OSDOCS-14879: add enablement procedure

[jldohmann]

Version(s): 4.19+

Issue: https://issues.redhat.com/browse/OSDOCS-14879

Link to docs preview: https://94480--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/configuring_ingress_cluster_traffic/ingress-gateway-api.html#nw-ingress-gateway-api-enable_ingress-gateway-api

QE review:

• QE has approved this change.

Additional information:

[openshift-ci-robot]

@jldohmann: This pull request references OSDOCS-14879 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.20." or "openshift-4.20.", but it targets "openshift-4.19" instead.

Details

In response to this:

Version(s): 4.19+

Issue: https://issues.redhat.com/browse/OSDOCS-14879

Link to docs preview:

QE review:

• QE has approved this change.

Additional information:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ocpdocs-previewbot]

🤖 Fri Jun 13 19:10:27 - Prow CI generated the docs preview:

https://94480--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/configuring_ingress_cluster_traffic/ingress-gateway-api.html

[openshift-ci-robot]

@jldohmann: This pull request references OSDOCS-14879 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.20." or "openshift-4.20.", but it targets "openshift-4.19" instead.

Details

In response to this:

Version(s): 4.19+

Issue: https://issues.redhat.com/browse/OSDOCS-14879

Link to docs preview: https://94480--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/configuring_ingress_cluster_traffic/ingress-gateway-api.html#nw-ingress-gateway-api-enable_ingress-gateway-api

QE review:

• QE has approved this change.

Additional information:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jldohmann]

@rhamini3 could you PTAL at this docs PR for QE ack? thank you

[lahinson]

Nice work! Just a few nits for your consideration.

[rhamini3]

one small suggestion, otherwise
/label qe-approved

[openshift-ci-robot]

@jldohmann: This pull request references OSDOCS-14879 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target either version "4.20." or "openshift-4.20.", but it targets "openshift-4.19" instead.

Details

In response to this:

Version(s): 4.19+

Issue: https://issues.redhat.com/browse/OSDOCS-14879

Link to docs preview: https://94480--ocpdocs-pr.netlify.app/openshift-enterprise/latest/networking/configuring_ingress_cluster_traffic/ingress-gateway-api.html#nw-ingress-gateway-api-enable_ingress-gateway-api

QE review:

• QE has approved this change.

Additional information:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[candita]

/assign @candita
/assign @grzpiotrowski

@jldohmann would you mind waiting to merge until the two of us lgtm and approve?

[candita]

Does it tell them anywhere how to create the wildcard.crt and wildcard.key?

[jldohmann]

we have a lot of existing docs on creating certificates. do you mean something like this? https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/security_and_compliance/configuring-certificates i can link it

[grzpiotrowski]

In the tech preview guides we had this bit of context about the creation of a secret:

Certificates are handled differently in Gateway API compared to OpenShift Route objects. Gateway API uses references to
Kubernetes Secret objects whereas the OpenShift Route API embeds the certificate and key strings in the Route object.

WDYT about including it here @candita?

[candita]

I think we could do this in a followup.

[grzpiotrowski]

Actually after seeing What's New in 4.19, I think that the statement I quoted is not longer true as Routes can reference Secrets too.

[jldohmann]

@grzpiotrowski @candita so to clarify, is the request to add that snippet within this doc or create a new procedure for handling secrets for Gateway API?

[grzpiotrowski]

/lgtm
I'm ok with the changes I suggested to be included as a follow-up. Leaving the approve as @candita and @rhamini3 are going to have another pass too before merge.

[rhamini3]

This part is a bit confusing for me, If the user is using 4.19+ gatewayAPI is already enabled with the proper CRDs. From my understanding, the subscription, and operator are only installed after a gatewayclass is created.
CC @candita

[candita]

I think this is ok for now, but we could follow up after the docs freeze. The reader doesn't need to know all the specifics.

[candita]

Suggestion in https://github.com/openshift/openshift-docs/pull/94480/files#r2145713754

[rhamini3]

the gateway does not have to be in openshift-ingress namespace, might be better to change this to if it isn't created in openshift-ingress there will be no DNS management

[candita]

In the Getting Started guide, it's ok to get them started without extra work for DNS.

[rhamini3]

not finding the right output when using that command, this command has correct output
oc -n openshift-ingress get dnsrecord -l gateway.networking.k8s.io/gateway-name=example-gateway -o yaml

[candita]

@kalexand-rh @jldohmann Can this be fixed before merge?

[rhamini3]

the example output and oc command should be updated, the name of the service and deployment is not the same as the gateway name, it has a post-fix openshift-default (gatewayClass name)

iamin@iamin-mac Downloads % oc -n openshift-ingress get deployment
NAME                                READY   UP-TO-DATE   AVAILABLE   AGE
example-gateway-openshift-default   1/1     1            1           3m52s
istiod-openshift-gateway            1/1     1            1           16m
router-default                      2/2     2            2           80m
iamin@iamin-mac Downloads % oc -n openshift-ingress get service   
NAME                                TYPE           CLUSTER-IP       EXTERNAL-IP                                                               PORT(S)                                 AGE
example-gateway-openshift-default   LoadBalancer   172.30.168.184   a31cac2304a8249b697976d111041eeb-1454708237.us-east-2.elb.amazonaws.com   15021:30345/TCP,443:31776/TCP           4m16s
istiod-openshift-gateway            ClusterIP      172.30.211.131   <none>                                                                    15010/TCP,15012/TCP,443/TCP,15014/TCP   16m
router-default                      LoadBalancer   172.30.15.214    a20263ea8928442b1986ef3c08bfc7bb-1704144520.us-east-2.elb.amazonaws.com   80:30266/TCP,443:31405/TCP              80m
router-internal-default             ClusterIP      172.30.225.70    <none>         

[candita]

@kalexand-rh @jldohmann is there any way this can be fixed before docs freeze?

[candita]

These commands would also need to change:
[source,terminal]

$ oc get deployment -n openshift-ingress example-gateway-openshift-default

[source,terminal]

$ oc get service -n openshift-ingress example-gateway-openshift-default

[rhamini3]

Suggested change

	$ curl -I -cacert <local cert file> https://example.gwapi.${DOMAIN}:443
	$ curl -I --cacert /tmp/gwapi/ca.crt https://example.gwapi.${DOMAIN}:443

[candita]

Hm, the "-k" means don't validate certs. Is it really needed?

[rhamini3]

I noticed that in my cluster without the -k I get error:

curl: (60) SSL: certificate subject name '*.apps.iamin-aws0613.qe.devcluster.openshift.com' does not match target host name 'example.gwapi.apps.iamin-aws0613.qe.devcluster.openshift.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[rhamini3]

-k not needed

[candita]

@kalexand-rh the "--cacert" is needed, please accept @rhamini3 's suggestion.

[candita]

This would need to change per https://github.com/openshift/openshift-docs/pull/94480/files#r2145462579:

Suggested change

	.. Optional: The Ingress Operator automatically creates a `DNSRecord` CR using the hostname from the listeners, and adds the label `istio.io/gateway-name=example-gateway`. Verify the status of the DNS record by running the following command:
	.. Optional: The Ingress Operator automatically creates a `DNSRecord` CR using the hostname from the listeners, and adds the label `gateway.networking.k8s.io/gateway-name=example-gateway`. Verify the status of the DNS record by running the following command:

[candita]

https://github.com/openshift/openshift-docs/pull/94480/files#r2145462579 should be here.

[candita]

Should be:
httproute.gateway.networking.k8s.io/example-route created

[candita]

Suggested change

	.. Optional: Verify that the new deployment, `istio-ingressgateway` is ready and available:
	.. Optional: Verify that the new deployment, `istiod-openshift-gateway` is ready and available:

[candita]

Suggested change

	. Create a secret by using the default certificate by running the following command:
	. Create a secret by running the following command:

[candita]

nit: might want to swap the positions of these two, putting the example output with the corresponding command.

[kalexand-rh]

[candita]

They should both be named "example-gateway-openshift-default" in the output.

[candita]

Suggested change

	When you enable Gateway API, it installs the subscription, the Istio operator, the custom resource definitions (CRDs), and creates the Istio resources.
	When you create a GatewayClass as shown in the first step, it configures Gateway API for use on your cluster.

[candita]

This can be handled in a follow up.

Suggested change

	<5> The name of the previously created secret using the default certificate.
	<5> The name of the previously created secret.

[candita]

Suggested change

	example-gateway 1/1 1 1 25s
	example-gateway-openshift-default 1/1 1 1 25s

[candita]

Suggested change

	rules: <4>
	- backendRefs:
	rules:
	- backendRefs: <4>

[candita]

Suggested change

	. Create an `HTTPRoute` resource that directs requests to your application:
	. Create an `HTTPRoute` resource that directs requests to your already-created namespace and application called `example-app/example-app`:

[candita]

Thanks @kalexand-rh !

/lgtm
/approve

[openshift-ci]

New changes are detected. LGTM label has been removed.

[candita]

/lgtm

[openshift-ci]

@jldohmann: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kalexand-rh]

/cherrypick enterprise-4.19

[openshift-cherrypick-robot]

@kalexand-rh: new pull request created: #94790

Details

In response to this:

/cherrypick enterprise-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.