From c5479131310de0ebf55647a865a1b309a22a5419 Mon Sep 17 00:00:00 2001 From: Jamie Longmuir Date: Fri, 27 Oct 2023 16:09:05 -0400 Subject: [PATCH 1/3] Add gateway config instructions and sample config --- bundle/README.md | 73 +++++++++++++++++++++++++-- bundle/samples/ingress-gateway.yaml | 76 +++++++++++++++++++++++++++++ 2 files changed, 145 insertions(+), 4 deletions(-) create mode 100644 bundle/samples/ingress-gateway.yaml diff --git a/bundle/README.md b/bundle/README.md index 388ea73e68..c1218e9cb1 100644 --- a/bundle/README.md +++ b/bundle/README.md 
@@ -79,11 +79,76 @@ By deploying the `reviews` virtual service, you can specify a different behavior For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. -## Gateway Configuration +After following the instructions to [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you will need to create and configure a gateway** for the `bookinfo` application to be accessible outside the cluster. + +## Creating and Configuring Gateways The Sail Operator does not deploy Ingress or Egress Gateways. Gateways are not part of the control plane. As a security best-practice, Ingress and Egress Gateways should be deployed in a different namespace than the namespace that contains the control plane. -You can deploy gateways using either the Gateway API or Gateway Injection methods. Both are well documented in the Istio documentation. +You can deploy gateways using either the Gateway API or Gateway Injection methods. + +### Option 1: Istio Gateway Injection + +Gateway Injection uses the same mechanisms as Istio sidecar injection to create a gateway from a `Deployment` resource that is paired with a `Service` resource that can be made accessible from outside the cluster. For more information, see [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). + +To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed: + +1. Create the `istio-ingressgateway` deployment and service: + + ```sh + $ oc apply -f ingress/gateway.yaml + ``` + +2. 
Configure the `bookinfo` application with the new gateway: + + ```sh + $ oc -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml + ``` + +3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: + + ```sh + $ oc expose service istio-ingressgateway + ``` + +4. Finally, obtain the gateway host name and the URL of the product page: + + ```sh + $ HOST=$(oc get route istio-ingressgateway -o jsonpath='{.spec.host}') + $ echo http://$HOST/productpage + ``` + +Verify that the `productpage` is accessible from a web browser. + +### Option 2: Kubernetes Gateway API + +Istio includes support for Kubernetes [Gateway API](https://gateway-api.sigs.k8s.io/) and intends to make it the default API for [traffic management in the future](https://istio.io/latest/blog/2022/gateway-api-beta/). For more information, see Istio's [Kubernetes Gateway API](https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/) page. + +As of Kubernetes 1.28 and OpenShift 4.14, the Kubernetes Gateway API CRDs are not available by default and must be enabled to be used. This can be done with the command: + +```sh +$ oc get crd gateways.gateway.networking.k8s.io &> /dev/null || { oc kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.8.0" | oc apply -f -; } +``` + +To configure `bookinfo` with a gateway using `Gateway API`: + +1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: + + ```sh + $ oc apply -f https://raw.githubusercontent.com/istio/istio/release-1.19/samples/bookinfo/gateway-api/bookinfo-gateway.yaml + ``` + +2. 
Retrieve the host, port and gateway URL: + + ```sh + $ export INGRESS_HOST=$(oc get gtw bookinfo-gateway -o jsonpath='{.status.addresses[0].value}') + $ export INGRESS_PORT=$(oc get gtw bookinfo-gateway -o jsonpath='{.spec.listeners[?(@.name=="http")].port}') + $ export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT + ``` + +3. Obtain the `productpage` URL and check that you can visit it from a browser: + + ```sh + $ echo "http://${GATEWAY_URL}/productpage" + ``` -- To use Gateway API, follow the instructions in the [Getting Started with Istio and Kubernetes Gateway API](https://preliminary.istio.io/latest/docs/setup/additional-setup/getting-started/) page. -- To use Gateway Injection, use the `Helm` method described in the [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway) page. diff --git a/bundle/samples/ingress-gateway.yaml b/bundle/samples/ingress-gateway.yaml new file mode 100644 index 0000000000..64228de358 --- /dev/null +++ b/bundle/samples/ingress-gateway.yaml 
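Review bot: Step 1 of Option 1 applies `ingress/gateway.yaml`, but the file this patch adds is linked two lines earlier as `samples/ingress-gateway.yaml` (path `bundle/samples/ingress-gateway.yaml`), so the command as written fails on a missing file; use the same path in both places, e.g. `$ oc apply -f samples/ingress-gateway.yaml`. Two smaller points in the same hunk: step 1 applies into the current project while step 2 passes `-n bookinfo`, so the gateway and its `Gateway`/`VirtualService` can land in different namespaces unless the reader has already switched to `bookinfo`, which the text does not say; and the CRD-install one-liner relies on `&> /dev/null`, a bash extension, so under a POSIX `sh` the `oc get crd` is backgrounded, the bare redirect succeeds, and the `||` branch that installs the CRDs never runs, whereas `> /dev/null 2>&1` is portable.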
@@ -0,0 +1,76 @@ +apiVersion: v1 +kind: Service +metadata: + name: istio-ingressgateway +spec: + type: ClusterIP + selector: + istio: ingressgateway + ports: + - name: http2 + port: 80 + targetPort: 8080 + - name: https + port: 443 + targetPort: 8443 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istio-ingressgateway +spec: + selector: + matchLabels: + istio: ingressgateway + template: + metadata: + annotations: + # Select the gateway injection template (rather than the default sidecar template) + inject.istio.io/templates: gateway + labels: + # Set a unique label for the gateway. This is required to ensure Gateways can select this workload + istio: ingressgateway + # Enable gateway injection. If connecting to a revisioned control plane, replace with "istio.io/rev: revision-name" + sidecar.istio.io/inject: "true" + spec: + containers: + - name: istio-proxy + image: auto # The image will automatically update each time the pod starts. + +--- +# Set up roles to allow reading credentials for TLS +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: istio-ingressgateway-sds +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: istio-ingressgateway-sds +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: istio-ingressgateway-sds +subjects: +- kind: ServiceAccount + name: default +--- +#Allow outside traffic to access the gateway +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: gatewayingress +spec: + podSelector: + matchLabels: + istio: ingressgateway + ingress: + - {} + policyTypes: + - Ingress + From 355481185c091b73c5595137370f1f371d5c6659 Mon Sep 17 00:00:00 2001 From: Jamie Longmuir Date: Fri, 27 Oct 2023 16:23:14 -0400 Subject: [PATCH 2/3] update gateway creation command to remove namespace --- bundle/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
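Review bot: The RoleBinding grants `istio-ingressgateway-sds` (get/watch/list on every `secrets` object in the namespace) to the `default` ServiceAccount, and the Deployment sets no `serviceAccountName`, so every pod in the namespace that runs under the default account inherits read access to all secrets, including the bookinfo workloads the README tells the reader to deploy alongside the gateway. Give the gateway its own ServiceAccount (for example `istio-ingressgateway`), reference it from the pod template via `serviceAccountName`, and make that account the subject of the RoleBinding, so the TLS credential read is scoped to the gateway alone. Smaller points: `ingress: - {}` in the NetworkPolicy admits traffic from any source on any port, which is the intent for an ingress gateway but deserves a comment saying so (the `#Allow outside traffic` comment is also missing a space after `#`), and the file ends with an empty `+` line.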
diff --git a/bundle/README.md b/bundle/README.md index c1218e9cb1..8099142873 100644 --- a/bundle/README.md +++ b/bundle/README.md @@ -102,7 +102,7 @@ To configure gateway injection with the `bookinfo` application, we have provided 2. Configure the `bookinfo` application with the new gateway: ```sh - $ oc -n bookinfo apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml ``` 3. On OpenShift, you can use a [Route](https://docs.openshift.com/container-platform/4.13/networking/routes/route-configuration.html) to expose the gateway externally: From 6a4db41dd069760155955c4014734fe507509025 Mon Sep 17 00:00:00 2001 From: Jamie Longmuir Date: Mon, 30 Oct 2023 16:10:48 -0400 Subject: [PATCH 3/3] Incorporating fixes and PR feedback --- bundle/README.md | 8 ++++---- {bundle => config}/samples/ingress-gateway.yaml | 0 2 files changed, 4 insertions(+), 4 deletions(-) rename {bundle => config}/samples/ingress-gateway.yaml (100%) diff --git a/bundle/README.md b/bundle/README.md index 8099142873..bd32308f4e 100644 --- a/bundle/README.md +++ b/bundle/README.md 
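Review bot: Dropping `-n bookinfo` makes step 2 consistent with step 1 (both now apply into the current project), but the README then silently depends on the reader's current project being `bookinfo`; the lead-in says the sample "should be applied in the namespace where the application is installed", so either state that assumption before step 1 (e.g. `oc project bookinfo`) or keep an explicit `-n` on both commands.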
@@ -79,7 +79,7 @@ By deploying the `reviews` virtual service, you can specify a different behavior For more information, see [Bookinfo Application](https://istio.io/latest/docs/examples/bookinfo/) in the upstream Istio documentation. -After following the instructions to [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you will need to create and configure a gateway** for the `bookinfo` application to be accessible outside the cluster. +After following the instructions for [Deploying the application](https://istio.io/latest/docs/examples/bookinfo/#start-the-application-services), **you will need to create and configure a gateway** for the `bookinfo` application to be accessible outside the cluster. ## Creating and Configuring Gateways @@ -91,12 +91,12 @@ You can deploy gateways using either the Gateway API or Gateway Injection method Gateway Injection uses the same mechanisms as Istio sidecar injection to create a gateway from a `Deployment` resource that is paired with a `Service` resource that can be made accessible from outside the cluster. For more information, see [Installing Gateways](https://preliminary.istio.io/latest/docs/setup/additional-setup/gateway/#deploying-a-gateway). -To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed: +To configure gateway injection with the `bookinfo` application, we have provided a [sample gateway configuration](../config/samples/ingress-gateway.yaml?raw=1) that should be applied in the namespace where the application is installed: 1. Create the `istio-ingressgateway` deployment and service: ```sh - $ oc apply -f ingress/gateway.yaml + $ oc apply -f -n ingress-gateway.yaml ``` 2. Configure the `bookinfo` application with the new gateway: 
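Review bot: In the second hunk (`@@ -91,12 +91,12 @@`), the replacement command `$ oc apply -f -n ingress-gateway.yaml` is broken: `-n` is consumed as the value of `-f` and `ingress-gateway.yaml` is left as a stray positional argument, so the command errors out instead of creating the gateway. It also no longer matches the link updated a few lines above (`../config/samples/ingress-gateway.yaml`). Suggest `$ oc apply -f ../config/samples/ingress-gateway.yaml`, noting in the text that the path is relative to the `bundle/` directory of a checkout.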
@@ -135,7 +135,7 @@ To configure `bookinfo` with a gateway using `Gateway API`: 1. Create and configure a gateway using a `Gateway` and `HTTPRoute` resource: ```sh - $ oc apply -f https://raw.githubusercontent.com/istio/istio/release-1.19/samples/bookinfo/gateway-api/bookinfo-gateway.yaml + $ oc apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml ``` 2. Retrieve the host, port and gateway URL: diff --git a/bundle/samples/ingress-gateway.yaml b/config/samples/ingress-gateway.yaml similarity index 100% rename from bundle/samples/ingress-gateway.yaml rename to config/samples/ingress-gateway.yaml
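Review bot: Switching the Gateway API sample from `release-1.19` to `master` trades a pinned manifest for a moving target: `oc apply -f` of a `master` URL creates whatever the upstream branch contains when the reader runs it, so the resulting resources can change without any change to this README, and the `Gateway`/`HTTPRoute` definitions may drift from the Gateway API CRDs installed earlier with `?ref=v0.8.0`. Prefer a release ref matching the Istio version the operator deploys; if `master` is kept for consistency with the injection step, say in the text that the sample is unpinned.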