gateway-api: add Gateway API instructions to egress gateways doc (#14473)

* gateway-api: add Gateway API instructions to egress gateways doc

* network policies

* regen snips

* gtw test

* demo profile

* fix test

* more test fixes

* use gw

* remove crds

* wait for routes

* fix snip

* try retry request

* sleep

* sleep longer

* try next section

* lint

* use profile none

* uninstall -y

* go.sum

content/en/boilerplates/gateway-api-experimental.md

@@ -1,18 +0,0 @@
----
----
-{{< tip >}}
-{{< boilerplate gateway-api-future >}}
-{{< boilerplate gateway-api-choose >}}
-{{< /tip >}}
-
-{{< warning >}}
-The following Gateway API instructions include features that are both
-[experimental](https://gateway-api.sigs.k8s.io/geps/overview/#status)
-and Istio specific. Before using the Gateway API instructions, make sure to
-install the **experimental version** of the Gateway API CRDs:
-
-{{< text syntax=bash snip_id=install_experimental_crds >}}
-$ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl apply -f -
-{{< /text >}}
-
-{{< /warning >}}

content/en/boilerplates/gateway-api-gamma-support.md

@@ -6,11 +6,10 @@
 {{< /tip >}}
 
 {{< warning >}}
-Note that this document uses the Gateway API to configure internal mesh (east-west) traffic,
-i.e., not just ingress (north-south) traffic.
-Configuring internal mesh traffic is an
-[experimental feature](https://gateway-api.sigs.k8s.io/geps/overview/#status)
-of the Gateway API, currently under development.
+This document configures internal mesh (east-west) traffic
+that requires Gateway API features that are either
+[experimental](https://gateway-api.sigs.k8s.io/geps/overview/#status)
+or Istio specific.
 Before using the Gateway API instructions, make sure to:
 
 1) Install the **experimental version** of the Gateway API CRDs:

content/en/docs/tasks/traffic-management/egress/egress-control/index.md

@@ -257,7 +257,7 @@ Similar to inter-cluster requests, routing rules
 can also be configured for external services that are accessed using `ServiceEntry` configurations.
 In this example, you set a timeout rule on calls to the `httpbin.org` service.
 
-{{< boilerplate gateway-api-experimental >}}
+{{< boilerplate gateway-api-gamma-support >}}
 
 1)  From inside the pod being used as the test source, make a _curl_ request to the `/delay` endpoint of the
     httpbin.org external service:

content/en/docs/tasks/traffic-management/egress/egress-control/snips.sh

@@ -19,7 +19,7 @@
 # WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
 #          docs/tasks/traffic-management/egress/egress-control/index.md
 ####################################################################################################
-source "content/en/boilerplates/snips/gateway-api-experimental.sh"
+source "content/en/boilerplates/snips/gateway-api-gamma-support.sh"
 
 snip_before_you_begin_1() {
 kubectl apply -f samples/sleep/sleep.yaml

content/en/docs/tasks/traffic-management/egress/egress-gateway/gtwapi_test.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source "tests/util/gateway-api.sh"
+install_gateway_api_crds
+
+# @setup profile=none
+istioctl install --set profile=minimal --set values.pilot.env.PILOT_ENABLE_ALPHA_GATEWAY_API=true --set meshConfig.accessLogFile=/dev/stdout -y
+_wait_for_deployment istio-system istiod
+
+source "content/en/docs/tasks/traffic-management/egress/egress-gateway/test.sh"
+
+# @cleanup
+snip_cleanup_http_gateway_2
+snip_cleanup_https_gateway_2
+snip_cleanup_network_policies_2
+snip_cleanup_1
+
+istioctl uninstall --purge -y
+kubectl delete ns istio-system
+remove_gateway_api_crds

content/en/docs/tasks/traffic-management/egress/egress-gateway/snips.sh

@@ -19,7 +19,19 @@
 # WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
 #          docs/tasks/traffic-management/egress/egress-gateway/index.md
 ####################################################################################################
-source "content/en/boilerplates/snips/before-you-begin-egress.sh"
+source "content/en/boilerplates/snips/gateway-api-gamma-support.sh"
+
+snip_before_you_begin_1() {
+kubectl apply -f samples/sleep/sleep.yaml
+}
+
+snip_before_you_begin_2() {
+export SOURCE_POD=$(kubectl get pod -l app=sleep -o jsonpath={.items..metadata.name})
+}
+
+! read -r -d '' snip_before_you_begin_3 <<\ENDSNIP
+$ istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true <flags-you-used-to-install-Istio> --set meshConfig.accessLogFile=/dev/stdout
+ENDSNIP
 
 snip_deploy_istio_egress_gateway_1() {
 kubectl get pod -l istio=egressgateway -n istio-system
@@ -99,6 +111,27 @@ EOF
 
 snip_egress_gateway_for_http_traffic_4() {
 kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: cnn-egress-gateway
+  annotations:
+    networking.istio.io/service-type: ClusterIP
+spec:
+  gatewayClassName: istio
+  listeners:
+  - name: http
+    hostname: edition.cnn.com
+    port: 80
+    protocol: HTTP
+    allowedRoutes:
+      namespaces:
+        from: Same
+EOF
+}
+
+snip_egress_gateway_for_http_traffic_5() {
+kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1alpha3
 kind: VirtualService
 metadata:
@@ -134,11 +167,47 @@ spec:
 EOF
 }
 
-snip_egress_gateway_for_http_traffic_5() {
+snip_egress_gateway_for_http_traffic_6() {
+kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: direct-cnn-to-egress-gateway
+spec:
+  parentRefs:
+  - kind: ServiceEntry
+    group: networking.istio.io
+    name: cnn
+  hostnames:
+  - edition.cnn.com
+  rules:
+  - backendRefs:
+    - name: cnn-egress-gateway-istio
+      port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: forward-cnn-from-egress-gateway
+spec:
+  parentRefs:
+  - name: cnn-egress-gateway
+  hostnames:
+  - edition.cnn.com
+  rules:
+  - backendRefs:
+    - kind: Hostname
+      group: networking.istio.io
+      name: edition.cnn.com
+      port: 80
+EOF
+}
+
+snip_egress_gateway_for_http_traffic_7() {
 kubectl exec "$SOURCE_POD" -c sleep -- curl -sSL -o /dev/null -D - http://edition.cnn.com/politics
 }
 
-! read -r -d '' snip_egress_gateway_for_http_traffic_5_out <<\ENDSNIP
+! read -r -d '' snip_egress_gateway_for_http_traffic_7_out <<\ENDSNIP
 ...
 HTTP/1.1 301 Moved Permanently
 ...
@@ -150,21 +219,36 @@ Content-Type: text/html; charset=utf-8
 ...
 ENDSNIP
 
-snip_egress_gateway_for_http_traffic_6() {
+snip_egress_gateway_for_http_traffic_8() {
 kubectl logs -l istio=egressgateway -c istio-proxy -n istio-system | tail
 }
 
-! read -r -d '' snip_egress_gateway_for_http_traffic_7 <<\ENDSNIP
+! read -r -d '' snip_egress_gateway_for_http_traffic_9 <<\ENDSNIP
 [2019-09-03T20:57:49.103Z] "GET /politics HTTP/2" 301 - "-" "-" 0 0 90 89 "10.244.2.10" "curl/7.64.0" "ea379962-9b5c-4431-ab66-f01994f5a5a5" "edition.cnn.com" "151.101.65.67:80" outbound|80||edition.cnn.com - 10.244.1.5:80 10.244.2.10:50482 edition.cnn.com -
 ENDSNIP
 
+snip_egress_gateway_for_http_traffic_10() {
+kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
+}
+
+! read -r -d '' snip_egress_gateway_for_http_traffic_11 <<\ENDSNIP
+[2024-01-09T15:35:47.283Z] "GET /politics HTTP/1.1" 301 - via_upstream - "-" 0 0 2 2 "172.30.239.55" "curl/7.87.0-DEV" "6c01d65f-a157-97cd-8782-320a40026901" "edition.cnn.com" "151.101.195.5:80" outbound|80||edition.cnn.com 172.30.239.16:55636 172.30.239.16:80 172.30.239.55:59224 - default.forward-cnn-from-egress-gateway.0
+ENDSNIP
+
 snip_cleanup_http_gateway_1() {
-kubectl delete gateway istio-egressgateway
 kubectl delete serviceentry cnn
+kubectl delete gateway istio-egressgateway
 kubectl delete virtualservice direct-cnn-through-egress-gateway
 kubectl delete destinationrule egressgateway-for-cnn
 }
 
+snip_cleanup_http_gateway_2() {
+kubectl delete serviceentry cnn
+kubectl delete gtw cnn-egress-gateway
+kubectl delete httproute direct-cnn-to-egress-gateway
+kubectl delete httproute forward-cnn-from-egress-gateway
+}
+
 snip_egress_gateway_for_https_traffic_1() {
 kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1alpha3
@@ -260,24 +344,87 @@ EOF
 }
 
 snip_egress_gateway_for_https_traffic_4() {
+kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: cnn-egress-gateway
+  annotations:
+    networking.istio.io/service-type: ClusterIP
+spec:
+  gatewayClassName: istio
+  listeners:
+  - name: tls
+    hostname: edition.cnn.com
+    port: 443
+    protocol: TLS
+    tls:
+      mode: Passthrough
+    allowedRoutes:
+      namespaces:
+        from: Same
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: direct-cnn-to-egress-gateway
+spec:
+  parentRefs:
+  - kind: ServiceEntry
+    group: networking.istio.io
+    name: cnn
+  hostnames:
+  - edition.cnn.com
+  rules:
+  - backendRefs:
+    - name: cnn-egress-gateway-istio
+      port: 443
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: forward-cnn-from-egress-gateway
+spec:
+  parentRefs:
+  - name: cnn-egress-gateway
+  hostnames:
+  - edition.cnn.com
+  rules:
+  - backendRefs:
+    - kind: Hostname
+      group: networking.istio.io
+      name: edition.cnn.com
+      port: 443
+EOF
+}
+
+snip_egress_gateway_for_https_traffic_5() {
 kubectl exec "$SOURCE_POD" -c sleep -- curl -sSL -o /dev/null -D - https://edition.cnn.com/politics
 }
 
-! read -r -d '' snip_egress_gateway_for_https_traffic_4_out <<\ENDSNIP
+! read -r -d '' snip_egress_gateway_for_https_traffic_5_out <<\ENDSNIP
 ...
 HTTP/2 200
 Content-Type: text/html; charset=utf-8
 ...
 ENDSNIP
 
-snip_egress_gateway_for_https_traffic_5() {
+snip_egress_gateway_for_https_traffic_6() {
 kubectl logs -l istio=egressgateway -n istio-system
 }
 
-! read -r -d '' snip_egress_gateway_for_https_traffic_6 <<\ENDSNIP
+! read -r -d '' snip_egress_gateway_for_https_traffic_7 <<\ENDSNIP
 [2019-01-02T11:46:46.981Z] "- - -" 0 - 627 1879689 44 - "-" "-" "-" "-" "151.101.129.67:443" outbound|443||edition.cnn.com 172.30.109.80:41122 172.30.109.80:443 172.30.109.112:59970 edition.cnn.com
 ENDSNIP
 
+snip_egress_gateway_for_https_traffic_8() {
+kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
+}
+
+! read -r -d '' snip_egress_gateway_for_https_traffic_9 <<\ENDSNIP
+[2024-01-11T21:09:42.835Z] "- - -" 0 - - - "-" 839 2504306 231 - "-" "-" "-" "-" "151.101.195.5:443" outbound|443||edition.cnn.com 172.30.239.8:34470 172.30.239.8:443 172.30.239.15:43956 edition.cnn.com -
+ENDSNIP
+
 snip_cleanup_https_gateway_1() {
 kubectl delete serviceentry cnn
 kubectl delete gateway istio-egressgateway
@@ -285,6 +432,13 @@ kubectl delete virtualservice direct-cnn-through-egress-gateway
 kubectl delete destinationrule egressgateway-for-cnn
 }
 
+snip_cleanup_https_gateway_2() {
+kubectl delete serviceentry cnn
+kubectl delete gtw cnn-egress-gateway
+kubectl delete tlsroute direct-cnn-to-egress-gateway
+kubectl delete tlsroute forward-cnn-from-egress-gateway
+}
+
 snip_apply_kubernetes_network_policies_1() {
 kubectl create namespace test-egress
 }
@@ -315,10 +469,15 @@ kubectl label namespace istio-system istio=system
 }
 
 snip_apply_kubernetes_network_policies_6() {
-kubectl label ns kube-system kube-system=true
+kubectl label namespace istio-system istio=system
+kubectl label namespace default gateway=true
 }
 
 snip_apply_kubernetes_network_policies_7() {
+kubectl label ns kube-system kube-system=true
+}
+
+snip_apply_kubernetes_network_policies_8() {
 cat <<EOF | kubectl apply -n test-egress -f -
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -343,11 +502,40 @@ spec:
 EOF
 }
 
-snip_apply_kubernetes_network_policies_8() {
+snip_apply_kubernetes_network_policies_9() {
+cat <<EOF | kubectl apply -n test-egress -f -
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-egress-to-istio-system-and-kube-dns
+spec:
+  podSelector: {}
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kube-system: "true"
+    ports:
+    - protocol: UDP
+      port: 53
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          istio: system
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          gateway: "true"
+EOF
+}
+
+snip_apply_kubernetes_network_policies_10() {
 kubectl exec "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -c sleep -- curl -v -sS https://edition.cnn.com/politics
 }
 
-! read -r -d '' snip_apply_kubernetes_network_policies_8_out <<\ENDSNIP
+! read -r -d '' snip_apply_kubernetes_network_policies_10_out <<\ENDSNIP
 Hostname was NOT found in DNS cache
   Trying 151.101.65.67...
   Trying 2a04:4e42:200::323...
@@ -361,24 +549,24 @@ Immediate connect fail for 2a04:4e42::323: Cannot assign requested address
 connect to 151.101.65.67 port 443 failed: Connection timed out
 ENDSNIP
 
-snip_apply_kubernetes_network_policies_9() {
+snip_apply_kubernetes_network_policies_11() {
 kubectl label namespace test-egress istio-injection=enabled
 }
 
-snip_apply_kubernetes_network_policies_10() {
+snip_apply_kubernetes_network_policies_12() {
 kubectl delete deployment sleep -n test-egress
 kubectl apply -f samples/sleep/sleep.yaml -n test-egress
 }
 
-snip_apply_kubernetes_network_policies_11() {
+snip_apply_kubernetes_network_policies_13() {
 kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}'
 }
 
-! read -r -d '' snip_apply_kubernetes_network_policies_11_out <<\ENDSNIP
+! read -r -d '' snip_apply_kubernetes_network_policies_13_out <<\ENDSNIP
 sleep istio-proxy
 ENDSNIP
 
-snip_apply_kubernetes_network_policies_12() {
+snip_apply_kubernetes_network_policies_14() {
 kubectl apply -n test-egress -f - <<EOF
 apiVersion: networking.istio.io/v1alpha3
 kind: DestinationRule
@@ -391,22 +579,38 @@ spec:
 EOF
 }
 
-snip_apply_kubernetes_network_policies_13() {
+snip_apply_kubernetes_network_policies_15() {
+kubectl get pod "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -o jsonpath='{.spec.containers[*].name}'
+}
+
+! read -r -d '' snip_apply_kubernetes_network_policies_15_out <<\ENDSNIP
+sleep istio-proxy
+ENDSNIP
+
+snip_apply_kubernetes_network_policies_16() {
 kubectl exec "$(kubectl get pod -n test-egress -l app=sleep -o jsonpath={.items..metadata.name})" -n test-egress -c sleep -- curl -sS -o /dev/null -w "%{http_code}\n" https://edition.cnn.com/politics
 }
 
-! read -r -d '' snip_apply_kubernetes_network_policies_13_out <<\ENDSNIP
+! read -r -d '' snip_apply_kubernetes_network_policies_16_out <<\ENDSNIP
 200
 ENDSNIP
 
-snip_apply_kubernetes_network_policies_14() {
+snip_apply_kubernetes_network_policies_17() {
 kubectl logs -l istio=egressgateway -n istio-system
 }
 
-! read -r -d '' snip_apply_kubernetes_network_policies_15 <<\ENDSNIP
+! read -r -d '' snip_apply_kubernetes_network_policies_18 <<\ENDSNIP
 [2020-03-06T18:12:33.101Z] "- - -" 0 - "-" "-" 906 1352475 35 - "-" "-" "-" "-" "151.101.193.67:443" outbound|443||edition.cnn.com 172.30.223.53:39460 172.30.223.53:443 172.30.223.58:38138 edition.cnn.com -
 ENDSNIP
 
+snip_apply_kubernetes_network_policies_19() {
+kubectl logs -l istio.io/gateway-name=cnn-egress-gateway -c istio-proxy | tail
+}
+
+! read -r -d '' snip_apply_kubernetes_network_policies_20 <<\ENDSNIP
+[2024-01-12T19:54:01.821Z] "- - -" 0 - - - "-" 839 2504837 46 - "-" "-" "-" "-" "151.101.67.5:443" outbound|443||edition.cnn.com 172.30.239.60:49850 172.30.239.60:443 172.30.239.21:36512 edition.cnn.com -
+ENDSNIP
+
 snip_cleanup_network_policies_1() {
 kubectl delete -f samples/sleep/sleep.yaml -n test-egress
 kubectl delete destinationrule egressgateway-for-cnn -n test-egress
@@ -416,6 +620,15 @@ kubectl label namespace istio-system istio-
 kubectl delete namespace test-egress
 }
 
+snip_cleanup_network_policies_2() {
+kubectl delete -f samples/sleep/sleep.yaml -n test-egress
+kubectl delete networkpolicy allow-egress-to-istio-system-and-kube-dns -n test-egress
+kubectl label namespace kube-system kube-system-
+kubectl label namespace istio-system istio-
+kubectl label namespace default gateway-
+kubectl delete namespace test-egress
+}
+
 snip_troubleshooting_1() {
 kubectl exec -i -n istio-system "$(kubectl get pod -l istio=egressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}')"  -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout  | grep 'Subject Alternative Name' -A 1
 }

content/en/docs/tasks/traffic-management/egress/egress-gateway/test.sh

@@ -21,6 +21,8 @@ set -e
 set -u
 set -o pipefail
 
+GATEWAY_API="${GATEWAY_API:-false}"
+
 source "tests/util/samples.sh"
 
 # Make sure default namespace is injected
@@ -36,23 +38,37 @@ snip_egress_gateway_for_http_traffic_1
 # Verify curl to cnn
 _verify_contains snip_egress_gateway_for_http_traffic_2 "HTTP/2 200"
 
-# Create Gateway
-snip_egress_gateway_for_http_traffic_3
-_wait_for_istio gateway default istio-egressgateway
-_wait_for_istio destinationrule default egressgateway-for-cnn
+# Create Gateway and Routes
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_egress_gateway_for_http_traffic_4
+    snip_egress_gateway_for_http_traffic_6
+    _wait_for_gateway default cnn-egress-gateway
+    sleep 30 # TODO: remove this delay once we can reliably detect route rules have propogated
+else
+    snip_egress_gateway_for_http_traffic_3
+    _wait_for_istio gateway default istio-egressgateway
+    _wait_for_istio destinationrule default egressgateway-for-cnn
 
-# Create VS
-snip_egress_gateway_for_http_traffic_4
-_wait_for_istio virtualservice default direct-cnn-through-egress-gateway
+    snip_egress_gateway_for_http_traffic_5
+    _wait_for_istio virtualservice default direct-cnn-through-egress-gateway
+fi
 
 # Verify successful curl
-_verify_contains snip_egress_gateway_for_http_traffic_5 "HTTP/2 200"
+_verify_contains snip_egress_gateway_for_http_traffic_7 "HTTP/2 200"
 
 # Verify routing through gateway
-_verify_contains snip_egress_gateway_for_http_traffic_6 "GET /politics HTTP/2"
+if [ "$GATEWAY_API" == "true" ]; then
+    _verify_contains snip_egress_gateway_for_http_traffic_10 "outbound|80||edition.cnn.com"
+else
+    _verify_contains snip_egress_gateway_for_http_traffic_8 "outbound|80||edition.cnn.com"
+fi
 
 # cleanup http task
-snip_cleanup_http_gateway_1
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_cleanup_http_gateway_2
+else
+    snip_cleanup_http_gateway_1
+fi
 
 # ServiceEntry for HTTPS
 snip_egress_gateway_for_https_traffic_1
@@ -60,20 +76,34 @@ snip_egress_gateway_for_https_traffic_1
 # Try and verify curl
 _verify_contains snip_egress_gateway_for_https_traffic_2 "HTTP/2 200"
 
-# Gateway Passthrough dr and vs
-snip_egress_gateway_for_https_traffic_3
-_wait_for_istio gateway default istio-egressgateway
-_wait_for_istio destinationrule default egressgateway-for-cnn
-_wait_for_istio virtualservice default direct-cnn-through-egress-gateway
+# Gateway Passthrough and routes
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_egress_gateway_for_https_traffic_4
+    _wait_for_gateway default cnn-egress-gateway
+    sleep 30 # TODO: remove this delay once we can reliably detect route rules have propogated
+else
+    snip_egress_gateway_for_https_traffic_3
+    _wait_for_istio gateway default istio-egressgateway
+    _wait_for_istio destinationrule default egressgateway-for-cnn
+    _wait_for_istio virtualservice default direct-cnn-through-egress-gateway
+fi
 
 # Verify successful curl
-_verify_contains snip_egress_gateway_for_https_traffic_4 "HTTP/2 200"
+_verify_contains snip_egress_gateway_for_https_traffic_5 "HTTP/2 200"
 
 # Verify gateway routing
-_verify_contains snip_egress_gateway_for_https_traffic_5 "outbound|443||edition.cnn.com"
+if [ "$GATEWAY_API" == "true" ]; then
+    _verify_contains snip_egress_gateway_for_https_traffic_8 "outbound|443||edition.cnn.com"
+else
+    _verify_contains snip_egress_gateway_for_https_traffic_6 "outbound|443||edition.cnn.com"
+fi
 
 # cleanup https
-snip_cleanup_https_gateway_1
+#if [ "$GATEWAY_API" == "true" ]; then
+#    snip_cleanup_https_gateway_2
+#else
+#    snip_cleanup_https_gateway_1
+#fi
 
 ### Kubernetes netowkring policy test
 
@@ -87,39 +117,58 @@ snip_apply_kubernetes_network_policies_2
 _verify_contains snip_apply_kubernetes_network_policies_4 "200"
 
 # label
-snip_apply_kubernetes_network_policies_5
-snip_apply_kubernetes_network_policies_6
-
-# Apply kubernetes network policy
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_apply_kubernetes_network_policies_6
+else
+    snip_apply_kubernetes_network_policies_5
+fi
 snip_apply_kubernetes_network_policies_7
 
+# Apply kubernetes network policy
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_apply_kubernetes_network_policies_9
+else
+    snip_apply_kubernetes_network_policies_8
+fi
+
 # Verify failure
-#_verify_contains snip_apply_kubernetes_network_policies_8 "port 443 failed: Connection timed out"
+#_verify_contains snip_apply_kubernetes_network_policies_10 "port 443 failed: Connection timed out"
 # TODO: ^^^ this check fails as the test cluster doesn't have a network plugin
 # installed which can enforce network policies.
 
 # Enable sidecar injection
-snip_apply_kubernetes_network_policies_9
+snip_apply_kubernetes_network_policies_11
 
 # Delete older sleep and reapply
-snip_apply_kubernetes_network_policies_10
+snip_apply_kubernetes_network_policies_12
 _wait_for_deployment test-egress sleep
 
-# verify containers
-_verify_contains snip_apply_kubernetes_network_policies_11 "sleep istio-proxy"
+if [ "$GATEWAY_API" == "true" ]; then
+    # verify containers
+    _verify_contains snip_apply_kubernetes_network_policies_15 "sleep istio-proxy"
+else
+    # verify containers
+    _verify_contains snip_apply_kubernetes_network_policies_13 "sleep istio-proxy"
 
-# configure DR
-snip_apply_kubernetes_network_policies_12
-_wait_for_istio destinationrule test-egress egressgateway-for-cnn
+    # configure DR
+    snip_apply_kubernetes_network_policies_14
+    _wait_for_istio destinationrule test-egress egressgateway-for-cnn
+fi
 
 # Verify 200 response
-_verify_contains snip_apply_kubernetes_network_policies_13 "200"
+_verify_contains snip_apply_kubernetes_network_policies_16 "200"
 
 # Verify routing through gateway
-_verify_contains snip_apply_kubernetes_network_policies_14 "outbound|443||edition.cnn.com"
+if [ "$GATEWAY_API" == "true" ]; then
+    _verify_contains snip_apply_kubernetes_network_policies_19 "outbound|443||edition.cnn.com"
+else
+    _verify_contains snip_apply_kubernetes_network_policies_17 "outbound|443||edition.cnn.com"
+fi
 
 # @cleanup
-snip_cleanup_http_gateway_1
-snip_cleanup_https_gateway_1
-snip_cleanup_network_policies_1
-snip_cleanup_1
+if [ "$GATEWAY_API" != "true" ]; then
+    snip_cleanup_http_gateway_1
+    snip_cleanup_https_gateway_1
+    snip_cleanup_network_policies_1
+    snip_cleanup_1
+fi