From ff5a0b1b198d8f3369bd44022894b10901d49337 Mon Sep 17 00:00:00 2001 From: Eitan Suez Date: Tue, 9 Apr 2024 00:02:12 -0500 Subject: [PATCH] docs: renames user guides to tasks (#3104) --- .../en/latest/contributions/DEVELOP.md | 4 ++-- .../en/latest/contributions/RELEASING.md | 9 ++++--- .../design/envoy-patch-policy.md | 4 ++-- .../design/extending-envoy-gateway.md | 2 +- site/content/en/latest/install/custom-cert.md | 4 ++-- .../en/latest/install/install-egctl.md | 4 ++-- .../content/en/latest/install/install-helm.md | 2 +- .../content/en/latest/install/install-yaml.md | 4 ++-- site/content/en/latest/tasks/_index.md | 5 ++++ .../en/latest/tasks/extensibility/_index.md | 5 ++++ .../extensibility/envoy-patch-policy.md | 4 ++-- .../en/latest/tasks/observability/_index.md | 5 ++++ .../observability/gateway-api-metrics.md | 2 +- .../observability/grafana-integration.md | 4 ++-- .../observability/proxy-observability.md | 4 ++-- .../en/latest/tasks/operations/_index.md | 5 ++++ .../operations/customize-envoyproxy.md | 2 +- .../operations/deployment-mode.md | 0 .../{user => tasks}/operations/egctl.md | 0 .../en/latest/{user => tasks}/quickstart.md | 4 ++-- .../en/latest/tasks/security/_index.md | 5 ++++ .../{user => tasks}/security/backend-tls.md | 8 +++---- .../{user => tasks}/security/basic-auth.md | 10 ++++---- .../latest/{user => tasks}/security/cors.md | 8 +++---- .../{user => tasks}/security/ext-auth.md | 10 ++++---- .../security/jwt-authentication.md | 8 +++---- .../{user => tasks}/security/mutual-tls.md | 8 +++---- .../latest/{user => tasks}/security/oidc.md | 10 ++++---- .../security/private-key-provider.md | 6 ++--- .../security/secure-gateways.md | 24 +++++++++---------- .../{user => tasks}/security/threat-model.md | 10 ++++---- .../security/tls-cert-manager.md | 6 ++--- .../security/tls-passthrough.md | 8 +++---- .../security/tls-termination.md | 5 ++-- .../content/en/latest/tasks/traffic/_index.md | 5 ++++ .../traffic/circuit-breaker.md | 4 ++-- .../traffic/client-traffic-policy.md | 4 ++-- .../traffic/connection-limit.md | 2 +- .../traffic/fault-injection.md | 6 ++--- .../traffic/gateway-address.md | 0 .../traffic/gatewayapi-support.md | 0 .../traffic/global-rate-limit.md | 2 +- .../{user => tasks}/traffic/grpc-routing.md | 5 ++-- .../{user => tasks}/traffic/http-redirect.md | 2 +- .../traffic/http-request-headers.md | 2 +- .../traffic/http-request-mirroring.md | 4 ++-- .../traffic/http-response-headers.md | 2 +- .../{user => tasks}/traffic/http-routing.md | 6 ++--- .../{user => tasks}/traffic/http-timeouts.md | 4 ++-- .../traffic/http-traffic-splitting.md | 2 +- .../traffic/http-urlrewrite.md | 2 +- .../latest/{user => tasks}/traffic/http3.md | 8 +++---- .../traffic/local-rate-limit.md | 2 +- .../traffic/multicluster-service.md | 0 .../latest/{user => tasks}/traffic/retry.md | 2 +- .../traffic/routing-outside-kubernetes.md | 2 +- .../{user => tasks}/traffic/tcp-routing.md | 2 +- .../{user => tasks}/traffic/udp-routing.md | 8 +++---- site/content/en/latest/user/_index.md | 5 ---- .../en/latest/user/extensibility/_index.md | 5 ---- .../en/latest/user/observability/_index.md | 5 ---- .../en/latest/user/operations/_index.md | 5 ---- .../content/en/latest/user/security/_index.md | 5 ---- site/content/en/latest/user/traffic/_index.md | 5 ---- .../content/en/v1.0.0/install/install-yaml.md | 2 +- 65 files changed, 155 insertions(+), 152 deletions(-) create mode 100644 site/content/en/latest/tasks/_index.md create mode 100644 site/content/en/latest/tasks/extensibility/_index.md rename site/content/en/latest/{user => tasks}/extensibility/envoy-patch-policy.md (97%) create mode 100644 site/content/en/latest/tasks/observability/_index.md rename site/content/en/latest/{user => tasks}/observability/gateway-api-metrics.md (96%) rename site/content/en/latest/{user => tasks}/observability/grafana-integration.md (93%) rename site/content/en/latest/{user => tasks}/observability/proxy-observability.md (96%) create mode 100644 site/content/en/latest/tasks/operations/_index.md rename site/content/en/latest/{user => tasks}/operations/customize-envoyproxy.md (99%) rename site/content/en/latest/{user => tasks}/operations/deployment-mode.md (100%) rename site/content/en/latest/{user => tasks}/operations/egctl.md (100%) rename site/content/en/latest/{user => tasks}/quickstart.md (97%) create mode 100644 site/content/en/latest/tasks/security/_index.md rename site/content/en/latest/{user => tasks}/security/backend-tls.md (94%) rename site/content/en/latest/{user => tasks}/security/basic-auth.md (91%) rename site/content/en/latest/{user => tasks}/security/cors.md (91%) rename site/content/en/latest/{user => tasks}/security/ext-auth.md (95%) rename site/content/en/latest/{user => tasks}/security/jwt-authentication.md (92%) rename site/content/en/latest/{user => tasks}/security/mutual-tls.md (90%) rename site/content/en/latest/{user => tasks}/security/oidc.md (90%) rename site/content/en/latest/{user => tasks}/security/private-key-provider.md (97%) rename site/content/en/latest/{user => tasks}/security/secure-gateways.md (89%) rename site/content/en/latest/{user => tasks}/security/threat-model.md (96%) rename site/content/en/latest/{user => tasks}/security/tls-cert-manager.md (98%) rename site/content/en/latest/{user => tasks}/security/tls-passthrough.md (88%) rename site/content/en/latest/{user => tasks}/security/tls-termination.md (88%) create mode 100644 site/content/en/latest/tasks/traffic/_index.md rename site/content/en/latest/{user => tasks}/traffic/circuit-breaker.md (97%) rename site/content/en/latest/{user => tasks}/traffic/client-traffic-policy.md (98%) rename site/content/en/latest/{user => tasks}/traffic/connection-limit.md (96%) rename site/content/en/latest/{user => tasks}/traffic/fault-injection.md (95%) rename site/content/en/latest/{user => tasks}/traffic/gateway-address.md (100%) rename site/content/en/latest/{user => tasks}/traffic/gatewayapi-support.md (100%) rename site/content/en/latest/{user => tasks}/traffic/global-rate-limit.md (99%) rename site/content/en/latest/{user => tasks}/traffic/grpc-routing.md (97%) rename site/content/en/latest/{user => tasks}/traffic/http-redirect.md (99%) rename site/content/en/latest/{user => tasks}/traffic/http-request-headers.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http-request-mirroring.md (97%) rename site/content/en/latest/{user => tasks}/traffic/http-response-headers.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http-routing.md (97%) rename site/content/en/latest/{user => tasks}/traffic/http-timeouts.md (94%) rename site/content/en/latest/{user => tasks}/traffic/http-traffic-splitting.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http-urlrewrite.md (98%) rename site/content/en/latest/{user => tasks}/traffic/http3.md (86%) rename site/content/en/latest/{user => tasks}/traffic/local-rate-limit.md (98%) rename site/content/en/latest/{user => tasks}/traffic/multicluster-service.md (100%) rename site/content/en/latest/{user => tasks}/traffic/retry.md (96%) rename site/content/en/latest/{user => tasks}/traffic/routing-outside-kubernetes.md (94%) rename site/content/en/latest/{user => tasks}/traffic/tcp-routing.md (98%) rename site/content/en/latest/{user => tasks}/traffic/udp-routing.md (89%) delete mode 100644 site/content/en/latest/user/_index.md delete mode 100644 site/content/en/latest/user/extensibility/_index.md delete mode 100644 site/content/en/latest/user/observability/_index.md delete mode 100644 site/content/en/latest/user/operations/_index.md delete mode 100644 site/content/en/latest/user/security/_index.md delete mode 100644 site/content/en/latest/user/traffic/_index.md diff --git a/site/content/en/latest/contributions/DEVELOP.md b/site/content/en/latest/contributions/DEVELOP.md index 73efdfdbbef..83702cd81d6 100644 --- a/site/content/en/latest/contributions/DEVELOP.md +++ b/site/content/en/latest/contributions/DEVELOP.md @@ -140,7 +140,7 @@ There are many other endpoints on the [Envoy admin interface][] that may be help ### JWT Testing An example [JSON Web Token (JWT)][jwt] and [JSON Web Key Set (JWKS)][jwks] are used for the [request authentication][] -user guide. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs +task. The JWT was created by the [JWT Debugger][], using the `RS256` algorithm. The public key from the JWTs verify signature was copied to [JWK Creator][] for generating the JWK. The JWK Creator was configured with matching settings, i.e. `Signing` public key use and the `RS256` algorithm. The generated JWK was wrapped in a JWKS structure and is hosted in the repo. @@ -158,6 +158,6 @@ and is hosted in the repo. [Envoy admin interface]: https://www.envoyproxy.io/docs/envoy/latest/operations/admin#operations-admin-interface [jwt]: https://tools.ietf.org/html/rfc7519 [jwks]: https://tools.ietf.org/html/rfc7517 -[request authentication]: ../user/security/jwt-authentication +[request authentication]: ../tasks/security/jwt-authentication [JWT Debugger]: https://jwt.io/ [JWK Creator]: https://russelldavies.github.io/jwk-creator/ diff --git a/site/content/en/latest/contributions/RELEASING.md b/site/content/en/latest/contributions/RELEASING.md index 857b81dd286..3ee8b970c5f 100644 --- a/site/content/en/latest/contributions/RELEASING.md +++ b/site/content/en/latest/contributions/RELEASING.md @@ -6,7 +6,10 @@ description: "This section tells the release process of Envoy Gateway." This document guides maintainers through the process of creating an Envoy Gateway release. - [Release Candidate](#release-candidate) + - [Prerequisites](#prerequisites) + - [Setup cherry picker action](#setup-cherry-picker-action) - [Minor Release](#minor-release) + - [Prerequisites](#prerequisites-1) - [Announce the Release](#announce-the-release) ## Release Candidate @@ -65,7 +68,7 @@ export GITHUB_REMOTE=origin 13. Confirm that the [release workflow][] completed successfully. 14. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. 15. Confirm that the [release][] was created. -16. Note that the [Quickstart Guide][] references are __not__ updated for release candidates. However, test +16. Note that the [Quickstart][] references are __not__ updated for release candidates. However, test the quickstart steps using the release candidate by manually updating the links. 17. [Generate][] the GitHub changelog. 18. Ensure you check the "This is a pre-release" checkbox when editing the GitHub release. @@ -203,7 +206,7 @@ export GITHUB_REMOTE=origin 10. Confirm that the [release workflow][] completed successfully. 11. Confirm that the Envoy Gateway [image][] with the correct release tag was published to Docker Hub. 12. Confirm that the [release][] was created. -13. Confirm that the steps in the [Quickstart Guide][] work as expected. +13. Confirm that the steps in the [Quickstart][] work as expected. 14. [Generate][] the GitHub changelog and include the following text at the beginning of the release page: ```console @@ -239,7 +242,7 @@ It's important that the world knows about the release. Use the following steps t [release notes]: https://github.com/envoyproxy/gateway/tree/main/release-notes [Pull Request]: https://github.com/envoyproxy/gateway/pulls -[Quickstart Guide]: https://github.com/envoyproxy/gateway/blob/main/docs/user/quickstart.md +[Quickstart]: https://github.com/envoyproxy/gateway/blob/main/docs/user/quickstart.md [Build and Test]: https://github.com/envoyproxy/gateway/blob/main/.github/workflows/build_and_test.yaml [release GitHub action]: https://github.com/envoyproxy/gateway/blob/main/.github/workflows/release.yaml [release workflow]: https://github.com/envoyproxy/gateway/actions/workflows/release.yaml diff --git a/site/content/en/latest/contributions/design/envoy-patch-policy.md b/site/content/en/latest/contributions/design/envoy-patch-policy.md index 08cb6074626..343e6bab1e4 100644 --- a/site/content/en/latest/contributions/design/envoy-patch-policy.md +++ b/site/content/en/latest/contributions/design/envoy-patch-policy.md @@ -172,5 +172,5 @@ patches will work. [EnvoyGateway]: ../../api/extension_types#envoygateway [Extending the Control Plane]: ./extending-envoy-gateway [EnvoyFilter]: https://istio.io/latest/docs/reference/config/networking/envoy-filter -[egctl x translate]: ../../user/operations/egctl#egctl-experimental-translate -[Bootstrap configuration using EnvoyProxy API]: ../../user/operations/customize-envoyproxy#customize-envoyproxy-bootstrap-config +[egctl x translate]: ../../tasks/operations/egctl#egctl-experimental-translate +[Bootstrap configuration using EnvoyProxy API]: ../../tasks/operations/customize-envoyproxy#customize-envoyproxy-bootstrap-config diff --git a/site/content/en/latest/contributions/design/extending-envoy-gateway.md b/site/content/en/latest/contributions/design/extending-envoy-gateway.md index de2486e72ce..0b549460b65 100644 --- a/site/content/en/latest/contributions/design/extending-envoy-gateway.md +++ b/site/content/en/latest/contributions/design/extending-envoy-gateway.md @@ -316,7 +316,7 @@ Extending Envoy Gateway by using an external extension server which makes use of [Envoy specific configuration (xDS)]: https://www.envoyproxy.io/docs/envoy/v1.25.1/configuration/configuration [v1]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1 [rate limiting]: ./rate-limit -[authentication]: ../../user/security/jwt-authentication +[authentication]: ../../tasks/security/jwt-authentication [HTTPRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute [GRPCRoute]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.GRPCRoute [EnvoyGateway config]: ../../api/extension_types/#envoygateway diff --git a/site/content/en/latest/install/custom-cert.md b/site/content/en/latest/install/custom-cert.md index c521e61d27d..dd059c03520 100644 --- a/site/content/en/latest/install/custom-cert.md +++ b/site/content/en/latest/install/custom-cert.md @@ -5,7 +5,7 @@ weight: -70 Envoy Gateway establishes a secure TLS connection for control plane communication between Envoy Gateway pods and the Envoy Proxy fleet. The TLS Certificates used here are self signed and generated using a job that runs before envoy gateway is created, and these certs and mounted on to the envoy gateway and envoy proxy pods. -In this guide, we'll walk you through configuring custom certs for control plane auth. +This task will walk you through configuring custom certs for control plane auth. ## Before you begin @@ -13,7 +13,7 @@ We use Cert-Manager to manage the certificates. You can install it by following ## Configure custom certs for control plane -1. First you need to set up the CA issuer, in this guide, we use the `selfsigned-issuer` as an example. +1. First you need to set up the CA issuer, in this task, we use the `selfsigned-issuer` as an example. *You should not use the self-signed issuer in production, you should use a real CA issuer.* diff --git a/site/content/en/latest/install/install-egctl.md b/site/content/en/latest/install/install-egctl.md index d4634de8784..136d54c15cc 100644 --- a/site/content/en/latest/install/install-egctl.md +++ b/site/content/en/latest/install/install-egctl.md @@ -10,7 +10,7 @@ weight: -80 {{% /alert %}} -This guide shows how to install the egctl CLI. egctl can be installed either from source, or from pre-built binary releases. +This task shows how to install the egctl CLI. egctl can be installed either from source, or from pre-built binary releases. ### From The Envoy Gateway Project @@ -52,6 +52,6 @@ curl -fsSL https://gateway.envoyproxy.io/get-egctl.sh | VERSION=latest bash {{% alert title="Next Steps" color="warning" %}} -You can refer to [User Guides](../user/operations/egctl) to more details about egctl. +You can refer to the [Use egctl task](../tasks/operations/egctl) for more details about egctl. {{% /alert %}} diff --git a/site/content/en/latest/install/install-helm.md b/site/content/en/latest/install/install-helm.md index 84efd93b837..50c372d3e2a 100644 --- a/site/content/en/latest/install/install-helm.md +++ b/site/content/en/latest/install/install-helm.md @@ -140,5 +140,5 @@ These are the ports used by Envoy Gateway and the managed Envoy Proxy. | Heath Check | 0.0.0.0 | 19001 | {{% alert title="Next Steps" color="warning" %}} -Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](../user). +Envoy Gateway should now be successfully installed and running. To experience more abilities of Envoy Gateway, refer to [Tasks](../tasks). {{% /alert %}} diff --git a/site/content/en/latest/install/install-yaml.md b/site/content/en/latest/install/install-yaml.md index 859aef1f534..4fc9b38b0dd 100644 --- a/site/content/en/latest/install/install-yaml.md +++ b/site/content/en/latest/install/install-yaml.md @@ -3,7 +3,7 @@ title = "Install with Kubernetes YAML" weight = -99 +++ -In this guide, we'll walk you through installing Envoy Gateway in your Kubernetes cluster. +This task walks you through installing Envoy Gateway in your Kubernetes cluster. The manual install process does not allow for as much control over configuration as the [Helm install method](./install-helm), so if you need more control over your Envoy Gateway @@ -36,4 +36,4 @@ Refer to the [Developer Guide](/latest/contributions/develop) to learn more. 2. Next Steps - Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](/latest/user). + Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [Tasks](/latest/tasks). diff --git a/site/content/en/latest/tasks/_index.md b/site/content/en/latest/tasks/_index.md new file mode 100644 index 00000000000..49e8595328b --- /dev/null +++ b/site/content/en/latest/tasks/_index.md @@ -0,0 +1,5 @@ +--- +title: "Tasks" +weight: 2 +description: Learn Envoy Gateway hands-on through tasks +--- diff --git a/site/content/en/latest/tasks/extensibility/_index.md b/site/content/en/latest/tasks/extensibility/_index.md new file mode 100644 index 00000000000..664c734aeca --- /dev/null +++ b/site/content/en/latest/tasks/extensibility/_index.md @@ -0,0 +1,5 @@ +--- +title: "Extensibility" +weight: 4 +description: This section includes Extensibility tasks. +--- diff --git a/site/content/en/latest/user/extensibility/envoy-patch-policy.md b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md similarity index 97% rename from site/content/en/latest/user/extensibility/envoy-patch-policy.md rename to site/content/en/latest/tasks/extensibility/envoy-patch-policy.md index 5f24f448969..94d71fc7c77 100644 --- a/site/content/en/latest/user/extensibility/envoy-patch-policy.md +++ b/site/content/en/latest/tasks/extensibility/envoy-patch-policy.md @@ -2,7 +2,7 @@ title: "Envoy Patch Policy" --- -This guide explains the usage of the [EnvoyPatchPolicy][] API. +This task explains the usage of the [EnvoyPatchPolicy][] API. __Note:__ This API is meant for users extremely familiar with Envoy [xDS][] semantics. Also before considering this API for production use cases, please be aware that this API is unstable and the outcome may change across versions. Use at your own risk. @@ -22,7 +22,7 @@ not exposed by Envoy Gateway APIs today. ### Prerequisites -* Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +* Follow the steps from the [Quickstart](../../quickstart) task to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Enable EnvoyPatchPolicy diff --git a/site/content/en/latest/tasks/observability/_index.md b/site/content/en/latest/tasks/observability/_index.md new file mode 100644 index 00000000000..9ca4896ee8b --- /dev/null +++ b/site/content/en/latest/tasks/observability/_index.md @@ -0,0 +1,5 @@ +--- +title: "Observability" +weight: 4 +description: This section includes Observability tasks. +--- diff --git a/site/content/en/latest/user/observability/gateway-api-metrics.md b/site/content/en/latest/tasks/observability/gateway-api-metrics.md similarity index 96% rename from site/content/en/latest/user/observability/gateway-api-metrics.md rename to site/content/en/latest/tasks/observability/gateway-api-metrics.md index 8170e196861..bd9e5b89317 100644 --- a/site/content/en/latest/user/observability/gateway-api-metrics.md +++ b/site/content/en/latest/tasks/observability/gateway-api-metrics.md @@ -7,7 +7,7 @@ The project also provides example dashboard for visualising the metrics using Gr ## Prerequisites -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Run the following commands to install the metrics stack, with the Gateway API State Metrics configuration, on your kubernetes cluster: diff --git a/site/content/en/latest/user/observability/grafana-integration.md b/site/content/en/latest/tasks/observability/grafana-integration.md similarity index 93% rename from site/content/en/latest/user/observability/grafana-integration.md rename to site/content/en/latest/tasks/observability/grafana-integration.md index b7c58e0d582..c0e30c7cc9e 100644 --- a/site/content/en/latest/user/observability/grafana-integration.md +++ b/site/content/en/latest/tasks/observability/grafana-integration.md @@ -3,11 +3,11 @@ title: "Visualising metrics using Grafana" --- Envoy Gateway provides support for exposing Envoy Proxy metrics to a Prometheus instance. -This guide shows you how to visualise the metrics exposed to prometheus using grafana. +This task shows you how to visualise the metrics exposed to prometheus using grafana. ## Prerequisites -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Follow the steps from the [Proxy Observability](../proxy-observability#Metrics) to enable prometheus metrics. diff --git a/site/content/en/latest/user/observability/proxy-observability.md b/site/content/en/latest/tasks/observability/proxy-observability.md similarity index 96% rename from site/content/en/latest/user/observability/proxy-observability.md rename to site/content/en/latest/tasks/observability/proxy-observability.md index df07bc569b6..5a1800ff39b 100644 --- a/site/content/en/latest/user/observability/proxy-observability.md +++ b/site/content/en/latest/tasks/observability/proxy-observability.md @@ -3,11 +3,11 @@ title: "Proxy Observability" --- Envoy Gateway provides observability for the ControlPlane and the underlying EnvoyProxy instances. -This guide show you how to config proxy observability, includes metrics, logs, and traces. +This task show you how to config proxy observability, includes metrics, logs, and traces. ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. [FluentBit](https://fluentbit.io/) is used to collect logs from the EnvoyProxy instances and forward them to Loki. Install FluentBit: diff --git a/site/content/en/latest/tasks/operations/_index.md b/site/content/en/latest/tasks/operations/_index.md new file mode 100644 index 00000000000..d87097c7d1e --- /dev/null +++ b/site/content/en/latest/tasks/operations/_index.md @@ -0,0 +1,5 @@ +--- +title: "Operations" +weight: 4 +description: This section includes Operations tasks. +--- diff --git a/site/content/en/latest/user/operations/customize-envoyproxy.md b/site/content/en/latest/tasks/operations/customize-envoyproxy.md similarity index 99% rename from site/content/en/latest/user/operations/customize-envoyproxy.md rename to site/content/en/latest/tasks/operations/customize-envoyproxy.md index d06c41b423f..76004a83676 100644 --- a/site/content/en/latest/user/operations/customize-envoyproxy.md +++ b/site/content/en/latest/tasks/operations/customize-envoyproxy.md @@ -8,7 +8,7 @@ Service. To learn more about GatewayClass and ParametersRef, please refer to [Ga ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Add GatewayClass ParametersRef diff --git a/site/content/en/latest/user/operations/deployment-mode.md b/site/content/en/latest/tasks/operations/deployment-mode.md similarity index 100% rename from site/content/en/latest/user/operations/deployment-mode.md rename to site/content/en/latest/tasks/operations/deployment-mode.md diff --git a/site/content/en/latest/user/operations/egctl.md b/site/content/en/latest/tasks/operations/egctl.md similarity index 100% rename from site/content/en/latest/user/operations/egctl.md rename to site/content/en/latest/tasks/operations/egctl.md diff --git a/site/content/en/latest/user/quickstart.md b/site/content/en/latest/tasks/quickstart.md similarity index 97% rename from site/content/en/latest/user/quickstart.md rename to site/content/en/latest/tasks/quickstart.md index ab03631229a..980190b2bbf 100644 --- a/site/content/en/latest/user/quickstart.md +++ b/site/content/en/latest/tasks/quickstart.md @@ -4,7 +4,7 @@ weight: 1 description: Get started with Envoy Gateway in a few simple steps. --- -This guide will help you get started with Envoy Gateway in a few simple steps. +This "quick start" will help you get started with Envoy Gateway in a few simple steps. ## Prerequisites @@ -85,7 +85,7 @@ curl --verbose --header "Host: www.example.com" http://$GATEWAY_HOST/get ## Clean-Up -Use the steps in this section to uninstall everything from the quickstart guide. +Use the steps in this section to uninstall everything from the quickstart. Delete the GatewayClass, Gateway, HTTPRoute and Example App: diff --git a/site/content/en/latest/tasks/security/_index.md b/site/content/en/latest/tasks/security/_index.md new file mode 100644 index 00000000000..0e6a64144a7 --- /dev/null +++ b/site/content/en/latest/tasks/security/_index.md @@ -0,0 +1,5 @@ +--- +title: "Security" +weight: 2 +description: This section includes Security tasks. +--- diff --git a/site/content/en/latest/user/security/backend-tls.md b/site/content/en/latest/tasks/security/backend-tls.md similarity index 94% rename from site/content/en/latest/user/security/backend-tls.md rename to site/content/en/latest/tasks/security/backend-tls.md index c7ce67251c3..975e8a5f13c 100644 --- a/site/content/en/latest/user/security/backend-tls.md +++ b/site/content/en/latest/tasks/security/backend-tls.md @@ -2,8 +2,8 @@ title: "Backend TLS: Gateway to Backend" --- -This guide demonstrates how TLS can be achieved between the Gateway and a backend. The guide uses a self-signed CA, so it should be used for -testing and demonstration purposes only. +This task demonstrates how TLS can be achieved between the Gateway and a backend. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][]. @@ -13,7 +13,7 @@ Envoy Gateway supports the Gateway-API defined [BackendTLSPolicy][]. ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. ## TLS Certificates @@ -235,4 +235,4 @@ Inspect the output and see that the response contains the details of the TLS han } ``` -[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ \ No newline at end of file +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/ diff --git a/site/content/en/latest/user/security/basic-auth.md b/site/content/en/latest/tasks/security/basic-auth.md similarity index 91% rename from site/content/en/latest/user/security/basic-auth.md rename to site/content/en/latest/tasks/security/basic-auth.md index a45de6fe2c5..28c3ca53d5c 100644 --- a/site/content/en/latest/user/security/basic-auth.md +++ b/site/content/en/latest/tasks/security/basic-auth.md @@ -2,7 +2,7 @@ title: "Basic Authentication" --- -This guide provides instructions for configuring [HTTP Basic authentication][http Basic authentication]. +This task provides instructions for configuring [HTTP Basic authentication][http Basic authentication]. HTTP Basic authentication checks if an incoming request has a valid username and password before routing the request to a backend service. @@ -12,7 +12,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration @@ -45,7 +45,7 @@ kubectl create secret tls example-cert --key=www.example.com.key --cert=www.exam ``` ### Enable HTTPS -Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the `example-cert` Secret: ```shell @@ -128,7 +128,7 @@ kubectl get securitypolicy/basic-auth-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -176,7 +176,7 @@ The request should be allowed and you should see the response from the backend s ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy and the secret diff --git a/site/content/en/latest/user/security/cors.md b/site/content/en/latest/tasks/security/cors.md similarity index 91% rename from site/content/en/latest/user/security/cors.md rename to site/content/en/latest/tasks/security/cors.md index dea4f04361d..1abbe77a737 100644 --- a/site/content/en/latest/user/security/cors.md +++ b/site/content/en/latest/tasks/security/cors.md @@ -2,7 +2,7 @@ title: "CORS" --- -This guide provides instructions for configuring [Cross-Origin Resource Sharing (CORS)][cors] on Envoy Gateway. +This task provides instructions for configuring [Cross-Origin Resource Sharing (CORS)][cors] on Envoy Gateway. CORS defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration @@ -57,7 +57,7 @@ kubectl get securitypolicy/cors-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -122,7 +122,7 @@ filter to work. Otherwise, the OPTIONS request won't match the routes and the CO ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: diff --git a/site/content/en/latest/user/security/ext-auth.md b/site/content/en/latest/tasks/security/ext-auth.md similarity index 95% rename from site/content/en/latest/user/security/ext-auth.md rename to site/content/en/latest/tasks/security/ext-auth.md index efcd8b62467..b3eafd7e0be 100644 --- a/site/content/en/latest/user/security/ext-auth.md +++ b/site/content/en/latest/tasks/security/ext-auth.md @@ -2,7 +2,7 @@ title: "External Authorization" --- -This guide provides instructions for configuring external authentication. +This task provides instructions for configuring external authentication. External authorization calls an external HTTP or gRPC service to check whether an incoming HTTP request is authorized or not. If the request is deemed unauthorized, then the request will be denied with a 403 (Forbidden) response. If the @@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Verify the Gateway status: @@ -97,7 +97,7 @@ kubectl get securitypolicy/ext-auth-example -o yaml ### Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -252,7 +252,7 @@ kubectl get backendtlspolicy/grpc-ext-auth-btls -o yaml ### Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -290,7 +290,7 @@ curl -v -H "Host: www.example.com" -H "Authorization: Bearer token1" "http://${G ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the demo auth services, HTTPRoute, SecurityPolicy and BackendTLSPolicy: diff --git a/site/content/en/latest/user/security/jwt-authentication.md b/site/content/en/latest/tasks/security/jwt-authentication.md similarity index 92% rename from site/content/en/latest/user/security/jwt-authentication.md rename to site/content/en/latest/tasks/security/jwt-authentication.md index a8204fdae5d..2e129b387f1 100644 --- a/site/content/en/latest/user/security/jwt-authentication.md +++ b/site/content/en/latest/tasks/security/jwt-authentication.md @@ -2,7 +2,7 @@ title: "JWT Authentication" --- -This guide provides instructions for configuring [JSON Web Token (JWT)][jwt] authentication. JWT authentication checks +This task provides instructions for configuring [JSON Web Token (JWT)][jwt] authentication. JWT authentication checks if an incoming request has a valid JWT before routing the request to a backend service. Currently, Envoy Gateway only supports validating a JWT from an HTTP header, e.g. `Authorization: Bearer `. @@ -11,7 +11,7 @@ This instantiated resource can be linked to a [Gateway][Gateway], [HTTPRoute][HT ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. For GRPC - follow the steps from the [GRPC Routing](../traffic/grpc-routing) example. Before proceeding, you should be able to query the example backend using HTTP or GRPC. @@ -71,7 +71,7 @@ kubectl get securitypolicy/jwt-example -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -150,7 +150,7 @@ You should see the below response ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy: diff --git a/site/content/en/latest/user/security/mutual-tls.md b/site/content/en/latest/tasks/security/mutual-tls.md similarity index 90% rename from site/content/en/latest/user/security/mutual-tls.md rename to site/content/en/latest/tasks/security/mutual-tls.md index e24562ca45e..b7cf0b1fb7c 100644 --- a/site/content/en/latest/user/security/mutual-tls.md +++ b/site/content/en/latest/tasks/security/mutual-tls.md @@ -2,8 +2,8 @@ title: "Mutual TLS: External Clients to the Gateway" --- -This guide demonstrates how mutual TLS can be achieved between external clients and the Gateway. The guide uses a self-signed CA, so it should be used for -testing and demonstration purposes only. +This task demonstrates how mutual TLS can be achieved between external clients and the Gateway. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. ## Prerequisites @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -50,7 +50,7 @@ openssl req -out client.example.com.csr -newkey rsa:2048 -nodes -keyout client.e openssl x509 -req -days 365 -CA example.com.crt -CAkey example.com.key -set_serial 0 -in client.example.com.csr -out client.example.com.crt ``` -Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the `example-cert` Secret: ```shell diff --git a/site/content/en/latest/user/security/oidc.md b/site/content/en/latest/tasks/security/oidc.md similarity index 90% rename from site/content/en/latest/user/security/oidc.md rename to site/content/en/latest/tasks/security/oidc.md index 392650640e7..9b168822796 100644 --- a/site/content/en/latest/user/security/oidc.md +++ b/site/content/en/latest/tasks/security/oidc.md @@ -2,7 +2,7 @@ title: "OIDC Authentication" --- -This guide provides instructions for configuring [OpenID Connect (OIDC)][oidc] authentication. +This task provides instructions for configuring [OpenID Connect (OIDC)][oidc] authentication. OpenID Connect (OIDC) is an authentication standard built on top of OAuth 2.0. It enables client applications to rely on authentication that is performed by an OpenID Connect Provider (OP) to verify the identity of a user. @@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][Gateway] and [HTTPRoute] ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. Verify the Gateway status: @@ -25,7 +25,7 @@ kubectl get gateway/eg -o yaml OIDC can be configured at the Gateway level to authenticate all the HTTPRoutes that are associated with the Gateway with the same OIDC configuration, or at the HTTPRoute level to authenticate each HTTPRoute with different OIDC configurations. -This guide demonstrates the configuration of OIDC at the HTTPRoute level. +This task demonstrates the configuration of OIDC at the HTTPRoute level. Let's create an HTTPRoute that represents an application protected by OIDC. @@ -58,7 +58,7 @@ kubectl get httproute/myapp -o yaml ## Configuration -This guide uses Google as the OIDC provider to demonstrate the configuration of OIDC. However, EG works with any OIDC +This task uses Google as the OIDC provider to demonstrate the configuration of OIDC. However, EG works with any OIDC providers, including Auth0, Azure AD, Keycloak, Okta, OneLogin, Salesforce, UAA, etc. ### Register an OIDC application @@ -143,7 +143,7 @@ login page. After you successfully login, you should see the response from the b ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the SecurityPolicy, the secret and the HTTPRoute: diff --git a/site/content/en/latest/user/security/private-key-provider.md b/site/content/en/latest/tasks/security/private-key-provider.md similarity index 97% rename from site/content/en/latest/user/security/private-key-provider.md rename to site/content/en/latest/tasks/security/private-key-provider.md index 6882ebfe259..447e61cb353 100644 --- a/site/content/en/latest/user/security/private-key-provider.md +++ b/site/content/en/latest/tasks/security/private-key-provider.md @@ -10,7 +10,7 @@ Today, there are two private key providers implemented in Envoy as contrib exten Both of them are used to accelerate the TLS handshake through the hardware capabilities. -This guide will walk you through the steps required to configure TLS Termination mode for TCP traffic while also using the Envoy Private Key Provider to accelerate the TLS handshake by leveraging QAT and the HW accelerator available on Intel SPR/EMR Xeon server platforms. +This task will walk you through the steps required to configure TLS Termination mode for TCP traffic while also using the Envoy Private Key Provider to accelerate the TLS handshake by leveraging QAT and the HW accelerator available on Intel SPR/EMR Xeon server platforms. ## Prerequisites @@ -112,7 +112,7 @@ It required the node with 3rd generation Intel Xeon Scalable processor server pr ## Installation -* Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway. +* Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway. * Lets enable the EnvoyPatchPolicy feature, which will allow us to directly configure the Private Key Provider Envoy Filter, since Envoy Gateway does not directly expose this functionality. @@ -382,4 +382,4 @@ With QAT private key provider, the QPS is over 3 times than without private key ```shell All done 134746 calls (plus 128 warmup) 28.505 ms avg, 4489.6 qps -``` \ No newline at end of file +``` diff --git a/site/content/en/latest/user/security/secure-gateways.md b/site/content/en/latest/tasks/security/secure-gateways.md similarity index 89% rename from site/content/en/latest/user/security/secure-gateways.md rename to site/content/en/latest/tasks/security/secure-gateways.md index 195a9191b80..f1f1f525526 100644 --- a/site/content/en/latest/user/security/secure-gateways.md +++ b/site/content/en/latest/tasks/security/secure-gateways.md @@ -2,8 +2,8 @@ title: "Secure Gateways" --- -This guide will help you get started using secure Gateways. The guide uses a self-signed CA, so it should be used for -testing and demonstration purposes only. +This task will help you get started using secure Gateways. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. ## Prerequisites @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -37,7 +37,7 @@ Store the cert/key in a Secret: kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt ``` -Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the `example-cert` Secret: ```shell @@ -242,7 +242,7 @@ Lastly, test connectivity using the above [Testing section](#testing). ## Clean-Up -Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secrets: @@ -257,10 +257,10 @@ This section gives a walkthrough to generate RSA and ECDSA derived certificates ## Prerequisites -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](#tls-certificates) section to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Pre-checks @@ -295,7 +295,7 @@ Moving forward in the doc, we will be configuring the existing Gateway listener ## TLS Certificates -Reuse the CA certificate and key pair generated in the [Secure Gateways](#tls-certificates) guide and use this CA to sign both RSA and ECDSA Server certificates. +Reuse the CA certificate and key pair generated in the [Secure Gateways](#tls-certificates) task and use this CA to sign both RSA and ECDSA Server certificates. Note the CA certificate and key names are `example.com.crt` and `example.com.key` respectively. @@ -369,14 +369,14 @@ This sections gives a walkthrough to generate multiple certificates correspondin ## Prerequisites -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. -Follow the steps in the [TLS Certificates](#tls-certificates) section in the guide to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. +Follow the steps in the [TLS Certificates](#tls-certificates) section to generate self-signed RSA derived Server certificate and private key, and configure those in the Gateway listener configuration to terminate HTTPS traffic. ## Additional Configurations -Using the [TLS Certificates](#tls-certificates) section in the guide we first generate additional Secret for another Host `www.sample.com`. +Using the [TLS Certificates](#tls-certificates) section, we first generate additional Secret for another Host `www.sample.com`. ```shell openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=sample Inc./CN=sample.com' -keyout sample.com.key -out sample.com.crt @@ -446,7 +446,7 @@ Since the multiple certificates are configured on the same Gateway listener, Env ### Clusters with External LoadBalancer Support -Refer to the steps mentioned earlier in the guide under [Testing in clusters with External LoadBalancer Support](#clusters-with-external-loadbalancer-support) +Refer to the steps mentioned earlier under [Testing in clusters with External LoadBalancer Support](#clusters-with-external-loadbalancer-support) ## Next Steps diff --git a/site/content/en/latest/user/security/threat-model.md b/site/content/en/latest/tasks/security/threat-model.md similarity index 96% rename from site/content/en/latest/user/security/threat-model.md rename to site/content/en/latest/tasks/security/threat-model.md index e46f4a1b0df..22be21642bf 100644 --- a/site/content/en/latest/user/security/threat-model.md +++ b/site/content/en/latest/tasks/security/threat-model.md @@ -90,7 +90,7 @@ Our threat model will be based on the high-level setup shown below, where Envoy ![Architecture](/img/architecture_threat_model.png) -The following use cases will be considered, in line with the [Envoy Gateway User Guides](https://gateway.envoyproxy.io/latest/user/): +The following use cases will be considered, in line with the [Envoy Gateway tasks](https://gateway.envoyproxy.io/latest/user/): 1. Routing and controlling traffic, including: a. HTTP \ @@ -232,9 +232,9 @@ When considering internal threat actors, we chose to follow the [security model] **Threat**: Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy. - **Recommendation**: The Envoy Gateway quickstart guide demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA. + **Recommendation**: The Envoy Gateway quickstart demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA. - PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/user/security/mutual-tls/) guide shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. + PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/user/security/mutual-tls/) task shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. ### EGTM-002 Private keys are stored as Kubernetes secrets @@ -591,7 +591,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |ID|UID|Category|Risk|Threat|Priority| Recommendation | |-|-|-|-|-|-|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -|EGTM-001|EGTM-GW-001|Gateway API| Self-signed certificates (which do not comply with PKI best practices) could lead to unauthorised access to the private key associated with the certificate used for inbound TLS termination at Envoy Proxy, compromising the confidentiality and integrity of proxied traffic.

| Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy.

|High| The Envoy Gateway quickstart guide demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA.

PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/user/security/mutual-tls/) guide shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. | +|EGTM-001|EGTM-GW-001|Gateway API| Self-signed certificates (which do not comply with PKI best practices) could lead to unauthorised access to the private key associated with the certificate used for inbound TLS termination at Envoy Proxy, compromising the confidentiality and integrity of proxied traffic.

| Compromise of the private key associated with the certificate used for inbound TLS terminating at Envoy Proxy.

|High| The Envoy Gateway quickstart demonstrates how to set up a Secure Gateway using an example where a self-signed root certificate is created using openssl. As stated in the Envoy Gateway documentation, this is not a suitable configuration for Production usage. It is recommended that PKI best practices are followed, whereby certificates are signed by an Intermediary CA which sits underneath an organisational \'offline\' Root CA.

PKI best practices should also apply to the management of client certificates when using mTLS. The Envoy Gateway [mTLS](https://gateway.envoyproxy.io/latest/user/security/mutual-tls/) task shows how to set up client certificates using self-signed certificates. In the same way as gateway certificates and, as mentioned in the documentation, this configuration should not be used in production environments. | |EGTM-002|EGTM-CS-001|Container Security| There is a risk that a threat actor could compromise the Kubernetes secret containing the Envoy private key, allowing the attacker to decrypt Envoy Proxy traffic, compromising the confidentiality of proxied traffic.

| Kubernetes secret containing the Envoy private key is compromised and used to decrypt proxied traffic.

|High| Certificate management best practices mandate short-lived key material where practical, meaning that a mechanism for rotation of private keys and certificates is required, along with a way for certificates to be mounted into Envoy containers. If Kubernetes secrets are used, when a certificate expires, the associated secret must be updated, and Envoy containers must be redeployed. Instead of a manual configuration, it is recommended that [cert-manager](https://github.com/cert-manager/cert-manager) is used. | |EGTM-004|EGTM-K8-002|Container Security| There is a risk that a threat actor could abuse misconfigured RBAC to access the Envoy Gateway ClusterRole (envoy-gateway-role) and use it to expose all secrets across the cluster, thus compromising the confidentiality and integrity of tenant data.

| Compromised Envoy Gateway or misconfigured ClusterRoleBinding (envoy-gateway-rolebinding) to Envoy Gateway ClusterRole (envoy-gateway-role), provides access to resources and secrets in different namespaces.

|High| Users should be aware that Envoy Gateway uses a ClusterRole (envoy-gateway-role) when deployed via the Helm chart, to allow management of Envoy Proxies across different namespaces. This ClusterRole is powerful and includes the ability to read secrets in namespaces which may not be within the purview of Envoy Gateway.

Kubernetes best-practices involve restriction of ClusterRoleBindings, with the use of RoleBindings where possible to limit access per namespace by specifying the namespace in metadata. Namespace isolation reduces the impact of compromise from cluster-scoped roles. Ideally, fine-grained K8s roles should be created per the principle of least privilege to ensure they have the minimum access necessary for role functions.

The pull request \#[1656](https://github.com/envoyproxy/gateway/pull/1656) introduced the use of Roles and RoleBindings in [namespaced mode](https://gateway.envoyproxy.io/latest/api/extension_types/#kuberneteswatchmode). This feature can be leveraged to reduce the amount of permissions required by the Envoy Gateway. | |EGTM-007|EGTM-EG-002|Envoy Gateway| There is a risk that a threat actor could exploit misconfigured Kubernetes RBAC to create or modify Gateway API resources with no business need, potentially leading to the compromise of the confidentiality, integrity, and availability of resources and traffic within the cluster.

| Unauthorised creation or misconfiguration of Gateway API resources by a threat actor with cluster-scoped access.

|High| Configure the apiGroup and resource fields in RBAC policies to restrict access to [Gateway](https://gateway-api.sigs.k8s.io/) and [GatewayClass](https://gateway-api.sigs.k8s.io/api-types/gatewayclass/) resources. Enable namespace isolation by using the namespace field, preventing unauthorised access to gateways in other namespaces. | @@ -603,7 +603,7 @@ Set runAsUser and runAsGroup security context options to specific UIDs (e.g., ru |EGTM-008|EGTM-EG-003|Envoy Gateway| There is a risk of a threat actor misconfiguring static config and compromising the integrity of Envoy Gateway, ultimately leading to the compromised confidentiality, integrity, or availability of tenant data and cluster resources.

| Accidental or deliberate misconfiguration of static configuration leads to a misconfigured deployment of Envoy Gateway, for example logging parameters could be modified or global rate limiting configuration misconfigured.

|Medium| Implement a GitOps model, utilising Kubernetes\' Role-Based Access Control (RBAC) and adhering to the principle of least privilege to minimise human intervention on the cluster. For instance, tools like [ArgoCD](https://argo-cd.readthedocs.io/en/stable/) can be used for declarative GitOps deployments, ensuring all changes are tracked and reviewed. Additionally, configure your source control management (SCM) system to include mandatory pull request (PR) reviews, commit signing, and protected branches to ensure only authorised changes can be committed to the start-up configuration. | |EGTM-010|EGTM-CS-005|Container Security| There is a risk that a threat actor exploits a weak pod security context, compromising the CIA of a node and the resources / services which run on it.

| Threat Actor who has compromised a pod exploits weak security context to escape to a node, potentially leading to the compromise of Envoy Proxy or Gateway running on the same node.

|Medium| To mitigate this risk, apply [Pod Security Standards](https://kubernetes.io/docs/concepts/security/pod-security-standards/) at a minimum of [Baseline](https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline) level to all namespaces, especially those containing Envoy Gateway and Proxy Pods. Pod security standards are implemented through K8s [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) to provide [admission control modes](https://kubernetes.io/docs/concepts/security/pod-security-admission/#pod-security-admission-labels-for-namespaces) (enforce, audit, and warn) for namespaces. Pod security standards can be enforced by namespace labels as shown [here](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/), to enforce a baseline level of pod security to specific namespaces.

Further enhance the security by implementing a sandboxing solution such as [gVisor](https://gvisor.dev/) for Envoy Gateway and Proxy Pods to isolate the application from the host kernel. This can be set within the runtimeClassName of the Pod specification. | |EGTM-012|EGTM-GW-004|Gateway API| There is a risk that a threat actor could abuse excessive RBAC privileges to create ReferenceGrant resources. These resources could then be used to create cross-namespace communication, leading to unauthorised access to the application. This could compromise the confidentiality and integrity of resources and configuration in the affected namespaces and potentially disrupt the availability of services that rely on these object references.

| A ReferenceGrant is created, which validates traffic to cross namespace trust boundaries without a valid business reason, such as a route in one tenant\'s namespace referencing a backend in another.

|Medium| Ensure that the ability to create ReferenceGrant resources is restricted to the minimum number of people. Pay special attention to ClusterRoles that allow that action. | -|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and mitigate potential security threats, follow the guidelines in the Envoy Gateway documentation for configuring [local rate limit](../traffic/local-rate-limit) filters, [global rate limit](../traffic/global-rate-limit) filters, and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | +|EGTM-018|EGTM-GW-006|Gateway API| There is a risk that malicious requests could lead to a Denial of Service (DoS) attack, thereby reducing API gateway availability due to misconfigurations in rate-limiting or load balancing controls, or a lack of route timeout enforcement.

| Reduced API gateway availability due to an attacker\'s maliciously crafted request (e.g., QoD) potentially inducing a Denial of Service (DoS) attack.

|Medium| To ensure high availability and to mitigate potential security threats, adhere to the Envoy Gateway documentation for the configuration of a [rate-limiting](https://gateway.envoyproxy.io/v0.6.0/user/rate-limit/) filter and load balancing.

Further, adhere to best practices for configuring Envoy Proxy as an edge proxy documented [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#configuring-envoy-as-an-edge-proxy) within the EnvoyProxy docs. This involves configuring TCP and HTTP proxies with specific settings, including restricting access to the admin endpoint, setting the [overload manager](https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/overload_manager/overload_manager#config-overload-manager) and [listener](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-per-connection-buffer-limit-bytes) / [cluster](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#envoy-v3-api-field-config-cluster-v3-cluster-per-connection-buffer-limit-bytes) buffer limits, enabling [use_remote_address](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-use-remote-address), setting [connection and stream timeouts](https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/timeouts#faq-configuration-timeouts), limiting [maximum concurrent streams](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-max-concurrent-streams), setting [initial stream window size limit](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-http2protocoloptions-initial-stream-window-size), and configuring action on [headers_with_underscores](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-field-config-core-v3-httpprotocoloptions-headers-with-underscores-action).

[Path normalisation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-normalize-path) should be enabled to minimise path confusion vulnerabilities. These measures help protect against volumetric threats such as Denial of Service (DoS)nattacks. Utilise custom resources to implement policy attachment, thereby exposing request limit configuration for route types. | |EGTM-019|EGTM-DP-004|Container Security| There is a risk that replay attacks using stolen or reused JSON Web Tokens (JWTs) can compromise transmission integrity, thereby undermining the confidentiality and integrity of the data plane.

| Transmission integrity is compromised due to replay attacks using stolen or reused JSON Web Tokens (JWTs).

|Medium| Comply with JWT best practices for enhanced security, paying special attention to the use of short-lived tokens, which reduce the window of opportunity for a replay attack. The [exp](https://datatracker.ietf.org/doc/html/rfc7519#page-9) claim can be used to set token expiration times. | |EGTM-024|EGTM-EG-008|Envoy Gateway| There is a risk of developers getting more privileges than required due to the use of SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy and BackendTrafficPolicy. These resources can be attached to a Gateway resource. Therefore, a developer with permission to deploy them would be able to modify a Gateway configuration by targeting the gateway in the policy manifest. This conflicts with the [Advanced 4 Tier Model](https://gateway-api.sigs.k8s.io/concepts/security-model/#write-permissions-for-advanced-4-tier-model), where developers do not have write permissions on Gateways.

| Excessive developer permissions lead to a misconfiguration and/or unauthorised access.

|Medium| Considering the Tenant C scenario (represented in the Architecture Diagram), if a developer can create SecurityPolicy, ClientTrafficPolicy, EnvoyPatchPolicy or BackendTrafficPolicy objects in namespace C, they would be able to modify a Gateway configuration by attaching the policy to the gateway. In such scenarios, it is recommended to either:

a. Create a separate namespace, where developers have no permissions, > to host tenant C\'s gateway. Note that, due to design decisions, > the > SecurityPolicy/EnvoyPatchPolicy/ClientTrafficPolicy/BackendTrafficPolicy > object can only target resources deployed in the same namespace. > Therefore, having a separate namespace for the gateway would > prevent developers from attaching the policy to the gateway.

b. Forbid the creation of these policies for developers in namespace C.

On the other hand, in scenarios similar to tenants A and B, where a shared gateway namespace is in place, this issue is more limited. Note that in this scenario, developers don\'t have access to the shared gateway namespace.

In addition, it is important to mention that EnvoyPatchPolicy resources can also be attached to GatewayClass resources. This means that, in order to comply with the Advanced 4 Tier model, individuals with the Application Administrator role should not have access to this resource either. | |EGTM-003|EGTM-EG-001|Envoy Gateway| There is a risk that a threat actor could downgrade the security of proxied connections by configuring a weak set of cipher suites, compromising the confidentiality and integrity of proxied traffic.

| Exploit weak cipher suite configuration to downgrade security of proxied connections.

|Low| Users operating in highly regulated environments may need to tightly control the TLS protocol and associated cipher suites, blocking non-conforming incoming connections to the gateway.

EnvoyProxy bootstrap config can be customised as per the [customise EnvoyProxy](https://gateway.envoyproxy.io/latest/user/operations/customize-envoyproxy/) documentation. In addition, from v.1.0.0, it is possible to configure common TLS properties for a Gateway or XRoute through the [ClientTrafficPolicy](https://gateway.envoyproxy.io/latest/api/extension_types/#clienttrafficpolicy) object. | diff --git a/site/content/en/latest/user/security/tls-cert-manager.md b/site/content/en/latest/tasks/security/tls-cert-manager.md similarity index 98% rename from site/content/en/latest/user/security/tls-cert-manager.md rename to site/content/en/latest/tasks/security/tls-cert-manager.md index 690a5e02e04..d51fa469e8c 100644 --- a/site/content/en/latest/user/security/tls-cert-manager.md +++ b/site/content/en/latest/tasks/security/tls-cert-manager.md @@ -2,7 +2,7 @@ title: "Using cert-manager For TLS Termination" --- -This guide shows how to set up [cert-manager](https://cert-manager.io/) to automatically create certificates and secrets for use by Envoy Gateway. +This task shows how to set up [cert-manager](https://cert-manager.io/) to automatically create certificates and secrets for use by Envoy Gateway. It will first show how to enable the self-sign issuer, which is useful to test that cert-manager and Envoy Gateway can talk to each other. Then it shows how to use [Let's Encrypt's staging environment](https://letsencrypt.org/docs/staging-environment/). Changing to the Let's Encrypt production environment is straight-forward after that. @@ -18,7 +18,7 @@ Changing to the Let's Encrypt production environment is straight-forward after t ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Deploying cert-manager @@ -96,7 +96,7 @@ EOF ``` You could instead create a new Gateway serving HTTPS, if you'd prefer. -cert-manager doesn't care, but we'll keep it all together in this guide. +cert-manager doesn't care, but we'll keep it all together in this task. Nowadays, X.509 certificates don't use the subject Common Name for hostname matching, so you can set it to whatever you want, or leave it empty. The important parts here are diff --git a/site/content/en/latest/user/security/tls-passthrough.md b/site/content/en/latest/tasks/security/tls-passthrough.md similarity index 88% rename from site/content/en/latest/user/security/tls-passthrough.md rename to site/content/en/latest/tasks/security/tls-passthrough.md index f732b71236b..874ec2aac4e 100644 --- a/site/content/en/latest/user/security/tls-passthrough.md +++ b/site/content/en/latest/tasks/security/tls-passthrough.md @@ -2,7 +2,7 @@ title: "TLS Passthrough" --- -This guide will walk through the steps required to configure TLS Passthrough via Envoy Gateway. Unlike configuring +This task will walk through the steps required to configure TLS Passthrough via Envoy Gateway. Unlike configuring Secure Gateways, where the Gateway terminates the client TLS connection, TLS Passthrough allows the application itself to terminate the TLS connection, while the Gateway routes the requests to the application based on SNI headers. @@ -12,7 +12,7 @@ to terminate the TLS connection, while the Gateway routes the requests to the ap ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -49,7 +49,7 @@ Deploy TLS Passthrough application Deployment, Service and TLSRoute: kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/tls-passthrough.yaml ``` -Patch the Gateway from the Quickstart guide to include a TLS listener that listens on port `6443` and is configured for +Patch the Gateway from the Quickstart to include a TLS listener that listens on port `6443` and is configured for TLS mode Passthrough: ```shell @@ -106,7 +106,7 @@ curl -v -HHost:passthrough.example.com --resolve "passthrough.example.com:6443:$ ## Clean-Up -Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the Secret: diff --git a/site/content/en/latest/user/security/tls-termination.md b/site/content/en/latest/tasks/security/tls-termination.md similarity index 88% rename from site/content/en/latest/user/security/tls-termination.md rename to site/content/en/latest/tasks/security/tls-termination.md index 1c75b40e6db..77a701a443a 100644 --- a/site/content/en/latest/user/security/tls-termination.md +++ b/site/content/en/latest/tasks/security/tls-termination.md @@ -2,7 +2,8 @@ title: "TLS Termination for TCP" --- -This guide will walk through the steps required to configure TLS Terminate mode for TCP traffic via Envoy Gateway. The guide uses a self-signed CA, so it should be used for testing and demonstration purposes only. +This task will walk through the steps required to configure TLS Terminate mode for TCP traffic via Envoy Gateway. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. ## Prerequisites @@ -10,7 +11,7 @@ This guide will walk through the steps required to configure TLS Terminate mode ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway. ## TLS Certificates Generate the certificates and keys used by the Gateway to terminate client TLS connections. diff --git a/site/content/en/latest/tasks/traffic/_index.md b/site/content/en/latest/tasks/traffic/_index.md new file mode 100644 index 00000000000..f884ccdfcb0 --- /dev/null +++ b/site/content/en/latest/tasks/traffic/_index.md @@ -0,0 +1,5 @@ +--- +title: "Traffic" +weight: 1 +description: This section includes Traffic Management tasks. +--- diff --git a/site/content/en/latest/user/traffic/circuit-breaker.md b/site/content/en/latest/tasks/traffic/circuit-breaker.md similarity index 97% rename from site/content/en/latest/user/traffic/circuit-breaker.md rename to site/content/en/latest/tasks/traffic/circuit-breaker.md index 2a797fc24c4..cf00d926a2c 100644 --- a/site/content/en/latest/user/traffic/circuit-breaker.md +++ b/site/content/en/latest/tasks/traffic/circuit-breaker.md @@ -20,7 +20,7 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP ### Install Envoy Gateway -* Follow the installation step from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and sample resources. +* Follow the installation step from the [Quickstart](../../quickstart) to install Envoy Gateway and sample resources. ### Install the hey load testing tool * The `hey` CLI will be used to generate load and measure response times. Follow the installation instruction from the [Hey project] docs. @@ -120,4 +120,4 @@ With the new circuit breaker settings, and due to the slowness of the backend, o [Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute/ -[Hey project]: https://github.com/rakyll/hey \ No newline at end of file +[Hey project]: https://github.com/rakyll/hey diff --git a/site/content/en/latest/user/traffic/client-traffic-policy.md b/site/content/en/latest/tasks/traffic/client-traffic-policy.md similarity index 98% rename from site/content/en/latest/user/traffic/client-traffic-policy.md rename to site/content/en/latest/tasks/traffic/client-traffic-policy.md index 7b37f8d4338..98659941f72 100644 --- a/site/content/en/latest/user/traffic/client-traffic-policy.md +++ b/site/content/en/latest/tasks/traffic/client-traffic-policy.md @@ -2,7 +2,7 @@ title: "Client Traffic Policy" --- -This guide explains the usage of the [ClientTrafficPolicy][] API. +This task explains the usage of the [ClientTrafficPolicy][] API. ## Introduction @@ -18,7 +18,7 @@ This API was added as a new policy attachment resource that can be applied to Ga ### Prerequisites -* Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Support TCP keepalive for downstream client diff --git a/site/content/en/latest/user/traffic/connection-limit.md b/site/content/en/latest/tasks/traffic/connection-limit.md similarity index 96% rename from site/content/en/latest/user/traffic/connection-limit.md rename to site/content/en/latest/tasks/traffic/connection-limit.md index ac9acc02844..138e620bf9b 100644 --- a/site/content/en/latest/user/traffic/connection-limit.md +++ b/site/content/en/latest/tasks/traffic/connection-limit.md @@ -25,7 +25,7 @@ When a [Client Traffic Policy][] is attached to a gateway, the connection limit ### Install Envoy Gateway -* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Install the hey load testing tool diff --git a/site/content/en/latest/user/traffic/fault-injection.md b/site/content/en/latest/tasks/traffic/fault-injection.md similarity index 95% rename from site/content/en/latest/user/traffic/fault-injection.md rename to site/content/en/latest/tasks/traffic/fault-injection.md index c033d12aed3..657b3e1453d 100644 --- a/site/content/en/latest/user/traffic/fault-injection.md +++ b/site/content/en/latest/tasks/traffic/fault-injection.md @@ -13,7 +13,7 @@ This instantiated resource can be linked to a [Gateway][], [HTTPRoute][] or [GRP ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. For GRPC - follow the steps from the [GRPC Routing](../grpc-routing) example. Before proceeding, you should be able to query the example backend using HTTP or GRPC. @@ -170,7 +170,7 @@ kubectl get backendtrafficpolicy/fault-injection-abort -o yaml ## Testing -Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) guide is set. If not, follow the +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. ```shell @@ -238,7 +238,7 @@ Error invoking method "yages.Echo/Ping": rpc error: code = Unavailable desc = fa ## Clean-Up -Follow the steps from the [Quickstart](../../quickstart) guide to uninstall Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway and the example manifest. Delete the BackendTrafficPolicy: diff --git a/site/content/en/latest/user/traffic/gateway-address.md b/site/content/en/latest/tasks/traffic/gateway-address.md similarity index 100% rename from site/content/en/latest/user/traffic/gateway-address.md rename to site/content/en/latest/tasks/traffic/gateway-address.md diff --git a/site/content/en/latest/user/traffic/gatewayapi-support.md b/site/content/en/latest/tasks/traffic/gatewayapi-support.md similarity index 100% rename from site/content/en/latest/user/traffic/gatewayapi-support.md rename to site/content/en/latest/tasks/traffic/gatewayapi-support.md diff --git a/site/content/en/latest/user/traffic/global-rate-limit.md b/site/content/en/latest/tasks/traffic/global-rate-limit.md similarity index 99% rename from site/content/en/latest/user/traffic/global-rate-limit.md rename to site/content/en/latest/tasks/traffic/global-rate-limit.md index aca136fb298..a0734928bd7 100644 --- a/site/content/en/latest/user/traffic/global-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/global-rate-limit.md @@ -27,7 +27,7 @@ has its own 100r/s rate limit bucket. ### Install Envoy Gateway -* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. Before proceeding, you should be able to query the example backend using HTTP. ### Install Redis diff --git a/site/content/en/latest/user/traffic/grpc-routing.md b/site/content/en/latest/tasks/traffic/grpc-routing.md similarity index 97% rename from site/content/en/latest/user/traffic/grpc-routing.md rename to site/content/en/latest/tasks/traffic/grpc-routing.md index 5334514b7cc..4c27ef993cc 100644 --- a/site/content/en/latest/user/traffic/grpc-routing.md +++ b/site/content/en/latest/tasks/traffic/grpc-routing.md @@ -7,7 +7,7 @@ To learn more about gRPC routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Installation @@ -43,8 +43,7 @@ kubectl get gateways --selector=example=grpc-routing ``` The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also -provides the address of the Gateway. This address is used later in the guide to test connectivity to proxied backend -services. +provides the address of the Gateway. This address is used later to test connectivity to proxied backend services. Check the status of the GRPCRoute: diff --git a/site/content/en/latest/user/traffic/http-redirect.md b/site/content/en/latest/tasks/traffic/http-redirect.md similarity index 99% rename from site/content/en/latest/user/traffic/http-redirect.md rename to site/content/en/latest/tasks/traffic/http-redirect.md index 21aed019d4d..8639c2c9d7c 100644 --- a/site/content/en/latest/user/traffic/http-redirect.md +++ b/site/content/en/latest/tasks/traffic/http-redirect.md @@ -66,7 +66,7 @@ $ curl -L -vvv --header "Host: redirect.example" "http://${GATEWAY_HOST}/get" ... ``` -If you followed the steps in the [Secure Gateways](../security/secure-gateways) guide, you should be able to curl the redirect +If you followed the steps in the [Secure Gateways](../security/secure-gateways) task, you should be able to curl the redirect location. ## HTTP --> HTTPS diff --git a/site/content/en/latest/user/traffic/http-request-headers.md b/site/content/en/latest/tasks/traffic/http-request-headers.md similarity index 98% rename from site/content/en/latest/user/traffic/http-request-headers.md rename to site/content/en/latest/tasks/traffic/http-request-headers.md index af946da719e..05cb770c4a7 100644 --- a/site/content/en/latest/user/traffic/http-request-headers.md +++ b/site/content/en/latest/tasks/traffic/http-request-headers.md @@ -14,7 +14,7 @@ client. ## Prerequisites -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Request Headers diff --git a/site/content/en/latest/user/traffic/http-request-mirroring.md b/site/content/en/latest/tasks/traffic/http-request-mirroring.md similarity index 97% rename from site/content/en/latest/user/traffic/http-request-mirroring.md rename to site/content/en/latest/tasks/traffic/http-request-mirroring.md index 0398cf3780b..e5caa3fdc89 100644 --- a/site/content/en/latest/user/traffic/http-request-mirroring.md +++ b/site/content/en/latest/tasks/traffic/http-request-mirroring.md @@ -8,7 +8,7 @@ When requests are made to a `HTTPRoute` that uses a `HTTPRequestMirrorFilter`, t ## Installation -Follow the steps from the [Quickstart Guide][] to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart][] to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Mirroring the Traffic @@ -244,7 +244,7 @@ EOF Error from server: error when creating "STDIN": admission webhook "validate.gateway.networking.k8s.io" denied the request: spec.rules[0].filters: Invalid value: "RequestMirror": cannot be used multiple times in the same rule ``` -[Quickstart Guide]: ../../quickstart/ +[Quickstart]: ../../quickstart/ [Traffic Splitting]: ../http-traffic-splitting/ [HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute/ [backendRefs]: https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.BackendRef diff --git a/site/content/en/latest/user/traffic/http-response-headers.md b/site/content/en/latest/tasks/traffic/http-response-headers.md similarity index 98% rename from site/content/en/latest/user/traffic/http-response-headers.md rename to site/content/en/latest/tasks/traffic/http-response-headers.md index 13efc8af19a..8e13f146493 100644 --- a/site/content/en/latest/user/traffic/http-response-headers.md +++ b/site/content/en/latest/tasks/traffic/http-response-headers.md @@ -12,7 +12,7 @@ upstream service. ## Prerequisites -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Adding Response Headers diff --git a/site/content/en/latest/user/traffic/http-routing.md b/site/content/en/latest/tasks/traffic/http-routing.md similarity index 97% rename from site/content/en/latest/user/traffic/http-routing.md rename to site/content/en/latest/tasks/traffic/http-routing.md index 12e1773a91f..bf1a7596637 100644 --- a/site/content/en/latest/user/traffic/http-routing.md +++ b/site/content/en/latest/tasks/traffic/http-routing.md @@ -3,13 +3,13 @@ title: "HTTP Routing" --- The [HTTPRoute][] resource allows users to configure HTTP routing by matching HTTP traffic and forwarding it to -Kubernetes backends. Currently, the only supported backend supported by Envoy Gateway is a Service resource. This guide +Kubernetes backends. Currently, the only supported backend supported by Envoy Gateway is a Service resource. This task shows how to route traffic based on host, header, and path fields and forward the traffic to different Kubernetes Services. To learn more about HTTP routing, refer to the [Gateway API documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Installation @@ -45,7 +45,7 @@ kubectl get gateways --selector=example=http-routing ``` The status should reflect "Ready=True", indicating the Envoy proxy infrastructure has been provisioned. The status also -provides the address of the Gateway. This address is used later in the guide to test connectivity to proxied backend +provides the address of the Gateway. This address is used later to test connectivity to proxied backend services. The three HTTPRoute resources create routing rules on the Gateway. In order to receive traffic from a Gateway, diff --git a/site/content/en/latest/user/traffic/http-timeouts.md b/site/content/en/latest/tasks/traffic/http-timeouts.md similarity index 94% rename from site/content/en/latest/user/traffic/http-timeouts.md rename to site/content/en/latest/tasks/traffic/http-timeouts.md index c3abc192611..01e166fe87e 100644 --- a/site/content/en/latest/user/traffic/http-timeouts.md +++ b/site/content/en/latest/tasks/traffic/http-timeouts.md @@ -2,7 +2,7 @@ title: "HTTP Timeouts" --- -The [HTTPRouteTimeouts][] resource allows users to configure request timeouts and response timeouts for an [HTTPRouteRule][]. This guide shows how to configure timeouts. +The [HTTPRouteTimeouts][] resource allows users to configure request timeouts and response timeouts for an [HTTPRouteRule][]. This task shows how to configure timeouts. The [HTTPRouteTimeouts][] supports two kinds of timeouts: - **request**: Request specifies the maximum duration for a gateway to respond to an HTTP request. @@ -12,7 +12,7 @@ __Note:__ The Request duration must be >= BackendRequest duration ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Verification diff --git a/site/content/en/latest/user/traffic/http-traffic-splitting.md b/site/content/en/latest/tasks/traffic/http-traffic-splitting.md similarity index 98% rename from site/content/en/latest/user/traffic/http-traffic-splitting.md rename to site/content/en/latest/tasks/traffic/http-traffic-splitting.md index ef240753ad8..924d36970e9 100644 --- a/site/content/en/latest/user/traffic/http-traffic-splitting.md +++ b/site/content/en/latest/tasks/traffic/http-traffic-splitting.md @@ -8,7 +8,7 @@ with status code `500` for all requests that would have been sent to that backen ## Installation -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Single backendRef diff --git a/site/content/en/latest/user/traffic/http-urlrewrite.md b/site/content/en/latest/tasks/traffic/http-urlrewrite.md similarity index 98% rename from site/content/en/latest/user/traffic/http-urlrewrite.md rename to site/content/en/latest/tasks/traffic/http-urlrewrite.md index 062f6086392..5acca036714 100644 --- a/site/content/en/latest/user/traffic/http-urlrewrite.md +++ b/site/content/en/latest/tasks/traffic/http-urlrewrite.md @@ -7,7 +7,7 @@ used on a Route rule. This MUST NOT be used on the same Route rule as a HTTPRequ ## Prerequisites -Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Rewrite URL Prefix Path diff --git a/site/content/en/latest/user/traffic/http3.md b/site/content/en/latest/tasks/traffic/http3.md similarity index 86% rename from site/content/en/latest/user/traffic/http3.md rename to site/content/en/latest/tasks/traffic/http3.md index 77bc8742cb3..3b83bc7def5 100644 --- a/site/content/en/latest/user/traffic/http3.md +++ b/site/content/en/latest/tasks/traffic/http3.md @@ -2,8 +2,8 @@ title: "HTTP3" --- -This guide will help you get started using HTTP3 using EG. The guide uses a self-signed CA, so it should be used for -testing and demonstration purposes only. +This task will help you get started using HTTP3 using EG. +This task uses a self-signed CA, so it should be used for testing and demonstration purposes only. ## Prerequisites @@ -11,7 +11,7 @@ testing and demonstration purposes only. ## Installation -Follow the steps from the [Quickstart Guide](../quickstart) to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## TLS Certificates @@ -37,7 +37,7 @@ Store the cert/key in a Secret: kubectl create secret tls example-cert --key=www.example.com.key --cert=www.example.com.crt ``` -Update the Gateway from the Quickstart guide to include an HTTPS listener that listens on port `443` and references the +Update the Gateway from the Quickstart to include an HTTPS listener that listens on port `443` and references the `example-cert` Secret: ```shell diff --git a/site/content/en/latest/user/traffic/local-rate-limit.md b/site/content/en/latest/tasks/traffic/local-rate-limit.md similarity index 98% rename from site/content/en/latest/user/traffic/local-rate-limit.md rename to site/content/en/latest/tasks/traffic/local-rate-limit.md index 822e2dd5e56..067756b3109 100644 --- a/site/content/en/latest/user/traffic/local-rate-limit.md +++ b/site/content/en/latest/tasks/traffic/local-rate-limit.md @@ -28,7 +28,7 @@ has its own 100r/s rate limit bucket. ### Install Envoy Gateway -* Follow the steps from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. +* Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the HTTPRoute example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Rate Limit Specific User diff --git a/site/content/en/latest/user/traffic/multicluster-service.md b/site/content/en/latest/tasks/traffic/multicluster-service.md similarity index 100% rename from site/content/en/latest/user/traffic/multicluster-service.md rename to site/content/en/latest/tasks/traffic/multicluster-service.md diff --git a/site/content/en/latest/user/traffic/retry.md b/site/content/en/latest/tasks/traffic/retry.md similarity index 96% rename from site/content/en/latest/user/traffic/retry.md rename to site/content/en/latest/tasks/traffic/retry.md index ad40202a107..cde27f5c2bf 100644 --- a/site/content/en/latest/user/traffic/retry.md +++ b/site/content/en/latest/tasks/traffic/retry.md @@ -15,7 +15,7 @@ Envoy Gateway introduces a new CRD called [BackendTrafficPolicy](../../../api/ex ## Prerequisites -Follow the installation step from the [Quickstart Guide](../../quickstart) to install Envoy Gateway and sample resources. +Follow the installation step from the [Quickstart](../../quickstart) to install Envoy Gateway and sample resources. ## Test and customize retry settings diff --git a/site/content/en/latest/user/traffic/routing-outside-kubernetes.md b/site/content/en/latest/tasks/traffic/routing-outside-kubernetes.md similarity index 94% rename from site/content/en/latest/user/traffic/routing-outside-kubernetes.md rename to site/content/en/latest/tasks/traffic/routing-outside-kubernetes.md index 6be1853570f..95b91eaa0e1 100644 --- a/site/content/en/latest/user/traffic/routing-outside-kubernetes.md +++ b/site/content/en/latest/tasks/traffic/routing-outside-kubernetes.md @@ -7,7 +7,7 @@ running is a common use. This can be achieved by defining FQDN addresses in a [E ## Installation -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration diff --git a/site/content/en/latest/user/traffic/tcp-routing.md b/site/content/en/latest/tasks/traffic/tcp-routing.md similarity index 98% rename from site/content/en/latest/user/traffic/tcp-routing.md rename to site/content/en/latest/tasks/traffic/tcp-routing.md index 854522c7b98..4eea863f5f8 100644 --- a/site/content/en/latest/user/traffic/tcp-routing.md +++ b/site/content/en/latest/tasks/traffic/tcp-routing.md @@ -8,7 +8,7 @@ HTTP routing, refer to the [Gateway API documentation][]. ## Installation -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Configuration diff --git a/site/content/en/latest/user/traffic/udp-routing.md b/site/content/en/latest/tasks/traffic/udp-routing.md similarity index 89% rename from site/content/en/latest/user/traffic/udp-routing.md rename to site/content/en/latest/tasks/traffic/udp-routing.md index 521d0b41acc..c703abe804f 100644 --- a/site/content/en/latest/user/traffic/udp-routing.md +++ b/site/content/en/latest/tasks/traffic/udp-routing.md @@ -3,7 +3,7 @@ title: "UDP Routing" --- The [UDPRoute][] resource allows users to configure UDP routing by matching UDP traffic and forwarding it to Kubernetes -backends. This guide will use CoreDNS example to walk you through the steps required to configure UDPRoute on Envoy +backends. This task will use CoreDNS example to walk you through the steps required to configure UDPRoute on Envoy Gateway. __Note:__ UDPRoute allows Envoy Gateway to operate as a non-transparent proxy between a UDP client and server. The lack @@ -12,7 +12,7 @@ For additional information, refer to Envoy's [UDP proxy documentation][]. ## Prerequisites -Follow the steps from the [Quickstart](../../quickstart) guide to install Envoy Gateway and the example manifest. +Follow the steps from the [Quickstart](../../quickstart) to install Envoy Gateway and the example manifest. Before proceeding, you should be able to query the example backend using HTTP. ## Installation @@ -30,7 +30,7 @@ Wait for the CoreDNS deployment to become available: kubectl wait --timeout=5m deployment/coredns --for=condition=Available ``` -Update the Gateway from the Quickstart guide to include a UDP listener that listens on UDP port `5300`: +Update the Gateway from the Quickstart to include a UDP listener that listens on UDP port `5300`: ```shell kubectl patch gateway eg --type=json --patch '[{ @@ -128,7 +128,7 @@ _udp.foo.bar.com. 0 IN SRV 0 0 42376 . ## Clean-Up -Follow the steps from the [Quickstart Guide](../../quickstart) to uninstall Envoy Gateway. +Follow the steps from the [Quickstart](../../quickstart) to uninstall Envoy Gateway. Delete the CoreDNS example manifest and the UDPRoute: diff --git a/site/content/en/latest/user/_index.md b/site/content/en/latest/user/_index.md deleted file mode 100644 index e413578a6ca..00000000000 --- a/site/content/en/latest/user/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: "User Guides" -weight: 2 -description: This section includes User Guides of Envoy Gateway. ---- diff --git a/site/content/en/latest/user/extensibility/_index.md b/site/content/en/latest/user/extensibility/_index.md deleted file mode 100644 index 9560b0dd241..00000000000 --- a/site/content/en/latest/user/extensibility/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: "Extensibility" -weight: 4 -description: This section includes User Guides of Extensibility. ---- diff --git a/site/content/en/latest/user/observability/_index.md b/site/content/en/latest/user/observability/_index.md deleted file mode 100644 index ed877d4355b..00000000000 --- a/site/content/en/latest/user/observability/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: "Observability" -weight: 4 -description: This section includes User Guides of Observability. ---- diff --git a/site/content/en/latest/user/operations/_index.md b/site/content/en/latest/user/operations/_index.md deleted file mode 100644 index 0341d46ad0a..00000000000 --- a/site/content/en/latest/user/operations/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: "Operations" -weight: 4 -description: This section includes User Guides of Operations. ---- diff --git a/site/content/en/latest/user/security/_index.md b/site/content/en/latest/user/security/_index.md deleted file mode 100644 index f469d0c55a5..00000000000 --- a/site/content/en/latest/user/security/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: "Security" -weight: 2 -description: This section includes User Guides of Security. ---- diff --git a/site/content/en/latest/user/traffic/_index.md b/site/content/en/latest/user/traffic/_index.md deleted file mode 100644 index 87e84e04907..00000000000 --- a/site/content/en/latest/user/traffic/_index.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: "Traffic" -weight: 1 -description: This section includes User Guides of Traffic Management. ---- diff --git a/site/content/en/v1.0.0/install/install-yaml.md b/site/content/en/v1.0.0/install/install-yaml.md index 859aef1f534..62f2212eed2 100644 --- a/site/content/en/v1.0.0/install/install-yaml.md +++ b/site/content/en/v1.0.0/install/install-yaml.md @@ -36,4 +36,4 @@ Refer to the [Developer Guide](/latest/contributions/develop) to learn more. 2. Next Steps - Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](/latest/user). + Envoy Gateway should now be successfully installed and running, but in order to experience more abilities of Envoy Gateway, you can refer to [User Guides](/latest/tasks).