Updates to latest version of Kuadrant (#6)

* DNSPolicy update

* git branch

* updates for new version

* version updates

* version changes

* RateLimitPolicy duration to window

* AuthPolicy dynamicMetadata to filters

documentation/modules/ROOT/pages/02-architecture.adoc

@@ -93,42 +93,86 @@ Now that the Gateway is made available, the developers can now start onboarding
 [#more_tech]
 == About the Technology Stack
 
-=== What is Gateway API
-https://gateway-api.sigs.k8s.io/[Gateway API^]This is the new standard for Ingress from the Kubernetes community. 
+=== Gateway API
+Ref: https://gateway-api.sigs.k8s.io/[Gateway API^]
 
-Gateway API is a relatively new Kubernetes based API focused on traffic routing and is often referred to as the next generation of Ingress on kube. 
-
-Used to define the Gateways and Routing rules for requests entering those gateways. Our supported provider is Istio via OpenShift Service Mesh.
+* New standard for Ingress from k8s community
+* Gateway API is the core API that Kuadrant integrates with.
+* Represent L4/L7 routing and traffic management through generic common core API resources
+* API  resources reflects the separation of responsibilities such as infra provider, PE or App Dev
 
 Connectivity Link (Kuadrant) provides connectivity, security and service protection capabilities in the form of Kubernetes CRDs that implement the Gateway API concept of policy attachment. These policy APIs can target specific Gateway API resources such as Gateways and HTTPRoutes to extend their capabilities and configuration. 
 
-==== Istio as Gateway provider
-Connectivity Link/Kuadrant's focus is on HTTP traffic and Istio/OpenShift Service Mesh as a supported Gateway API implementation. Istio is the Gateway API provider that Connectivity Link integrates with (via WASM and Istio APIS) to provide service protection capabilities. It configures Envoy via the Istio control plane to enforce the applied policies and register components such as Authorino and Limitador.+
-Ref: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/ [Istio with Gateway API]
+.[underline]#Click to view why Gateway API#
+[%collapsible]
+====
+* Role Oriented - To allow cluster owners to designate how the infrastructure is used
+* Portable - This enables concepts & resources to be uniform across environments reducing complexity
+* Expressive - Provides built-in capabilities for header-based matching, traffic weighting & more
+====
+
+==== Gateway
+* describes how traffic can be translated to Services within the cluster
+* can express capabilities like HTTP header manipulation, traffic weighting & mirroring, TCP/UDP routing
+* may be attached to one or more Route references which serve to direct traffic for a subset of traffic to a specific service
+
 
 ==== HTTPRoute
-HTTPRoute enables advanced routing capabilities for Ingress. It is a Gateway API type for specifying routing behavior of HTTP requests from a Gateway listener to an API object, i.e. Service. +
-Ref: https://gateway-api.sigs.k8s.io/api-types/httproute/
+* enables advanced routing capabilities for Ingress.
+* specify routing behavior of HTTP requests from a Gateway listener to an API object, i.e. Service.
+* Each Route includes a way to reference the parent resources it wants to attach to. 
 
+=== OpenShift Service Mesh and Istio as Gateway provider
+OpenShift Service Mesh is a supported Gateway API provider and Connectivity Link integrates with Istio (via WASM and Istio APIS) to provide service protection capabilities. It configures Envoy via the Istio control plane to enforce the applied policies and register components such as Authorino and Limitador.
 
-=== What is Kuadrant
+Ref: https://istio.io/latest/docs/tasks/traffic-management/ingress/gateway-api/[Istio with Gateway API^]
+
+Kuadrant has also been proven to work with Envoy Gateway as a Gateway API provider. This is to showcase that Kudrant is extensible and can work work with other Gateway providers too. To try this out check out https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-openshift/#step-5-optional-install-envoy-gateway-as-a-gateway-api-provider[this tutorial^]
+
+=== Cert Manager
+
+The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management. It allows you to integrate with external certificate authorities and provides certificate provisioning, renewal, and retirement. In this solution pattern, we integrate with https://letsencrypt.org/[Let's Encrypt^].
+
+If needed, one can create the certificates manually and inject them, rather than using cert-manager. You can create a secret `my-cert` (as an e.g.) and add that to a listener in the gateway. TLSPolicy is a very light API wrapper around cert-manager resources that makes the target, host and secret name obvious as already defined in the gateway listener.
+
+=== Kuadrant
 
 
 video::euWAMvQojP4[youtube, width=800, height=480]
 
+It enables platform engineers and application developers to easily connect, secure, and protect their services and infrastructure across multiple clusters. It exposes these capabilities in the form of powerful policy APIs that implement the https://gateway-api.sigs.k8s.io/[Gateway API^] concept of https://gateway-api.sigs.k8s.io/reference/policy-attachment/[policy attachment^] -   with policies for https://docs.kuadrant.io/latest/kuadrant-operator/doc/tls/[TLS^], https://docs.kuadrant.io/0.8.0/kuadrant-operator/doc/reference/dnspolicy/[DNS^], application https://docs.kuadrant.io/latest/kuadrant-operator/doc/auth/[AuthN & AuthZ^], and https://docs.kuadrant.io/latest/kuadrant-operator/doc/rate-limiting/[rate limiting^]. Additionally, Kuadrant offers observability templates to further support infrastructure management. 
 
-It enables platform engineers and application developers to easily connect, secure, and protect their services and infrastructure across multiple clusters with policies for TLS, DNS, application authentication & authorization, and rate limiting. Additionally, Kuadrant offers observability templates to further support infrastructure management. +
-Ref: https://docs.kuadrant.io
 
-=== Kuadrant: list of underlying components
+Simply put, Red Hat Connectivity Link 
+
+* provides a  bunch of policies (through Kuadrant APIs) - that can be applied on Gateway API resources viz. Gateway and HttpRoute…
+* so that you can connect, secure and protect all of your service endpoints
+* providing the Platform Engineers the right level of control
+* providing Developers the tools for a more fully rounded API mgmt feature set through Apicurio.
+
+image::rhcl-simplyput.png[width=60%]
+
+
+=== Personas
+
+* *Platform engineers* 
+** can deploy, manage, observe and protect services exposed via their gateways 
+* confidently allow application developers to self-service knowing that endpoints are secured
+* *Application developers* 
+** are allowed to self service and refine policies to their specific needs in order to protect exposed endpoints.
+** focus on what is important for them - their applications and code
 
-==== DNS Operator
 
-DNS operator consumes DNSRecord resources that are configured via the *DNSPolicy* API and applies them into the targeted cloud DNS provider. AWS, Azure and Google DNS are our main targets.
 
-==== Cert Manager for TLS Policy
+=== Kuadrant' underlying components
 
-Manages TLS certificates for our components and for the Gateways. Consumes Certificate resources created by the Kuadrant operator in response to the TLSPolicy.
+Here is a view on how Kuadrant Policy APIs are applied on the Request flow on Gateway API
+
+image::policies-on-requestflow.png[] 
+
+==== DNS Operator
+
+DNS operator consumes DNSRecord resources that are configured via the *DNSPolicy* API and applies them into the targeted cloud DNS provider. AWS, Azure and Google DNS are our main targets.
 
 ====  Authorino Operator for Auth Policy
 
@@ -138,12 +182,14 @@ Ref: https://docs.kuadrant.io/0.8.0/authorino/
 
 ==== Limitador Operator for Ratelimits
 
-Limitador is a generic rate-limiter and can be enabled using RateLimit APIs.
-
+* Limitador is a generic rate-limiter and can be enabled using RateLimit APIs. 
+* It support in-memory, Redis and disk data stores. 
+* In this solution pattern, for a single cluster, we go with the built-in in-memory database; 
+* for multi-cluster setup you can use a  Redis service (or RocksDB)
 
 === Policies
 
-Kuadrant at its heart, provides Gateway Policies for Kubernetes. To quote https://kuadrant.io/:
+Kuadrant at its heart, provides Gateway Policies (as described previously) for Kubernetes. To quote https://kuadrant.io/:
 
 > Gateways play a pivotal role in application connectivity. With Kuadrant, platform engineers and application developers can easily connect, secure and protect their services and infrastructure using its powerful policy APIs
 
@@ -180,7 +226,7 @@ Here is an excerpt of an AuthPolicy.
           issuerUrl: https://sso.mykeycloak.example.com/realms/realmname
     response:
       success:
-        dynamicMetadata:
+        filters:
           identity:
             json:
               properties:

documentation/modules/ROOT/pages/03-demo.adoc

@@ -116,6 +116,11 @@ oc login --token=<token> --server=<server>
 git clone https://github.com/rh-soln-pattern-connectivity-link/connectivity-link-ansible
 ----
 
+[IMPORTANT]
+====
+Switch to `v0.11.0` branch in your editor
+====
+
 * Open the `inventories/inventory.template` file and update the variables. Save the file.
 +
 .[underline]#Click for details of inventory.template file#
@@ -154,7 +159,7 @@ Before running the following Ansible script, check if you have done these prereq
 ====
 
 
-Run the Ansible script which will setup the RHCL Operator, Istio and Kuadrant system workloads
+Run the Ansible script which will setup the RHCL Operator, Cert Manager Operator, OpenShift Service Mesh Operator, Istio CR and other Kuadrant system workloads
 
 [.console-input]
 [source,shell script]

documentation/modules/ROOT/pages/03.1-platform.adoc

@@ -82,20 +82,21 @@ spec:
 ``` 
 
 * gatewayClassName refers to Istio as a the provider (Istio  has also been setup by the Ansible script)
-* 
+* Note the `certificateRefs` in the above Custom Resource. This name `name: api-tls` defines the name of the secret where the certificate will be stored when it gets generated by Cert Manager
+* To view this secret click https://console-openshift-console.%OPENSHIFTSUBDOMAIN%/k8s/ns/ingress-gateway/secrets/api-tls[here^]
 ******
 ====
 
 
 * Various policies attached to the Gateway:
-** A default `deny-all` Auth Policy to start with zero-trust [https://console-openshift-console.%OPENSHIFTSUBDOMAIN%/k8s/ns/ingress-gateway/kuadrant.io\~v1beta2~AuthPolicy/prod-web-deny-all/yaml[View CR^]]
+** A default `deny-all` Auth Policy to start with zero-trust [https://console-openshift-console.%OPENSHIFTSUBDOMAIN%/k8s/ns/ingress-gateway/kuadrant.io\~v1~AuthPolicy/prod-web-deny-all/yaml[View CR^]]
 +
 .[underline]#Click to see an example and description#
 [%collapsible]
 ====
 ******
 ``` sh
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1
 kind: AuthPolicy
 metadata:
   name: prod-web-deny-all
@@ -130,14 +131,14 @@ spec:
 * You can define the response to be sent in the *response* section; in this case, a response has been defined for *unauthorized* requests
 ******
 ====
-** TLS Policy [https://console-openshift-console.%OPENSHIFTSUBDOMAIN%/k8s/ns/ingress-gateway/kuadrant.io\~v1alpha1~TLSPolicy/prod-web-tls-policy/yaml[View CR^]]
+** TLS Policy [https://console-openshift-console.%OPENSHIFTSUBDOMAIN%/k8s/ns/ingress-gateway/kuadrant.io\~v1~TLSPolicy/prod-web-tls-policy/yaml[View CR^]]
 +
 .[underline]#Click to see an example and description#
 [%collapsible]
 ====
 ******
 ``` sh
-apiVersion: kuadrant.io/v1alpha1
+apiVersion: kuadrant.io/v1
 kind: TLSPolicy
 metadata:
   name: prod-web-tls-policy
@@ -212,17 +213,18 @@ Now that we have setup a secure, protected application connectivity environment,
 [.console-input]
 [source,shell script]
 ----
-apiVersion: kuadrant.io/v1alpha1
+apiVersion: kuadrant.io/v1
 kind: DNSPolicy
 metadata:
   name: prod-web-dnspolicy
   namespace: ingress-gateway
 spec:
-  routingStrategy: "simple"
   targetRef:
     name: prod-web
     group: gateway.networking.k8s.io
     kind: Gateway
+  providerRefs:
+  - name: prod-web-aws-credentials
 ----
 
 * The DNSPolicy acts against a target Gateway by processing its listeners for hostnames and then create dns records for those hostnames. 
@@ -276,7 +278,7 @@ for i in {1..10}; do curl -k -w "%{http_code}" https://echo.globex.%AWSROOTZONE%
 [.console-input]
 [source,shell script]
 ----
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: echo-api-rlp
@@ -286,15 +288,20 @@ spec:
     echoa-api:
       rates:
         - duration: 10
-          limit: 8
-          unit: second
+          window: 12s
   targetRef:
     group: gateway.networking.k8s.io
     kind: HTTPRoute
     name: echo-api
-    namespace: echo-api
 ----
 
+* Now run this 10 times and you will see successful output from the echoAPI for all 10 requests. Make sure you allow for a reasonable time interval between requests.
++
+[.console-input]
+[source,shell script]
+----
+for i in {1..10}; do curl -k -w "%{http_code}" https://echo.globex.%AWSROOTZONE%; done
+----
 * Learn more about Rate Limiting https://docs.kuadrant.io/0.8.0/kuadrant-operator/doc/rate-limiting/[here^]
 
 

documentation/modules/ROOT/pages/03.2-developer.adoc

@@ -108,7 +108,7 @@ image::globex-403.png[width=70%]
 [.console-input]
 [source,shell script]
 ----
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1
 kind: AuthPolicy
 metadata:
   name: globex-mobile-gateway
@@ -118,22 +118,19 @@ spec:
     group: gateway.networking.k8s.io
     kind: HTTPRoute
     name: globex-mobile-gateway
-    namespace: globex-apim-user1
   rules:
     authentication:
       "keycloak-users":
         jwt:
           issuerUrl: https://sso.%OPENSHIFTSUBDOMAIN%/realms/globex-user1
     response:
       success:
-        dynamicMetadata:
+        filters:
           identity:
             json:
               properties:
                 userid:
                   selector: auth.identity.sub
-  routeSelectors:
-    - matches: []
 ----
 
 === Test Globex Mobile again (after HTTPRoute and AuthPolicy are setup)
@@ -159,7 +156,7 @@ image::globex-429.png[width=70%]
 [.console-input]
 [source,shell script]
 ----
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1
 kind: RateLimitPolicy
 metadata:
   name: globex-mobile-gateway
@@ -169,13 +166,11 @@ spec:
     group: gateway.networking.k8s.io
     kind: HTTPRoute
     name: globex-mobile-gateway
-    namespace: globex-apim-user1
   limits:
     "per-user":
       rates:
         - limit: 100
-          duration: 10
-          unit: second
+          window: 10s
       counters:
         - metadata.filter_metadata.envoy\.filters\.http\.ext_authz.identity.userid
 ----

documentation/modules/ROOT/pages/developer-resources.adoc

@@ -8,4 +8,5 @@
 
 * https://developers.redhat.com/articles/2024/06/12/getting-started-red-hat-connectivity-link-openshift[Getting started with Red Hat Connectivity Link on OpenShift^]
 * Red Hat Connectivity Link on https://developers.redhat.com/products/red-hat-connectivity-link[Red Hat Developers^]
-* Kuadrant https://docs.kuadrant.io[upstream docs^]
+* Kuadrant https://docs.kuadrant.io/latest[upstream docs^]
+* How does Kuadrant integrate with Gateway Providers?[https://docs.kuadrant.io/latest/architecture/docs/design/architectural-overview/#how-does-kuadrant-integrate-with-gateway-providers^]