weight: 100
-    EOF
-    {{< /text >}}
+      port: 443
+      sniHosts:
+      - "*.wikipedia.org"
+    route:
+    - destination:
+        host: www.wikipedia.org
+        port:
+          number: 443
+      weight: 100
+EOF
+{{< /text >}}
 
-1.  Create a `ServiceEntry` for the destination server, _www.wikipedia.org_.
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text bash >}}
+$ kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: wikipedia-egress-gateway
+  annotations:
+    networking.istio.io/service-type: ClusterIP
+spec:
+  gatewayClassName: istio
+  listeners:
+  - name: tls
+    hostname: "*.wikipedia.org"
+    port: 443
+    protocol: TLS
+    tls:
+      mode: Passthrough
+    allowedRoutes:
+      namespaces:
+        from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: direct-wikipedia-to-egress-gateway
+spec:
+  parentRefs:
+  - kind: ServiceEntry
+    group: networking.istio.io
+    name: wikipedia
+  rules:
+  - backendRefs:
+    - name: wikipedia-egress-gateway-istio
+      port: 443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: forward-wikipedia-from-egress-gateway
+spec:
+  parentRefs:
+  - name: wikipedia-egress-gateway
+  hostnames:
+  - "*.wikipedia.org"
+  rules:
+  - backendRefs:
+    - kind: Hostname
+      group: networking.istio.io
+      name: www.wikipedia.org
+      port: 443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: wikipedia
+spec:
+  hosts:
+  - "*.wikipedia.org"
+  ports:
+  - number: 443
+    name: https
+    protocol: HTTPS
+EOF
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+2)  Create a `ServiceEntry` for the destination server, _www.wikipedia.org_:
 
     {{< text bash >}}
     $ kubectl apply -f - <<EOF
@@ -213,7 +310,7 @@ the set of domains.
     EOF
     {{< /text >}}
 
-1.  Send HTTPS requests to
+3)  Send HTTPS requests to
     [https://en.wikipedia.org](https://en.wikipedia.org) and [https://de.wikipedia.org](https://de.wikipedia.org):
 
     {{< text bash >}}
@@ -222,17 +319,37 @@ the set of domains.
     <title>Wikipedia – Die freie Enzyklopädie</title>
     {{< /text >}}
 
-1.  Check the statistics of the egress gateway's proxy for the counter that corresponds to your
-    requests to _*.wikipedia.org_. If Istio is deployed in the `istio-system` namespace, the command to print the
-    counter is:
+4)  Check the statistics of the egress gateway's proxy for the counter that corresponds to your
+    requests to _*.wikipedia.org_:
 
-    {{< text bash >}}
-    $ kubectl exec "$(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}')" -c istio-proxy -n istio-system -- pilot-agent request GET clusters | grep '^outbound|443||www.wikipedia.org.*cx_total:'
-    outbound|443||www.wikipedia.org::208.80.154.224:443::cx_total::2
-    {{< /text >}}
+{{< tabset category-name="config-api" >}}
+
+{{< tab name="Istio APIs" category-value="istio-apis" >}}
+
+{{< text bash >}}
+$ kubectl exec "$(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}')" -c istio-proxy -n istio-system -- pilot-agent request GET clusters | grep '^outbound|443||www.wikipedia.org.*cx_total:'
+outbound|443||www.wikipedia.org::208.80.154.224:443::cx_total::2
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text bash >}}
+$ kubectl exec "$(kubectl get pod -l gateway.networking.k8s.io/gateway-name=wikipedia-egress-gateway -o jsonpath='{.items[0].metadata.name}')" -c istio-proxy -- pilot-agent request GET clusters | grep '^outbound|443||www.wikipedia.org.*cx_total:'
+outbound|443||www.wikipedia.org::208.80.154.224:443::cx_total::2
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
 
 ### Cleanup egress gateway traffic to a wildcard host
 
+{{< tabset category-name="config-api" >}}
+
+{{< tab name="Istio APIs" category-value="istio-apis" >}}
+
 {{< text bash >}}
 $ kubectl delete serviceentry www-wikipedia
 $ kubectl delete gateway istio-egressgateway
@@ -240,6 +357,22 @@ $ kubectl delete virtualservice direct-wikipedia-through-egress-gateway
 $ kubectl delete destinationrule egressgateway-for-wikipedia
 {{< /text >}}
 
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text bash >}}
+$ kubectl delete se wikipedia
+$ kubectl delete se www-wikipedia
+$ kubectl delete gtw wikipedia-egress-gateway
+$ kubectl delete tlsroute direct-wikipedia-to-egress-gateway
+$ kubectl delete tlsroute forward-wikipedia-from-egress-gateway
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
 ## Wildcard configuration for arbitrary domains
 
 The configuration in the previous section worked because all the `*.wikipedia.org` sites can be served by any one

content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/snips.sh

@@ -19,20 +19,28 @@
 # WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
 #          docs/tasks/traffic-management/egress/wildcard-egress-hosts/index.md
 ####################################################################################################
+source "content/en/boilerplates/snips/gateway-api-gamma-support.sh"
 
 snip_before_you_begin_1() {
 istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set profile=demo --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
 }
 
 snip_before_you_begin_2() {
-kubectl apply -f samples/sleep/sleep.yaml
+istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set profile=minimal -y \
+    --set values.pilot.env.PILOT_ENABLE_ALPHA_GATEWAY_API=true \
+    --set meshConfig.accessLogFile=/dev/stdout \
+    --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY
 }
 
 snip_before_you_begin_3() {
-kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml)
+kubectl apply -f samples/sleep/sleep.yaml
 }
 
 snip_before_you_begin_4() {
+kubectl apply -f <(istioctl kube-inject -f samples/sleep/sleep.yaml)
+}
+
+snip_before_you_begin_5() {
 export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
 }
 
@@ -134,6 +142,71 @@ EOF
 
 snip_configure_egress_gateway_traffic_to_a_wildcard_host_2() {
 kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: wikipedia-egress-gateway
+  annotations:
+    networking.istio.io/service-type: ClusterIP
+spec:
+  gatewayClassName: istio
+  listeners:
+  - name: tls
+    hostname: "*.wikipedia.org"
+    port: 443
+    protocol: TLS
+    tls:
+      mode: Passthrough
+    allowedRoutes:
+      namespaces:
+        from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: direct-wikipedia-to-egress-gateway
+spec:
+  parentRefs:
+  - kind: ServiceEntry
+    group: networking.istio.io
+    name: wikipedia
+  rules:
+  - backendRefs:
+    - name: wikipedia-egress-gateway-istio
+      port: 443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: forward-wikipedia-from-egress-gateway
+spec:
+  parentRefs:
+  - name: wikipedia-egress-gateway
+  hostnames:
+  - "*.wikipedia.org"
+  rules:
+  - backendRefs:
+    - kind: Hostname
+      group: networking.istio.io
+      name: www.wikipedia.org
+      port: 443
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: ServiceEntry
+metadata:
+  name: wikipedia
+spec:
+  hosts:
+  - "*.wikipedia.org"
+  ports:
+  - number: 443
+    name: https
+    protocol: HTTPS
+EOF
+}
+
+snip_configure_egress_gateway_traffic_to_a_wildcard_host_3() {
+kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1alpha3
 kind: ServiceEntry
 metadata:
@@ -149,20 +222,28 @@ spec:
 EOF
 }
 
-snip_configure_egress_gateway_traffic_to_a_wildcard_host_3() {
+snip_configure_egress_gateway_traffic_to_a_wildcard_host_4() {
 kubectl exec "$SOURCE_POD" -c sleep -- sh -c 'curl -s https://en.wikipedia.org/wiki/Main_Page | grep -o "<title>.*</title>"; curl -s https://de.wikipedia.org/wiki/Wikipedia:Hauptseite | grep -o "<title>.*</title>"'
 }
 
-! read -r -d '' snip_configure_egress_gateway_traffic_to_a_wildcard_host_3_out <<\ENDSNIP
+! read -r -d '' snip_configure_egress_gateway_traffic_to_a_wildcard_host_4_out <<\ENDSNIP
 <title>Wikipedia, the free encyclopedia</title>
 <title>Wikipedia – Die freie Enzyklopädie</title>
 ENDSNIP
 
-snip_configure_egress_gateway_traffic_to_a_wildcard_host_4() {
+snip_configure_egress_gateway_traffic_to_a_wildcard_host_5() {
 kubectl exec "$(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}')" -c istio-proxy -n istio-system -- pilot-agent request GET clusters | grep '^outbound|443||www.wikipedia.org.*cx_total:'
 }
 
-! read -r -d '' snip_configure_egress_gateway_traffic_to_a_wildcard_host_4_out <<\ENDSNIP
+! read -r -d '' snip_configure_egress_gateway_traffic_to_a_wildcard_host_5_out <<\ENDSNIP
+outbound|443||www.wikipedia.org::208.80.154.224:443::cx_total::2
+ENDSNIP
+
+snip_configure_egress_gateway_traffic_to_a_wildcard_host_6() {
+kubectl exec "$(kubectl get pod -l gateway.networking.k8s.io/gateway-name=wikipedia-egress-gateway -o jsonpath='{.items[0].metadata.name}')" -c istio-proxy -- pilot-agent request GET clusters | grep '^outbound|443||www.wikipedia.org.*cx_total:'
+}
+
+! read -r -d '' snip_configure_egress_gateway_traffic_to_a_wildcard_host_6_out <<\ENDSNIP
 outbound|443||www.wikipedia.org::208.80.154.224:443::cx_total::2
 ENDSNIP
 
@@ -173,6 +254,14 @@ kubectl delete virtualservice direct-wikipedia-through-egress-gateway
 kubectl delete destinationrule egressgateway-for-wikipedia
 }
 
+snip_cleanup_egress_gateway_traffic_to_a_wildcard_host_2() {
+kubectl delete se wikipedia
+kubectl delete se www-wikipedia
+kubectl delete gtw wikipedia-egress-gateway
+kubectl delete tlsroute direct-wikipedia-to-egress-gateway
+kubectl delete tlsroute forward-wikipedia-from-egress-gateway
+}
+
 snip_cleanup_1() {
 kubectl delete -f samples/sleep/sleep.yaml
 }

content/en/docs/tasks/traffic-management/egress/wildcard-egress-hosts/test.sh

@@ -21,14 +21,20 @@ set -e
 set -u
 set -o pipefail
 
-echo y | snip_before_you_begin_1
+GATEWAY_API="${GATEWAY_API:-false}"
+
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_before_you_begin_2
+else
+    echo y | snip_before_you_begin_1
+fi
 _wait_for_deployment istio-system istiod
 
 kubectl label namespace default istio-injection=enabled --overwrite
 
-snip_before_you_begin_2
+snip_before_you_begin_3
 _wait_for_deployment default sleep
-snip_before_you_begin_4
+snip_before_you_begin_5
 
 confirm_blocking() {
 kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://www.google.com | grep  "HTTP/"; kubectl exec "$SOURCE_POD" -c sleep -- curl -sS -I https://edition.cnn.com | grep "HTTP/"
@@ -42,27 +48,35 @@ _verify_same snip_configure_direct_traffic_to_a_wildcard_host_2 "$snip_configure
 
 snip_cleanup_direct_traffic_to_a_wildcard_host_1
 
-snip_configure_egress_gateway_traffic_to_a_wildcard_host_1
-_wait_for_istio gateway default istio-egressgateway
-_wait_for_istio destinationrule default egressgateway-for-wikipedia
-_wait_for_istio virtualservice default direct-wikipedia-through-egress-gateway
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_configure_egress_gateway_traffic_to_a_wildcard_host_2
+    kubectl wait --for=condition=programmed gtw wikipedia-egress-gateway
+else
+    snip_configure_egress_gateway_traffic_to_a_wildcard_host_1
+    _wait_for_istio gateway default istio-egressgateway
+    _wait_for_istio destinationrule default egressgateway-for-wikipedia
+    _wait_for_istio virtualservice default direct-wikipedia-through-egress-gateway
+fi
 
-snip_configure_egress_gateway_traffic_to_a_wildcard_host_2
+snip_configure_egress_gateway_traffic_to_a_wildcard_host_3
 _wait_for_istio serviceentry default www-wikipedia
 
-_verify_same snip_configure_egress_gateway_traffic_to_a_wildcard_host_3 "$snip_configure_egress_gateway_traffic_to_a_wildcard_host_3_out"
+_verify_same snip_configure_egress_gateway_traffic_to_a_wildcard_host_4 "$snip_configure_egress_gateway_traffic_to_a_wildcard_host_4_out"
 
-_verify_contains snip_configure_egress_gateway_traffic_to_a_wildcard_host_4 "outbound|443||www.wikipedia.org"
-
-snip_cleanup_egress_gateway_traffic_to_a_wildcard_host_1
+if [ "$GATEWAY_API" == "true" ]; then
+    _verify_contains snip_configure_egress_gateway_traffic_to_a_wildcard_host_6 "outbound|443||www.wikipedia.org"
+    snip_cleanup_egress_gateway_traffic_to_a_wildcard_host_2
+else
+    _verify_contains snip_configure_egress_gateway_traffic_to_a_wildcard_host_5 "outbound|443||www.wikipedia.org"
+    snip_cleanup_egress_gateway_traffic_to_a_wildcard_host_1
+fi
 
 # @cleanup
-snip_cleanup_direct_traffic_to_a_wildcard_host_1
-
-snip_cleanup_egress_gateway_traffic_to_a_wildcard_host_1
-
-snip_cleanup_1
-echo y | snip_cleanup_2
-
-kubectl delete ns istio-system
-kubectl label namespace default istio-injection-
+if [ "$GATEWAY_API" != "true" ]; then
+    snip_cleanup_direct_traffic_to_a_wildcard_host_1
+    snip_cleanup_egress_gateway_traffic_to_a_wildcard_host_1
+    snip_cleanup_1
+    snip_cleanup_2
+    kubectl delete ns istio-system
+    kubectl label namespace default istio-injection-
+fi