Merge pull request #110719 from openshift-cherrypick-robot/cherry-pick-108507-to-enterprise-4.22

[enterprise-4.22] OSDOCS-18134: JTBD Docs Enhancement Gateway API Statuses

Author: bscott-rh

_topic_maps/_topic_map.yml

@@ -1793,6 +1793,10 @@ Topics:
       File: ingress-controller-dnsmgt
     - Name: Gateway API with OpenShift Container Platform networking
       File: ingress-gateway-api
+  - Name: Configuring Gateway API
+    Dir: configuring_gateway_api
+    Distros: openshift-enterprise,openshift-origin
+    Topics:
     - Name: Controlling incoming traffic with Gateway listeners
       File: controlling-incoming-traffic-gateway-listeners
     - Name: Assigning network addresses to gateways
@@ -1801,6 +1805,8 @@ Topics:
       File: routing-http-requests-to-services
     - Name: Routing gRPC requests to services
       File: routing-grpc-requests-to-services
+    - Name: Verifying Gateway infrastructure status
+      File: verifying-gateway-infrastructure-status
   - Name: Load balancing on OpenStack
     File: load-balancing-openstack
   - Name: Load balancing with MetalLB

modules/gateway-listener-status-conditions.adoc

@@ -0,0 +1,156 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress_load_balancing/configuring_ingress_cluster_traffic/verifying-gateway-infrastructure-status.adoc
+//
+:_mod-docs-content-type: REFERENCE
+[id="gateway-listener-status-conditions_{context}"]
+= Gateway and listener status conditions reference
+
+[role="_abstract"]
+To verify that your gateway is configured in the data plane and ready to route traffic, review its gateway-level and listener-level `status` conditions. A healthy `Gateway` custom resource (CR) reports a status of `True` for its `Accepted` and `Programmed` conditions.
+
+[IMPORTANT]
+====
+The `Conflicted` listener condition uses negative polarity. This means that a status of `False` indicates a healthy state, while a status of `True` indicates an error.
+====
+
+.Gateway-level status conditions
+[cols="1,1,3",options="header"]
+|===
+|Condition |Status |Description and common reasons
+
+|`Accepted`
+|`True`
+|The gateway configuration is valid and working properly.
+
+|`Accepted`
+|`False`
+|The configuration has errors. Common reasons include `ListenersNotValid` (one or more listeners have issues) or `InvalidParameters` (the configuration is invalid).
+
+|`Accepted`
+|`Unknown`
+|The controller has not evaluated the gateway yet.
+
+|`Programmed`
+|`True`
+|The infrastructure is provisioned and the gateway is configured in the data plane, such as a load balancer or proxy.
+
+|`Programmed`
+|`False`
+|Programming failed or the data plane is not ready. Common reasons include `NoResources` (insufficient resources or pods unavailable), `Invalid` (cannot apply to the data plane), or `Pending`.
+
+|`Programmed`
+|`Unknown`
+|Programming is currently in progress.
+
+|`LoadBalancerReady`
+|`True`
+|The cloud load balancer service for the gateway is successfully provisioned.
+
+|`LoadBalancerReady`
+|`False`
+|The load balancer service failed to provision or is pending. Common reasons include `ServiceNotFound`, `LoadBalancerPending`, or `SyncLoadBalancerFailed`.
+
+|`DNSReady`
+|`True`
+|DNS records for all listeners are functioning correctly.
+
+|`DNSReady`
+|`False`
+|One or more listeners have DNS provisioning issues.
+|===
+
+.Listener-level status conditions
+[cols="1,1,3",options="header"]
+|===
+|Condition |Status |Description and common reasons
+
+|`Accepted`
+|`True`
+|The listener configuration is valid and working properly.
+
+|`Accepted`
+|`False`
+|The listener configuration has errors.
+
+|`Programmed`
+|`True`
+|The listener is successfully configured in the data plane.
+
+|`Programmed`
+|`False`
+|The listener configuration failed in the data plane.
+
+|`ResolvedRefs`
+|`True`
+|All references, such as TLS certificates, are found and valid.
+
+|`ResolvedRefs`
+|`False`
+|At least one reference is invalid. Common reasons include `InvalidCertificateRef` (a TLS certificate was not found or is invalid) or `RefNotPermitted` (a cross-namespace reference is not allowed).
+
+|`Conflicted` (Negative polarity)
+|`False`
+|Healthy state. There are no conflicts.
+
+|`Conflicted` (Negative polarity)
+|`True`
+|The listener conflicts with another listener. Common reasons include `ProtocolConflict` (multiple listeners on the same port with incompatible protocols) or `HostnameConflict` (overlapping hostnames).
+
+|`DNSReady`
+|`True`
+|The DNS record for this listener's hostname is successfully provisioned in all reported zones.
+
+|`DNSReady`
+|`False`
+|The DNS record failed to provision. Common reasons include `FailedZones`, `NoDNSZones`, or `RecordNotFound`.
+
+|`DNSReady`
+|`Unknown`
+a|The DNS status cannot be determined or is unmanaged.
+
+[NOTE]
+====
+Listeners without a configured hostname will not have DNS conditions added to their `status`.
+====
+|===
+
+.Example `Gateway` CR status output showing a DNS failure on one listener
+[source,yaml]
+----
+# ...
+status:
+  # Gateway-level conditions (LoadBalancer and aggregate DNS status)
+  conditions:
+  - type: LoadBalancerReady
+    status: "True"
+    reason: LoadBalancerProvisioned
+    message: "The LoadBalancer service is provisioned"
+    observedGeneration: 1
+    lastTransitionTime: "2025-01-12T10:00:00Z"
+  - type: DNSReady
+    status: "False"
+    reason: SomeListenersNotReady
+    message: "One or more listeners have DNS provisioning issues"
+    observedGeneration: 1
+    lastTransitionTime: "2025-01-12T10:00:00Z"
+
+  # Listener-level conditions (DNS status per listener)
+  listeners:
+  - name: <stage_http>
+    conditions:
+    - type: DNSReady
+      status: "True"
+      reason: NoFailedZones
+      message: "The record is provisioned in all reported zones."
+      observedGeneration: 1
+      lastTransitionTime: "2025-01-12T10:00:00Z"
+  - name: <prod_https>
+    conditions:
+    - type: DNSReady
+      status: "False"
+      reason: FailedZones
+      message: "The record failed to provision in some zones: [<prod.example.com>]"
+      observedGeneration: 1
+      lastTransitionTime: "2025-01-12T10:00:00Z"
+----

modules/gatewayclass-status-conditions.adoc

@@ -0,0 +1,60 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress_load_balancing/configuring_ingress_cluster_traffic/verifying-gateway-infrastructure-status.adoc
+//
+:_mod-docs-content-type: REFERENCE
+[id="gatewayclass-status-conditions_{context}"]
+= GatewayClass status conditions reference
+
+[role="_abstract"]
+To verify that your `GatewayClass` custom resource (CR) is valid and ready to provision gateways, review its `status` conditions. A healthy `GatewayClass` CR reports a status of `True` for core conditions like `Accepted` and `SupportedVersion`.
+
+.`GatewayClass` CR status conditions
+[cols="1,1,3",options="header"]
+|===
+|Condition |Status |Description and common reasons
+
+|`Accepted`
+|`True`
+|The `GatewayClass` CR is valid and the controller has claimed it.
+
+|`Accepted`
+|`False`
+|The configuration has errors or was rejected. Common reasons include `InvalidParameters` (referenced parameters are invalid or not found), `Pending` (the controller has not processed the resource yet), or `Unknown` (an unsupported `controllerName` was provided).
+
+|`Accepted`
+|`Unknown`
+|The `GatewayClass` CR is waiting for the controller to process it.
+
+|`SupportedVersion`
+|`True`
+|The installed Gateway API version is compatible with the controller.
+
+|`SupportedVersion`
+|`False`
+|There is a version mismatch. A common reason is `UnsupportedVersion`, which indicates that the custom resource definition (CRD) version does not match the controller requirements.
+
+|`ControllerInstalled`
+|`True`
+|The Cluster Ingress Operator successfully installed the Gateway API controller.
+
+|`ControllerInstalled`
+|`False`
+|The installation failed.
+
+|`ControllerInstalled`
+|`Unknown`
+|The controller has not started the installation yet.
+
+|`CRDsReady`
+|`True`
+|The Istio CRDs are installed and actively managed by either the Cluster Ingress Operator or OLM.
+
+|`CRDsReady`
+|`False`
+|The CRDs were installed by a third party or have mixed ownership, preventing the controller from managing them.
+
+|`CRDsReady`
+|`Unknown`
+|The CRDs are not installed yet.
+|===

modules/querying-gateway-status-cli.adoc

@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * networking/ingress_load_balancing/configuring_ingress_cluster_traffic/verifying-gateway-infrastructure-status.adoc
+//
+:_mod-docs-content-type: PROCEDURE
+[id="querying-gateway-status-cli_{context}"]
+= Query Gateway infrastructure status using the CLI
+
+[role="_abstract"]
+To quickly check the health of your gateway infrastructure, query specific `status` fields using the {product-title} CLI. You can validate your deployment, check route attachments, and retrieve IP addresses without parsing lengthy YAML manifests.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have installed the {oc-first}.
+* Your gateway is deployed in the `openshift-ingress` namespace.
+* Your gateway is managed by the gateway controller (`openshift.io/gateway-controller/v1`).
+
+.Procedure
+
+* Run the relevant command for the status information you need to retrieve:
++
+--
+** To list all `GatewayClass` custom resources (CRs) in your cluster, run the following command:
++
+[source,terminal]
+----
+$ oc get gatewayclass
+----
+
+** To check if a specific `GatewayClass` CR has been accepted by the controller, run the following command:
++
+[source,terminal]
+----
+$ oc get gatewayclass <gatewayclass_name> -o jsonpath='{.status.conditions[?(@.type=="Accepted")].status}'
+----
+*** `<gatewayclass_name>`: Specify the name of your gateway class.
+
+** To list all `Gateway` custom resources (CRs) across all namespaces, run the following command:
++
+[source,terminal]
+----
+$ oc get gateway -A
+----
+
+** To check if a specific `Gateway` CR is successfully programmed in the data plane, run the following command:
++
+[source,terminal]
+----
+$ oc get gateway <gateway_name> -n openshift-ingress -o jsonpath='{.status.conditions[?(@.type=="Programmed")].status}'
+----
+*** `<gateway_name>`: Specify the name of your gateway.
+
+** To retrieve the IP address assigned to a specific `Gateway` CR, run the following command:
++
+[source,terminal]
+----
+$ oc get gateway <gateway_name> -n openshift-ingress -o jsonpath='{.status.addresses[0].value}'
+----
+*** `<gateway_name>`: Specify the name of your gateway.
+
+** To check the total number of routes attached to a specific `Gateway` CR, run the following command:
++
+[source,terminal]
+----
+$ oc get gateway <gateway_name> -n openshift-ingress -o jsonpath='{.status.listeners[*].attachedRoutes}'
+----
+*** `<gateway_name>`: Specify the name of your gateway.
+
+** To watch a specific `Gateway` CR for real-time status changes, run the following command:
++
+[source,terminal]
+----
+$ oc get gateway <gateway_name> -n openshift-ingress -w
+----
+*** `<gateway_name>`: Specify the name of your gateway.
+--

networking/ingress_load_balancing/configuring_gateway_api/_attributes

@@ -0,0 +1 @@
+../../../_attributes

networking/ingress_load_balancing/configuring_gateway_api/assigning-network-addresses-gateways.adoc

@@ -0,0 +1,21 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="assigning-network-addresses-gateways"]
+= Assigning network addresses to gateways
+include::_attributes/common-attributes.adoc[]
+:context: assigning-network-addresses-gateways
+
+toc::[]
+
+[role="_abstract"]
+You can configure network addresses for your gateway to provide a predictable entry point for external traffic. This ensures that clients can reliably resolve and route requests to your load balancers.
+
+The Gateway API uses addresses to define the specific network locations that are assigned to your `Gateway` resource. In {product-title}, you rely on the Gateway controller to automatically provision and bind the necessary network addresses, such as an external load balancer IP, to your gateway. The controller then populates the `status.addresses` field of the `Gateway` resource with the assigned addresses once they are available.
+
+To successfully assign network addresses to your gateway, complete the following tasks:
+
+* Understand gateway address assignment and types to plan your DNS and load balancer configuration.
+* Configure automatic address assignment for a gateway to successfully deploy it without violating manual address constraints.
+
+include::modules/understand-gateway-address-assignment.adoc[leveloffset=+1]
+
+include::modules/configuring-automatic-address-assignment-gateway.adoc[leveloffset=+1]

networking/ingress_load_balancing/configuring_gateway_api/controlling-incoming-traffic-gateway-listeners.adoc

@@ -0,0 +1,33 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="controlling-incoming-traffic-gateway-listeners"]
+= Control incoming traffic with gateway listeners
+include::_attributes/common-attributes.adoc[]
+:context: controlling-incoming-traffic-gateway-listeners
+
+toc::[]
+
+[role="_abstract"]
+To control network traffic flow, you can configure Gateway API listeners to define the designated port, protocol, and hostname for your gateway. By configuring listeners, you can specify secure TLS connections, dictate how traffic is terminated, and restrict which application routes are permitted to attach to the gateway.
+
+To successfully manage your incoming traffic with gateway listeners, complete the following tasks:
+
+* Configure listener routing and security settings to define the ports, protocols, hostnames, and TLS certificates for your incoming traffic.
+* Understand listener routing conflicts by applying conflict management rules to ensure overlapping hostnames or ports are routed correctly.
+* Troubleshoot listener connections by monitoring listener status conditions to identify and resolve configuration errors.
+
+include::modules/configuring-listener-routing-security.adoc[leveloffset=+1]
+
+include::modules/gateway-listener-configuration-reference.adoc[leveloffset=+2]
+
+include::modules/resolving-listener-routing-conflicts.adoc[leveloffset=+1]
+
+include::modules/troubleshooting-listener-conditions.adoc[leveloffset=+1]
+
+include::modules/gateway-listener-troubleshooting-reference.adoc[leveloffset=+2]
+
+[role="_additional-resources"]
+[id="additional-resources_{context}"]
+== Additional resources
+
+* link:https://gateway-api.sigs.k8s.io/concepts/api-overview/#distinctiveness[Gateway API documentation: Protocol-specific distinctiveness rules]
+* link:https://gateway-api.sigs.k8s.io/concepts/hostnames/[Gateway API documentation: Hostnames]

networking/ingress_load_balancing/configuring_gateway_api/images

@@ -0,0 +1 @@
+../../../images

networking/ingress_load_balancing/configuring_gateway_api/modules

@@ -0,0 +1 @@
+../../../modules