Provider agnostic gateway name/namespace (#771)

* Provider agnostic gateway name/namespace Signed-off-by: Adam Cattermole <[email protected]> * Update docs gateway name/namespace Signed-off-by: Adam Cattermole <[email protected]> * Use istio/envoy-gateway for provider namespace Signed-off-by: Adam Cattermole <[email protected]> * Use EG_NAMESPACE when patching Signed-off-by: Adam Cattermole <[email protected]> --------- Signed-off-by: Adam Cattermole <[email protected]>
Kuadrant · Sep 18, 2024 · 9362ff9 · 9362ff9
1 parent 48d308a
commit 9362ff9
Show file tree

Hide file tree

Showing 25 changed files with 96 additions and 84 deletions.
diff --git a/config/dependencies/envoy-gateway/gateway/gateway.yaml b/config/dependencies/envoy-gateway/gateway/gateway.yaml
@@ -2,7 +2,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
-  name: eg
+  name: kuadrant-ingressgateway
 spec:
   gatewayClassName: envoygateway
   listeners:

diff --git a/config/dependencies/envoy-gateway/gateway/kustomization.yaml b/config/dependencies/envoy-gateway/gateway/kustomization.yaml
@@ -1,6 +1,7 @@
 ---
 # Adds namespace to all resources.
-namespace: envoy-gateway-system
+namespace: gateway-system
 resources:
+- namespace.yaml
 - gateway-class.yaml
 - gateway.yaml
diff --git a/config/dependencies/envoy-gateway/gateway/namespace.yaml b/config/dependencies/envoy-gateway/gateway/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-system
diff --git a/config/dependencies/istio/gateway/gateway.yaml b/config/dependencies/istio/gateway/gateway.yaml
@@ -4,7 +4,7 @@ kind: Gateway
 metadata:
   labels:
     istio: ingressgateway
-  name: istio-ingressgateway
+  name: kuadrant-ingressgateway
 spec:
   gatewayClassName: istio
   listeners:

diff --git a/config/dependencies/istio/gateway/kustomization.yaml b/config/dependencies/istio/gateway/kustomization.yaml
@@ -1,5 +1,6 @@
 ---
 # Adds namespace to all resources.
-namespace: istio-system
+namespace: gateway-system
 resources:
+- namespace.yaml
 - gateway.yaml
diff --git a/config/dependencies/istio/gateway/namespace.yaml b/config/dependencies/istio/gateway/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway-system
diff --git a/config/observability/openshift/telemetry.yaml b/config/observability/openshift/telemetry.yaml
@@ -2,7 +2,7 @@ apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
   name: namespace-metrics
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   metrics:
   - providers:

diff --git a/config/observability/prometheus/monitors/pod-monitor-envoy.yaml b/config/observability/prometheus/monitors/pod-monitor-envoy.yaml
@@ -5,10 +5,10 @@ metadata:
 spec:
   namespaceSelector:
     matchNames:
-    - istio-system
+    - gateway-system
   selector:
     matchLabels:
-      app: istio-ingressgateway
+      app: kuadrant-ingressgateway
   podMetricsEndpoints:
   - port: http-envoy-prom
     path: /stats/prometheus
diff --git a/config/observability/prometheus/monitors/service-monitor-istiod.yaml b/config/observability/prometheus/monitors/service-monitor-istiod.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
   namespaceSelector:
     matchNames:
-    - istio-system
+    - gateway-system
   selector:
     matchLabels:
       app: istiod

diff --git a/config/observability/prometheus/telemetry.yaml b/config/observability/prometheus/telemetry.yaml
@@ -2,7 +2,7 @@ apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
   name: namespace-metrics
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   metrics:
   - providers:

diff --git a/doc/install/install-openshift.md b/doc/install/install-openshift.md
@@ -61,7 +61,7 @@ Kuadrant integrates with Istio as a Gateway API provider. You can set up an Isti
 To install the Istio Gateway provider, run the following commands:
 
 ```bash
-kubectl create ns istio-system
+kubectl create ns gateway-system
 ```
 
 ```bash
@@ -70,15 +70,15 @@ kind: OperatorGroup
 apiVersion: operators.coreos.com/v1
 metadata:
   name: sail
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   upgradeStrategy: Default
 ---
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
   name: sailoperator
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   channel: 3.0-dp1
   installPlanApproval: Automatic
@@ -91,7 +91,7 @@ EOF
 Check the status of the installation as follows:
 
 ```bash
-kubectl get installplan -n istio-system -o=jsonpath='{.items[0].status.phase}'
+kubectl get installplan -n gateway-system -o=jsonpath='{.items[0].status.phase}'
 ```
 
 When ready, the status will change from `installing` to `complete`.
@@ -108,7 +108,7 @@ metadata:
   name: default
 spec:
   version: v1.21.0
-  namespace: istio-system
+  namespace: gateway-system
   # Disable autoscaling to reduce dev resources
   values:
     pilot:
@@ -119,7 +119,7 @@ EOF
 Wait for Istio to be ready as follows:
 
 ```bash
-kubectl wait istio/default -n istio-system --for="condition=Ready=true"
+kubectl wait istio/default -n gateway-system --for="condition=Ready=true"
 ```
 
 ### Step 5 - (Optional) Install Envoy Gateway as a Gateway API provider

diff --git a/doc/observability/metrics.md b/doc/observability/metrics.md
@@ -47,7 +47,7 @@ apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
   name: namespace-metrics
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   metrics:
   - providers:

diff --git a/doc/observability/tracing.md b/doc/observability/tracing.md
@@ -22,7 +22,7 @@ apiVersion: telemetry.istio.io/v1alpha1
 kind: Telemetry
 metadata:
   name: mesh-default
-  namespace: istio-system
+  namespace: gateway-system
 spec:
   tracing:
   - providers:
@@ -34,7 +34,7 @@ kind: Istio
 metadata:
   name: default
 spec:
-  namespace: istio-system
+  namespace: gateway-system
   values:
     meshConfig:
       defaultConfig:

diff --git a/doc/rate-limiting.md b/doc/rate-limiting.md
@@ -391,19 +391,19 @@ A Kuadrant wasm-shim configuration for 2 RateLimitPolicy custom resources (a Gat
 apiVersion: extensions.istio.io/v1alpha1
 kind: WasmPlugin
 metadata:
-  name: kuadrant-istio-ingressgateway
-  namespace: istio-system
+  name: kuadrant-kuadrant-ingressgateway
+  namespace: gateway-system
   …
 spec:
   phase: STATS
   pluginConfig:
     failureMode: deny
     rateLimitPolicies:
-    - domain: istio-system/gw-rlp # allows isolating policy rules and improve performance of the rate limit service
+    - domain: gateway-system/gw-rlp # allows isolating policy rules and improve performance of the rate limit service
       hostnames:
       - '*.website'
       - '*.io'
-      name: istio-system/gw-rlp
+      name: gateway-system/gw-rlp
       rules: # match rules from the gateway and according to conditions specified in the policy
       - conditions:
         - allOf:
@@ -478,6 +478,6 @@ spec:
       service: kuadrant-rate-limiting-service
   selector:
     matchLabels:
-      istio.io/gateway-name: istio-ingressgateway
+      istio.io/gateway-name: kuadrant-ingressgateway
   url: oci://quay.io/kuadrant/wasm-shim:v0.3.0
 ```
diff --git a/doc/user-guides/auth-for-app-devs-and-platform-engineers.md b/doc/user-guides/auth-for-app-devs-and-platform-engineers.md
@@ -7,7 +7,7 @@ Two AuthPolicies will be declared:
 | Use case                       | AuthPolicy                                                                                                                                                                                                                                                                                |
 |--------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | **App developer**              | 1 AuthPolicy targeting a HTTPRoute that routes traffic to a sample Toy Store application, and enforces API key authentication to all requests in this route, as well as requires API key owners to be mapped to `groups:admins` metadata to access a specific HTTPRouteRule of the route. |
-| **Platform engineer use-case** | 1 AuthPolicy targeting the `istio-ingressgateway` Gateway that enforces a trivial "deny-all" policy that locks down any other HTTPRoute attached to the Gateway.                                                                                                                          |
+| **Platform engineer use-case** | 1 AuthPolicy targeting the `kuadrant-ingressgateway` Gateway that enforces a trivial "deny-all" policy that locks down any other HTTPRoute attached to the Gateway.                                                                                                                       |
 
 Topology:
 
@@ -18,19 +18,19 @@ Topology:
                    └───────┬───────┘
                            │
                            ▼
-                ┌──────────────────────┐
-                │     (Gateway)        │
-                │ istio-ingressgateway │
-          ┌────►│                      │◄───┐
-          │     │          *           │    │
-          │     └──────────────────────┘    │
-          │                                 │
- ┌────────┴─────────┐              ┌────────┴─────────┐
- │   (HTTPRoute)    │              │   (HTTPRoute)    │
- │    toystore      │              │      other       │
- │                  │              │                  │
- │ api.toystore.com │              │ *.other-apps.com │
- └──────────────────┘              └──────────────────┘
+                ┌─────────────────────────┐
+                │        (Gateway)        │
+                │ kuadrant-ingressgateway │
+          ┌────►│                         │◄───┐
+          │     │            *            │    │
+          │     └─────────────────────────┘    │
+          │                                    │
+ ┌────────┴─────────┐                 ┌────────┴─────────┐
+ │   (HTTPRoute)    │                 │   (HTTPRoute)    │
+ │    toystore      │                 │      other       │
+ │                  │                 │                  │
+ │ api.toystore.com │                 │ *.other-apps.com │
+ └──────────────────┘                 └──────────────────┘
           ▲
           │
   ┌───────┴───────┐
@@ -83,8 +83,8 @@ metadata:
   name: toystore
 spec:
   parentRefs:
-  - name: istio-ingressgateway
-    namespace: istio-system
+  - name: kuadrant-ingressgateway
+    namespace: gateway-system
   hostnames:
   - api.toystore.com
   rules:
@@ -113,8 +113,8 @@ EOF
 Export the gateway hostname and port:
 
 ```sh
-export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
-export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
+export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
+export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
 export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
 ```
 
@@ -231,7 +231,7 @@ curl -H 'Host: api.toystore.com' -H 'Authorization: APIKEY iamanadmin' http://$G
 Create the policy:
 
 ```sh
-kubectl -n istio-system apply -f - <<EOF
+kubectl -n gateway-system apply -f - <<EOF
 apiVersion: kuadrant.io/v1beta2
 kind: AuthPolicy
 metadata:
@@ -240,7 +240,7 @@ spec:
   targetRef:
     group: gateway.networking.k8s.io
     kind: Gateway
-    name: istio-ingressgateway
+    name: kuadrant-ingressgateway
   rules:
     authorization:
       deny-all:
@@ -272,8 +272,8 @@ metadata:
   name: other
 spec:
   parentRefs:
-  - name: istio-ingressgateway
-    namespace: istio-system
+  - name: kuadrant-ingressgateway
+    namespace: gateway-system
   hostnames:
   - "*.other-apps.com"
 EOF

diff --git a/doc/user-guides/authenticated-rl-for-app-developers.md b/doc/user-guides/authenticated-rl-for-app-developers.md
@@ -70,8 +70,8 @@ metadata:
   name: toystore
 spec:
   parentRefs:
-  - name: istio-ingressgateway
-    namespace: istio-system
+  - name: kuadrant-ingressgateway
+    namespace: gateway-system
   hostnames:
   - api.toystore.com
   rules:
@@ -89,8 +89,8 @@ EOF
 Export the gateway hostname and port:
 
 ```sh
-export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
-export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
+export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
+export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
 export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
 ```
 
@@ -104,7 +104,7 @@ curl -H 'Host: api.toystore.com' http://$GATEWAY_URL/toy -i
 > **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service and accessing over localhost:
 >
 > ```sh
-> kubectl port-forward -n istio-system service/istio-ingressgateway-istio 9080:80 >/dev/null 2>&1 &
+> kubectl port-forward -n gateway-system service/kuadrant-ingressgateway-istio 9080:80 >/dev/null 2>&1 &
 > export GATEWAY_URL=localhost:9080
 > ```
 > ```sh

diff --git a/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md b/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md
@@ -85,8 +85,8 @@ kubectl apply -f examples/toystore/httproute.yaml
 Export the gateway hostname and port:
 
 ```sh
-export INGRESS_HOST=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.status.addresses[0].value}')
-export INGRESS_PORT=$(kubectl get gtw istio-ingressgateway -n istio-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
+export INGRESS_HOST=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.status.addresses[0].value}')
+export INGRESS_PORT=$(kubectl get gtw kuadrant-ingressgateway -n gateway-system -o jsonpath='{.spec.listeners[?(@.name=="http")].port}')
 export GATEWAY_URL=$INGRESS_HOST:$INGRESS_PORT
 ```
 
@@ -100,7 +100,7 @@ It should return `200 OK`.
 > **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service and accessing over localhost:
 >
 > ```sh
-> kubectl port-forward -n istio-system service/istio-ingressgateway-istio 9080:80 >/dev/null 2>&1 &
+> kubectl port-forward -n gateway-system service/kuadrant-ingressgateway-istio 9080:80 >/dev/null 2>&1 &
 > export GATEWAY_URL=localhost:9080
 > ```
 > ```sh

diff --git a/doc/user-guides/gateway-rl-for-cluster-operators.md b/doc/user-guides/gateway-rl-for-cluster-operators.md
@@ -40,7 +40,7 @@ EOF
 ### ② Create the ingress gateways
 
 ```sh
-kubectl -n istio-system apply -f - <<EOF
+kubectl -n gateway-system apply -f - <<EOF
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
@@ -99,7 +99,7 @@ EOF
 Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
 
 ```sh
-kubectl apply -n istio-system -f - <<EOF
+kubectl apply -n gateway-system -f - <<EOF
 apiVersion: kuadrant.io/v1beta2
 kind: RateLimitPolicy
 metadata:
@@ -163,9 +163,9 @@ metadata:
 spec:
   parentRefs:
   - name: external
-    namespace: istio-system
+    namespace: gateway-system
   - name: internal
-    namespace: istio-system
+    namespace: gateway-system
   hostnames:
   - "*.toystore.io"
   - "*.toystore.local"
@@ -181,8 +181,8 @@ EOF
 Expose the gateways, respectively at the port numbers `9081` and `9082` of the local host:
 
 ```sh
-kubectl port-forward -n istio-system service/external-istio 9081:80 >/dev/null 2>&1 &
-kubectl port-forward -n istio-system service/internal-istio 9082:80 >/dev/null 2>&1 &
+kubectl port-forward -n gateway-system service/external-istio 9081:80 >/dev/null 2>&1 &
+kubectl port-forward -n gateway-system service/internal-istio 9082:80 >/dev/null 2>&1 &
 ```
 
 Up to 5 successful (`200 OK`) requests every 10 seconds through the `external` ingress gateway (`*.io`), then `429 Too Many Requests`: