gateway-api: add instructions to gateway topology doc (#12889)

* gateway-api: add instructions to gateway topology doc

* fix test

* fix numbering

content/en/docs/ops/configuration/traffic-management/network-topologies/gtwapi_test.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090,SC2154
+
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+source "tests/util/gateway-api.sh"
+install_gateway_api_crds
+
+# @setup profile=none
+source "content/en/docs/ops/configuration/traffic-management/network-topologies/test.sh"
+
+# @cleanup
+kubectl delete -f samples/httpbin/gateway-api/httpbin-gateway.yaml
+kubectl delete -f samples/httpbin/httpbin.yaml
+kubectl delete ns httpbin
+
+# Delete the Istio this test installed
+echo y | istioctl uninstall --revision "default"
+kubectl delete ns istio-system
+
+remove_gateway_api_crds

content/en/docs/ops/configuration/traffic-management/network-topologies/index.md

@@ -10,6 +10,8 @@ status: Alpha
 
 {{< boilerplate alpha >}}
 
+{{< boilerplate gateway-api-support >}}
+
 ## Forwarding external client attributes (IP address, certificate info) to destination workloads
 
 Many applications require knowing the client IP address and certificate information of the originating request to behave
@@ -111,25 +113,58 @@ to understand how `X-Forwarded-For` headers and trusted client addresses are det
 1. Deploy `httpbin` in the `httpbin` namespace:
 
     {{< text syntax=bash snip_id=apply_httpbin >}}
-    $ kubectl apply -n httpbin -f samples/httpbin/httpbin.yaml
+    $ kubectl apply -n httpbin -f @samples/httpbin/httpbin.yaml@
     {{< /text >}}
 
 1. Deploy a gateway associated with `httpbin`:
 
-    {{< text syntax=bash snip_id=deploy_httpbin_gateway >}}
-    $ kubectl apply -n httpbin -f samples/httpbin/httpbin-gateway.yaml
-    {{< /text >}}
+{{< tabset category-name="config-api" >}}
 
-1. Set a local `GATEWAY_URL` environmental variable based on your Istio ingress gateway's IP address:
+{{< tab name="Istio classic" category-value="istio-classic" >}}
 
-    {{< text syntax=bash snip_id=export_gateway_url >}}
-    $ export GATEWAY_URL=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-    {{< /text >}}
+{{< text syntax=bash snip_id=deploy_httpbin_gateway >}}
+$ kubectl apply -n httpbin -f @samples/httpbin/httpbin-gateway.yaml@
+{{< /text >}}
 
-1. Run the following `curl` command to simulate a request with proxy addresses in the `X-Forwarded-For` header:
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text syntax=bash snip_id=deploy_httpbin_k8s_gateway >}}
+$ kubectl apply -n httpbin -f @samples/httpbin/gateway-api/httpbin-gateway.yaml@
+$ kubectl wait --for=condition=ready gtw -n httpbin httpbin-gateway
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+6) Set a local `GATEWAY_URL` environmental variable based on your Istio ingress gateway's IP address:
+
+{{< tabset category-name="config-api" >}}
+
+{{< tab name="Istio classic" category-value="istio-classic" >}}
+
+{{< text syntax=bash snip_id=export_gateway_url >}}
+$ export GATEWAY_URL=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text syntax=bash snip_id=export_k8s_gateway_url >}}
+$ export GATEWAY_URL=$(kubectl get gateways.gateway.networking.k8s.io httpbin-gateway -n httpbin -ojsonpath='{.status.addresses[*].value}')
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
+7) Run the following `curl` command to simulate a request with proxy addresses in the `X-Forwarded-For` header:
 
     {{< text syntax=bash snip_id=curl_xff_headers >}}
-    $ curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL"/get?show_env=true
+    $ curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL/get?show_env=true"
     {
     "args": {
       "show_env": "true"
@@ -213,6 +248,10 @@ PROXY protocol should not be used for L7 traffic, or for Istio gateways behind L
 
 If your external TCP load balancer is configured to forward TCP traffic and use the PROXY protocol, the Istio Gateway TCP listener must also be configured to accept the PROXY protocol. Enabling this requires adding the [Envoy Proxy Protocol filter](https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/proxy_protocol) using an `EnvoyFilter` applied on the gateway workload. For example:
 
+{{< tabset category-name="config-api" >}}
+
+{{< tab name="Istio classic" category-value="istio-classic" >}}
+
 {{< text syntax=yaml snip_id=none >}}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
@@ -233,6 +272,34 @@ spec:
       istio: ingressgateway
 {{< /text >}}
 
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text syntax=yaml snip_id=none >}}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: proxy-protocol
+  namespace: istio-system
+spec:
+  configPatches:
+  - applyTo: LISTENER
+    patch:
+      operation: MERGE
+      value:
+        listener_filters:
+        - name: envoy.listener.proxy_protocol
+        - name: envoy.listener.tls_inspector
+  workloadSelector:
+    labels:
+      istio.io/gateway-name: <GATEWAY_NAME>
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
 The client IP is retrieved from the PROXY protocol by the gateway and set (or appended) in the `X-Forwarded-For` and `X-Envoy-External-Address` header. Note that the PROXY protocol is mutually exclusive with L7 headers like `X-Forwarded-For` and `X-Envoy-External-Address`. When PROXY protocol is used in conjunction with the `gatewayTopology` configuration, the `numTrustedProxies` and the received `X-Forwarded-For` header takes precedence in determining the trusted client addresses, and PROXY protocol client information will be ignored.
 
 Note that the above example only configures the Gateway to accept incoming PROXY protocol TCP traffic - See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_features/ip_transparency#proxy-protocol) for examples of how to configure Envoy itself to communicate with upstream services using PROXY protocol.

content/en/docs/ops/configuration/traffic-management/network-topologies/snips.sh

@@ -19,6 +19,7 @@
 # WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE:
 #          docs/ops/configuration/traffic-management/network-topologies/index.md
 ####################################################################################################
+source "content/en/boilerplates/snips/gateway-api-support.sh"
 
 snip_install_num_trusted_proxies_two() {
 cat <<EOF > topology.yaml
@@ -57,12 +58,21 @@ snip_deploy_httpbin_gateway() {
 kubectl apply -n httpbin -f samples/httpbin/httpbin-gateway.yaml
 }
 
+snip_deploy_httpbin_k8s_gateway() {
+kubectl apply -n httpbin -f samples/httpbin/gateway-api/httpbin-gateway.yaml
+kubectl wait --for=condition=ready gtw -n httpbin httpbin-gateway
+}
+
 snip_export_gateway_url() {
 export GATEWAY_URL=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
 }
 
+snip_export_k8s_gateway_url() {
+export GATEWAY_URL=$(kubectl get gateways.gateway.networking.k8s.io httpbin-gateway -n httpbin -ojsonpath='{.status.addresses[*].value}')
+}
+
 snip_curl_xff_headers() {
-curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL"/get?show_env=true
+curl -s -H 'X-Forwarded-For: 56.5.6.7, 72.9.5.6, 98.1.2.3' "$GATEWAY_URL/get?show_env=true"
 }
 
 ! read -r -d '' snip_curl_xff_headers_out <<\ENDSNIP

content/en/docs/ops/configuration/traffic-management/network-topologies/test.sh

@@ -19,6 +19,8 @@ set -e
 set -u
 set -o pipefail
 
+GATEWAY_API="${GATEWAY_API:-false}"
+
 # ingressgateway is necessary, but we need to do a custom install
 # @setup profile=none
 
@@ -35,13 +37,18 @@ snip_apply_httpbin
 _wait_for_deployment httpbin httpbin
 
 echo '*** apply httpbin gateway ***'
-snip_deploy_httpbin_gateway
+if [ "$GATEWAY_API" == "true" ]; then
+    snip_deploy_httpbin_k8s_gateway
+    snip_export_k8s_gateway_url
+else
+    snip_deploy_httpbin_gateway
 
-# wait for for the rules to propagate
-_wait_for_istio gateway httpbin httpbin-gateway
-_wait_for_istio virtualservice httpbin httpbin
+    # wait for for the rules to propagate
+    _wait_for_istio gateway httpbin httpbin-gateway
+    _wait_for_istio virtualservice httpbin httpbin
 
-snip_export_gateway_url
+    snip_export_gateway_url
+fi
 echo "*** GATEWAY_URL = $GATEWAY_URL ***"
 
 _verify_like snip_curl_xff_headers "$snip_curl_xff_headers_out"

content/en/docs/tasks/security/authorization/authz-ingress/index.md

@@ -1,5 +1,5 @@
 ---
-title: Ingress Gateway Access Control
+title: Ingress Access Control
 description: Shows how to set up access control on an ingress gateway.
 weight: 50
 keywords: [security,access-control,rbac,authorization,ingress,ip,allowlist,denylist]