From 74c8d2dc161b3056abcb8a8f2982121704a7d05c Mon Sep 17 00:00:00 2001
From: R-Lawton <rlawton@redhat.com>
Date: Fri, 20 Dec 2024 12:30:18 +0000
Subject: [PATCH] remove old install k8s doc

Signed-off-by: R-Lawton <rlawton@redhat.com>
---
 doc/install/install-kubernetes.md             | 209 -------
 doc/install/install-make.md                   |   3 -
 doc/install/mtls-configuration.md             |   4 +-
 .../secure-protect-connect.md                 | 532 ++++++++++++++++++
 4 files changed, 534 insertions(+), 214 deletions(-)
 delete mode 100644 doc/install/install-kubernetes.md
 create mode 100644 doc/user-guides/full-walkthrough/secure-protect-connect.md

diff --git a/doc/install/install-kubernetes.md b/doc/install/install-kubernetes.md
deleted file mode 100644
index da3246686..000000000
--- a/doc/install/install-kubernetes.md
+++ /dev/null
@@ -1,209 +0,0 @@
-# Install Kuadrant on a Kubernetes cluster
-
-!!! note
-    You must perform these steps on each Kubernetes cluster where you want to use Kuadrant.
-
-!!! warning
-
-    Kuadrant uses a number of labels to search and filter resources on the cluster.
-    All required labels are formatted as `kuadrant.io/*`.
-    Removal of any labels with the prefix may cause unexpected behaviour and degradation of the product.
-
-
-## Prerequisites
-
-- Access to a Kubernetes cluster, with `kubeadmin` or an account with similar permissions
-- `cert-manager` [installed](https://cert-manager.io/docs/installation/)
-
-## Procedure
-
-This guide will show you how to install Kuadrant onto a bare Kubernetes cluster.
-
-Alternatively, if you are looking instead for a way to set up Kuadrant locally to evaluate or develop, consider running the kind & Kubernetes [quickstart script](https://docs.kuadrant.io/latest/getting-started-single-cluster/).
-
-### Install Gateway API
-
-```bash
-kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
-```
-
-### Install [OLM](https://olm.operatorframework.io/)
-
-!!! note
-    Currently, we recommend installing our operator via OLM. We plan to support Helm soon.
-
-```bash
-curl -sL https://github.com/operator-framework/operator-lifecycle-manager/releases/download/v0.28.0/install.sh | bash -s v0.28.0
-```
-
-### (Optional) Install Istio as a Gateway API provider
-
-!!! note
-    Skip this step if planing to use [Envoy Gateway](https://gateway.envoyproxy.io/) as Gateway API provider
-
-
-There are several ways to install Istio (via `istioctl`, Helm chart or Operator) - this is just an example for starting from a bare Kubernetes cluster.
-
-```bash
-curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.22.5 sh -
-./istio-1.22.5/bin/istioctl install --set profile=minimal
-./istio-1.22.5/bin/istioctl operator init
-kubectl apply -f https://raw.githubusercontent.com/Kuadrant/kuadrant-operator/main/config/dependencies/istio/istio-operator.yaml
-```
-
-### (Optional) Install Envoy Gateway as a Gateway API provider
-
-!!! note
-    Skip this step if planing to use [Istio](https://istio.io/) as Gateway API provider
-
-There are several ways to install Envoy Gateway (via `egctl`, Helm chart or Kubernetes yaml) - this is just an example for starting from a bare Kubernetes cluster.
-
-```bash
-helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.1.0 -n envoy-gateway-system --create-namespace
-```
-
-Kuadrant relies on the Envoy Gateway patch policy feature to function correctly - enable the *EnvoyPatchPolicy* feature like so:
-
-```bash
-TMP=$(mktemp -d)
-kubectl get configmap -n envoy-gateway-system envoy-gateway-config -o jsonpath='{.data.envoy-gateway\.yaml}' > ${TMP}/envoy-gateway.yaml
-yq e '.extensionApis.enableEnvoyPatchPolicy = true' -i ${TMP}/envoy-gateway.yaml
-kubectl create configmap -n envoy-gateway-system envoy-gateway-config --from-file=envoy-gateway.yaml=${TMP}/envoy-gateway.yaml -o yaml --dry-run=client | kubectl replace -f -
-kubectl rollout restart deployment envoy-gateway -n envoy-gateway-system
-```
-
-Wait for Envoy Gateway to become available:
-
-```bash
-kubectl wait --timeout=5m -n envoy-gateway-system deployment/envoy-gateway --for=condition=Available
-```
-
-### Install Kuadrant
-
-```bash
-kubectl create -f https://operatorhub.io/install/kuadrant-operator.yaml
-kubectl get crd --watch | grep -m 1 "kuadrants.kuadrant.io"
-```
-
-### Request a Kuadrant instance
-
-```bash
-kubectl create namespace kuadrant-system
-kubectl -n kuadrant-system apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta1
-kind: Kuadrant
-metadata:
-  name: kuadrant
-spec: {}
-EOF
-```
-
-Kuadrant should now install. You can check the operator's install status with:
-
-```bash
-kubectl wait --for=jsonpath='{.status.state}'=AtLatestKnown subscription/my-kuadrant-operator -n operators --timeout=600s
-```
-
-Kuadrant is now ready to use.
-
-### (Optional) Observability setup (Istio only)
-
-There is a set of example dashboards and alerts in the kuadrant-operator repo that can be used for obserability of the Kuadrant components and gateway.
-To make use of these, first install the example monitoring stack and configuration:
-
-```bash
-kubectl apply -k github.com/Kuadrant/kuadrant-operator/config/observability?ref=main --dry-run=client -o yaml | docker run --rm -i docker.io/ryane/kfilt -i kind=CustomResourceDefinition | kubectl apply --server-side -f -
-kubectl apply -k github.com/Kuadrant/kuadrant-operator/config/observability?ref=main --dry-run=client -o yaml | docker run --rm -i docker.io/ryane/kfilt -x kind=CustomResourceDefinition | kubectl apply -f -
-kubectl apply -k github.com/Kuadrant/kuadrant-operator/config/thanos?ref=main
-kubectl apply -k github.com/Kuadrant/kuadrant-operator/examples/dashboards?ref=main
-kubectl apply -k github.com/Kuadrant/kuadrant-operator/examples/alerts?ref=main
-THANOS_RECEIVE_ROUTER_IP=$(kubectl -n monitoring get svc thanos-receive-router-lb -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-kubectl -n monitoring patch prometheus k8s --type='merge' -p '{"spec":{"remoteWrite":[{"url":"http://'"$THANOS_RECEIVE_ROUTER_IP"':19291/api/v1/receive", "writeRelabelConfigs":[{"action":"replace", "replacement":"'"$KUADRANT_CLUSTER_NAME"'", "targetLabel":"cluster_id"}]}]}}'
-kubectl apply -k github.com/Kuadrant/kuadrant-operator/config/observability/prometheus/monitors/istio?ref=main
-```
-
-This will deploy prometheus, alertmanager and Grafana into the monitoring namespace, along with metrics scrape configuration for Istio and Envoy Proxy. Thanos will also be deployed with prometheus configured to remote write to it.
-
-To access Grafana and Prometheus, you can port forward to the services:
-
-```bash
-kubectl -n monitoring port-forward service/grafana 3000:3000
-```
-
-The Grafana UI can then be found at http://127.0.0.1:3000/ (default user/pass of admin & admin).
-
-```bash
-kubectl -n monitoring port-forward service/prometheus-k8s 9090:9090
-```
-
-The Prometheus UI can then be found at http://127.0.0.1:9090.
-
-### (Optional) `DNSPolicy` setup
-
-If you plan to use `DNSPolicy`, this doc uses an AWS Account with access to Route 53. There are other providers that you can also use for DNS integration: 
-
-[DNS Providers](https://docs.kuadrant.io/latest/dns-operator/docs/provider/)
-
-Export the following environment variables for setup:
-
-```bash
-export AWS_ACCESS_KEY_ID=xxxxxxx # Key ID from AWS with Route 53 access
-export AWS_SECRET_ACCESS_KEY=xxxxxxx # Access key from AWS with Route 53 access
-```
-
-Create an AWS credentials secret:
-
-```bash
-kubectl -n kuadrant-system create secret generic aws-credentials \
-  --type=kuadrant.io/aws \
-  --from-literal=AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \
-  --from-literal=AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
-```
-
-### (Optional) Multi-cluster `RateLimitPolicy`
-
-To enable `RateLimitPolicy` to use shared, multi-cluster counters for Kuadrant's Limitador component, you need to configure Kuadrant with a Redis cluster URL. Redis URIs can be either `redis://` for standard connections or `rediss://` for secure connections.
-
-Follow these steps to create the necessary secret:
-
-1. Replace `some-redis.com:6379` with the URL of your accessible Redis cluster. Ensure you include the appropriate URI scheme (`redis://` or `rediss://`).
-
-2. Execute the following commands:
-
-    ```bash
-    # Replace this with an accessible Redis cluster URL
-    export REDIS_URL=redis://user:xxxxxx@some-redis.com:6379
-    
-    ```    
-3. Create the secret:
-    
-    ```bash
-    kubectl -n kuadrant-system create secret generic redis-config \
-      --from-literal=URL=$REDIS_URL
-    ```
-
-This will create a secret named `redis-config` in the `kuadrant-system` namespace containing your Redis cluster URL, which Kuadrant will use for multi-cluster rate limiting.
-
-
-You'll also need to update the `Limitador` instance (the component that handles rate limiting) to reconfigure Kuadrant to use Redis:
-
-```bash
-kubectl patch limitador limitador --type=merge -n kuadrant-system -p '
-spec:
-  storage:
-    redis:
-      configSecretRef:
-        name: redis-config
-'
-
-kubectl wait limitador/limitador -n kuadrant-system --for="condition=Ready=true"
-
-```
-
-### Metal LB (local setup)
-
-If you are using a local kind cluster, we recommend using [metallb](https://metallb.universe.tf/) to allow the service type loadbalancer to be used with your gateways and an IP to be assigned to your gateway address rather than an internal service name.
-
-## Next Steps
-
-- [Secure, protect, and connect APIs with Kuadrant on Kubernetes](../user-guides/full-walkthrough/secure-protect-connect-k8s.md)
diff --git a/doc/install/install-make.md b/doc/install/install-make.md
index c0e6153bb..a6ccb7b71 100644
--- a/doc/install/install-make.md
+++ b/doc/install/install-make.md
@@ -3,9 +3,6 @@
 ## Overview
 The following doc will show you how to install the Kuadrant Operator using make targets in the Kuadrant operator repo. What will be installed is Istio, Kubernetes Gateway API and Kuadrant itself.
 
-For other methods of installation see
-- [k8s](https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/install/install-kubernetes.md)
-- [Openshift](https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/install/install-openshift.md)
 
 > **Note:** In production environment, these steps are usually performed by a cluster operator with administrator privileges over the Kubernetes cluster.
 
diff --git a/doc/install/mtls-configuration.md b/doc/install/mtls-configuration.md
index cad4b59de..556f83fbc 100644
--- a/doc/install/mtls-configuration.md
+++ b/doc/install/mtls-configuration.md
@@ -12,8 +12,8 @@ At the time of writing there is [an RFC](https://github.com/Kuadrant/architectur
 
 ## Prerequisites
 
-You have installed Kuadrant in a [Kubernetes](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-kubernetes/) or [OpenShift](https://docs.kuadrant.io/latest/kuadrant-operator/doc/install/install-openshift/) cluster.
-Additionally, you have at least 1 AuthPolicy or RateLimitPolicy attached to your Gateway or HTTPRoute.
+- You have installed Kuadrant in a Kubernetes cluster.
+- Additionally, you have at least 1 AuthPolicy or RateLimitPolicy attached to your Gateway or HTTPRoute.
 
 ## Enabling mTLS
 
diff --git a/doc/user-guides/full-walkthrough/secure-protect-connect.md b/doc/user-guides/full-walkthrough/secure-protect-connect.md
new file mode 100644
index 000000000..8d4cf7555
--- /dev/null
+++ b/doc/user-guides/full-walkthrough/secure-protect-connect.md
@@ -0,0 +1,532 @@
+# Secure, protect, and connect APIs with Kuadrant
+
+## Overview
+
+This guide walks you through using Kuadrant to secure, protect, and connect an API exposed by a Gateway (Kubernetes Gateway API) from the personas platform engineer and application developer. For more information on the different personas please see the [Gateway API documentation](https://gateway-api.sigs.k8s.io/concepts/roles-and-personas/#key-roles-and-personas)
+
+## Prerequisites
+
+- Have a cluster with Kuadrant operator installed. 
+- [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl) command line tool.
+- AWS/Azure or GCP with DNS capabilities.
+
+
+### Set the environment variables
+
+Set the following environment variables used for convenience in this guide:
+
+```bash
+export KUADRANT_GATEWAY_NS=api-gateway # Namespace for the example Gateway
+export KUADRANT_GATEWAY_NAME=external # Name for the example Gateway
+export KUADRANT_DEVELOPER_NS=toystore # Namespace for an example toystore app
+export KUADRANT_AWS_ACCESS_KEY_ID=xxxx # AWS Key ID with access to manage the DNS Zone ID below
+export KUADRANT_AWS_SECRET_ACCESS_KEY=xxxx # AWS Secret Access Key with access to manage the DNS Zone ID below
+export KUADRANT_AWS_DNS_PUBLIC_ZONE_ID=xxxx # AWS Route 53 Zone ID for the Gateway
+export KUADRANT_ZONE_ROOT_DOMAIN=example.com # Root domain associated with the Zone ID above
+export KUADRANT_CLUSTER_ISSUER_NAME=self-signed # Name for the ClusterIssuer
+```
+
+### Set up a DNS Provider
+
+The DNS provider declares credentials to access the zone(s) that Kuadrant can use to set up DNS configuration. Ensure that this credential only has access to the zones you want Kuadrant to manage via `DNSPolicy`
+
+Create the namespace the Gateway will be deployed in:
+
+```bash
+kubectl create ns ${KUADRANT_GATEWAY_NS}
+```
+
+Create the secret credentials in the same namespace as the Gateway - these will be used to configure DNS:
+
+```bash
+kubectl -n ${KUADRANT_GATEWAY_NS} create secret generic aws-credentials \
+  --type=kuadrant.io/aws \
+  --from-literal=AWS_ACCESS_KEY_ID=$KUADRANT_AWS_ACCESS_KEY_ID \
+  --from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY
+```
+
+Before adding a TLS issuer, create the secret credentials in the cert-manager namespace:
+
+```bash
+kubectl -n cert-manager create secret generic aws-credentials \
+  --type=kuadrant.io/aws \
+  --from-literal=AWS_ACCESS_KEY_ID=$KUADRANT_AWS_ACCESS_KEY_ID \
+  --from-literal=AWS_SECRET_ACCESS_KEY=$KUADRANT_AWS_SECRET_ACCESS_KEY
+```
+
+### Deploy the Toystore app
+
+Create the namespace for the Toystore application:
+
+```bash
+
+kubectl create ns ${KUADRANT_DEVELOPER_NS}
+```
+
+Deploy the Toystore app to the developer namespace:
+
+```bash
+kubectl apply -f https://raw.githubusercontent.com/Kuadrant/Kuadrant-operator/main/examples/toystore/toystore.yaml -n ${KUADRANT_DEVELOPER_NS}
+```
+
+
+### Add a TLS issuer
+
+To secure communication to the Gateways, define a TLS issuer for TLS certificates.
+
+!!! note 
+    This example uses Let's Encrypt, but you can use any issuer supported by `cert-manager`.
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ${KUADRANT_CLUSTER_ISSUER_NAME}
+spec:
+  selfSigned: {}
+EOF
+```
+
+Wait for the `ClusterIssuer` to become ready.
+
+```bash
+kubectl wait clusterissuer/${KUADRANT_CLUSTER_ISSUER_NAME} --for=condition=ready=true
+```
+
+### Deploy a Gateway
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: ${KUADRANT_GATEWAY_NAME}
+  namespace: ${KUADRANT_GATEWAY_NS}
+  labels:
+    kuadrant.io/gateway: "true"
+spec:
+    gatewayClassName: istio
+    listeners:
+    - allowedRoutes:
+        namespaces:
+          from: All 
+      hostname: "api.${KUADRANT_ZONE_ROOT_DOMAIN}"
+      name: api
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+        - group: ""
+          kind: Secret
+          name: api-${KUADRANT_GATEWAY_NAME}-tls
+        mode: Terminate
+EOF
+```
+
+Check the status of the `Gateway` ensuring the gateway is Accepted and Programmed:
+
+```bash
+kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Programmed")].message}'
+```
+
+Check the status of the listener, you will see that it is not yet programmed or ready to accept traffic due to bad TLS configuration. This will be fixed in the next step with the `TLSPolicy`:
+
+```bash
+kubectl get gateway ${KUADRANT_GATEWAY_NAME} -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.listeners[0].conditions[?(@.type=="Programmed")].message}'
+```
+
+## Secure and protect the Gateway with Auth, Rate Limit, and DNS policies.
+
+### Deploy the gateway TLS policy
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1
+kind: TLSPolicy
+metadata:
+  name: ${KUADRANT_GATEWAY_NAME}-tls
+  namespace: ${KUADRANT_GATEWAY_NS}
+spec:
+  targetRef:
+    name: ${KUADRANT_GATEWAY_NAME}
+    group: gateway.networking.k8s.io
+    kind: Gateway
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: ${KUADRANT_CLUSTER_ISSUER_NAME}
+EOF
+```
+
+Check that the `TLSpolicy` has an Accepted and Enforced status (This may take a few minutes for certain provider e.g Lets Encrypt):
+
+
+```bash
+kubectl get tlspolicy ${KUADRANT_GATEWAY_NAME}-tls -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
+```
+
+### Setup Toystore application HTTPRoute
+
+```bash
+
+kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: toystore
+  namespace: ${KUADRANT_DEVELOPER_NS}
+  labels:
+    deployment: toystore
+    service: toystore
+spec:
+  parentRefs:
+  - name: ${KUADRANT_GATEWAY_NAME}
+    namespace: ${KUADRANT_GATEWAY_NS}
+  hostnames:
+  - "api.${KUADRANT_ZONE_ROOT_DOMAIN}"
+  rules:
+  - matches:
+    - method: GET
+      path:
+        type: PathPrefix
+        value: "/cars"
+    - method: GET
+      path:
+        type: PathPrefix
+        value: "/health"    
+    backendRefs:
+    - name: toystore
+      port: 80  
+EOF
+```
+
+While the `Gateway` is now deployed, it currently has exposed endpoints. The next steps will be defining an `AuthPolicy` to set up a default `403` response for any unprotected endpoints, as well as a `RateLimitPolicy` to set up a default unrealistic low global limit to further protect any exposed endpoints.
+
+### Set the `Deny all` Gateway AuthPolicy
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1
+kind: AuthPolicy
+metadata:
+  name: ${KUADRANT_GATEWAY_NAME}-auth
+  namespace: ${KUADRANT_GATEWAY_NS}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: ${KUADRANT_GATEWAY_NAME}
+  defaults:
+   when:
+     - predicate: "request.path != '/health'"
+   rules:
+    authorization:
+      deny-all:
+        opa:
+          rego: "allow = false"
+    response:
+      unauthorized:
+        headers:
+          "content-type":
+            value: application/json
+        body:
+          value: |
+            {
+              "error": "Forbidden",
+              "message": "Access denied by default by the gateway operator. If you are the administrator of the service, create a specific auth policy for the route."
+            }
+EOF
+```
+
+Check that the `AuthPolicy` has Accepted and Enforced status:
+
+```bash
+kubectl get authpolicy ${KUADRANT_GATEWAY_NAME}-auth -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
+
+```
+
+### Deploy the `low-limit` Gateway RateLimitPolicy
+
+```bash
+kubectl apply -f  - <<EOF
+apiVersion: kuadrant.io/v1
+kind: RateLimitPolicy
+metadata:
+  name: ${KUADRANT_GATEWAY_NAME}-rlp
+  namespace: ${KUADRANT_GATEWAY_NS}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: Gateway
+    name: ${KUADRANT_GATEWAY_NAME}
+  defaults:
+    limits:
+      "low-limit":
+        rates:
+        - limit: 1
+          window: 10s
+EOF
+```
+
+Check that the `RateLimitPolicy` has Accepted and Enforced status:
+
+```bash
+kubectl get ratelimitpolicy ${KUADRANT_GATEWAY_NAME}-rlp -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
+```
+### Create the Gateway DNSPolicy
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1
+kind: DNSPolicy
+metadata:
+  name: ${KUADRANT_GATEWAY_NAME}-dnspolicy
+  namespace: ${KUADRANT_GATEWAY_NS}
+spec:
+  healthCheck:
+    failureThreshold: 3
+    interval: 1m
+    path: /health
+  loadBalancing:
+    defaultGeo: true
+    geo: GEO-NA
+    weight: 120
+  targetRef:
+    name: ${KUADRANT_GATEWAY_NAME}
+    group: gateway.networking.k8s.io
+    kind: Gateway
+  providerRefs:
+  - name: aws-credentials # Secret created earlier
+EOF
+```
+
+Check that the `DNSPolicy` has been Accepted and Enforced (This mat take a few minutes):
+
+```bash
+kubectl get dnspolicy ${KUADRANT_GATEWAY_NAME}-dnspolicy -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
+```
+
+#### DNS Health checks
+DNS Health checks has been enabled on the DNSPolicy. These health checks will flag a published endpoint as healthy or unhealthy based on the defined configuration. When unhealthy an endpoint will not be published if it has not already been published to the DNS provider, will only be unpublished if it is part of a multi-value A record and in all cases can be observable via the DNSPolicy status. For more information see [DNS Health checks documentation](../dns/dnshealthchecks.md)
+
+Check the status of the health checks as follow:
+
+```bash
+kubectl get dnspolicy ${KUADRANT_GATEWAY_NAME}-dnspolicy -n ${KUADRANT_GATEWAY_NS} -o=jsonpath='{.status.conditions[?(@.type=="SubResourcesHealthy")].message}'
+```
+### Test the `low-limit` and `deny all` policies
+
+```bash
+while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null  "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
+```
+
+### Override the Gateway's deny-all AuthPolicy 
+
+### Set up API key auth flow
+
+Set up an example API key for the new users:
+
+```bash
+export KUADRANT_SYSTEM_NS=$(kubectl get kuadrant -A -o jsonpath="{.items[0].metadata.namespace}")
+```
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: bob-key
+  namespace: ${KUADRANT_SYSTEM_NS}
+  labels:
+    authorino.kuadrant.io/managed-by: authorino
+    app: toystore
+  annotations:
+    secret.kuadrant.io/user-id: bob
+stringData:
+  api_key: IAMBOB
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: alice-key
+  namespace: ${KUADRANT_SYSTEM_NS}
+  labels:
+    authorino.kuadrant.io/managed-by: authorino
+    app: toystore
+  annotations:
+    secret.kuadrant.io/user-id: alice
+stringData:
+  api_key: IAMALICE
+type: Opaque
+EOF
+```
+
+Create a new AuthPolicy in a different namespace that overrides the `Deny all` created earlier:
+
+
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1
+kind: AuthPolicy
+metadata:
+  name: toystore-auth
+  namespace: ${KUADRANT_DEVELOPER_NS}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+  defaults:
+   when:
+     - predicate: "request.path != '/health'"  
+   rules:
+    authentication:
+      "api-key-users":
+        apiKey:
+          selector:
+            matchLabels:
+              app: toystore
+        credentials:
+          authorizationHeader:
+            prefix: APIKEY
+    response:
+      success:
+        filters:
+          "identity":
+            json:
+              properties:
+                "userid":
+                  selector: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
+EOF
+```
+
+### Override `low-limit` RateLimitPolicy for specific users
+
+Create a new `RateLimitPolicy` in a different namespace to override the default `RateLimitPolicy` created earlier:
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: kuadrant.io/v1
+kind: RateLimitPolicy
+metadata:
+  name: toystore-rlp
+  namespace: ${KUADRANT_DEVELOPER_NS}
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+  limits:
+    "general-user":
+      rates:
+      - limit: 5
+        window: 10s
+      counters:
+      - expression: auth.identity.userid
+      when:
+      - predicate: "auth.identity.userid != 'bob'"
+    "bob-limit":
+      rates:
+      - limit: 2
+        window: 10s
+      when:
+      - predicate: "auth.identity.userid == 'bob'"
+EOF
+```
+
+The `RateLimitPolicy` should be Accepted and Enforced:
+
+```bash
+kubectl get ratelimitpolicy -n ${KUADRANT_DEVELOPER_NS} toystore-rlp -o=jsonpath='{.status.conditions[?(@.type=="Accepted")].message}{"\n"}{.status.conditions[?(@.type=="Enforced")].message}'
+
+```
+
+Check the status of the `HTTPRoute`, is now affected by the `RateLimitPolicy` in the same namespace:
+
+```bash
+kubectl get httproute toystore -n ${KUADRANT_DEVELOPER_NS} -o=jsonpath='{.status.parents[0].conditions[?(@.type=="kuadrant.io/RateLimitPolicyAffected")].message}'
+```
+
+### Test the new Rate limit and Auth policy
+
+#### Send requests as Alice:
+
+You should see status `200` every second for 5 second followed by stats `429` every second for 5 seconds
+
+```bash
+while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMALICE' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
+```
+
+#### Send requests as Bob:
+You should see status `200` every second for 2 seconds followed by stats `429` every second for 8 seconds
+
+
+```bash
+while :; do curl -k --write-out '%{http_code}\n' --silent --output /dev/null -H 'Authorization: APIKEY IAMBOB' "https://api.$KUADRANT_ZONE_ROOT_DOMAIN/cars" | grep -E --color "\b(429)\b|$"; sleep 1; done
+```
+
+## Next Steps
+
+- [mTLS Configuration](../../install/mtls-configuration.md)
+To learn more about Kuadrant and see more how to guides, visit Kuadrant [documentation](https://docs.kuadrant.io)
+
+
+### Optional
+
+If you have prometheus in your cluster, set up a PodMonitor to configure it to scrape metrics directly from the Gateway pod.
+This must be done in the namespace where the Gateway is running.
+This configuration is required for metrics such as `istio_requests_total`.
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: istio-proxies-monitor
+  namespace: ${KUADRANT_GATEWAY_NS}
+spec:
+  selector:
+    matchExpressions:
+      - key: istio-prometheus-ignore
+        operator: DoesNotExist
+  podMetricsEndpoints:
+    - path: /stats/prometheus
+      interval: 30s
+      relabelings:
+        - action: keep
+          sourceLabels: ["__meta_kubernetes_pod_container_name"]
+          regex: "istio-proxy"
+        - action: keep
+          sourceLabels:
+            ["__meta_kubernetes_pod_annotationpresent_prometheus_io_scrape"]
+        - action: replace
+          regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4})
+          replacement: "[\$2]:\$1"
+          sourceLabels:
+            [
+              "__meta_kubernetes_pod_annotation_prometheus_io_port",
+              "__meta_kubernetes_pod_ip",
+            ]
+          targetLabel: "__address__"
+        - action: replace
+          regex: (\d+);((([0-9]+?)(\.|$)){4})
+          replacement: "\$2:\$1"
+          sourceLabels:
+            [
+              "__meta_kubernetes_pod_annotation_prometheus_io_port",
+              "__meta_kubernetes_pod_ip",
+            ]
+          targetLabel: "__address__"
+        - action: labeldrop
+          regex: "__meta_kubernetes_pod_label_(.+)"
+        - sourceLabels: ["__meta_kubernetes_namespace"]
+          action: replace
+          targetLabel: namespace
+        - sourceLabels: ["__meta_kubernetes_pod_name"]
+          action: replace
+          targetLabel: pod_name
+EOF
+```