From fa55f5bfe508c2f396186ee685ec2c0bf5dfa349 Mon Sep 17 00:00:00 2001 From: Eitan Suez Date: Fri, 5 Apr 2024 13:29:45 -0500 Subject: [PATCH] renames user guides to tasks, #3098 
Signed-off-by: Eitan Suez --- .../en/latest/contributions/DEVELOP.md | 8 +++---- site/content/en/latest/contributions/DOCS.md | 2 +- .../en/latest/contributions/RELEASING.md | 9 ++++--- .../design/envoy-patch-policy.md | 4 ++-- .../design/extending-envoy-gateway.md | 2 +- site/content/en/latest/install/custom-cert.md | 4 ++-- .../en/latest/install/install-egctl.md | 4 ++-- .../content/en/latest/install/install-helm.md | 2 +- .../content/en/latest/install/install-yaml.md | 4 ++-- site/content/en/latest/tasks/_index.md | 5 ++++ .../en/latest/tasks/extensibility/_index.md | 5 ++++ .../extensibility/envoy-patch-policy.md | 4 ++-- .../en/latest/tasks/observability/_index.md | 5 ++++ .../observability/gateway-api-metrics.md | 2 +- .../observability/grafana-integration.md | 4 ++-- .../observability/proxy-observability.md | 4 ++-- .../en/latest/tasks/operations/_index.md | 5 ++++ .../operations/customize-envoyproxy.md | 2 +- .../operations/deployment-mode.md | 0 .../{user => tasks}/operations/egctl.md | 0 .../en/latest/{user => tasks}/quickstart.md | 4 ++-- .../en/latest/tasks/security/_index.md | 5 ++++ .../{user => tasks}/security/backend-tls.md | 8 +++---- .../{user => tasks}/security/basic-auth.md | 10 ++++---- .../latest/{user => tasks}/security/cors.md | 8 +++---- .../{user => tasks}/security/ext-auth.md | 10 ++++---- .../security/jwt-authentication.md | 8 +++---- .../{user => tasks}/security/mutual-tls.md | 8 +++---- .../latest/{user => tasks}/security/oidc.md | 10 ++++---- .../security/private-key-provider.md | 6 ++--- .../security/secure-gateways.md | 24 +++++++++---------- .../{user => tasks}/security/threat-model.md | 24 +++++++++---------- .../security/tls-cert-manager.md | 6 ++--- .../security/tls-passthrough.md | 8 +++---- .../security/tls-termination.md | 5 ++-- .../content/en/latest/tasks/traffic/_index.md | 5 ++++ .../traffic/circuit-breaker.md | 4 ++-- .../traffic/client-traffic-policy.md | 4 ++-- .../traffic/connection-limit.md | 2 +- 
.../traffic/fault-injection.md | 6 ++--- .../traffic/gateway-address.md | 0 .../traffic/gatewayapi-support.md | 0 .../traffic/global-rate-limit.md | 2 +- .../{user => tasks}/traffic/grpc-routing.md | 5 ++-- .../{user => tasks}/traffic/http-redirect.md | 2 +- .../traffic/http-request-headers.md | 2 +- .../traffic/http-request-mirroring.md | 4 ++-- .../traffic/http-response-headers.md | 2 +- .../{user => tasks}/traffic/http-routing.md | 6 ++--- .../{user => tasks}/traffic/http-timeouts.md | 4 ++-- .../traffic/http-traffic-splitting.md | 2 +- .../traffic/http-urlrewrite.md | 2 +- .../latest/{user => tasks}/traffic/http3.md | 8 +++---- .../traffic/local-rate-limit.md | 2 +- .../traffic/multicluster-service.md | 0 .../latest/{user => tasks}/traffic/retry.md | 2 +- .../traffic/routing-outside-kubernetes.md | 2 +- .../{user => tasks}/traffic/tcp-routing.md | 2 +- .../{user => tasks}/traffic/udp-routing.md | 8 +++---- site/content/en/latest/user/_index.md | 5 ---- .../en/latest/user/extensibility/_index.md | 5 ---- .../en/latest/user/observability/_index.md | 5 ---- .../en/latest/user/operations/_index.md | 5 ---- .../content/en/latest/user/security/_index.md | 5 ---- site/content/en/latest/user/traffic/_index.md | 5 ---- 65 files changed, 164 insertions(+), 161 deletions(-) create mode 100644 site/content/en/latest/tasks/_index.md create mode 100644 site/content/en/latest/tasks/extensibility/_index.md rename site/content/en/latest/{user => tasks}/extensibility/envoy-patch-policy.md (97%) create mode 100644 site/content/en/latest/tasks/observability/_index.md rename site/content/en/latest/{user => tasks}/observability/gateway-api-metrics.md (96%) rename site/content/en/latest/{user => tasks}/observability/grafana-integration.md (93%) rename site/content/en/latest/{user => tasks}/observability/proxy-observability.md (96%) create mode 100644 site/content/en/latest/tasks/operations/_index.md rename site/content/en/latest/{user => tasks}/operations/customize-envoyproxy.md 
(99%) rename site/content/en/latest/{user => tasks}/operations/deployment-mode.md (100%) rename site/content/en/latest/{user => tasks}/operations/egctl.md (100%) rename site/content/en/latest/{user => tasks}/quickstart.md (97%) create mode 100644 site/content/en/latest/tasks/security/_index.md rename site/content/en/latest/{user => tasks}/security/backend-tls.md (94%) rename site/content/en/latest/{user => tasks}/security/basic-auth.md (91%) rename site/content/en/latest/{user => tasks}/security/cors.md (91%) rename site/content/en/latest/{user => tasks}/security/ext-auth.md (95%) rename site/content/en/latest/{user => tasks}/security/jwt-authentication.md (92%) rename site/content/en/latest/{user => tasks}/security/mutual-tls.md (90%) rename site/content/en/latest/{user => tasks}/security/oidc.md (90%) rename site/content/en/latest/{user => tasks}/security/private-key-provider.md (97%) rename site/content/en/latest/{user => tasks}/security/secure-gateways.md (89%) rename site/content/en/latest/{user => tasks}/security/threat-model.md (95%) rename site/content/en/latest/{user => tasks}/security/tls-cert-manager.md (98%) rename site/content/en/latest/{user => tasks}/security/tls-passthrough.md (88%) rename site/content/en/latest/{user => tasks}/security/tls-termination.md (88%) create mode 100644 site/content/en/latest/tasks/traffic/_index.md rename site/content/en/latest/{user => tasks}/traffic/circuit-breaker.md (97%) rename site/content/en/latest/{user => tasks}/traffic/client-traffic-policy.md (98%) rename site/content/en/latest/{user => tasks}/traffic/connection-limit.md (96%) rename site/content/en/latest/{user => tasks}/traffic/fault-injection.md (95%) rename site/content/en/latest/{user => tasks}/traffic/gateway-address.md (100%) rename site/content/en/latest/{user => tasks}/traffic/gatewayapi-support.md (100%) rename site/content/en/latest/{user => tasks}/traffic/global-rate-limit.md (99%) rename site/content/en/latest/{user => 
tasks}/traffic/grpc-routing.md (97%) rename site/content/en/latest/{user => tasks}/traffic/http-redirect.md (99%) rename site/content/en/latest/{user => tasks}/traffic/http-request-headers.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http-request-mirroring.md (97%) rename site/content/en/latest/{user => tasks}/traffic/http-response-headers.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http-routing.md (97%) rename site/content/en/latest/{user => tasks}/traffic/http-timeouts.md (94%) rename site/content/en/latest/{user => tasks}/traffic/http-traffic-splitting.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http-urlrewrite.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http3.md (86%) rename site/content/en/latest/{user => tasks}/traffic/local-rate-limit.md (98%) rename site/content/en/latest/{user => tasks}/traffic/multicluster-service.md (100%) rename site/content/en/latest/{user => tasks}/traffic/retry.md (96%) rename site/content/en/latest/{user => tasks}/traffic/routing-outside-kubernetes.md (94%) rename site/content/en/latest/{user => tasks}/traffic/tcp-routing.md (98%) rename site/content/en/latest/{user => tasks}/traffic/udp-routing.md (89%) delete mode 100644 site/content/en/latest/user/_index.md delete mode 100644 site/content/en/latest/user/extensibility/_index.md delete mode 100644 site/content/en/latest/user/observability/_index.md delete mode 100644 site/content/en/latest/user/operations/_index.md delete mode 100644 site/content/en/latest/user/security/_index.md delete mode 100644 site/content/en/latest/user/traffic/_index.md
diff --git a/site/content/en/latest/contributions/DEVELOP.md b/site/content/en/latest/contributions/DEVELOP.md
index 73efdfdbbef6..55bcb05fec62 100644
--- a/site/content/en/latest/contributions/DEVELOP.md
+++ b/site/content/en/latest/contributions/DEVELOP.md
@@ -140,24 +140,24 @@ There are many other endpoints on the [Envoy admin interface][] that may be help
 ### JWT Testing
 An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the [request authentication][]
-user guide. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs
+task. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs
 verify signature was copied to [JWK Creator][] for generating the JWK. The JWK Creator was configured with matching settings, i.e. `Signing` public key use and the `RS256` algorithm. The generated JWK was wrapped in a JWKS structure and is hosted in the repo.
-[Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/latest/user/quickstart.md
+[Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/latest/tasks/quickstart.md
 [make]: https://www.gnu.org/software/make/
 [Github Actions]: https://docs.github.com/en/actions
 [workflows]: https://github.com/envoyproxy/gateway/tree/main/.github/workflows
 [Kind]: https://kind.sigs.k8s.io/
 [conformance homepage]: https://gateway-api.sigs.k8s.io/concepts/conformance/
-[directly exposing]: https://kind.sigs.k8s.io/docs/user/loadbalancer/
+[directly exposing]: https://kind.sigs.k8s.io/docs/tasks/loadbalancer/
 [Kubernetes support]: https://docs.docker.com/desktop/kubernetes/
 [gateway-dev]: https://hub.docker.com/r/envoyproxy/gateway-dev/tags
 [mac_connect]: https://github.com/chipmk/docker-mac-net-connect
 [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface
 [jwt]: https://tools.ietf.org/html/rfc7519
 [jwks]: https://tools.ietf.org/html/rfc7517
-[request authentication]: ../user/security/jwt-authentication
+[request authentication]: ../tasks/security/jwt-authentication
 [JWT Debugger]: https://jwt.io/
 [JWK Creator]: https://russelldavies.github.io/jwk-creator/
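Review bot: The `[directly exposing]` reference on the new side now points at `https://kind.sigs.k8s.io/docs/tasks/loadbalancer/`, but kind's site is external to this repository and is not affected by the user→tasks rename, so the `docs/user/` → `docs/tasks/` substitution there looks like collateral from a bulk search-and-replace and will leave the contributor guide with a dead link; it should stay `[directly exposing]: https://kind.sigs.k8s.io/docs/user/loadbalancer/`. The `[Quickstart]` reference in the same hunk may also deserve a look: it now points at `docs/latest/tasks/quickstart.md`, while this commit renames the page to `site/content/en/latest/tasks/quickstart.md`, so the `docs/latest/` prefix may be stale independently of the rename. It is worth checking the rest of the commit for other external URLs that happened to contain `/user/` and were rewritten the same way.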
diff --git a/site/content/en/latest/contributions/DOCS.md b/site/content/en/latest/contributions/DOCS.md
index ae19953a8b5c..83da02f4c09e 100644
--- a/site/content/en/latest/contributions/DOCS.md
+++ b/site/content/en/latest/contributions/DOCS.md
@@ -54,7 +54,7 @@ make docs-release TAG=v0.6.0
 This will update the VERSION file at the project root, which records current release version, and it will be used in the pages version context and binary version output. Also, this will generate new dir `site/content/en/v0.6.0`, which contains docs at v0.6.0 and updates artifact links to `v0.6.0`
-in all files under `site/content/en/v0.6.0/user`, like `quickstart.md`, `http-routing.md` and etc.
+in all files under `site/content/en/v0.6.0/tasks`, like `quickstart.md`, `http-routing.md` and etc.
 ## Publishing Docs
diff --git a/site/content/en/latest/contributions/RELEASING.md b/site/content/en/latest/contributions/RELEASING.md
index 857b81dd2868..0cb7e89ca4a5 100644
--- a/site/content/en/latest/contributions/RELEASING.md
+++ b/site/content/en/latest/contributions/RELEASING.md
@@ -6,7 +6,10 @@ description: "This section tells the release process of Envoy Gateway."
 This document guides maintainers through the process of creating an Envoy Gateway release.
 - [Release Candidate](#release-candidate)
+ - [Prerequisites](#prerequisites)
+ - [Setup cherry picker action](#setup-cherry-picker-action)
 - [Minor Release](#minor-release)
+ - [Prerequisites](#prerequisites-1)
 - [Announce the Release](#announce-the-release)
 ## Release Candidate
@@ -65,7 +68,7 @@ export GITHUB_REMOTE=origin
 13. Confirm that the [release workflow][] completed successfully.
 14. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub.
 15. Confirm that the [release][] was created.
-16. Note that the [Quickstart Guide][] references are __not__ updated for release candidates. However, test
+16. Note that the [Quickstart][] references are __not__ updated for release candidates. However, test
 the quickstart steps using the release candidate by manually updating the links.
 17. [Generate][] the GitHub changelog.
 18. Ensure you check the "This is a pre-release" checkbox when editing the GitHub release.
@@ -203,7 +206,7 @@ export GITHUB_REMOTE=origin
 10. Confirm that the [release workflow][] completed successfully.
 11. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub.
 12. Confirm that the [release][] was created.
-13. Confirm that the steps in the [Quickstart Guide][] work as expected.
+13. Confirm that the steps in the [Quickstart][] work as expected.
 14. [Generate][] the GitHub changelog and include the following text at the beginning of the release page:
 ```console
@@ -239,7 +242,7 @@ It's important that the world knows about the release. Use the following steps t
 [release notes]: https://github.com/envoyproxy/gateway/tree/main/release-notes
 [Pull Request]: https://github.com/envoyproxy/gateway/pulls
-[Quickstart Guide]: https://github.com/envoyproxy/gateway/blob/main/docs/user/quickstart.md
+[Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/tasks/quickstart.md
 [Build and Test]: https://github.com/envoyproxy/gateway/blob/main/.github/workflows/build_and_test.yaml
 [release GitHub action]: https://github.com/envoyproxy/gateway/blob/main/.github/workflows/release.yaml
 [release workflow]: https://github.com/envoyproxy/gateway/actions/workflows/release.yaml
diff --git a/site/content/en/latest/contributions/design/envoy-patch-policy.md b/site/content/en/latest/contributions/design/envoy-patch-policy.md
index 08cb60746265..343e6bab1e4b 100644
--- a/site/content/en/latest/contributions/design/envoy-patch-policy.md
+++ b/site/content/en/latest/contributions/design/envoy-patch-policy.md
@@ -172,5 +172,5 @@ patches will work.
 [EnvoyGateway]: ../../api/extension_types#envoygateway
 [Extending the Control Plane]: ./extending-envoy-gateway
 [EnvoyFilter]: https://istio.io/latest/docs/reference/config/networking/envoy-filter
-[egctl x translate]: ../../user/operations/egctl#egctl-experimental-translate
-[Bootstrap configuration using EnvoyProxy API]: ../../user/operations/customize-envoyproxy#customize-envoyproxy-bootstrap-config
+[egctl x translate]: ../../tasks/operations/egctl#egctl-experimental-translate
+[Bootstrap configuration using EnvoyProxy API]: ../../tasks/operations/customize-envoyproxy#customize-envoyproxy-bootstrap-config
diff --git a/site/content/en/latest/contributions/design/extending-envoy-gateway.md b/site/content/en/latest/contributions/design/extending-envoy-gateway.md
index de2486e72ce8..0b549460b655 100644
--- a/site/content/en/latest/contributions/design/extending-envoy-gateway.md
+++ b/site/content/en/latest/contributions/design/extending-envoy-gateway.md
@@ -316,7 +316,7 @@ Extending Envoy Gateway by using an external extension server which makes use of
 [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration
 [v1]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1
 [rate limiting]: ./rate-limit
-[authentication]: ../../user/security/jwt-authentication
+[authentication]: ../../tasks/security/jwt-authentication
 [HTTPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute
 [GRPCRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute
 [EnvoyGateway config]: ../../api/extension_types/#envoygateway
diff --git a/site/content/en/latest/install/custom-cert.md b/site/content/en/latest/install/custom-cert.md
index c521e61d27d0..dd059c035203 100644
--- a/site/content/en/latest/install/custom-cert.md
+++ b/site/content/en/latest/install/custom-cert.md
@@ -5,7 +5,7 @@ weight: -70
 Envoy Gateway establishes a secure TLS connection for control plane communication between Envoy Gateway pods and the Envoy Proxy fleet. The TLS Certificates used here are self signed and generated using a job that runs before envoy gateway is created, and these certs and mounted on to the envoy gateway and envoy proxy pods.
-In this guide, we'll walk you through configuring custom certs for control plane auth.
+This task will walk you through configuring custom certs for control plane auth.
 ## Before you begin
@@ -13,7 +13,7 @@ We use Cert-Manager to manage the certificates. You can install it by following
 ## Configure custom certs for control plane
-1. First you need to set up the CA issuer, in this guide, we use the `selfsigned-issuer` as an example.
+1. First you need to set up the CA issuer, in this task, we use the `selfsigned-issuer` as an example.
 *You should not use the self-signed issuer in production, you should use a real CA issuer.*
diff --git a/site/content/en/latest/install/install-egctl.md b/site/content/en/latest/install/install-egctl.md
index d4634de8784b..136d54c15cc4 100644
--- a/site/content/en/latest/install/install-egctl.md
+++ b/site/content/en/latest/install/install-egctl.md
@@ -10,7 +10,7 @@ weight: -80
 {{% /alert %}}
-This guide shows how to install the egctl CLI. egctl can be installed either from source, or from pre-built binary releases.
+This task shows how to install the egctl CLI. egctl can be installed either from source, or from pre-built binary releases.
 ### From The Envoy Gateway Project
@@ -52,6 +52,6 @@ curl -fsSL https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash
 {{% alert title="Next Steps" color="warning" %}}
-You can refer to [User Guides](../user/operations/egctl) to more details about egctl.
+You can refer to the [Use egctl task](../tasks/operations/egctl) for more details about egctl.
 {{% /alert %}}
diff --git a/site/content/en/latest/install/install-helm.md b/site/content/en/latest/install/install-helm.md
index 84efd93b837d..50c372d3e2a4 100644
--- a/site/content/en/latest/install/install-helm.md
+++ b/site/content/en/latest/install/install-helm.md
@@ -140,5 +140,5 @@ These are the ports used by Envoy Gateway and the managed Envoy Proxy.
 | Heath Check | 0.0.0.0 | 19001 |
 {{% alert title="Next Steps" color="warning" %}}
-Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user).
+Envoy Gateway should now be successfully installed and running. To experience more abilities of Envoy Gateway, refer to [Tasks](../tasks).
 {{% /alert %}}
diff --git a/site/content/en/latest/install/install-yaml.md b/site/content/en/latest/install/install-yaml.md
index 859aef1f534e..4fc9b38b0ddc 100644
--- a/site/content/en/latest/install/install-yaml.md
+++ b/site/content/en/latest/install/install-yaml.md
@@ -3,7 +3,7 @@ title = "Install with Kubernetes YAML"
 weight = -99
 +++
-In this guide, we'll walk you through installing Envoy Gateway in your Kubernetes cluster.
+This task walks you through installing Envoy Gateway in your Kubernetes cluster.
 The manual install process does not allow for as much control over configuration as the [Helm install method](./install-helm), so if you need more control over your Envoy Gateway
@@ -36,4 +36,4 @@ Refer to the [Developer Guide](/latest/contributions/develop) to learn more.
 2. Next Steps
- Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](/latest/user).
+ Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks).
diff --git a/site/content/en/latest/tasks/_index.md b/site/content/en/latest/tasks/_index.md
new file mode 100644
index 000000000000..49e8595328bf
--- /dev/null
+++ b/site/content/en/latest/tasks/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Tasks"
+weight: 2
+description: Learn Envoy Gateway hands-on through tasks
+---
diff --git a/site/content/en/latest/tasks/extensibility/_index.md b/site/content/en/latest/tasks/extensibility/_index.md
new file mode 100644
index 000000000000..664c734aeca0
--- /dev/null
+++ b/site/content/en/latest/tasks/extensibility/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Extensibility"
+weight: 4
+description: This section includes Extensibility tasks.
+---
diff --git a/site/content/en/latest/user/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md
similarity index 97%
rename from site/content/en/latest/user/extensibility/envoy-patch-policy.md
rename to site/content/en/latest/tasks/extensibility/envoy-patch-policy.md
index 5f24f448969e..94d71fc7c777 100644
--- a/site/content/en/latest/user/extensibility/envoy-patch-policy.md
+++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md
@@ -2,7 +2,7 @@ title: "Envoy Patch Policy"
 ---
-This guide explains the usage of the [EnvoyPatchPolicy][] API.
+This task explains the usage of the [EnvoyPatchPolicy][] API.
 __Note:__ This API is meant for users extremely familiar with Envoy [xDS][] semantics. Also before considering this API for production use cases, please be aware that this API is unstable and the outcome may change across versions. Use at your own risk.
@@ -22,7 +22,7 @@ not exposed by Envoy Gateway APIs today.
 ### Prerequisites
-* Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+* Follow the steps from the [Quickstart](../../quickstart) task to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ### Enable EnvoyPatchPolicy
diff --git a/site/content/en/latest/tasks/observability/_index.md b/site/content/en/latest/tasks/observability/_index.md
new file mode 100644
index 000000000000..9ca4896ee8b5
--- /dev/null
+++ b/site/content/en/latest/tasks/observability/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Observability"
+weight: 4
+description: This section includes Observability tasks.
+---
diff --git a/site/content/en/latest/user/observability/gateway-api-metrics.md b/site/content/en/latest/tasks/observability/gateway-api-metrics.md
similarity index 96%
rename from site/content/en/latest/user/observability/gateway-api-metrics.md
rename to site/content/en/latest/tasks/observability/gateway-api-metrics.md
index 8170e1968614..bd9e5b89317b 100644
--- a/site/content/en/latest/user/observability/gateway-api-metrics.md
+++ b/site/content/en/latest/tasks/observability/gateway-api-metrics.md
@@ -7,7 +7,7 @@ The project also provides example dashboard for visualising the metrics using Gr
 ## Prerequisites
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster:
diff --git a/site/content/en/latest/user/observability/grafana-integration.md b/site/content/en/latest/tasks/observability/grafana-integration.md
similarity index 93%
rename from site/content/en/latest/user/observability/grafana-integration.md
rename to site/content/en/latest/tasks/observability/grafana-integration.md
index b7c58e0d5822..c0e30c7cc9e2 100644
--- a/site/content/en/latest/user/observability/grafana-integration.md
+++ b/site/content/en/latest/tasks/observability/grafana-integration.md
@@ -3,11 +3,11 @@ title: "Visualising metrics using Grafana"
 ---
 Envoy Gateway provides support for exposing Envoy Proxy metrics to a Prometheus instance.
-This guide shows you how to visualise the metrics exposed to prometheus using grafana.
+This task shows you how to visualise the metrics exposed to prometheus using grafana.
 ## Prerequisites
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 Follow the steps from the [Proxy Observability](../proxy-observability#Metrics) to enable prometheus metrics.
diff --git a/site/content/en/latest/user/observability/proxy-observability.md b/site/content/en/latest/tasks/observability/proxy-observability.md
similarity index 96%
rename from site/content/en/latest/user/observability/proxy-observability.md
rename to site/content/en/latest/tasks/observability/proxy-observability.md
index df07bc569b68..5a1800ff39b7 100644
--- a/site/content/en/latest/user/observability/proxy-observability.md
+++ b/site/content/en/latest/tasks/observability/proxy-observability.md
@@ -3,11 +3,11 @@ title: "Proxy Observability"
 ---
 Envoy Gateway provides observability for the ControlPlane and the underlying EnvoyProxy instances.
-This guide show you how to config proxy observability, includes metrics, logs, and traces.
+This task show you how to config proxy observability, includes metrics, logs, and traces.
 ## Prerequisites
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 [FluentBit](https://fluentbit.io/) is used to collect logs from the EnvoyProxy instances and forward them to Loki. Install FluentBit:
diff --git a/site/content/en/latest/tasks/operations/_index.md b/site/content/en/latest/tasks/operations/_index.md
new file mode 100644
index 000000000000..d87097c7d1ed
--- /dev/null
+++ b/site/content/en/latest/tasks/operations/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Operations"
+weight: 4
+description: This section includes Operations tasks.
+---
diff --git a/site/content/en/latest/user/operations/customize-envoyproxy.md b/site/content/en/latest/tasks/operations/customize-envoyproxy.md
similarity index 99%
rename from site/content/en/latest/user/operations/customize-envoyproxy.md
rename to site/content/en/latest/tasks/operations/customize-envoyproxy.md
index d06c41b423ff..76004a836765 100644
--- a/site/content/en/latest/user/operations/customize-envoyproxy.md
+++ b/site/content/en/latest/tasks/operations/customize-envoyproxy.md
@@ -8,7 +8,7 @@ Service. To learn more about GatewayClass and ParametersRef, please refer to [Ga
 ## Installation
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Add GatewayClass ParametersRef
diff --git a/site/content/en/latest/user/operations/deployment-mode.md b/site/content/en/latest/tasks/operations/deployment-mode.md
similarity index 100%
rename from site/content/en/latest/user/operations/deployment-mode.md
rename to site/content/en/latest/tasks/operations/deployment-mode.md
diff --git a/site/content/en/latest/user/operations/egctl.md b/site/content/en/latest/tasks/operations/egctl.md
similarity index 100%
rename from site/content/en/latest/user/operations/egctl.md
rename to site/content/en/latest/tasks/operations/egctl.md
diff --git a/site/content/en/latest/user/quickstart.md b/site/content/en/latest/tasks/quickstart.md
similarity index 97%
rename from site/content/en/latest/user/quickstart.md
rename to site/content/en/latest/tasks/quickstart.md
index ab03631229af..980190b2bbf6 100644
--- a/site/content/en/latest/user/quickstart.md
+++ b/site/content/en/latest/tasks/quickstart.md
@@ -4,7 +4,7 @@ weight: 1
 description: Get started with Envoy Gateway in a few simple steps.
 ---
-This guide will help you get started with Envoy Gateway in a few simple steps.
+This "quick start" will help you get started with Envoy Gateway in a few simple steps.
 ## Prerequisites
@@ -85,7 +85,7 @@ curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/get
 ## Clean-Up
-Use the steps in this section to uninstall everything from the quickstart guide.
+Use the steps in this section to uninstall everything from the quickstart.
 Delete the GatewayClass, Gateway, HTTPRoute and Example App:
diff --git a/site/content/en/latest/tasks/security/_index.md b/site/content/en/latest/tasks/security/_index.md
new file mode 100644
index 000000000000..0e6a64144a75
--- /dev/null
+++ b/site/content/en/latest/tasks/security/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Security"
+weight: 2
+description: This section includes Security tasks.
+---
diff --git a/site/content/en/latest/user/security/backend-tls.md b/site/content/en/latest/tasks/security/backend-tls.md
similarity index 94%
rename from site/content/en/latest/user/security/backend-tls.md
rename to site/content/en/latest/tasks/security/backend-tls.md
index c7ce67251c3e..975e8a5f13c3 100644
--- a/site/content/en/latest/user/security/backend-tls.md
+++ b/site/content/en/latest/tasks/security/backend-tls.md
@@ -2,8 +2,8 @@ title: "Backend TLS: Gateway to Backend"
 ---
-This guide demonstrates how TLS can be achieved between the Gateway and a backend. The guide uses a self-signed CA, so it should be used for
-testing and demonstration purposes only.
+This task demonstrates how TLS can be achieved between the Gateway and a backend.
+This task uses a self-signed CA, so it should be used for testing and demonstration purposes only.
 Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][].
@@ -13,7 +13,7 @@ Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][].
 ## Installation
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 ## TLS Certificates
@@ -235,4 +235,4 @@ Inspect the output and see that the response contains the details of the TLS han
 }
 ```
-[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/
\ No newline at end of file
+[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/
diff --git a/site/content/en/latest/user/security/basic-auth.md b/site/content/en/latest/tasks/security/basic-auth.md
similarity index 91%
rename from site/content/en/latest/user/security/basic-auth.md
rename to site/content/en/latest/tasks/security/basic-auth.md
index a45de6fe2c51..28c3ca53d5cf 100644
--- a/site/content/en/latest/user/security/basic-auth.md
+++ b/site/content/en/latest/tasks/security/basic-auth.md
@@ -2,7 +2,7 @@ title: "Basic Authentication"
 ---
-This guide provides instructions for configuring [HTTP Basic authentication][http Basic authentication].
+This task provides instructions for configuring [HTTP Basic authentication][http Basic authentication].
 HTTP Basic authentication checks if an incoming request has a valid username and password before routing the request to a backend service.
@@ -12,7 +12,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Configuration
@@ -45,7 +45,7 @@ kubectl create secret tls example-cert --key=www.example.com.key --cert=www.exam
 ```
 ### Enable HTTPS
-Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the
+Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the
 `example-cert` Secret:
 ```shell
@@ -128,7 +128,7 @@ kubectl get securitypolicy/basic-auth-example -o yaml
 ## Testing
-Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the
 Quickstart instructions to set the variable.
 ```shell
@@ -176,7 +176,7 @@ The request should be allowed and you should see the response from the backend s
 ## Clean-Up
-Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
 Delete the SecurityPolicy and the secret
diff --git a/site/content/en/latest/user/security/cors.md b/site/content/en/latest/tasks/security/cors.md
similarity index 91%
rename from site/content/en/latest/user/security/cors.md
rename to site/content/en/latest/tasks/security/cors.md
index dea4f04361d5..1abbe77a737e 100644
--- a/site/content/en/latest/user/security/cors.md
+++ b/site/content/en/latest/tasks/security/cors.md
@@ -2,7 +2,7 @@ title: "CORS"
 ---
-This guide provides instructions for configuring [Cross-Origin Resource Sharing (CORS)][cors] on Envoy Gateway.
+This task provides instructions for configuring [Cross-Origin Resource Sharing (CORS)][cors] on Envoy Gateway.
 CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.
@@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Configuration
@@ -57,7 +57,7 @@ kubectl get securitypolicy/cors-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -122,7 +122,7 @@ filter to work. Otherwise, the OPTIONS request won't match the routes and the CO ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: diff --git a/site/content/en/latest/user/security/ext-auth.md b/site/content/en/latest/tasks/security/ext-auth.md similarity index 95% rename from site/content/en/latest/user/security/ext-auth.md rename to site/content/en/latest/tasks/security/ext-auth.md index efcd8b624679..b3eafd7e0be7 100644 --- a/site/content/en/latest/user/security/ext-auth.md +++ b/site/content/en/latest/tasks/security/ext-auth.md @@ -2,7 +2,7 @@ title: "External Authorization" --- -This guide provides instructions for configuring external authentication. +This task provides instructions for configuring external authentication. External authorization calls an external HTTP or gRPC service to check whether an incoming HTTP request is authorized or not. If the request is deemed unauthorized, then the request will be denied with a 403 (Forbidden) response. If the 
@@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Verify the Gateway status: @@ -97,7 +97,7 @@ kubectl get securitypolicy/ext-auth-example -o yaml ### Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -252,7 +252,7 @@ kubectl get backendtlspolicy/grpc-ext-auth-btls -o yaml ### Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -290,7 +290,7 @@ curl -v -H "Host: www.example.com" -H "Authorization: Bearer token1" "http://${G ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the demo auth services, HTTPRoute, SecurityPolicy and BackendTLSPolicy: diff --git a/site/content/en/latest/user/security/jwt-authentication.md b/site/content/en/latest/tasks/security/jwt-authentication.md similarity index 92% rename from site/content/en/latest/user/security/jwt-authentication.md rename to site/content/en/latest/tasks/security/jwt-authentication.md index a8204fdae5d0..2e129b387f1b 100644 
--- a/site/content/en/latest/user/security/jwt-authentication.md +++ b/site/content/en/latest/tasks/security/jwt-authentication.md @@ -2,7 +2,7 @@ title: "JWT Authentication" --- -This guide provides instructions for configuring [JSON Web Token (JWT)][jwt] authentication. JWT authentication checks +This task provides instructions for configuring [JSON Web Token (JWT)][jwt] authentication. JWT authentication checks if an incoming request has a valid JWT before routing the request to a backend service. Currently, Envoy Gateway only supports validating a JWT from an HTTP header, e.g. `Authorization: Bearer `. @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. For GRPC - follow the steps from the [GRPC Routing](../traffic/grpc-routing) example. Before proceeding, you should be able to query the example backend using HTTP or GRPC. @@ -71,7 +71,7 @@ kubectl get securitypolicy/jwt-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -150,7 +150,7 @@ You should see the below response ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: 
diff --git a/site/content/en/latest/user/security/mutual-tls.md b/site/content/en/latest/tasks/security/mutual-tls.md similarity index 90% rename from site/content/en/latest/user/security/mutual-tls.md rename to site/content/en/latest/tasks/security/mutual-tls.md index e24562ca45e0..b7cf0b1fb7c8 100644 --- a/site/content/en/latest/user/security/mutual-tls.md +++ b/site/content/en/latest/tasks/security/mutual-tls.md @@ -2,8 +2,8 @@ title: "Mutual TLS: External Clients to the Gateway" --- -This guide demonstrates how mutual TLS can be achieved between external clients and the Gateway. The guide uses a self-signed CA, so it should be used for -testing and demonstration purposes only. +This task demonstrates how mutual TLS can be achieved between external clients and the Gateway. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. ## Prerequisites @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -50,7 +50,7 @@ openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.e openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in client.example.com.csr -out client.example.com.crt ``` -Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the `example-cert` Secret: ```shell 
diff --git a/site/content/en/latest/user/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md similarity index 90% rename from site/content/en/latest/user/security/oidc.md rename to site/content/en/latest/tasks/security/oidc.md index 392650640e7f..9b1688227963 100644 --- a/site/content/en/latest/user/security/oidc.md +++ b/site/content/en/latest/tasks/security/oidc.md @@ -2,7 +2,7 @@ title: "OIDC Authentication" --- -This guide provides instructions for configuring [OpenID Connect (OIDC)][oidc] authentication. +This task provides instructions for configuring [OpenID Connect (OIDC)][oidc] authentication. OpenID Connect (OIDC) is an authentication standard built on top of OAuth 2.0. It enables client applications to rely on authentication that is performed by an OpenID Connect Provider (OP) to verify the identity of a user. @@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Verify the Gateway status: @@ -25,7 +25,7 @@ kubectl get gateway/eg -o yaml OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with the same OIDC configuration, or at the HTTPRoute level to authenticate each HTTPRoute with different OIDC configurations. -This guide demonstrates the configuration of OIDC at the HTTPRoute level. +This task demonstrates the configuration of OIDC at the HTTPRoute level. Let's create an HTTPRoute that represents an application protected by OIDC. 
@@ -58,7 +58,7 @@ kubectl get httproute/myapp -o yaml ## Configuration -This guide uses Google as the OIDC provider to demonstrate the configuration of OIDC. However, EG works with any OIDC +This task uses Google as the OIDC provider to demonstrate the configuration of OIDC. However, EG works with any OIDC providers, including Auth0, Azure AD, Keycloak, Okta, OneLogin, Salesforce, UAA, etc. ### Register an OIDC application @@ -143,7 +143,7 @@ login page. After you successfully login, you should see the response from the b ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy, the secret and the HTTPRoute: diff --git a/site/content/en/latest/user/security/private-key-provider.md b/site/content/en/latest/tasks/security/private-key-provider.md similarity index 97% rename from site/content/en/latest/user/security/private-key-provider.md rename to site/content/en/latest/tasks/security/private-key-provider.md index 6882ebfe2592..447e61cb3535 100644 --- a/site/content/en/latest/user/security/private-key-provider.md +++ b/site/content/en/latest/tasks/security/private-key-provider.md 
@@ -10,7 +10,7 @@ Today, there are two private key providers implemented in Envoy as contrib exten Both of them are used to accelerate the TLS handshake through the hardware capabilities. -This guide will walk you through the steps required to configure TLS Termination mode for TCP traffic while also using the Envoy Private Key Provider to accelerate the TLS handshake by leveraging QAT and the HW accelerator available on Intel SPR/EMR Xeon server platforms. +This task will walk you through the steps required to configure TLS Termination mode for TCP traffic while also using the Envoy Private Key Provider to accelerate the TLS handshake by leveraging QAT and the HW accelerator available on Intel SPR/EMR Xeon server platforms. ## Prerequisites @@ -112,7 +112,7 @@ It required the node with 3rd generation Intel Xeon Scalable processor server pr ## Installation -* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway. +* Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway. * Lets enable the EnvoyPatchPolicy feature, which will allow us to directly configure the Private Key Provider Envoy Filter, since Envoy Gateway does not directly expose this functionality. @@ -382,4 +382,4 @@ With QAT private key provider, the QPS is over 3 times than without private key ```shell All done 134746 calls (plus 128 warmup) 28.505 ms avg, 4489.6 qps -``` \ No newline at end of file +``` diff --git a/site/content/en/latest/user/security/secure-gateways.md b/site/content/en/latest/tasks/security/secure-gateways.md similarity index 89% rename from site/content/en/latest/user/security/secure-gateways.md rename to site/content/en/latest/tasks/security/secure-gateways.md index 195a9191b803..f1f1f525526a 100644 --- a/site/content/en/latest/user/security/secure-gateways.md +++ b/site/content/en/latest/tasks/security/secure-gateways.md 
@@ -2,8 +2,8 @@ title: "Secure Gateways" --- -This guide will help you get started using secure Gateways. The guide uses a self-signed CA, so it should be used for -testing and demonstration purposes only. +This task will help you get started using secure Gateways. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. ## Prerequisites @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -37,7 +37,7 @@ Store the cert/key in a Secret: kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt ``` -Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the `example-cert` Secret: ```shell @@ -242,7 +242,7 @@ Lastly, test connectivity using the above [Testing section](#testing). ## Clean-Up -Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secrets: 
@@ -257,10 +257,10 @@ This section gives a walkthrough to generate RSA and ECDSA derived certificates ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](#tls-certificates) section to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Pre-checks @@ -295,7 +295,7 @@ Moving forward in the doc, we will be configuring the existing Gateway listener ## TLS Certificates -Reuse the CA certificate and key pair generated in the [Secure Gateways](#tls-certificates) guide and use this CA to sign both RSA and ECDSA Server certificates. +Reuse the CA certificate and key pair generated in the [Secure Gateways](#tls-certificates) task and use this CA to sign both RSA and ECDSA Server certificates. Note the CA certificate and key names are `example.com.crt` and `example.com.key` respectively. 
@@ -369,14 +369,14 @@ This sections gives a walkthrough to generate multiple certificates correspondin ## Prerequisites -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](#tls-certificates) section to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Additional Configurations -Using the [TLS Certificates](#tls-certificates) section in the guide we first generate additional Secret for another Host `www.sample.com`. +Using the [TLS Certificates](#tls-certificates) section, we first generate additional Secret for another Host `www.sample.com`. ```shell openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=sample Inc./CN=sample.com' -keyout sample.com.key -out sample.com.crt @@ -446,7 +446,7 @@ Since the multiple certificates are configured on the same Gateway listener, Env ### Clusters with External LoadBalancer Support -Refer to the steps mentioned earlier in the guide under [Testing in clusters with External LoadBalancer Support](#clusters-with-external-loadbalancer-support) +Refer to the steps mentioned earlier under [Testing in clusters with External LoadBalancer Support](#clusters-with-external-loadbalancer-support) ## Next Steps 
diff --git a/site/content/en/latest/user/security/threat-model.md b/site/content/en/latest/tasks/security/threat-model.md similarity index 95% rename from site/content/en/latest/user/security/threat-model.md rename to site/content/en/latest/tasks/security/threat-model.md index ec615bd659dd..3f74fcf0fc69 100644 --- a/site/content/en/latest/user/security/threat-model.md +++ b/site/content/en/latest/tasks/security/threat-model.md @@ -24,7 +24,7 @@ Envoy Gateway is configured by Gateway API resources, and serves as an intuitive In this threat model, we aim to provide an analysis of Envoy Gateway's design components and their capabilities (at version 1.0) through a threat-driven approach. It should be noted that this does not constitute a security audit of the Envoy Gateway project, but instead focuses on different possible deployment topologies for Envoy Gateway with the goal of deriving recommendations and best practice guidance for end users. -The Envoy Gateway project recommends a [multi-tenancy model](https://gateway.envoyproxy.io/latest/user/operations/deployment-mode/#multi-tenancy) whereby each tenant deploys their own Envoy Gateway controller in a namespace which they own. We will also explore the implications and risks associated with multiple tenants using a shared controller. +The Envoy Gateway project recommends a [multi-tenancy model](https://gateway.envoyproxy.io/latest/tasks/operations/deployment-mode/#multi-tenancy) whereby each tenant deploys their own Envoy Gateway controller in a namespace which they own. We will also explore the implications and risks associated with multiple tenants using a shared controller. ### Scope 
@@ -52,7 +52,7 @@ Implementation of Envoy Gateway as an egress traffic controller is out of scope [Configuring Envoy as an Edge Proxy](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#best-practices-edge) -[Envoy Gateway Deployment Mode](https://gateway.envoyproxy.io/latest/user/operations/deployment-mode/) +[Envoy Gateway Deployment Mode](https://gateway.envoyproxy.io/latest/tasks/operations/deployment-mode/) [Kubernetes Gateway API Security Model](https://gateway-api.sigs.k8s.io/concepts/security-model/) @@ -90,7 +90,7 @@ Our threat model will be based on the high-level setup shown below, where Envoy ![Architecture](/img/architecture_threat_model.png) -The following use cases will be considered, in line with the [Envoy Gateway User Guides](https://gateway.envoyproxy.io/latest/user/): +The following use cases will be considered, in line with the [Envoy Gateway tasks](https://gateway.envoyproxy.io/latest/tasks/): 1. Routing and controlling traffic, including: a. HTTP \ 
@@ -232,9 +232,9 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy. - **Recommendation**: The Envoy Gateway quickstart guide demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA. + **Recommendation**: The Envoy Gateway quickstart demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA. - PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/user/security/mutual-tls/) guide shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. + PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/tasks/security/mutual-tls/) task shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. 
### EGTM-002 Private keys are stored as Kubernetes secrets @@ -286,7 +286,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Malicious or accidental co-tenant misconfiguration of Gateways and Routes associated with other application teams. - **Recommendation**: Dedicated Envoy Gateways should be provided to each tenant within their respective namespace. A one-to-one relationship should be established between GatewayClass and Gateway resources, meaning that each tenant namespace should have their own GatewayClass watched by a unique Envoy Gateway Controller as defined here in the [Deployment Mode](https://gateway.envoyproxy.io/latest/user/operations/deployment-mode/) documentation. + **Recommendation**: Dedicated Envoy Gateways should be provided to each tenant within their respective namespace. A one-to-one relationship should be established between GatewayClass and Gateway resources, meaning that each tenant namespace should have their own GatewayClass watched by a unique Envoy Gateway Controller as defined here in the [Deployment Mode](https://gateway.envoyproxy.io/latest/tasks/operations/deployment-mode/) documentation. Application Admins should have write permissions on the Gateway resource, but only in their specific namespaces, and Application Developers should only hold write permissions on Route resources. To enact this access control schema, follow the [Write Permissions for Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model) described in the Kubernetes Gateway API security model. Examples of secured gateway-route topologies can be found [here](https://gateway-api.sigs.k8s.io/concepts/api-overview/#attaching-routes-to-gateways) within the Kubernetes Gateway API docs. 
@@ -396,7 +396,7 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack. - **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing. + **Recommendation**: To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/tasks/rate-limit/) filter and load balancing. Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. 
This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action). 
@@ -448,7 +448,7 @@ When considering internal threat actors, we chose to follow the [security model] **Recommendation**: Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway. - EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](https://gateway.envoyproxy.io/latest/user/operations/customize-envoyproxy/) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. + EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](https://gateway.envoyproxy.io/latest/tasks/operations/customize-envoyproxy/) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. ### EGTM-005 Envoy Gateway Helm chart deployment does not set AppArmor and Seccomp profiles 
@@ -591,11 +591,11 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |ID|UID|Category|Risk|Threat|Priority| Recommendation | |-|-|-|-|-|-|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|EGTM-001|EGTM-GW-001|Gateway API| Self-signed certificates (which do not comply with PKI best practices) could lead to unauthorised access to the private key associated with the certificate used for inbound TLS termination at Envoy Proxy, compromising the confidentiality and integrity of proxied traffic.

| Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy.

|High| The Envoy Gateway quickstart guide demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA.

PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/user/security/mutual-tls/) guide shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. | +|EGTM-001|EGTM-GW-001|Gateway API| Self-signed certificates (which do not comply with PKI best practices) could lead to unauthorised access to the private key associated with the certificate used for inbound TLS termination at Envoy Proxy, compromising the confidentiality and integrity of proxied traffic.

| Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy.

|High| The Envoy Gateway quickstart demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA.

PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/tasks/security/mutual-tls/) task shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. |
 |EGTM-002|EGTM-CS-001|Container Security| There is a risk that a threat actor could compromise the Kubernetes secret containing the Envoy private key, allowing the attacker to decrypt Envoy Proxy traffic, compromising the confidentiality of proxied traffic.

| Kubernetes secret containing the Envoy private key is compromised and used to decrypt proxied traffic.

|High| Certificate management best practices mandate short-lived key material where practical, meaning that a mechanism for rotation of private keys and certificates is required, along with a way for certificates to be mounted into Envoy containers. If Kubernetes secrets are used, when a certificate expires, the associated secret must be updated, and Envoy containers must be redeployed. Instead of a manual configuration, it is recommended that [cert-manager](https://github.com/cert-manager/cert-manager) is used. |
 |EGTM-004|EGTM-K8-002|Container Security| There is a risk that a threat actor could abuse misconfigured RBAC to access the Envoy Gateway ClusterRole (envoy-gateway-role) and use it to expose all secrets across the cluster, thus compromising the confidentiality and integrity of tenant data.

| Compromised Envoy Gateway or misconfigured ClusterRoleBinding (envoy-gateway-rolebinding) to Envoy Gateway ClusterRole (envoy-gateway-role), provides access to resources and secrets in different namespaces.

|High| Users should be aware that Envoy Gateway uses a ClusterRole (envoy-gateway-role) when deployed via the Helm chart, to allow management of Envoy Proxies across different namespaces. This ClusterRole is powerful and includes the ability to read secrets in namespaces which may not be within the purview of Envoy Gateway.

Kubernetes best-practices involve restriction of ClusterRoleBindings, with the use of RoleBindings where possible to limit access per namespace by specifying the namespace in metadata. Namespace isolation reduces the impact of compromise from cluster-scoped roles. Ideally, fine-grained K8s roles should be created per the principle of least privilege to ensure they have the minimum access necessary for role functions.

The pull request \#[1656](https://github.com/envoyproxy/gateway/pull/1656) introduced the use of Roles and RoleBindings in [namespaced mode](https://gateway.envoyproxy.io/latest/api/extension_types/#kuberneteswatchmode). This feature can be leveraged to reduce the amount of permissions required by the Envoy Gateway. |
 |EGTM-007|EGTM-EG-002|Envoy Gateway| There is a risk that a threat actor could exploit misconfigured Kubernetes RBAC to create or modify Gateway API resources with no business need, potentially leading to the compromise of the confidentiality, integrity, and availability of resources and traffic within the cluster.

| Unauthorised creation or misconfiguration of Gateway API resources by a threat actor with cluster-scoped access.

|High| Configure the apiGroup and resource fields in RBAC policies to restrict access to [Gateway](https://gateway-api.sigs.k8s.io/) and [GatewayClass](https://gateway-api.sigs.k8s.io/api-types/gatewayclass/) resources. Enable namespace isolation by using the namespace field, preventing unauthorised access to gateways in other namespaces. |
-|EGTM-009|EGTM-GW-002|Gateway API| There is a risk that a co-tenant misconfigures Gateway or Route resources, compromising the confidentiality, integrity, and availability of routed traffic through Envoy Gateway.

| Malicious or accidental co-tenant misconfiguration of Gateways and Routes associated with other application teams.

|High| Dedicated Envoy Gateways should be provided to each tenant within their respective namespace. A one-to-one relationship should be established between GatewayClass and Gateway resources, meaning that each tenant namespace should have their own GatewayClass watched by a unique Envoy Gateway Controller as defined here in the [Deployment Mode](https://gateway.envoyproxy.io/latest/user/operations/deployment-mode/) documentation.

Application Admins should have write permissions on the Gateway resource, but only in their specific namespaces, and Application Developers should only hold write permissions on Route resources. To enact this access control schema, follow the [Write Permissions for Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model) described in the Kubernetes Gateway API security model. Examples of secured gateway-route topologies can be found [here](https://gateway-api.sigs.k8s.io/concepts/api-overview/#attaching-routes-to-gateways) within the Kubernetes Gateway API docs.

Optionally, consider a GitOps model, where only the GitOps operator has the permission to deploy or modify custom resources in production. |
+|EGTM-009|EGTM-GW-002|Gateway API| There is a risk that a co-tenant misconfigures Gateway or Route resources, compromising the confidentiality, integrity, and availability of routed traffic through Envoy Gateway.

| Malicious or accidental co-tenant misconfiguration of Gateways and Routes associated with other application teams.

|High| Dedicated Envoy Gateways should be provided to each tenant within their respective namespace. A one-to-one relationship should be established between GatewayClass and Gateway resources, meaning that each tenant namespace should have their own GatewayClass watched by a unique Envoy Gateway Controller as defined here in the [Deployment Mode](https://gateway.envoyproxy.io/latest/tasks/operations/deployment-mode/) documentation.

Application Admins should have write permissions on the Gateway resource, but only in their specific namespaces, and Application Developers should only hold write permissions on Route resources. To enact this access control schema, follow the [Write Permissions for Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model) described in the Kubernetes Gateway API security model. Examples of secured gateway-route topologies can be found [here](https://gateway-api.sigs.k8s.io/concepts/api-overview/#attaching-routes-to-gateways) within the Kubernetes Gateway API docs.

Optionally, consider a GitOps model, where only the GitOps operator has the permission to deploy or modify custom resources in production. |
 |EGTM-014|EGTM-CS-006|Container Security| There is a risk that a supply chain attack on Envoy Gateway results in an arbitrary compromise of the confidentiality, integrity or availability of tenant data.

| Supply chain threat actor introduces malicious code into Envoy Gateway or Proxy.

|High| The Envoy Gateway project should continue to work towards conformance with supply-chain security best practices throughout the project lifecycle (for example, as set out in the [CNCF Software Supply Chain Best Practices Whitepaper](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf). Adherence to [Supply-chain Levels for Software Artefacts](https://slsa.dev/) (SLSA) standards is crucial for maintaining the security of the system. Employ version control systems to monitor the source and build platforms and assign responsibility to a specific stakeholder.

Integrate a supply chain security tool such as Sigstore, which provides native capabilities for signing and verifying container images and software artefacts. [Software Bill of Materials](https://www.cisa.gov/sbom) (SBOM), [Vulnerability Exploitability eXchange](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf) (VEX), and signed artefacts should also be incorporated into the security protocol. |
 |EGTM-020|EGTM-CS-009|Container Security| There is a risk that a threat actor exploits an Envoy Proxy vulnerability to remote code execution (RCE) due to out of date or misconfigured Envoy Proxy pod deployment, compromising the confidentiality and integrity of Envoy Proxy along with the availability of the proxy service.

| Deployment of an Envoy Proxy or Gateway image containing exploitable CVEs.

|High| Always use the latest version of the Envoy Proxy image. Regularly check for updates and patch the system as soon as updates become available. Implement a CI/CD pipeline that includes security checks for images and prevents deployment of insecure configurations. A tool such as Snyk can be used to provide container vulnerability scanning to mitigate the risk of known vulnerabilities.

Utilise the [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) controller to enforce [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) and configure the [pod security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) to limit its capabilities per the principle of least privilege. |
 |EGTM-022|EGTM-CS-010|Container Security| There is a risk that the OIDC client secret (for OIDC authentication) and user password hashes (for basic authentication) get leaked due to misconfigured RBAC permissions.

| Unauthorised access to the application due to credential leakage.

|High| Ensure that only authorised users and service accounts are able to access secrets. This is especially important in namespaces where SecurityPolicy objects are configured, since those namespaces are the ones to store secrets containing the client secret (in OIDC scenarios) and user password hashes (in basic authentication scenarios).

To do so, minimise the use of ClusterRoles and Roles allowing listing and getting secrets. Perform periodic audits of RBAC permissions. |
@@ -603,10 +603,10 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru
 |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. |
 |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. |
 |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. |
-|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. |
+|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/tasks/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. |
 |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. |
 |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. |
-|EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](https://gateway.envoyproxy.io/latest/user/operations/customize-envoyproxy/) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. |
+|EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](https://gateway.envoyproxy.io/latest/tasks/operations/customize-envoyproxy/) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. |
 |EGTM-005|EGTM-CP-002|Container Security| Threat actor who has obtained access to Envoy Gateway pod could exploit the lack of AppArmor and Seccomp profiles in the Envoy Gateway deployment to attempt a container breakout, given the presence of an exploitable vulnerability, potentially impacting the confidentiality and integrity of namespace resources.

| Unauthorised syscalls and malicious code running in the Envoy Gateway pod.

|Low| Implement [AppArmor](https://kubernetes.io/docs/tutorials/security/apparmor/) policies by setting \: \ within container.apparmor.security.beta.kubernetes.io (note, this config is set *per container*). Well-defined AppArmor policies may provide greater protection from unknown threats.

Enforce [Seccomp](https://kubernetes.io/docs/tutorials/security/seccomp/) profiles by setting the seccompProfile under securityContext. Ideally, a [fine-grained](https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-with-a-seccomp-profile-that-only-allows-necessary-syscalls) profile should be used to restrict access to only necessary syscalls, however the \--seccomp-default flag can be set to resort to [RuntimeDefault](https://kubernetes.io/docs/tutorials/security/seccomp/#create-pod-that-uses-the-container-runtime-default-seccomp-profile) which provides a container runtime specific. Example seccomp profiles can be found [here](https://kubernetes.io/docs/tutorials/security/seccomp/#download-profiles).

To further enhance pod security, consider implementing [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) via seLinuxOptions for additional syscall attack surface reduction. Setting readOnlyRootFilesystem == true enforces an immutable root filesystem, preventing the addition of malicious binaries to the PATH and increasing the attack cost. Together, these configuration items improve the pods [Security Context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/). |
 |EGTM-006|EGTM-CS-004|Container Security| There is a risk that a threat actor exploits a vulnerability in Envoy Proxy to expose a reverse shell, enabling them to compromise the confidentiality, integrity and availability of tenant data via a secondary attack.

| If an external attacker managed to exploit a vulnerability in Envoy, the presence of a shell would be greatly helpful for the attacker in terms of potentially pivoting, escalating, or establishing some form of persistence.

|Low| By default, Envoy uses a [distroless](https://github.com/GoogleContainerTools/distroless) image since v.0.6.0, which does not ship a shell. Therefore, ensure EnvoyProxy image is up-to-date and patched with the latest stable version.

If using private EnvoyProxy images, use a lightweight EnvoyProxy image without a shell or debugging tool(s) which may be useful for an attacker.

An [AuditPolicy](https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/#audit-policy) (audit.k8s.io/v1beta1) can be configured to record API calls made within your cluster, allowing for identification of malicious traffic and enabling incident response. Requests are recorded based on stages which delineate between the lifecycle stage of the request made (e.g., RequestReceived, ResponseStarted, & ResponseComplete). |
 |EGTM-011|EGTM-GW-003|Gateway API| There is a risk that a gateway owner (or someone with the ability to set namespace labels) maliciously or accidentally binds routes across namespace boundaries, potentially compromising the confidentiality and integrity of traffic in a multitenant scenario.

| If a Route Binding within a Gateway Listener is configured based on a custom label, it could allow a malicious internal actor with the ability to label namespaces to change the set of namespaces supported by the Gateway

|Low| Consider the use of custom admission control to restrict what labels can be set on namespaces through tooling such as [Kubewarden](https://kyverno.io/policies/pod-security/), [Kyverno](https://github.com/kubewarden), and [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper). Route binding should follow the Kubernetes Gateway API security model, as shown [here](https://gateway-api.sigs.k8s.io/concepts/security-model/#1-route-binding), to connect gateways in different namespaces. |
diff --git a/site/content/en/latest/user/security/tls-cert-manager.md b/site/content/en/latest/tasks/security/tls-cert-manager.md
similarity index 98%
rename from site/content/en/latest/user/security/tls-cert-manager.md
rename to site/content/en/latest/tasks/security/tls-cert-manager.md
index 690a5e02e042..d51fa469e8c4 100644
--- a/site/content/en/latest/user/security/tls-cert-manager.md
+++ b/site/content/en/latest/tasks/security/tls-cert-manager.md
@@ -2,7 +2,7 @@
 title: "Using cert-manager For TLS Termination"
 ---
-This guide shows how to set up [cert-manager](https://cert-manager.io/) to automatically create certificates and secrets for use by Envoy Gateway.
+This task shows how to set up [cert-manager](https://cert-manager.io/) to automatically create certificates and secrets for use by Envoy Gateway. It will first show how to enable the self-sign issuer, which is useful to test that cert-manager and Envoy Gateway can talk to each other. Then it shows how to use [Let's Encrypt's staging environment](https://letsencrypt.org/docs/staging-environment/). Changing to the Let's Encrypt production environment is straight-forward after that.
@@ -18,7 +18,7 @@ Changing to the Let's Encrypt production environment is straight-forward after t
 ## Installation
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Deploying cert-manager
@@ -96,7 +96,7 @@ EOF
 ```
 You could instead create a new Gateway serving HTTPS, if you'd prefer.
-cert-manager doesn't care, but we'll keep it all together in this guide.
+cert-manager doesn't care, but we'll keep it all together in this task.
 Nowadays, X.509 certificates don't use the subject Common Name for hostname matching, so you can set it to whatever you want, or leave it empty. The important parts here are
diff --git a/site/content/en/latest/user/security/tls-passthrough.md b/site/content/en/latest/tasks/security/tls-passthrough.md
similarity index 88%
rename from site/content/en/latest/user/security/tls-passthrough.md
rename to site/content/en/latest/tasks/security/tls-passthrough.md
index f732b71236b0..874ec2aac4e6 100644
--- a/site/content/en/latest/user/security/tls-passthrough.md
+++ b/site/content/en/latest/tasks/security/tls-passthrough.md
@@ -2,7 +2,7 @@
 title: "TLS Passthrough"
 ---
-This guide will walk through the steps required to configure TLS Passthrough via Envoy Gateway. Unlike configuring
+This task will walk through the steps required to configure TLS Passthrough via Envoy Gateway. Unlike configuring
 Secure Gateways, where the Gateway terminates the client TLS connection, TLS Passthrough allows the application itself to terminate the TLS connection, while the Gateway routes the requests to the application based on SNI headers.
@@ -12,7 +12,7 @@ to terminate the TLS connection, while the Gateway routes the requests to the ap
 ## Installation
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## TLS Certificates
@@ -49,7 +49,7 @@ Deploy TLS Passthrough application Deployment, Service and TLSRoute:
 kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/tls-passthrough.yaml
 ```
-Patch the Gateway from the Quickstart guide to include a TLS listener that listens on port `6443` and is configured for
+Patch the Gateway from the Quickstart to include a TLS listener that listens on port `6443` and is configured for
 TLS mode Passthrough:
 ```shell
@@ -106,7 +106,7 @@ curl -v -HHost:passthrough.example.com --resolve "passthrough.example.com:6443:$
 ## Clean-Up
-Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
 Delete the Secret:
diff --git a/site/content/en/latest/user/security/tls-termination.md b/site/content/en/latest/tasks/security/tls-termination.md
similarity index 88%
rename from site/content/en/latest/user/security/tls-termination.md
rename to site/content/en/latest/tasks/security/tls-termination.md
index 1c75b40e6db7..77a701a443a4 100644
--- a/site/content/en/latest/user/security/tls-termination.md
+++ b/site/content/en/latest/tasks/security/tls-termination.md
@@ -2,7 +2,8 @@
 title: "TLS Termination for TCP"
 ---
-This guide will walk through the steps required to configure TLS Terminate mode for TCP traffic via Envoy Gateway. The guide uses a self-signed CA, so it should be used for testing and demonstration purposes only.
+This task will walk through the steps required to configure TLS Terminate mode for TCP traffic via Envoy Gateway.
+This task uses a self-signed CA, so it should be used for testing and demonstration purposes only.
 ## Prerequisites
@@ -10,7 +11,7 @@ This guide will walk through the steps required to configure TLS Terminate mode
 ## Installation
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway.
 ## TLS Certificates
 Generate the certificates and keys used by the Gateway to terminate client TLS connections.
diff --git a/site/content/en/latest/tasks/traffic/_index.md b/site/content/en/latest/tasks/traffic/_index.md
new file mode 100644
index 000000000000..f884ccdfcb03
--- /dev/null
+++ b/site/content/en/latest/tasks/traffic/_index.md
@@ -0,0 +1,5 @@
+---
+title: "Traffic"
+weight: 1
+description: This section includes Traffic Management tasks.
+---
diff --git a/site/content/en/latest/user/traffic/circuit-breaker.md b/site/content/en/latest/tasks/traffic/circuit-breaker.md
similarity index 97%
rename from site/content/en/latest/user/traffic/circuit-breaker.md
rename to site/content/en/latest/tasks/traffic/circuit-breaker.md
index 2a797fc24c4c..cf00d926a2c1 100644
--- a/site/content/en/latest/user/traffic/circuit-breaker.md
+++ b/site/content/en/latest/tasks/traffic/circuit-breaker.md
@@ -20,7 +20,7 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP
 ### Install Envoy Gateway
-* Follow the installation step from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and sample resources.
+* Follow the installation step from the [Quickstart](../../quickstart) to install Envoy Gateway and sample resources.
 ### Install the hey load testing tool
 * The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs.
@@ -120,4 +120,4 @@ With the new circuit breaker settings, and due to the slowness of the backend, o
 [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/
 [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
 [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/
-[Hey project]: https://github.com/rakyll/hey
\ No newline at end of file
+[Hey project]: https://github.com/rakyll/hey
diff --git a/site/content/en/latest/user/traffic/client-traffic-policy.md b/site/content/en/latest/tasks/traffic/client-traffic-policy.md
similarity index 98%
rename from site/content/en/latest/user/traffic/client-traffic-policy.md
rename to site/content/en/latest/tasks/traffic/client-traffic-policy.md
index 7b37f8d4338b..98659941f72f 100644
--- a/site/content/en/latest/user/traffic/client-traffic-policy.md
+++ b/site/content/en/latest/tasks/traffic/client-traffic-policy.md
@@ -2,7 +2,7 @@
 title: "Client Traffic Policy"
 ---
-This guide explains the usage of the [ClientTrafficPolicy][] API.
+This task explains the usage of the [ClientTrafficPolicy][] API.
 ## Introduction
@@ -18,7 +18,7 @@ This API was added as a new policy attachment resource that can be applied to Ga
 ### Prerequisites
-* Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ### Support TCP keepalive for downstream client
diff --git a/site/content/en/latest/user/traffic/connection-limit.md b/site/content/en/latest/tasks/traffic/connection-limit.md
similarity index 96%
rename from site/content/en/latest/user/traffic/connection-limit.md
rename to site/content/en/latest/tasks/traffic/connection-limit.md
index ac9acc02844e..138e620bf9bc 100644
--- a/site/content/en/latest/user/traffic/connection-limit.md
+++ b/site/content/en/latest/tasks/traffic/connection-limit.md
@@ -25,7 +25,7 @@ When a [Client Traffic Policy][] is attached to a gateway, the connection limit
 ### Install Envoy Gateway
-* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
+* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ### Install the hey load testing tool
diff --git a/site/content/en/latest/user/traffic/fault-injection.md b/site/content/en/latest/tasks/traffic/fault-injection.md
similarity index 95%
rename from site/content/en/latest/user/traffic/fault-injection.md
rename to site/content/en/latest/tasks/traffic/fault-injection.md
index c033d12aed3e..657b3e1453d3 100644
--- a/site/content/en/latest/user/traffic/fault-injection.md
+++ b/site/content/en/latest/tasks/traffic/fault-injection.md
@@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example.
 Before proceeding, you should be able to query the example backend using HTTP or GRPC.
@@ -170,7 +170,7 @@ kubectl get backendtrafficpolicy/fault-injection-abort -o yaml
 ## Testing
-Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the
+Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the
 Quickstart instructions to set the variable.
 ```shell
@@ -238,7 +238,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = fa
 ## Clean-Up
-Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest.
 Delete the BackendTrafficPolicy:
diff --git a/site/content/en/latest/user/traffic/gateway-address.md b/site/content/en/latest/tasks/traffic/gateway-address.md
similarity index 100%
rename from site/content/en/latest/user/traffic/gateway-address.md
rename to site/content/en/latest/tasks/traffic/gateway-address.md
diff --git a/site/content/en/latest/user/traffic/gatewayapi-support.md b/site/content/en/latest/tasks/traffic/gatewayapi-support.md
similarity index 100%
rename from site/content/en/latest/user/traffic/gatewayapi-support.md
rename to site/content/en/latest/tasks/traffic/gatewayapi-support.md
diff --git a/site/content/en/latest/user/traffic/global-rate-limit.md b/site/content/en/latest/tasks/traffic/global-rate-limit.md
similarity index 99%
rename from site/content/en/latest/user/traffic/global-rate-limit.md
rename to site/content/en/latest/tasks/traffic/global-rate-limit.md
index aca136fb2985..a0734928bd7b 100644
--- a/site/content/en/latest/user/traffic/global-rate-limit.md
+++ b/site/content/en/latest/tasks/traffic/global-rate-limit.md
@@ -27,7 +27,7 @@ has its own 100r/s rate limit bucket.
 ### Install Envoy Gateway
-* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
+* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ### Install Redis
diff --git a/site/content/en/latest/user/traffic/grpc-routing.md b/site/content/en/latest/tasks/traffic/grpc-routing.md
similarity index 97%
rename from site/content/en/latest/user/traffic/grpc-routing.md
rename to site/content/en/latest/tasks/traffic/grpc-routing.md
index 5334514b7ccc..4c27ef993ccc 100644
--- a/site/content/en/latest/user/traffic/grpc-routing.md
+++ b/site/content/en/latest/tasks/traffic/grpc-routing.md
@@ -7,7 +7,7 @@ To learn more about gRPC routing, refer to the [Gateway API documentation][].
 ## Prerequisites
-Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Installation
@@ -43,8 +43,7 @@ kubectl get gateways --selector=example=grpc-routing
 ```
 The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also
-provides the address of the Gateway. This address is used later in the guide to test connectivity to proxied backend
-services.
+provides the address of the Gateway. This address is used later to test connectivity to proxied backend services.
 Check the status of the GRPCRoute:
diff --git a/site/content/en/latest/user/traffic/http-redirect.md b/site/content/en/latest/tasks/traffic/http-redirect.md
similarity index 99%
rename from site/content/en/latest/user/traffic/http-redirect.md
rename to site/content/en/latest/tasks/traffic/http-redirect.md
index 21aed019d4d1..8639c2c9d7c2 100644
--- a/site/content/en/latest/user/traffic/http-redirect.md
+++ b/site/content/en/latest/tasks/traffic/http-redirect.md
@@ -66,7 +66,7 @@ $ curl -L -vvv --header "Host: redirect.example" "http://${GATEWAY_HOST}/get"
 ...
 ```
-If you followed the steps in the [Secure Gateways](../security/secure-gateways) guide, you should be able to curl the redirect
+If you followed the steps in the [Secure Gateways](../security/secure-gateways) task, you should be able to curl the redirect
 location.
 ## HTTP --> HTTPS
diff --git a/site/content/en/latest/user/traffic/http-request-headers.md b/site/content/en/latest/tasks/traffic/http-request-headers.md
similarity index 98%
rename from site/content/en/latest/user/traffic/http-request-headers.md
rename to site/content/en/latest/tasks/traffic/http-request-headers.md
index af946da719ed..05cb770c4a7d 100644
--- a/site/content/en/latest/user/traffic/http-request-headers.md
+++ b/site/content/en/latest/tasks/traffic/http-request-headers.md
@@ -14,7 +14,7 @@ client.
 ## Prerequisites
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Adding Request Headers
diff --git a/site/content/en/latest/user/traffic/http-request-mirroring.md b/site/content/en/latest/tasks/traffic/http-request-mirroring.md
similarity index 97%
rename from site/content/en/latest/user/traffic/http-request-mirroring.md
rename to site/content/en/latest/tasks/traffic/http-request-mirroring.md
index 0398cf3780b7..e5caa3fdc899 100644
--- a/site/content/en/latest/user/traffic/http-request-mirroring.md
+++ b/site/content/en/latest/tasks/traffic/http-request-mirroring.md
@@ -8,7 +8,7 @@ When requests are made to a `HTTPRoute` that uses a `HTTPRequestMirrorFilter`, t
 ## Installation
-Follow the steps from the [Quickstart Guide][] to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart][] to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Mirroring the Traffic
@@ -244,7 +244,7 @@ EOF
 Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule
 ```
-[Quickstart Guide]: ../../quickstart/
+[Quickstart]: ../../quickstart/
 [Traffic Splitting]: ../http-traffic-splitting/
 [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/
 [backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef
diff --git a/site/content/en/latest/user/traffic/http-response-headers.md b/site/content/en/latest/tasks/traffic/http-response-headers.md
similarity index 98%
rename from site/content/en/latest/user/traffic/http-response-headers.md
rename to site/content/en/latest/tasks/traffic/http-response-headers.md
index 13efc8af19af..8e13f1464936 100644
--- a/site/content/en/latest/user/traffic/http-response-headers.md
+++ b/site/content/en/latest/tasks/traffic/http-response-headers.md
@@ -12,7 +12,7 @@ upstream service.
 ## Prerequisites
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Adding Response Headers
diff --git a/site/content/en/latest/user/traffic/http-routing.md b/site/content/en/latest/tasks/traffic/http-routing.md
similarity index 97%
rename from site/content/en/latest/user/traffic/http-routing.md
rename to site/content/en/latest/tasks/traffic/http-routing.md
index 12e1773a91f0..bf1a75966379 100644
--- a/site/content/en/latest/user/traffic/http-routing.md
+++ b/site/content/en/latest/tasks/traffic/http-routing.md
@@ -3,13 +3,13 @@ title: "HTTP Routing"
 ---
 The [HTTPRoute][] resource allows users to configure HTTP routing by matching HTTP traffic and forwarding it to
-Kubernetes backends. Currently, the only supported backend supported by Envoy Gateway is a Service resource. This guide
+Kubernetes backends. Currently, the only supported backend supported by Envoy Gateway is a Service resource. This task
 shows how to route traffic based on host, header, and path fields and forward the traffic to different Kubernetes
 Services. To learn more about HTTP routing, refer to the [Gateway API documentation][].
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Installation
@@ -45,7 +45,7 @@ kubectl get gateways --selector=example=http-routing
 ```
 The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also
-provides the address of the Gateway. This address is used later in the guide to test connectivity to proxied backend
+provides the address of the Gateway. This address is used later to test connectivity to proxied backend
 services.
 The three HTTPRoute resources create routing rules on the Gateway. In order to receive traffic from a Gateway,
diff --git a/site/content/en/latest/user/traffic/http-timeouts.md b/site/content/en/latest/tasks/traffic/http-timeouts.md
similarity index 94%
rename from site/content/en/latest/user/traffic/http-timeouts.md
rename to site/content/en/latest/tasks/traffic/http-timeouts.md
index c3abc1926115..01e166fe87e8 100644
--- a/site/content/en/latest/user/traffic/http-timeouts.md
+++ b/site/content/en/latest/tasks/traffic/http-timeouts.md
@@ -2,7 +2,7 @@
 title: "HTTP Timeouts"
 ---
-The [HTTPRouteTimeouts][] resource allows users to configure request timeouts and response timeouts for an [HTTPRouteRule][]. This guide shows how to configure timeouts.
+The [HTTPRouteTimeouts][] resource allows users to configure request timeouts and response timeouts for an [HTTPRouteRule][]. This task shows how to configure timeouts.
 The [HTTPRouteTimeouts][] supports two kinds of timeouts:
 - **request**: Request specifies the maximum duration for a gateway to respond to an HTTP request.
@@ -12,7 +12,7 @@ __Note:__ The Request duration must be >= BackendRequest duration
 ## Installation
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Verification
diff --git a/site/content/en/latest/user/traffic/http-traffic-splitting.md b/site/content/en/latest/tasks/traffic/http-traffic-splitting.md
similarity index 98%
rename from site/content/en/latest/user/traffic/http-traffic-splitting.md
rename to site/content/en/latest/tasks/traffic/http-traffic-splitting.md
index ef240753ad8d..924d36970e9c 100644
--- a/site/content/en/latest/user/traffic/http-traffic-splitting.md
+++ b/site/content/en/latest/tasks/traffic/http-traffic-splitting.md
@@ -8,7 +8,7 @@ with status code `500` for all requests that would have been sent to that backen
 ## Installation
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Single backendRef
diff --git a/site/content/en/latest/user/traffic/http-urlrewrite.md b/site/content/en/latest/tasks/traffic/http-urlrewrite.md
similarity index 98%
rename from site/content/en/latest/user/traffic/http-urlrewrite.md
rename to site/content/en/latest/tasks/traffic/http-urlrewrite.md
index 062f60863928..5acca0367144 100644
--- a/site/content/en/latest/user/traffic/http-urlrewrite.md
+++ b/site/content/en/latest/tasks/traffic/http-urlrewrite.md
@@ -7,7 +7,7 @@ used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequ
 ## Prerequisites
-Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Rewrite URL Prefix Path
diff --git a/site/content/en/latest/user/traffic/http3.md b/site/content/en/latest/tasks/traffic/http3.md
similarity index 86%
rename from site/content/en/latest/user/traffic/http3.md
rename to site/content/en/latest/tasks/traffic/http3.md
index 77bc8742cb33..3b83bc7def5e 100644
--- a/site/content/en/latest/user/traffic/http3.md
+++ b/site/content/en/latest/tasks/traffic/http3.md
@@ -2,8 +2,8 @@
 title: "HTTP3"
 ---
-This guide will help you get started using HTTP3 using EG. The guide uses a self-signed CA, so it should be used for
-testing and demonstration purposes only.
+This task will help you get started using HTTP3 using EG.
+This task uses a self-signed CA, so it should be used for testing and demonstration purposes only.
 ## Prerequisites
@@ -11,7 +11,7 @@ testing and demonstration purposes only.
 ## Installation
-Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## TLS Certificates
@@ -37,7 +37,7 @@ Store the cert/key in a Secret:
 kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt
 ```
-Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the
+Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the
 `example-cert` Secret:
 ```shell
diff --git a/site/content/en/latest/user/traffic/local-rate-limit.md b/site/content/en/latest/tasks/traffic/local-rate-limit.md
similarity index 98%
rename from site/content/en/latest/user/traffic/local-rate-limit.md
rename to site/content/en/latest/tasks/traffic/local-rate-limit.md
index 822e2dd5e568..067756b31096 100644
--- a/site/content/en/latest/user/traffic/local-rate-limit.md
+++ b/site/content/en/latest/tasks/traffic/local-rate-limit.md
@@ -28,7 +28,7 @@ has its own 100r/s rate limit bucket.
 ### Install Envoy Gateway
-* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
+* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Rate Limit Specific User
diff --git a/site/content/en/latest/user/traffic/multicluster-service.md b/site/content/en/latest/tasks/traffic/multicluster-service.md
similarity index 100%
rename from site/content/en/latest/user/traffic/multicluster-service.md
rename to site/content/en/latest/tasks/traffic/multicluster-service.md
diff --git a/site/content/en/latest/user/traffic/retry.md b/site/content/en/latest/tasks/traffic/retry.md
similarity index 96%
rename from site/content/en/latest/user/traffic/retry.md
rename to site/content/en/latest/tasks/traffic/retry.md
index ad40202a107d..cde27f5c2bf4 100644
--- a/site/content/en/latest/user/traffic/retry.md
+++ b/site/content/en/latest/tasks/traffic/retry.md
@@ -15,7 +15,7 @@ Envoy Gateway introduces a new CRD called [BackendTrafficPolicy](../../../api/ex
 ## Prerequisites
-Follow the installation step from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and sample resources.
+Follow the installation step from the [Quickstart](../../quickstart) to install Envoy Gateway and sample resources.
 ## Test and customize retry settings
diff --git a/site/content/en/latest/user/traffic/routing-outside-kubernetes.md b/site/content/en/latest/tasks/traffic/routing-outside-kubernetes.md
similarity index 94%
rename from site/content/en/latest/user/traffic/routing-outside-kubernetes.md
rename to site/content/en/latest/tasks/traffic/routing-outside-kubernetes.md
index 6be1853570f3..95b91eaa0e1a 100644
--- a/site/content/en/latest/user/traffic/routing-outside-kubernetes.md
+++ b/site/content/en/latest/tasks/traffic/routing-outside-kubernetes.md
@@ -7,7 +7,7 @@ running is a common use. This can be achieved by defining FQDN addresses in a [E
 ## Installation
-Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Configuration
diff --git a/site/content/en/latest/user/traffic/tcp-routing.md b/site/content/en/latest/tasks/traffic/tcp-routing.md
similarity index 98%
rename from site/content/en/latest/user/traffic/tcp-routing.md
rename to site/content/en/latest/tasks/traffic/tcp-routing.md
index 854522c7b98d..4eea863f5f82 100644
--- a/site/content/en/latest/user/traffic/tcp-routing.md
+++ b/site/content/en/latest/tasks/traffic/tcp-routing.md
@@ -8,7 +8,7 @@ HTTP routing, refer to the [Gateway API documentation][].
 ## Installation
-Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Configuration
diff --git a/site/content/en/latest/user/traffic/udp-routing.md b/site/content/en/latest/tasks/traffic/udp-routing.md
similarity index 89%
rename from site/content/en/latest/user/traffic/udp-routing.md
rename to site/content/en/latest/tasks/traffic/udp-routing.md
index 521d0b41acc6..c703abe804fc 100644
--- a/site/content/en/latest/user/traffic/udp-routing.md
+++ b/site/content/en/latest/tasks/traffic/udp-routing.md
@@ -3,7 +3,7 @@ title: "UDP Routing"
 ---
 The [UDPRoute][] resource allows users to configure UDP routing by matching UDP traffic and forwarding it to Kubernetes
-backends. This guide will use CoreDNS example to walk you through the steps required to configure UDPRoute on Envoy
+backends. This task will use CoreDNS example to walk you through the steps required to configure UDPRoute on Envoy
 Gateway.
 __Note:__ UDPRoute allows Envoy Gateway to operate as a non-transparent proxy between a UDP client and server. The lack
@@ -12,7 +12,7 @@ For additional information, refer to Envoy's [UDP proxy documentation][].
 ## Prerequisites
-Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest.
+Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest.
 Before proceeding, you should be able to query the example backend using HTTP.
 ## Installation
@@ -30,7 +30,7 @@ Wait for the CoreDNS deployment to become available:
 kubectl wait --timeout=5m deployment/coredns --for=condition=Available
 ```
-Update the Gateway from the Quickstart guide to include a UDP listener that listens on UDP port `5300`:
+Update the Gateway from the Quickstart to include a UDP listener that listens on UDP port `5300`:
 ```shell
 kubectl patch gateway eg --type=json --patch '[{
@@ -128,7 +128,7 @@ _udp.foo.bar.com. 0 IN SRV 0 0 42376 .
 ## Clean-Up
-Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway.
+Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway.
 Delete the CoreDNS example manifest and the UDPRoute:
diff --git a/site/content/en/latest/user/_index.md b/site/content/en/latest/user/_index.md
deleted file mode 100644
index e413578a6ca9..000000000000
--- a/site/content/en/latest/user/_index.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "User Guides"
-weight: 2
-description: This section includes User Guides of Envoy Gateway.
----
diff --git a/site/content/en/latest/user/extensibility/_index.md b/site/content/en/latest/user/extensibility/_index.md
deleted file mode 100644
index 9560b0dd2411..000000000000
--- a/site/content/en/latest/user/extensibility/_index.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Extensibility"
-weight: 4
-description: This section includes User Guides of Extensibility.
----
diff --git a/site/content/en/latest/user/observability/_index.md b/site/content/en/latest/user/observability/_index.md
deleted file mode 100644
index ed877d4355b8..000000000000
--- a/site/content/en/latest/user/observability/_index.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Observability"
-weight: 4
-description: This section includes User Guides of Observability.
----
diff --git a/site/content/en/latest/user/operations/_index.md b/site/content/en/latest/user/operations/_index.md
deleted file mode 100644
index 0341d46ad0a6..000000000000
--- a/site/content/en/latest/user/operations/_index.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Operations"
-weight: 4
-description: This section includes User Guides of Operations.
----
diff --git a/site/content/en/latest/user/security/_index.md b/site/content/en/latest/user/security/_index.md
deleted file mode 100644
index f469d0c55a5a..000000000000
--- a/site/content/en/latest/user/security/_index.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Security"
-weight: 2
-description: This section includes User Guides of Security.
----
diff --git a/site/content/en/latest/user/traffic/_index.md b/site/content/en/latest/user/traffic/_index.md
deleted file mode 100644
index 87e84e049070..000000000000
--- a/site/content/en/latest/user/traffic/_index.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: "Traffic"
-weight: 1
-description: This section includes User Guides of Traffic Management.
----