From 526b0c9b8f6bb623159a7d132b21e87b4230fee6 Mon Sep 17 00:00:00 2001 From: Craig Brookes Date: Thu, 14 Nov 2024 12:43:52 +0000 Subject: [PATCH] Updated install doc (#986) * add a basic kustomize install Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * Update config/install/README.md Co-authored-by: Rachel Lawton * Add observability steps and configuration (#1006) Signed-off-by: David Martin * updates for install doc Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED Update observability resources to use gateway-system namespace (#969) Signed-off-by: David Martin add example for external api usage * remove links Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * Update config/install/README.md Co-authored-by: Rachel Lawton * Update config/install/README.md Co-authored-by: Rachel Lawton * Update config/install/README.md Co-authored-by: Rachel Lawton * Update config/install/README.md Co-authored-by: Rachel Lawton * Apply suggestions from code review Co-authored-by: Rachel Lawton * Update config/install/README.md Co-authored-by: Rachel Lawton * remove links update multi cluster options Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * fix indent Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * re-add changes Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * re-add changes Signed-off-by: craig rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED * Update config/install/README.md Co-authored-by: Rachel Lawton --------- 
Signed-off-by: David Martin Co-authored-by: Rachel Lawton Co-authored-by: David Martin --- .gitignore | 1 + config/install/README.md | 129 +++++++++++++ .../install/configure/aws/cluster-issuer.yaml | 19 ++ .../install/configure/aws/kustomization.yaml | 26 +++ .../configure/azure/cluster-issuer.yaml | 25 +++ .../configure/azure/kustomization.yaml | 27 +++ .../install/configure/gcp/cluster-issuer.yaml | 20 ++ .../install/configure/gcp/kustomization.yaml | 27 +++ .../configure/kitchen-sink/kustomization.yaml | 9 + .../observability/kustomization.yaml | 7 + .../redis-storage/kustomization.yaml | 17 ++ .../configure/redis-storage/limitador.yaml | 10 + .../install/configure/standard/kuadrant.yaml | 5 + .../configure/standard/kustomization.yaml | 5 + config/install/configure/standard/sail.yaml | 13 ++ .../tls-lets-encrypt/kustomization.yaml | 5 + config/install/standard/kustomization.yaml | 16 ++ config/install/standard/sail-operator.yaml | 26 +++ .../openshift/grafana/.gitignore | 2 + .../openshift/grafana/dashboards.yaml | 59 ++++++ .../openshift/grafana/datasource.yaml | 20 ++ .../openshift/grafana/grafana.yaml | 19 ++ .../openshift/grafana/kustomization.yaml | 38 ++++ .../openshift/grafana/subscription.yaml | 13 ++ .../openshift/kustomization.yaml | 7 + .../istio/service-monitor-istiod.yaml | 4 +- .../prometheus/monitors/istio/telemetry.yaml | 2 +- .../prometheus/monitors/kustomization.yaml | 7 + doc/install/install-openshift.md | 45 ++++- doc/user-guides/external-api.md | 176 ++++++++++++++++++ doc/user-guides/secure-protect-connect.md | 16 +- examples/dashboards/kustomization.yaml | 11 +- examples/external-api-istio.yaml | 94 ++++++++++ 33 files changed, 879 insertions(+), 21 deletions(-) create mode 100644 config/install/README.md create mode 100644 config/install/configure/aws/cluster-issuer.yaml create mode 100644 config/install/configure/aws/kustomization.yaml create mode 100644 config/install/configure/azure/cluster-issuer.yaml create mode 100644 
config/install/configure/azure/kustomization.yaml create mode 100644 config/install/configure/gcp/cluster-issuer.yaml create mode 100644 config/install/configure/gcp/kustomization.yaml create mode 100644 config/install/configure/kitchen-sink/kustomization.yaml create mode 100644 config/install/configure/observability/kustomization.yaml create mode 100644 config/install/configure/redis-storage/kustomization.yaml create mode 100644 config/install/configure/redis-storage/limitador.yaml create mode 100644 config/install/configure/standard/kuadrant.yaml create mode 100644 config/install/configure/standard/kustomization.yaml create mode 100644 config/install/configure/standard/sail.yaml create mode 100644 config/install/configure/tls-lets-encrypt/kustomization.yaml create mode 100644 config/install/standard/kustomization.yaml create mode 100644 config/install/standard/sail-operator.yaml create mode 100644 config/observability/openshift/grafana/.gitignore create mode 100644 config/observability/openshift/grafana/dashboards.yaml create mode 100644 config/observability/openshift/grafana/datasource.yaml create mode 100644 config/observability/openshift/grafana/grafana.yaml create mode 100644 config/observability/openshift/grafana/kustomization.yaml create mode 100644 config/observability/openshift/grafana/subscription.yaml create mode 100644 config/observability/openshift/kustomization.yaml create mode 100644 config/observability/prometheus/monitors/kustomization.yaml create mode 100644 doc/user-guides/external-api.md create mode 100644 examples/external-api-istio.yaml diff --git a/.gitignore b/.gitignore index 10897f3e1..a9e73b929 100644 --- a/.gitignore +++ b/.gitignore @@ -23,6 +23,7 @@ testbin/* .vscode *.swp *.swo +*.env *~ /kuadrant-operator tmp diff --git a/config/install/README.md b/config/install/README.md new file mode 100644 index 000000000..b63eb4270 --- /dev/null +++ b/config/install/README.md 
@@ -0,0 +1,129 @@ +# Install Kuadrant and Sail via OLM + +## Prerequisites +- Clone the[ Kuadrant-operator](https://github.com/Kuadrant/kuadrant-operator) repo +- OLM (operator lifecycle manager) +- cert-manager + - [cert-manager Operator for Red Hat OpenShift](https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-operator-install.html) + - [installing cert-manager via OperatorHub](https://cert-manager.io/docs/installation/operator-lifecycle-manager/) +- AWS, Azure or GCP with DNS capabilities. (Optional) +- Accessible Redis instance, for persistent storage for your rate limit counters. (Optional) + + +> Note: By default the following guide will install the "latest" or "main" version of Kuadrant. To pick a specific version, change the image in the `config/deploy/install/standard/kustomization.yaml`. All versions available can be found on the Kuadrant operator [release page](https://github.com/Kuadrant/kuadrant-operator/releases) + +> Note: for multiple clusters, it would make sense to do the installation via a tool like [argocd](https://argo-cd.readthedocs.io/en/stable/). For other methods of addressing multiple clusters take a look at the [kubectl docs](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) + +## Setup the environment + +``` +kubectl apply -k config/install/standard +``` + +Verify both Kuadrant and sail operators are installed. Note, that this can take a while. 
You can also take a look at the subscription and installplan resource to help with debugging but the end state should be as below: + +``` +kubectl get deployments -n kuadrant-system + + +# NAME READY UP-TO-DATE AVAILABLE AGE +# authorino-operator 1/1 1 1 83m +# dns-operator-controller-manager 1/1 1 1 83m +# kuadrant-console-plugin 1/1 1 1 83m +# kuadrant-operator-controller-manager 1/1 1 1 83m +# limitador-operator-controller-manager 1/1 1 1 83m +``` + + + +``` +kubectl get deployments -n gateway-system + + +# NAME READY UP-TO-DATE AVAILABLE AGE +# istiod 1/1 1 1 61s +# sail-operator 1/1 1 1 81m +``` + +## Configure the installation + +### TLS and DNS integration + + +Create the `$CLOUD_PROVIDER-credentials.env file` in the cloud provider directory `config/install/configure/$CLOUD_PROVIDER.` e.g. `aws-credentials.env` in the `config/install/configure/aws` directory. Apply the configuration for the desired cloud provider. Example AWS + +``` +kubectl apply -k config/install/configure/aws +``` + +This will configure Kuadrant and Sail to install their components, set the credentials needed to access DNS zones in the cloud provider, and create a Let's Encrypt cluster issuer configured to use DNS-based validation. + +### Validate + +Validate Kuadrant is ready via the kuadrant resource status condition + +``` +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +``` + +At this point Kuadrant is ready to use. Below are some additional configuration that can be applied. + +### External Redis + +create a `redis-credential.env` in the `config/install/configure/redis-storage` dir + +``` +kubectl apply -k config/install/configure/redis-storage +``` + +This will setup limitador to use provided redis connection URL as a backend store for ratelimit counters. Limitador will becomes temporarily unavailable as it restarts. 
+ +### Validate + +Validate Kuadrant is in a ready state as before: + +``` +kubectl get kuadrant kuadrant -n kuadrant-system -o=yaml +``` + +## Set up observability + +Verify that user workload monitoring is enabled in your Openshift cluster. +If it not enabled, check the [Openshift documentation](https://docs.openshift.com/container-platform/4.17/observability/monitoring/enabling-monitoring-for-user-defined-projects.html) for how to do this. + + +```bash +kubectl get configmap cluster-monitoring-config -n openshift-monitoring -o jsonpath='{.data.config\.yaml}'|grep enableUserWorkload +# (expected output) +# enableUserWorkload: true +``` + +Install the gateway & Kuadrant metrics components and configuration, including Grafana. + +```bash +kubectl apply -k config/install/configure/observability +``` + +Configure the Openshift thanos-query instance as a data source in Grafana. + +```bash +TOKEN="Bearer $(oc whoami -t)" +HOST="$(kubectl -n openshift-monitoring get route thanos-querier -o jsonpath='https://{.status.ingress[].host}')" +echo "TOKEN=$TOKEN" > config/observability/openshift/grafana/datasource.env +echo "HOST=$HOST" >> config/observability/openshift/grafana/datasource.env +kubectl apply -k config/observability/openshift/grafana +``` + +Create the example dashboards in Grafana + +```bash +kubectl apply -k examples/dashboards +``` + +Access the Grafana UI, using the default user/pass of root/secret. +You should see the example dashboards in the 'monitoring' folder. +For more information on the example dashboards, check out the [documentation](https://docs.kuadrant.io/latest/kuadrant-operator/doc/observability/examples/). + +```bash +kubectl -n monitoring get routes grafana-route -o jsonpath="https://{.status.ingress[].host}" +``` diff --git a/config/install/configure/aws/cluster-issuer.yaml b/config/install/configure/aws/cluster-issuer.yaml new file mode 100644 index 000000000..6075fb10a --- /dev/null +++ b/config/install/configure/aws/cluster-issuer.yaml 
@@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: lets-encrypt-aws +spec: + acme: + privateKeySecretRef: + name: le-secret + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - dns01: + route53: + accessKeyIDSecretRef: + key: AWS_ACCESS_KEY_ID + name: aws-credentials + region: us-east-1 #override if needed + secretAccessKeySecretRef: + key: AWS_SECRET_ACCESS_KEY + name: aws-credentials diff --git a/config/install/configure/aws/kustomization.yaml b/config/install/configure/aws/kustomization.yaml new file mode 100644 index 000000000..831238e72 --- /dev/null +++ b/config/install/configure/aws/kustomization.yaml @@ -0,0 +1,26 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first! + +resources: + - ../standard + - cluster-issuer.yaml + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: aws-provider-credentials + namespace: cert-manager + envs: + - aws-credentials.env + type: 'kuadrant.io/aws' + - name: aws-provider-credentials + namespace: gateway-system + envs: + - aws-credentials.env + type: 'kuadrant.io/aws' diff --git a/config/install/configure/azure/cluster-issuer.yaml b/config/install/configure/azure/cluster-issuer.yaml new file mode 100644 index 000000000..0d552e2b3 --- /dev/null +++ b/config/install/configure/azure/cluster-issuer.yaml 
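Review bot: The ClusterIssuer's `accessKeyIDSecretRef` and `secretAccessKeySecretRef` both point at a Secret named `aws-credentials`, but the secretGenerator in the same directory emits `aws-provider-credentials` into the `cert-manager` namespace, so the route53 DNS-01 solver cannot find its credentials as committed; change both refs to `name: aws-provider-credentials`. The header comment `## NOTE YOU NEED TO CREATE A aws-provider-credentials.env file first!` names the wrong file, since the generator reads `aws-credentials.env`, which is also what the README instructs. The generator also copies the same long-lived key pair into two namespaces (`cert-manager` and `gateway-system`), so Secret read access in either one yields the DNS-zone credentials; a comment such as `# this key is replicated into cert-manager and gateway-system; scope its IAM policy to the hosted zone(s) only` would make that trade-off visible to whoever provisions the key. `region: us-east-1 #override if needed` should have two spaces before `#` and one after it per yamllint.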
@@ -0,0 +1,25 @@ +## TODO +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-azure +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + # email: $EMAIL_ADDRESS + privateKeySecretRef: + name: letsencrypt + solvers: + - dns01: + azureDNS: + clientID: AZURE_CERT_MANAGER_SP_APP_ID + clientSecretSecretRef: + # The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS. + name: azuredns-config + key: client-secret + subscriptionID: AZURE_SUBSCRIPTION_ID + tenantID: AZURE_TENANT_ID + resourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUP + hostedZoneName: AZURE_DNS_ZONE + # Azure Cloud Environment, default to AzurePublicCloud + environment: AzurePublicCloud diff --git a/config/install/configure/azure/kustomization.yaml b/config/install/configure/azure/kustomization.yaml new file mode 100644 index 000000000..0f7c0f03f --- /dev/null +++ b/config/install/configure/azure/kustomization.yaml @@ -0,0 +1,27 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +## NOTE YOU NEED TO CREATE A azure-provider-credentials.env file first! + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: azure-provider-credentials + namespace: kuadrant-system + envs: + - azure-credentials.env + type: 'kuadrant.io/azure' + - name: azure-provider-credentials + namespace: cert-manager + envs: + - azure-credentials.env + type: 'kuadrant.io/azure' + - name: azure-provider-credentials + namespace: gateway-system + envs: + - azure-credentials.env + type: 'kuadrant.io/azure' diff --git a/config/install/configure/gcp/cluster-issuer.yaml b/config/install/configure/gcp/cluster-issuer.yaml new file mode 100644 index 000000000..755f6b963 --- /dev/null +++ b/config/install/configure/gcp/cluster-issuer.yaml 
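Review bot: The Azure kustomization has no `resources:` stanza, so `kubectl apply -k config/install/configure/azure` generates only the Secrets and never applies `cluster-issuer.yaml` or `../standard`, unlike the AWS directory which lists both; add `resources:` with `- ../standard` and `- cluster-issuer.yaml`, and the same is missing from `config/install/configure/gcp/kustomization.yaml`. The ClusterIssuer itself still carries the `## TODO` marker with unrendered placeholders (`AZURE_CERT_MANAGER_SP_APP_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_DNS_ZONE_RESOURCE_GROUP`, `AZURE_DNS_ZONE`) as literal values, and its `clientSecretSecretRef.name: azuredns-config` does not match the generated `azure-provider-credentials` Secret, so as written it cannot issue. If it is meant to ship unfinished, state that in a comment at the top (`# incomplete: placeholders must be replaced and the secret ref aligned with kustomization.yaml`) rather than a bare `## TODO`, because the README in this commit already points users at this directory.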
@@ -0,0 +1,20 @@ +## TODO +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-gcp +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + # email: $EMAIL_ADDRESS + privateKeySecretRef: + name: letsencrypt + solvers: + - dns01: + cloudDNS: + # The ID of the GCP project + project: $PROJECT_ID + # This is the secret used to access the service account + serviceAccountSecretRef: + name: gcp-provider-credentials + key: key.json diff --git a/config/install/configure/gcp/kustomization.yaml b/config/install/configure/gcp/kustomization.yaml new file mode 100644 index 000000000..54071c718 --- /dev/null +++ b/config/install/configure/gcp/kustomization.yaml @@ -0,0 +1,27 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +## NOTE YOU NEED TO CREATE A gcp-provider-credentials.env file first! + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: gcp-provider-credentials + namespace: kuadrant-system + envs: + - gcp-credentials.env + type: 'kuadrant.io/gcp' + - name: gcp-provider-credentials + namespace: cert-manager + envs: + - gcp-credentials.env + type: 'kuadrant.io/gcp' + - name: gcp-provider-credentials + namespace: gateway-system + envs: + - gcp-credentials.env + type: 'kuadrant.io/gcp' diff --git a/config/install/configure/kitchen-sink/kustomization.yaml b/config/install/configure/kitchen-sink/kustomization.yaml new file mode 100644 index 000000000..74bde7691 --- /dev/null +++ b/config/install/configure/kitchen-sink/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - ../dns-aws + - ../dns-azure + - ../dns-gcp + - ../redis-storage + - ../tls-lets-encrypt 
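Review bot: `kitchen-sink/kustomization.yaml` references `../dns-aws`, `../dns-azure` and `../dns-gcp`, but the directories this commit creates are `configure/aws`, `configure/azure` and `configure/gcp`, so a build of kitchen-sink fails on the first missing path; change them to `- ../aws`, `- ../azure`, `- ../gcp`, or state in a comment that the overlay is not yet wired up. The GCP ClusterIssuer is likewise still `## TODO`: `project: $PROJECT_ID` is a literal string (nothing on this page expands it), and `serviceAccountSecretRef.key: key.json` presumably requires `gcp-credentials.env` to define a `key.json` entry, which neither the kustomization comment nor the README says; a comment like `# gcp-credentials.env must define key.json=<service account JSON>` (confirm the expected key) would close that gap. Note also that kitchen-sink applies `../redis-storage` and `../tls-lets-encrypt` together with all three cloud providers at once, which does not look like an intended deployment shape and deserves a one-line comment on what it is for.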
diff --git a/config/install/configure/observability/kustomization.yaml b/config/install/configure/observability/kustomization.yaml new file mode 100644 index 000000000..f6c19b492 --- /dev/null +++ b/config/install/configure/observability/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0 + - ../../../observability/openshift/ + - ../../../observability/prometheus/monitors/ diff --git a/config/install/configure/redis-storage/kustomization.yaml b/config/install/configure/redis-storage/kustomization.yaml new file mode 100644 index 000000000..862321f8f --- /dev/null +++ b/config/install/configure/redis-storage/kustomization.yaml @@ -0,0 +1,17 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - limitador.yaml + +generatorOptions: + disableNameSuffixHash: true + labels: + app.kubernetes.io/part-of: kuadrant + app.kubernetes.io/managed-by: kustomize + +secretGenerator: + - name: redis-credentials + namespace: kuadrant-system + envs: + - redis-credentials.env + type: 'kuadrant.io/aws' diff --git a/config/install/configure/redis-storage/limitador.yaml b/config/install/configure/redis-storage/limitador.yaml new file mode 100644 index 000000000..cc06dbb50 --- /dev/null +++ b/config/install/configure/redis-storage/limitador.yaml @@ -0,0 +1,10 @@ +apiVersion: limitador.kuadrant.io/v1alpha1 +kind: Limitador +metadata: + name: limitador + namespace: kuadrant-system +spec: + storage: + redis: + configSecretRef: + name: redis-credentials diff --git a/config/install/configure/standard/kuadrant.yaml b/config/install/configure/standard/kuadrant.yaml new file mode 100644 index 000000000..4f7ebab0e --- /dev/null +++ b/config/install/configure/standard/kuadrant.yaml @@ -0,0 +1,5 @@ +apiVersion: kuadrant.io/v1beta1 +kind: Kuadrant +metadata: + name: kuadrant + namespace: kuadrant-system 
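Review bot: The redis-storage secretGenerator sets `type: 'kuadrant.io/aws'` on a Secret holding a Redis connection URL, which looks copied from the AWS directory and misleads anyone auditing Secrets by type; use `type: Opaque` unless Limitador requires a specific type (not shown on this page). The generator reads `redis-credentials.env`, while the README in this same commit tells users to create `redis-credential.env` (singular), so following the doc fails the build; align the two. Separately, `observability/kustomization.yaml` pulls `github.com/Kuadrant/gateway-api-state-metrics/config/kuadrant?ref=0.6.0` by a movable tag; pinning `ref=` to a commit SHA would make what reaches the cluster reproducible and tamper-evident.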
diff --git a/config/install/configure/standard/kustomization.yaml b/config/install/configure/standard/kustomization.yaml new file mode 100644 index 000000000..a09fcd6e0 --- /dev/null +++ b/config/install/configure/standard/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - sail.yaml + - kuadrant.yaml diff --git a/config/install/configure/standard/sail.yaml b/config/install/configure/standard/sail.yaml new file mode 100644 index 000000000..0db1b73e1 --- /dev/null +++ b/config/install/configure/standard/sail.yaml @@ -0,0 +1,13 @@ +apiVersion: sailoperator.io/v1alpha1 +kind: Istio +metadata: + name: default +spec: + namespace: gateway-system + updateStrategy: + type: InPlace + inactiveRevisionDeletionGracePeriodSeconds: 30 + version: v1.23.0 + values: + pilot: + autoscaleEnabled: false diff --git a/config/install/configure/tls-lets-encrypt/kustomization.yaml b/config/install/configure/tls-lets-encrypt/kustomization.yaml new file mode 100644 index 000000000..c28642a40 --- /dev/null +++ b/config/install/configure/tls-lets-encrypt/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - cluster-issuer.yaml diff --git a/config/install/standard/kustomization.yaml b/config/install/standard/kustomization.yaml new file mode 100644 index 000000000..bc2d521e8 --- /dev/null +++ b/config/install/standard/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml + - sail-operator.yaml + - ../../deploy/olm + +patches: + - patch: |- + apiVersion: operators.coreos.com/v1alpha1 + kind: CatalogSource + metadata: + name: kuadrant-operator-catalog + spec: + image: quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4 #change this to the version you want to install 
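Review bot: `tls-lets-encrypt/kustomization.yaml` lists `cluster-issuer.yaml` as its only resource, but the diffstat adds no such file under `config/install/configure/tls-lets-encrypt/`, so building that directory (and kitchen-sink, which includes it) fails unless the file already exists outside this commit; either add the issuer there or drop the directory. In `config/install/standard/kustomization.yaml` the inline CatalogSource patch pins `quay.io/kuadrant/kuadrant-operator-catalog:v1.0.0-rc4` by tag with a trailing `#change this to the version you want to install`; since this is the image OLM installs the operator from, a digest (`@sha256:<digest>`) or at least a comment above the patch naming where the release tags are listed would be more robust than a mutable tag. The `patch: |-` block relies on kustomize inferring the target from the patch's own `kind`/`name`; a `target:` stanza would make that explicit.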
diff --git a/config/install/standard/sail-operator.yaml b/config/install/standard/sail-operator.yaml new file mode 100644 index 000000000..56edd1251 --- /dev/null +++ b/config/install/standard/sail-operator.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + control-plane: sail + name: gateway-system +--- +kind: OperatorGroup +apiVersion: operators.coreos.com/v1 +metadata: + name: sail + namespace: gateway-system +spec: + upgradeStrategy: Default +--- +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: sailoperator + namespace: gateway-system +spec: + channel: candidates + installPlanApproval: Automatic + name: sailoperator + source: community-operators + sourceNamespace: openshift-marketplace diff --git a/config/observability/openshift/grafana/.gitignore b/config/observability/openshift/grafana/.gitignore new file mode 100644 index 000000000..04f47aaef --- /dev/null +++ b/config/observability/openshift/grafana/.gitignore @@ -0,0 +1,2 @@ +datasource.env + diff --git a/config/observability/openshift/grafana/dashboards.yaml b/config/observability/openshift/grafana/dashboards.yaml new file mode 100644 index 000000000..10601e383 --- /dev/null +++ b/config/observability/openshift/grafana/dashboards.yaml 
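Review bot: The Sail operator Subscription combines `channel: candidates` with `installPlanApproval: Automatic` from `community-operators`, so whatever pre-release build lands in that channel is installed into `gateway-system` without anyone reviewing it; for a documented install path consider `installPlanApproval: Manual` or a `startingCSV` pinned to the tested release, and record the tested version in a comment. The Grafana Subscription in `config/observability/openshift/grafana/subscription.yaml` has the same Automatic approval from `community-operators`. As a style point, the OperatorGroup document puts `kind` before `apiVersion` while the other two documents do the reverse; keep `apiVersion` first consistently.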
@@ -0,0 +1,59 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-platform-engineer +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-platform-engineer + key: platform_engineer.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-business-user +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-business-user + key: business_user.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-controller-resources-metrics +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-controller-resources-metrics + key: controller-resources-metrics.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-controller-runtime-metrics +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-controller-runtime-metrics + key: controller-runtime-metrics.json +--- +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDashboard +metadata: + name: grafana-app-developer +spec: + instanceSelector: + matchLabels: + dashboards: "grafana" + configMapRef: + name: grafana-app-developer + key: app_developer.json diff --git a/config/observability/openshift/grafana/datasource.yaml b/config/observability/openshift/grafana/datasource.yaml new file mode 100644 index 000000000..aeeb84af2 --- /dev/null +++ b/config/observability/openshift/grafana/datasource.yaml 
@@ -0,0 +1,20 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: GrafanaDatasource +metadata: + name: thanos-query-ds +spec: + datasource: + access: proxy + isDefault: true + jsonData: + httpHeaderName1: 'Authorization' + timeInterval: 5s + tlsSkipVerify: true + secureJsonData: + httpHeaderValue1: 'REPLACED_BY_ENV' + name: thanos-query-ds + type: prometheus + url: 'REPLACED_BY_ENV' + instanceSelector: + matchLabels: + dashboards: grafana diff --git a/config/observability/openshift/grafana/grafana.yaml b/config/observability/openshift/grafana/grafana.yaml new file mode 100644 index 000000000..ae70ab874 --- /dev/null +++ b/config/observability/openshift/grafana/grafana.yaml @@ -0,0 +1,19 @@ +apiVersion: grafana.integreatly.org/v1beta1 +kind: Grafana +metadata: + labels: + dashboards: grafana + name: grafana +spec: + config: + auth: + disable_login_form: 'false' + log: + mode: console + security: + admin_password: secret + admin_user: root + route: + metadata: {} + spec: {} + version: 10.4.3 diff --git a/config/observability/openshift/grafana/kustomization.yaml b/config/observability/openshift/grafana/kustomization.yaml new file mode 100644 index 000000000..bda5b736b --- /dev/null +++ b/config/observability/openshift/grafana/kustomization.yaml 
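Review bot: `grafana.yaml` commits a fixed admin login (`admin_user: root`, `admin_password: secret`) into the Grafana config, and the README in this commit tells users to sign in with it, so every install reachable through the created Route shares a known password. Source the password from a generated Secret instead (a `secretGenerator` entry and whatever Secret reference the installed Grafana operator version supports for `security.admin_password`, which this page does not show) or at minimum add `# CHANGE ME before exposing the route` above `security:`. In `datasource.yaml`, `tlsSkipVerify: true` disables certificate checking on the connection that carries the bearer token to thanos-querier; on OpenShift the router presents a cluster-signed certificate, so a comment explaining why verification is off, or trusting that CA instead, would be preferable. `dashboards: grafana` is unquoted here and `"grafana"` is quoted in `dashboards.yaml`; pick one form.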
@@ -0,0 +1,38 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: monitoring + +resources: + - grafana.yaml + - datasource.yaml + - dashboards.yaml + +# Generate a ConfigMap from the .env file +configMapGenerator: + - name: datasource-env-config + envs: + - datasource.env + +replacements: + - source: + kind: ConfigMap + name: datasource-env-config + fieldPath: data.TOKEN + targets: + - select: + kind: GrafanaDatasource + name: thanos-query-ds + fieldPaths: + - spec.datasource.secureJsonData.httpHeaderValue1 + - source: + kind: ConfigMap + name: datasource-env-config + fieldPath: data.HOST + targets: + - select: + kind: GrafanaDatasource + name: thanos-query-ds + fieldPaths: + - spec.datasource.url + diff --git a/config/observability/openshift/grafana/subscription.yaml b/config/observability/openshift/grafana/subscription.yaml new file mode 100644 index 000000000..2bd9fc89d --- /dev/null +++ b/config/observability/openshift/grafana/subscription.yaml @@ -0,0 +1,13 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + labels: + operators.coreos.com/grafana-operator.openshift-operators: "" + name: grafana-operator + namespace: openshift-operators +spec: + channel: v5 + installPlanApproval: Automatic + name: grafana-operator + source: community-operators + sourceNamespace: openshift-marketplace diff --git a/config/observability/openshift/kustomization.yaml b/config/observability/openshift/kustomization.yaml new file mode 100644 index 000000000..e03c5942b --- /dev/null +++ b/config/observability/openshift/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - telemetry.yaml + - kube-state-metrics.yaml + - grafana/subscription.yaml diff --git a/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml b/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml index e2af452b7..c4215fc39 100644 
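Review bot: The bearer token written to `datasource.env` is loaded through `configMapGenerator` into ConfigMap `datasource-env-config`, so the OAuth token of whoever ran `oc whoami -t` sits in plaintext in a ConfigMap in `monitoring`, readable by anyone with `get configmaps` there, even though the replacement then copies it into `secureJsonData`. The smallest change is `secretGenerator:` in place of `configMapGenerator:` and `kind: Secret` in both `replacements` sources, but kustomize writes generated Secret values base64-encoded under `data`, so verify the rendered datasource before relying on that, or look at whether the installed Grafana operator can read the header value from a Secret directly. A token from `oc whoami -t` is also a user session token that expires, so the datasource will presumably stop working once it does; a ServiceAccount token limited to querying Thanos is the usual answer, but that is outside what this page shows. The file also ends with a trailing blank `+` line that yamllint will flag.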
--- a/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml +++ b/config/observability/prometheus/monitors/istio/service-monitor-istiod.yaml @@ -2,11 +2,11 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: istiod - namespace: istio-system + namespace: gateway-system spec: namespaceSelector: matchNames: - - istio-system + - gateway-system selector: matchLabels: app: istiod diff --git a/config/observability/prometheus/monitors/istio/telemetry.yaml b/config/observability/prometheus/monitors/istio/telemetry.yaml index d39050a9a..c966e230d 100644 --- a/config/observability/prometheus/monitors/istio/telemetry.yaml +++ b/config/observability/prometheus/monitors/istio/telemetry.yaml @@ -2,7 +2,7 @@ apiVersion: telemetry.istio.io/v1alpha1 kind: Telemetry metadata: name: namespace-metrics - namespace: istio-system + namespace: gateway-system spec: metrics: - providers: diff --git a/config/observability/prometheus/monitors/kustomization.yaml b/config/observability/prometheus/monitors/kustomization.yaml new file mode 100644 index 000000000..889caa892 --- /dev/null +++ b/config/observability/prometheus/monitors/kustomization.yaml @@ -0,0 +1,7 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - istio/service-monitor-istiod.yaml + - operators.yaml + diff --git a/doc/install/install-openshift.md b/doc/install/install-openshift.md index e53bb3de6..c22184796 100644 --- a/doc/install/install-openshift.md +++ b/doc/install/install-openshift.md @@ -42,7 +42,7 @@ export KUADRANT_VERSION='vX.Y.Z' Before you can use Kuadrant, you must install Gateway API v1 as follows: ```bash -kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml +kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml ``` ### Step 3 - Install cert-manager 
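Review bot: `config/observability/prometheus/monitors/kustomization.yaml` lists `istio/service-monitor-istiod.yaml` and `operators.yaml` but not `istio/telemetry.yaml`, even though this same commit re-namespaces that Telemetry resource to `gateway-system`; if it is intentionally applied from elsewhere (`config/observability/openshift/kustomization.yaml` lists a `telemetry.yaml` at its own level, which may or may not be the same resource), a comment such as `# istio/telemetry.yaml is applied by config/observability/openshift` would stop someone applying it twice. `operators.yaml` is not on this page, so I cannot confirm it exists at that path. The new file also ends with a trailing blank line.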
@@ -100,7 +100,7 @@ metadata: name: sailoperator namespace: gateway-system spec: - channel: 3.0-dp1 + channel: candidates installPlanApproval: Automatic name: sailoperator source: community-operators @@ -122,24 +122,34 @@ To configure the Istio Gateway API provider, run the following command: ```bash kubectl apply -f - <| | |<--| | | | | HTTP (my.api.local) Backend | | + | | | | | | ----- | | | ----- ----- | | + | | | | ----- -----------proxy---(my.api.local)-->| | ----------> | | | | + | | | | | | | ----- ----- | | + | - | | |--------------------------------| | |----------------------------------| | + | | | + |-----------------------------------------|--------------------------------------------| + | + ------------------- DMZ -----------------| +``` + + +Note for all of the resources defined here there is a copy of them under the [examples folder](https://github.com/Kuadrant/kuadrant-operator/examples/external-api-istio.yaml) + +1) Deploy a Gateway into the K8s cluster that will act as the main Ingress Gateway + +Define your external API hostname and Internal API hostname + +``` +export EXTERNAL_HOST=my.api.com +export INTERNAL_HOST=my.api.local + +``` + +```bash +kubectl apply -n gateway-system -f - < **Note:** It may take a couple of minutes for the RateLimitPolicy to be applied depending on your cluster. 
@@ -343,9 +348,10 @@ The loadbalancing section here has the following attributes: - **geo:** This will be the geo used to decide whether to return records defined for this gateway based on the requesting client's location. This should be set even if you have one gateway in a single geo. - **defaultGeo:** For Azure and AWS, this will decide, if there should be a default geo. A default geo acts as a "catch-all" (GCP always sets a catch-all) for clients outside of the defined geo locations. There can only be one default value and so it is important you set `defaultGeo` as true for **one** and **only one** geo code for each of the gateways in that geo. -Wait for the DNSPolicy to marked as enforced: +Wait for the DNSPolicy to marked as accepted and enforced: ``` +kubectl --context $KUBECTL_CONTEXT wait dnspolicy simple-dnspolicy -n kuadrant-system --for=condition=accepted kubectl --context $KUBECTL_CONTEXT wait dnspolicy simple-dnspolicy -n kuadrant-system --for=condition=enforced ``` @@ -436,6 +442,12 @@ spec: EOF ``` +Ensure the new policy is enforced: + +``` +kubectl --context $KUBECTL_CONTEXT wait authpolicy toystore --for=condition=enforced +``` + ### ❽ Override the Gateway's RateLimitPolicy The gateway limits are a good set of limits for the general case, but as the developers of this API we know that we only want to allow a certain number of requests to specific users, and a general limit for all other users. diff --git a/examples/dashboards/kustomization.yaml b/examples/dashboards/kustomization.yaml index 96a64d330..cd26abf16 100644 --- a/examples/dashboards/kustomization.yaml +++ b/examples/dashboards/kustomization.yaml 
@@ -1,26 +1,23 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: monitoring + # grafana-dashboard dashboards as configmaps configMapGenerator: - name: grafana-app-developer - namespace: monitoring files: - ./app_developer.json - name: grafana-business-user - namespace: monitoring files: - ./business_user.json - name: grafana-platform-engineer - namespace: monitoring files: - ./platform_engineer.json -- name: grafana-controller-runtime - namespace: monitoring +- name: grafana-controller-runtime-metrics files: - ./controller-runtime-metrics.json -- name: grafana-controller-resources - namespace: monitoring +- name: grafana-controller-resources-metrics files: - ./controller-resources-metrics.json diff --git a/examples/external-api-istio.yaml b/examples/external-api-istio.yaml new file mode 100644 index 000000000..1855043c0 --- /dev/null +++ b/examples/external-api-istio.yaml 
@@ -0,0 +1,94 @@ +## Note before using this example you will need cert-manager and a clusterissuer setup +apiVersion: networking.istio.io/v1beta1 +kind: ServiceEntry +metadata: + name: external-api +spec: + hosts: + - kuadrant.io + location: MESH_EXTERNAL + resolution: DNS + ports: + - number: 80 + name: http + protocol: HTTP + - number: 443 + name: https + protocol: TLS +--- +apiVersion: networking.istio.io/v1 +kind: DestinationRule +metadata: + name: external-api +spec: + host: 'kuadrant.io' + trafficPolicy: + tls: + mode: SIMPLE + sni: kuadrant.io +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: public-api +spec: + gatewayClassName: istio + listeners: + - name: public-tls + port: 443 + hostname: 'public.cb.hcpapps.net' + protocol: HTTPS + allowedRoutes: + namespaces: + from: All + tls: + mode: Terminate + certificateRefs: + - name: public + kind: Secret +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: public-api +spec: + parentRefs: + - name: public-api + hostnames: + - 'public.cb.hcpapps.net' + rules: + - backendRefs: + - name: kuadrant.io + kind: Hostname + group: networking.istio.io + port: 443 + filters: + - type: URLRewrite + urlRewrite: + hostname: kuadrant.io +--- +apiVersion: kuadrant.io/v1 +kind: TLSPolicy +metadata: + name: tls +spec: + targetRef: + name: public-api + group: gateway.networking.k8s.io + kind: Gateway + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: lets-encrypt-aws +--- +apiVersion: kuadrant.io/v1 +kind: DNSPolicy +metadata: + name: dns +spec: + targetRef: + group: gateway.networking.k8s.io + kind: Gateway + name: public-api + providerRefs: + - name: aws-provider-credentials
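Review bot: The example hardcodes `public.cb.hcpapps.net` as both the Gateway listener `hostname` and the HTTPRoute hostname, which reads as a developer's personal domain rather than a placeholder, while the guide it accompanies defines `EXTERNAL_HOST` and `INTERNAL_HOST`; replace both with an obvious placeholder such as `'<EXTERNAL_HOST>'` and add `# replace with your public hostname` above the listener. The two Istio resources use different API versions (`networking.istio.io/v1beta1` for the ServiceEntry, `networking.istio.io/v1` for the DestinationRule); pick one. The DestinationRule's `tls.mode: SIMPLE` with `sni: kuadrant.io` but no `caCertificates` leaves it to the mesh defaults whether the upstream certificate is verified, so a comment stating that upstream verification relies on Istio's default trust settings, or an explicit `caCertificates`, would make that trust decision visible. The Gateway's `allowedRoutes.namespaces.from: All` is fine for an example but worth a comment, since it lets any namespace attach routes to the public listener.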