diff --git a/content/en/docs/ambient/getting-started/_index.md b/content/en/docs/ambient/getting-started/_index.md new file mode 100644 index 0000000000000..a4b0556148c0d --- /dev/null +++ b/content/en/docs/ambient/getting-started/_index.md 
@@ -0,0 +1,71 @@ +--- +title: Getting Started +description: How to deploy and install Istio in ambient mode. +weight: 2 +aliases: + - /docs/ops/ambient/getting-started + - /latest/docs/ops/ambient/getting-started +owner: istio/wg-networking-maintainers +skip_list: true +test: yes +--- + +This guide lets you quickly evaluate Istio's {{< gloss "ambient" >}}ambient mode{{< /gloss >}}. You'll need a Kubernetes cluster to proceed. If you don't have a cluster, you can use [kind](/docs/setup/platform-setup/kind) or any other [supported Kubernetes platform](/docs/setup/platform-setup). + +These steps require you to have a {{< gloss >}}cluster{{< /gloss >}} running a +[supported version](/docs/releases/supported-releases#support-status-of-istio-releases) of Kubernetes ({{< supported_kubernetes_versions >}}). + +## Download the Istio CLI + +Istio is configured using a command line tool called `istioctl`. Download it, and the Istio sample applications: + +{{< text syntax=bash snip_id=none >}} +$ curl -L https://istio.io/downloadIstio | sh - +$ cd istio-{{< istio_full_version >}} +$ export PATH=$PWD/bin:$PATH +{{< /text >}} + +Check that you are able to run `istioctl` by printing the version of the command. At this point, Istio is not installed in your cluster, so you will see that there are no pods ready. + +{{< text syntax=bash snip_id=none >}} +$ istioctl version +no ready Istio pods in "istio-system" +{{< istio_full_version >}} +{{< /text >}} + +## Install Istio on to your cluster + +`istioctl` supports a number of [configuration profiles](/docs/setup/additional-setup/config-profiles/) that include different default options, and can be customized for your production needs. Support for ambient mode is included in the `ambient` profile. Install Istio with the following command: + +{{< text syntax=bash snip_id=install_ambient >}} +$ istioctl install --set profile=ambient --skip-confirmation +{{< /text >}} + +It might take a minute for the Istio components to be installed. 
Once the installation completes, you’ll get the following output that indicates all components have been installed successfully. + +{{< text syntax=plain snip_id=none >}} +✔ Istio core installed +✔ Istiod installed +✔ CNI installed +✔ Ztunnel installed +✔ Installation complete +{{< /text >}} + +{{< tip >}} +You can verify the installed components using the command `istioctl verify-install`. +{{< /tip >}} + +## Install the Kubernetes Gateway API CRDs + +You need to install the Kubernetes Gateway API CRDs, which don’t come installed by default on most Kubernetes clusters: + +{{< text syntax=bash snip_id=install_k8s_gateway_api >}} +$ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ + { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0" | kubectl apply -f -; } +{{< /text >}} + +You will use the Kubernetes Gateway API to configure traffic routing. + +## Next steps + +Congratulations! You've successfully installed Istio with support for ambient mode. Continue to the next step to [install the demo application and add it to the ambient mesh](/docs/ambient/getting-started/deploy-sample-app/). diff --git a/content/en/docs/ambient/getting-started/cleanup/index.md b/content/en/docs/ambient/getting-started/cleanup/index.md new file mode 100644 index 0000000000000..7c2f1caff2e3b --- /dev/null +++ b/content/en/docs/ambient/getting-started/cleanup/index.md 
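Review bot: The Gateway API CRD block under "Install the Kubernetes Gateway API CRDs" pins `ref=v1.1.0` by hand, while the cleanup page added in this same commit (and the guide being deleted) use `{{< k8s_gateway_api_version >}}`; if the shortcode value moves, the install here and the `kubectl delete` in the cleanup step will target different CRD revisions. Use the shortcode in both places: `{ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl apply -f -; }`. Separately, the download block fetches whatever `downloadIstio` considers latest and then runs `cd istio-{{< istio_full_version >}}`, so on a docs page whose version is no longer the latest release the directory name may not match what was downloaded; pinning the download keeps the two in step, `$ curl -L https://istio.io/downloadIstio | ISTIO_VERSION={{< istio_full_version >}} sh -`. Minor: the heading "Install Istio on to your cluster" should read "onto".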
@@ -0,0 +1,47 @@ + +--- +title: Cleanup +description: Delete Istio and associated resources. +weight: 6 +owner: istio/wg-networking-maintainers +test: yes +--- + +If you no longer need Istio and associated resources, you can delete them by following the steps in this section. + +## Remove the ambient and waypoint labels + +The label to instruct Istio to automatically include applications in the `default` namespace to an ambient mesh is not removed by default. If no longer needed, use the following command to remove it: + +{{< text bash >}} +$ kubectl label namespace default istio.io/dataplane-mode- +$ kubectl label namespace default istio.io/use-waypoint- +{{< /text >}} + +## Remove waypoint proxies and uninstall Istio + +To remove waypoint proxies, installed policies, and uninstall Istio, run the following commands: + +{{< text bash >}} +$ istioctl x waypoint delete --all +$ istioctl uninstall -y --purge +$ kubectl delete namespace istio-system +{{< /text >}} + +## Remove the sample application + +To delete the Bookinfo sample application and the `sleep` deployment, run the following: + +{{< text bash >}} +$ kubectl delete -f {{< github_file >}}/samples/bookinfo/platform/kube/bookinfo.yaml +$ kubectl delete -f {{< github_file >}}/samples/bookinfo/platform/kube/bookinfo-versions.yaml +$ kubectl delete -f {{< github_file >}}/samples/sleep/sleep.yaml +{{< /text >}} + +## Remove the Kubernetes Gateway API CRDs + +If you installed the Gateway API CRDs, remove them: + +{{< text bash >}} +$ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl delete -f - +{{< /text >}} diff --git a/content/en/docs/ambient/getting-started/cleanup/snips.sh b/content/en/docs/ambient/getting-started/cleanup/snips.sh new file mode 100644 index 0000000000000..f748692c40822 --- /dev/null +++ b/content/en/docs/ambient/getting-started/cleanup/snips.sh 
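Review bot: The file begins with an empty line before the `---` front-matter fence (the hunk's first added line is blank), which Hugo is likely to treat as page content rather than front matter; if so, `title`, `weight` and in particular `test: yes` would be ignored and this page could silently drop out of the documentation test run. Remove the leading blank line so the file starts with `---`. The same `ref` pinning remark made on `_index.md` applies here in reverse: this page correctly uses `{{< k8s_gateway_api_version >}}`, so the install page should match it.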
@@ -0,0 +1,42 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/ambient/getting-started/cleanup/index.md +#################################################################################################### + +snip_remove_the_ambient_and_waypoint_labels_1() { +kubectl label namespace default istio.io/dataplane-mode- +kubectl label namespace default istio.io/use-waypoint- +} + +snip_remove_waypoint_proxies_and_uninstall_istio_1() { +istioctl x waypoint delete --all +istioctl uninstall -y --purge +kubectl delete namespace istio-system +} + +snip_remove_the_sample_application_1() { +kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml +kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo-versions.yaml +kubectl delete -f https://raw.githubusercontent.com/istio/istio/master/samples/sleep/sleep.yaml +} + +snip_remove_the_kubernetes_gateway_api_crds_1() { +kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0" | kubectl delete -f - +} 
diff --git a/content/en/docs/ambient/getting-started/deploy-sample-app/bookinfo-browser.png b/content/en/docs/ambient/getting-started/deploy-sample-app/bookinfo-browser.png new file mode 100644 index 0000000000000..e91cda0b780f3 Binary files /dev/null and b/content/en/docs/ambient/getting-started/deploy-sample-app/bookinfo-browser.png differ diff --git a/content/en/docs/ambient/getting-started/deploy-sample-app/bookinfo.svg b/content/en/docs/ambient/getting-started/deploy-sample-app/bookinfo.svg new file mode 100644 index 0000000000000..7e1da78815f46 --- /dev/null +++ b/content/en/docs/ambient/getting-started/deploy-sample-app/bookinfo.svg @@ -0,0 +1 @@ +RatingsDetailsRubyProductpageReviews-v3Reviews-v2Reviews-v1Requests \ No newline at end of file diff --git a/content/en/docs/ambient/getting-started/deploy-sample-app/index.md b/content/en/docs/ambient/getting-started/deploy-sample-app/index.md new file mode 100644 index 0000000000000..ffb318f7c0dc6 --- /dev/null +++ b/content/en/docs/ambient/getting-started/deploy-sample-app/index.md 
@@ -0,0 +1,77 @@ +--- +title: Deploy the application +description: Deploy the Bookinfo sample application. +weight: 2 +owner: istio/wg-networking-maintainers +test: yes +--- + +To explore Istio, you will install the sample [Bookinfo application](/docs/examples/bookinfo/), composed of four separate microservices used to demonstrate various Istio features. + +{{< image width="50%" link="./bookinfo.svg" caption="Istio's Bookinfo sample application is written in many different languages" >}} + +As part of this guide, you'll deploy the Bookinfo application and expose the `productpage` service using an ingress gateway. + +## Deploy the Bookinfo application + +Start by deploying the application: + +{{< text bash >}} +$ kubectl apply -f {{< github_file >}}/samples/bookinfo/platform/kube/bookinfo.yaml +$ kubectl apply -f {{< github_file >}}/samples/bookinfo/platform/kube/bookinfo-versions.yaml +{{< /text >}} + +To verify that the application is running, check the status of the pods: + +{{< text syntax=bash snip_id=none >}} +$ kubectl get pods +NAME READY STATUS RESTARTS AGE +details-v1-cf74bb974-nw94k 1/1 Running 0 42s +productpage-v1-87d54dd59-wl7qf 1/1 Running 0 42s +ratings-v1-7c4bbf97db-rwkw5 1/1 Running 0 42s +reviews-v1-5fd6d4f8f8-66j45 1/1 Running 0 42s +reviews-v2-6f9b55c5db-6ts96 1/1 Running 0 42s +reviews-v3-7d99fd7978-dm6mx 1/1 Running 0 42s +{{< /text >}} + +To access the `productpage` service from outside the cluster, you need to configure an ingress gateway. + +## Deploy and configure the ingress gateway + +You will use the Kubernetes Gateway API to deploy a gateway called `bookinfo-gateway`: + +{{< text syntax=bash snip_id=deploy_bookinfo_gateway >}} +$ kubectl apply -f {{< github_file >}}/samples/bookinfo/gateway-api/bookinfo-gateway.yaml +{{< /text >}} + +By default, Istio creates a `LoadBalancer` service for a gateway. As we will access this gateway by a tunnel, we don't need a load balancer. 
Change the service type to `ClusterIP` by annotating the gateway: + +{{< text syntax=bash snip_id=annotate_bookinfo_gateway >}} +$ kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default +{{< /text >}} + +To check the status of the gateway, run: + +{{< text bash >}} +$ kubectl get gateway +NAME CLASS ADDRESS PROGRAMMED AGE +bookinfo-gateway istio bookinfo-gateway-istio.default.svc.cluster.local True 42s +{{< /text >}} + +## Access the application + +You will connect to the Bookinfo `productpage` service through the gateway you just provisioned. To access the gateway, you need to use the `kubectl port-forward` command: + +{{< text syntax=bash snip_id=none >}} +$ kubectl port-forward svc/bookinfo-gateway-istio 8080:80 +{{< /text >}} + +Open your browser and navigate to `http://localhost:8080/productpage` to view the Bookinfo application. + +{{< image width="80%" link="./bookinfo-browser.png" caption="Bookinfo Application" >}} + +If you refresh the page, you should see the book reviews and ratings changing as the requests are distributed across the different versions of the `reviews` service. + +## Next steps + +[Continue to the next section](../secure-and-visualize/) to add the application to the mesh, and learn how to secure and visualize the communication between the applications. diff --git a/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh b/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh new file mode 100644 index 0000000000000..70bf908457201 --- /dev/null +++ b/content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh 
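Review bot: Nothing waits for the gateway to be programmed between the `kubectl annotate` step and the `kubectl get gateway` check whose output (`PROGRAMMED ... True`) is recorded as an expected result in the generated snips; the deleted guide had `kubectl wait --for=condition=programmed gtw/bookinfo-gateway` at this point, and since this page carries `test: yes` the comparison can race a slow cluster. Add the wait to the annotate block: `$ kubectl wait --for=condition=programmed gtw/bookinfo-gateway`. Also worth a sentence under "Access the application": `kubectl port-forward` blocks the terminal, so tell the reader to run it in a separate terminal or background it before continuing to the browser step.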
@@ -0,0 +1,43 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/ambient/getting-started/deploy-sample-app/index.md +#################################################################################################### + +snip_deploy_the_bookinfo_application_1() { +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo-versions.yaml +} + +snip_deploy_bookinfo_gateway() { +kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/gateway-api/bookinfo-gateway.yaml +} + +snip_annotate_bookinfo_gateway() { +kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default +} + +snip_deploy_and_configure_the_ingress_gateway_3() { +kubectl get gateway +} + +! IFS=$'\n' read -r -d '' snip_deploy_and_configure_the_ingress_gateway_3_out <<\ENDSNIP +NAME CLASS ADDRESS PROGRAMMED AGE +bookinfo-gateway istio bookinfo-gateway-istio.default.svc.cluster.local True 42s +ENDSNIP 
diff --git a/content/en/docs/ambient/getting-started/enforce-auth-policies/index.md b/content/en/docs/ambient/getting-started/enforce-auth-policies/index.md new file mode 100644 index 0000000000000..a8c43345b2247 --- /dev/null +++ b/content/en/docs/ambient/getting-started/enforce-auth-policies/index.md 
@@ -0,0 +1,125 @@ +--- +title: Enforce authorization policies +description: Enforce Layer 4 and Layer 7 authorization policies in an ambient mesh. +weight: 4 +owner: istio/wg-networking-maintainers +test: yes +--- + +After you have added your application to the ambient mesh, you can secure application access using Layer 4 authorization policies. + +This feature lets you control access to and from a service based on the client workload +identities that are automatically issued to all workloads in the mesh. + +## Enforce Layer 4 authorization policy + +Let's create an [authorization policy](/docs/reference/config/security/authorization-policy/) that restricts which services can communicate with the `productpage` service. The policy is applied to pods with the `app: productpage` label, and it allows calls only from the the service account `cluster.local/ns/default/sa/bookinfo-gateway-istio`. (This is the service account that is used by the Bookinfo gateway you deployed in the previous step.) + +{{< text syntax=bash snip_id=deploy_l4_policy >}} +$ kubectl apply -f - <}} + +If you open the Bookinfo application in your browser (`http://localhost:8080/productpage`), you will see the product page, just as before. However, if you try to access the `productpage` service from a different service account, you should see an error. + +Let's try accessing Bookinfo application from a `sleep` pod: + +{{< text syntax=bash snip_id=deploy_sleep >}} +$ kubectl apply -f {{< github_file >}}/samples/sleep/sleep.yaml +{{< /text >}} + +Since the `sleep` pod is using a different service account, it will not have access the `productpage` service: + +{{< text bash >}} +$ kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage" +command terminated with exit code 56 +{{< /text >}} + +## Enforce Layer 7 authorization policy + +To enforce Layer 7 policies, you first need a {{< gloss "waypoint" >}}waypoint proxy{{< /gloss >}} for the namespace. 
This proxy will handle all Layer 7 traffic entering the namespace. + +{{< text syntax=bash snip_id=deploy_waypoint >}} +$ istioctl x waypoint apply --enroll-namespace --wait +waypoint default/waypoint applied +namespace default labeled with "istio.io/use-waypoint: waypoint" +{{< /text >}} + +You can view the waypoint proxy and make sure it has the `Programmed=True` status: + +{{< text bash >}} +$ kubectl get gtw waypoint +NAME CLASS ADDRESS PROGRAMMED AGE +waypoint istio-waypoint 10.96.58.95 True 42s +{{< /text >}} + +Adding a [L7 authorization policy](/docs/ambient/usage/l7-features/) will explicitly allow the `sleep` service to send `GET` requests to the `productpage` service, but perform no other operations: + +{{< text syntax=bash snip_id=deploy_l7_policy >}} +$ kubectl apply -f - <}} + +Note the `targetRefs` field is used to specify the target service for the authorization policy of a waypoint proxy. The rules section is similar as before, but this time we added the `to` section to specify the operation that is allowed. + +{{< tip >}} +To learn about how to enable more Istio's features, read the [Use Layer 7 features user guide](/docs/ambient/usage/l7-features/). 
+{{< /tip >}} + +Confirm the new waypoint proxy is enforcing the updated authorization policy: + +{{< text bash >}} +$ # This fails with an RBAC error because we're not using a GET operation +$ kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage" -X DELETE +RBAC: access denied +{{< /text >}} + +{{< text bash >}} +$ # This fails with an RBAC error because the identity of the reviews-v1 service is not allowed +$ kubectl exec deploy/reviews-v1 -- curl -s http://productpage:9080/productpage +RBAC: access denied +{{< /text >}} + +{{< text bash >}} +$ # This works as we're explicitly allowing GET requests from the sleep pod +$ kubectl exec deploy/sleep -- curl -s http://productpage:9080/productpage | grep -o ".*" +Simple Bookstore App +{{< /text >}} + +## Next steps + +With the waypoint proxy in place, you can now enforce Layer 7 policies in the namespace. In addition to authorization policies, [we can use the waypoint proxy to split traffic between services](../manage-traffic/). This is useful when doing canary deployments or A/B testing. diff --git a/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh b/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh new file mode 100644 index 0000000000000..9efe01d5ff54a --- /dev/null +++ b/content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh 
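Review bot: The Layer 7 section never states how the new `AuthorizationPolicy` relates to the Layer 4 one applied earlier — whether it replaces it (same resource name) or is added alongside it — yet the three closing `curl` checks only hold for one of those arrangements; the YAML bodies of the two `kubectl apply -f -` heredocs are not legible in this copy of the diff so I cannot confirm which, but the deleted guide phrased this step as "Update your `AuthorizationPolicy`", and one sentence making the relationship explicit would prevent readers from stacking policies by accident. The `command terminated with exit code 56` result also deserves a one-line explanation, e.g. `curl exits with code 56 because the connection is reset when the Layer 4 policy denies it; this is expected, not a connectivity problem.`, since it otherwise reads as a cluster fault. Two typos in the Layer 4 section: `only from the the service account` and `it will not have access the` (missing "to").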
@@ -0,0 +1,122 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/ambient/getting-started/enforce-auth-policies/index.md +#################################################################################################### + +snip_deploy_l4_policy() { +kubectl apply -f - <.*" +} + +! IFS=$'\n' read -r -d '' snip_enforce_layer_7_authorization_policy_6_out <<\ENDSNIP +Simple Bookstore App +ENDSNIP diff --git a/content/en/docs/ambient/getting-started/index.md b/content/en/docs/ambient/getting-started/index.md deleted file mode 100644 index ee8dfa005bcb2..0000000000000 --- a/content/en/docs/ambient/getting-started/index.md +++ /dev/null 
@@ -1,350 +0,0 @@ ---- -title: Getting Started -description: How to deploy and install Istio in ambient mode. -weight: 2 -aliases: - - /docs/ops/ambient/getting-started - - /latest/docs/ops/ambient/getting-started -owner: istio/wg-networking-maintainers -test: yes ---- - -This guide lets you quickly evaluate Istio's {{< gloss "ambient" >}}ambient mode{{< /gloss >}}. These steps require you to have a {{< gloss >}}cluster{{< /gloss >}} running a -[supported version](/docs/releases/supported-releases#support-status-of-istio-releases) of Kubernetes ({{< supported_kubernetes_versions >}}). -You can install Istio ambient mode on [any supported Kubernetes platform](/docs/setup/platform-setup/), but this guide will assume the use of [kind](https://kind.sigs.k8s.io/) for simplicity. - -{{< tip >}} -Note that ambient mode currently requires the use of [istio-cni](/docs/setup/additional-setup/cni) to configure Kubernetes nodes, which must run as a privileged pod. Ambient mode is compatible with every major CNI that previously supported sidecar mode. -{{< /tip >}} - -Follow these steps to get started with Istio's ambient mode: - -1. [Download and install](#download) -1. [Deploy the sample application](#bookinfo) -1. [Adding your application to ambient](#addtoambient) -1. [Secure application access](#secure) -1. [Control traffic](#control) -1. [Uninstall](#uninstall) - -## Download and install {#download} - -1. Install [kind](https://kind.sigs.k8s.io/) - -1. Download the [latest version of Istio](/docs/setup/getting-started/#download) (v1.21.0 or later) with Alpha support for ambient mode. - -1. Deploy a new local `kind` cluster: - - {{< text syntax=bash snip_id=none >}} - $ kind create cluster --config=- <}} - -1. 
Install the Kubernetes Gateway API CRDs, which don’t come installed by default on most Kubernetes clusters: - - {{< text bash >}} - $ kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ - { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl apply -f -; } - {{< /text >}} - -1. Install Istio with the `ambient` profile on your Kubernetes cluster, using - the version of `istioctl` downloaded above: - - {{< text bash >}} - $ istioctl install --set profile=ambient --skip-confirmation - {{< /text >}} - - After running the above command, you’ll get the following output that indicates - four components (including {{< gloss "ztunnel" >}}ztunnel{{< /gloss >}}) have been installed successfully! - - {{< text syntax=plain snip_id=none >}} - ✔ Istio core installed - ✔ Istiod installed - ✔ CNI installed - ✔ Ztunnel installed - ✔ Installation complete - {{< /text >}} - -1. Verify the installed components using the following command: - - {{< text bash >}} - $ kubectl get pods,daemonset -n istio-system - NAME READY STATUS RESTARTS AGE - pod/istio-cni-node-btbjf 1/1 Running 0 2m18s - pod/istiod-55b74b77bd-xggqf 1/1 Running 0 2m27s - pod/ztunnel-5m27h 1/1 Running 0 2m10s - - NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE - daemonset.apps/istio-cni-node 1 1 1 1 1 kubernetes.io/os=linux 2m18s - daemonset.apps/ztunnel 1 1 1 1 1 kubernetes.io/os=linux 2m10s - {{< /text >}} - -## Deploy the sample application {#bookinfo} - -You’ll use the sample [bookinfo application](/docs/examples/bookinfo/), which is part of -the Istio distribution that you downloaded above. In ambient mode, you deploy applications to -your Kubernetes cluster exactly the same way you would -without Istio. This means that you can have your applications running in your cluster before -you enable ambient mode, and have them join the mesh without needing to restart or -reconfigure them. 
- -{{< warning >}} -Make sure the default namespace does not include the label `istio-injection=enabled` when using ambient mode, because you do not need Istio to inject sidecars into application pods. -{{< /warning >}} - -1. Start the sample services: - - {{< text bash >}} - $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo.yaml@ - $ kubectl apply -f @samples/bookinfo/platform/kube/bookinfo-versions.yaml@ - {{< /text >}} - - {{< text bash >}} - $ kubectl apply -f @samples/sleep/sleep.yaml@ - $ kubectl apply -f @samples/sleep/notsleep.yaml@ - {{< /text >}} - - `sleep` and `notsleep` are two simple applications that can serve as curl clients. - -1. Deploy an ingress gateway: - - Create a [Kubernetes Gateway](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.Gateway) - and [HTTPRoute](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.HTTPRoute): - - {{< text bash >}} - $ kubectl apply -f @samples/bookinfo/gateway-api/bookinfo-gateway.yaml@ - {{< /text >}} - - By default, Istio creates a `LoadBalancer` service for a gateway. Change the service type to `ClusterIP` by annotating the gateway. - - {{< text bash >}} - $ kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default - {{< /text >}} - - Set the environment variables for the Kubernetes Gateway: - - {{< text bash >}} - $ kubectl wait --for=condition=programmed gtw/bookinfo-gateway - $ export GATEWAY_HOST=bookinfo-gateway-istio.default - $ export GATEWAY_SERVICE_ACCOUNT=ns/default/sa/bookinfo-gateway-istio - {{< /text >}} - -1. Test your bookinfo application. 
It should work with and without the gateway: - - {{< text syntax=bash snip_id=verify_traffic_sleep_to_ingress >}} - $ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o ".*" - Simple Bookstore App - {{< /text >}} - - {{< text syntax=bash snip_id=verify_traffic_sleep_to_productpage >}} - $ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o ".*" - Simple Bookstore App - {{< /text >}} - - {{< text syntax=bash snip_id=verify_traffic_notsleep_to_productpage >}} - $ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o ".*" - Simple Bookstore App - {{< /text >}} - -## Adding your application to the ambient mesh {#addtoambient} - -1. You can enable all pods in a given namespace to be part of an ambient mesh by simply labeling the namespace: - - {{< text bash >}} - $ kubectl label namespace default istio.io/dataplane-mode=ambient - namespace/default labeled - {{< /text >}} - - Congratulations! You have successfully added all pods in the default namespace - to the mesh. Note that you did not have to restart or redeploy anything! - -1. Now, send some test traffic: - - {{< text bash >}} - $ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o ".*" - Simple Bookstore App - {{< /text >}} - - {{< text bash >}} - $ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o ".*" - Simple Bookstore App - {{< /text >}} - - {{< text bash >}} - $ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o ".*" - Simple Bookstore App - {{< /text >}} - -You’ll immediately gain mTLS communication and L4 telemetry among the applications in the ambient mesh. 
-If you follow the instructions to install [Prometheus](/docs/ops/integrations/prometheus/#installation) -and [Kiali](/docs/ops/integrations/kiali/#installation), you’ll be able to visualize your application -in Kiali’s dashboard: - -{{< image link="./kiali-ambient-bookinfo.png" caption="Kiali dashboard" >}} - -## Secure application access {#secure} - -After you have added your application to an ambient mode mesh, you can secure application access using Layer 4 -authorization policies. This feature lets you control access to and from a service based on client workload -identities, but not at the Layer 7 level, such as HTTP methods like `GET` and `POST`. - -### Layer 4 authorization policy - -1. Explicitly allow the `sleep` and gateway service accounts to call the `productpage` service: - - {{< text bash >}} - $ kubectl apply -f - <}} - -1. Confirm the above authorization policy is working: - - {{< text bash >}} - $ # this should succeed - $ kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o ".*" - Simple Bookstore App - {{< /text >}} - - {{< text bash >}} - $ # this should succeed - $ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o ".*" - Simple Bookstore App - {{< /text >}} - - {{< text bash >}} - $ # this should fail with a connection reset error code 56 - $ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o ".*" - command terminated with exit code 56 - {{< /text >}} - -### Layer 7 authorization policy - -1. Using the Kubernetes Gateway API, you can deploy a {{< gloss "waypoint" >}}waypoint proxy{{< /gloss >}} for your namespace: - - {{< text bash >}} - $ istioctl x waypoint apply --enroll-namespace --wait - waypoint default/waypoint applied - namespace default labeled with "istio.io/use-waypoint: waypoint" - {{< /text >}} - -1. 
View the waypoint proxy; you should see the details of the gateway resource with `Programmed=True` status: - - {{< text bash >}} - $ kubectl get gtw waypoint - NAME CLASS ADDRESS PROGRAMMED AGE - waypoint istio-waypoint 10.96.58.95 True 61s - {{< /text >}} - -1. Update your `AuthorizationPolicy` to explicitly allow the `sleep` service to `GET` the `productpage` service, but perform no other operations: - - {{< text bash >}} - $ kubectl apply -f - <}} - -1. Confirm the new waypoint proxy is enforcing the updated authorization policy: - - {{< text bash >}} - $ # this should fail with an RBAC error because it is not a GET operation - $ kubectl exec deploy/sleep -- curl -s "http://productpage:9080/productpage" -X DELETE - RBAC: access denied - {{< /text >}} - - {{< text bash >}} - $ # this should fail with an RBAC error because the identity is not allowed - $ kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ - RBAC: access denied - {{< /text >}} - - {{< text bash >}} - $ # this should continue to work - $ kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o ".*" - Simple Bookstore App - {{< /text >}} - -## Control traffic {#control} - -1. You can use the same waypoint to control traffic to `reviews`. Configure traffic routing to send 90% of requests to `reviews` v1 and 10% to `reviews` v2: - - {{< text bash >}} - $ kubectl apply -f @samples/bookinfo/gateway-api/route-reviews-90-10.yaml@ - {{< /text >}} - -1. Confirm that roughly 10% of the traffic from 100 requests goes to reviews-v2: - - {{< text bash >}} - $ kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://productpage:9080/productpage | grep reviews-v.-; done" - {{< /text >}} - -## Uninstall {#uninstall} - -1. The label to instruct Istio to automatically include applications in the `default` namespace to an ambient mesh is not removed by default. 
If no longer needed, use the following command to remove it: - - {{< text bash >}} - $ kubectl label namespace default istio.io/dataplane-mode- - $ kubectl label namespace default istio.io/use-waypoint- - {{< /text >}} - -1. To remove waypoint proxies, installed policies, and uninstall Istio: - - {{< text bash >}} - $ istioctl x waypoint delete --all - $ istioctl uninstall -y --purge - $ kubectl delete namespace istio-system - {{< /text >}} - -1. To delete the Bookinfo sample application and its configuration, see [Bookinfo cleanup](/docs/examples/bookinfo/#cleanup). - -1. To remove the `sleep` and `notsleep` applications: - - {{< text bash >}} - $ kubectl delete -f @samples/sleep/sleep.yaml@ - $ kubectl delete -f @samples/sleep/notsleep.yaml@ - {{< /text >}} - -1. If you installed the Gateway API CRDs, remove them: - - {{< text bash >}} - $ kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref={{< k8s_gateway_api_version >}}" | kubectl delete -f - - {{< /text >}} diff --git a/content/en/docs/ambient/getting-started/kiali-ambient-bookinfo.png b/content/en/docs/ambient/getting-started/kiali-ambient-bookinfo.png deleted file mode 100644 index fbe1ee97a64ac..0000000000000 Binary files a/content/en/docs/ambient/getting-started/kiali-ambient-bookinfo.png and /dev/null differ diff --git a/content/en/docs/ambient/getting-started/manage-traffic/index.md b/content/en/docs/ambient/getting-started/manage-traffic/index.md new file mode 100644 index 0000000000000..9eb0a58e846ee --- /dev/null +++ b/content/en/docs/ambient/getting-started/manage-traffic/index.md 
@@ -0,0 +1,50 @@ +--- +title: Manage traffic +description: Manage traffic between services in the ambient mode. +weight: 5 +owner: istio/wg-networking-maintainers +test: yes +--- + +Now we have a waypoint proxy installed, we will learn how to split traffic between services. + +## Split traffic between services + +The Bookinfo application has three versions of the `reviews` service. You can split traffic between these versions to test new features or perform A/B testing. + +Let's configure traffic routing to send 90% of requests to `reviews` v1 and 10% to `reviews` v2: + +{{< text syntax=bash snip_id=deploy_httproute >}} +$ kubectl apply -f - <}} + +To confirm that roughly 10% of the of the traffic from 100 requests goes to `reviews-v2`, you can run the following command: + +{{< text syntax=bash snip_id=test_traffic_split >}} +$ kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://productpage:9080/productpage | grep reviews-v.-; done" +{{< /text >}} + +You'll notice the majority of requests go to `reviews-v1`. You can confirm the same if you open the Bookinfo application in your browser and refresh the page multiple times. Notice the requests from the `reviews-v1` don't have any stars, while the requests from `reviews-v2` have black stars. + +## Next steps + +This section concludes the Getting Started guide for ambient mode. You can continue to the [Cleanup](/docs/ambient/getting-started/cleanup) section to remove Istio or continue exploring the [ambient mode user guides](/docs/ambient/usage/) to learn more about Istio's features and capabilities. diff --git a/content/en/docs/ambient/getting-started/manage-traffic/snips.sh b/content/en/docs/ambient/getting-started/manage-traffic/snips.sh new file mode 100644 index 0000000000000..a5d6fb976fb39 --- /dev/null +++ b/content/en/docs/ambient/getting-started/manage-traffic/snips.sh 
@@ -0,0 +1,48 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/ambient/getting-started/manage-traffic/index.md +#################################################################################################### + +snip_deploy_httproute() { +kubectl apply -f - <}} +$ kubectl label namespace default istio.io/dataplane-mode=ambient +namespace/default labeled +{{< /text >}} + +Congratulations! You have successfully added all pods in the default namespace to the ambient mesh. 🎉 + +If you open the Bookinfo application in your browser, you will see the product page, just like before. The difference this time is that the communication between the Bookinfo application pods is encrypted using mTLS. Additionally, Istio is gathering TCP telemetry for all traffic between the pods. + +{{< tip >}} +You now have mTLS encryption between all your pods — without even restarting or redeploying any of the applications! +{{< /tip >}} + +## Visualize the application and metrics + +Using Istio's dashboard, Kiali, and the Prometheus metrics engine, you can visualize the Bookinfo application. 
Deploy them both: + +{{< text syntax=bash snip_id=none >}} +$ kubectl apply -f {{< github_file >}}/samples/addons/prometheus.yaml +$ kubectl apply -f {{< github_file >}}/samples/addons/kiali.yaml +{{< /text >}} + +You can access the Kiali dashboard by running the following command: + +{{< text syntax=bash snip_id=none >}} +$ istioctl dashboard kiali +{{< /text >}} + +Let's send some traffic to the Bookinfo application, so Kiali generates the traffic graph: + +{{< text bash >}} +$ for i in $(seq 1 100); do curl -s http://localhost:8080/productpage; done +{{< /text >}} + +Next, click on the Traffic Graph and you should see the Bookinfo application: + +{{< image link="./kiali-ambient-bookinfo.png" caption="Kiali dashboard" >}} + +{{< tip >}} +If you don't see the traffic graph, try re-sending the traffic to the Bookinfo application and make sure you have selected the **default** namespace in the **Namespace** drop-down in Kiali. + +To see the mTLS status between the services, click the **Display** drop-down and click **Security**. +{{}} + +If you click on the line connecting two services on the the dashboard, you can see the inbound and outbound traffic metrics gathered by Istio. + +{{< image link="./kiali-tcp-traffic.png" caption="L4 traffic" >}} + +In addition to the TCP metrics, Istio has created a strong identity for each service: a SPIFFE ID. This identity can be used for creating authorization policies. + +## Next steps + +Now that we have identities assigned to the services, let's [enforce authorization policies](/docs/ambient/getting-started/enforce-auth-policies/) to secure access to the application. 
diff --git a/content/en/docs/ambient/getting-started/secure-and-visualize/kiali-ambient-bookinfo.png b/content/en/docs/ambient/getting-started/secure-and-visualize/kiali-ambient-bookinfo.png new file mode 100644 index 0000000000000..319f7523253c0 Binary files /dev/null and b/content/en/docs/ambient/getting-started/secure-and-visualize/kiali-ambient-bookinfo.png differ diff --git a/content/en/docs/ambient/getting-started/secure-and-visualize/kiali-tcp-traffic.png b/content/en/docs/ambient/getting-started/secure-and-visualize/kiali-tcp-traffic.png new file mode 100644 index 0000000000000..ab1d757faf8ed Binary files /dev/null and b/content/en/docs/ambient/getting-started/secure-and-visualize/kiali-tcp-traffic.png differ diff --git a/content/en/docs/ambient/getting-started/secure-and-visualize/snips.sh b/content/en/docs/ambient/getting-started/secure-and-visualize/snips.sh new file mode 100644 index 0000000000000..cee363521feb5 --- /dev/null +++ b/content/en/docs/ambient/getting-started/secure-and-visualize/snips.sh 
@@ -0,0 +1,33 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#################################################################################################### +# WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: +# docs/ambient/getting-started/secure-and-visualize/index.md +#################################################################################################### + +snip_add_bookinfo_to_the_mesh_1() { +kubectl label namespace default istio.io/dataplane-mode=ambient +} + +! IFS=$'\n' read -r -d '' snip_add_bookinfo_to_the_mesh_1_out <<\ENDSNIP +namespace/default labeled +ENDSNIP + +snip_visualize_the_application_and_metrics_3() { +for i in $(seq 1 100); do curl -s http://localhost:8080/productpage; done +} diff --git a/content/en/docs/ambient/getting-started/setup/snips.sh b/content/en/docs/ambient/getting-started/setup/snips.sh new file mode 100644 index 0000000000000..7a2c896a8e606 --- /dev/null +++ b/content/en/docs/ambient/getting-started/setup/snips.sh 
@@ -0,0 +1,19 @@ +#!/bin/bash +# shellcheck disable=SC2034,SC2153,SC2155,SC2164 + +# Empty file to see if I can get around https://github.com/istio/istio.io/issues/15200 +# The below is included because a lint won't let me include the file without them + +# Copyright Istio Authors. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/content/en/docs/ambient/getting-started/snips.sh b/content/en/docs/ambient/getting-started/snips.sh index 710db0bfb23ad..058dd2d55e4d3 100644 --- a/content/en/docs/ambient/getting-started/snips.sh +++ b/content/en/docs/ambient/getting-started/snips.sh 
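Review bot: The header comment `# Empty file to see if I can get around https://github.com/istio/istio.io/issues/15200` reads as a scratch note rather than documentation: it does not tell the next maintainer whether the file must stay empty, who generates it, or when it can be deleted. Suggest replacing the two lines with a statement of intent, e.g. `# Intentionally empty: the setup page has no runnable snippets, but a snips.sh is needed to work around https://github.com/istio/istio.io/issues/15200 (remove once that issue is fixed)`. The other new snips.sh files in this change carry the auto-generated banner while this one does not, so it is presumably hand-maintained; saying so in the comment would prevent someone regenerating over it or regenerating it away.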
@@ -17,254 +17,14 @@ #################################################################################################### # WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL MARKDOWN FILE: -# docs/ambient/getting-started/index.md +# docs/ambient/getting-started/_index.md #################################################################################################### -snip_download_and_install_2() { -kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ - { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0" | kubectl apply -f -; } -} - -snip_download_and_install_3() { +snip_install_ambient() { istioctl install --set values.pilot.env.PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING=true --set profile=ambient --skip-confirmation } -snip_download_and_install_5() { -kubectl get pods,daemonset -n istio-system -} - -! IFS=$'\n' read -r -d '' snip_download_and_install_5_out <<\ENDSNIP -NAME READY STATUS RESTARTS AGE -pod/istio-cni-node-btbjf 1/1 Running 0 2m18s -pod/istiod-55b74b77bd-xggqf 1/1 Running 0 2m27s -pod/ztunnel-5m27h 1/1 Running 0 2m10s - -NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE -daemonset.apps/istio-cni-node 1 1 1 1 1 kubernetes.io/os=linux 2m18s -daemonset.apps/ztunnel 1 1 1 1 1 kubernetes.io/os=linux 2m10s -ENDSNIP - -snip_deploy_the_sample_application_1() { -kubectl apply -f samples/bookinfo/platform/kube/bookinfo.yaml -kubectl apply -f samples/bookinfo/platform/kube/bookinfo-versions.yaml -} - -snip_deploy_the_sample_application_2() { -kubectl apply -f samples/sleep/sleep.yaml -kubectl apply -f samples/sleep/notsleep.yaml -} - -snip_deploy_the_sample_application_3() { -kubectl apply -f samples/bookinfo/gateway-api/bookinfo-gateway.yaml -} - -snip_deploy_the_sample_application_4() { -kubectl annotate gateway bookinfo-gateway networking.istio.io/service-type=ClusterIP --namespace=default -} - -snip_deploy_the_sample_application_5() { -kubectl wait 
--for=condition=programmed gtw/bookinfo-gateway -export GATEWAY_HOST=bookinfo-gateway-istio.default -export GATEWAY_SERVICE_ACCOUNT=ns/default/sa/bookinfo-gateway-istio -} - -snip_verify_traffic_sleep_to_ingress() { -kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o ".*" -} - -! IFS=$'\n' read -r -d '' snip_verify_traffic_sleep_to_ingress_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_verify_traffic_sleep_to_productpage() { -kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o ".*" -} - -! IFS=$'\n' read -r -d '' snip_verify_traffic_sleep_to_productpage_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_verify_traffic_notsleep_to_productpage() { -kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o ".*" -} - -! IFS=$'\n' read -r -d '' snip_verify_traffic_notsleep_to_productpage_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_adding_your_application_to_the_ambient_mesh_1() { -kubectl label namespace default istio.io/dataplane-mode=ambient -} - -! IFS=$'\n' read -r -d '' snip_adding_your_application_to_the_ambient_mesh_1_out <<\ENDSNIP -namespace/default labeled -ENDSNIP - -snip_adding_your_application_to_the_ambient_mesh_2() { -kubectl exec deploy/sleep -- curl -s "http://$GATEWAY_HOST/productpage" | grep -o ".*" -} - -! IFS=$'\n' read -r -d '' snip_adding_your_application_to_the_ambient_mesh_2_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_adding_your_application_to_the_ambient_mesh_3() { -kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o ".*" -} - -! IFS=$'\n' read -r -d '' snip_adding_your_application_to_the_ambient_mesh_3_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_adding_your_application_to_the_ambient_mesh_4() { -kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o ".*" -} - -! 
IFS=$'\n' read -r -d '' snip_adding_your_application_to_the_ambient_mesh_4_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_layer_4_authorization_policy_1() { -kubectl apply -f - <.*" -} - -! IFS=$'\n' read -r -d '' snip_layer_4_authorization_policy_2_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_layer_4_authorization_policy_3() { -# this should succeed -kubectl exec deploy/sleep -- curl -s http://productpage:9080/ | grep -o ".*" -} - -! IFS=$'\n' read -r -d '' snip_layer_4_authorization_policy_3_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_layer_4_authorization_policy_4() { -# this should fail with a connection reset error code 56 -kubectl exec deploy/notsleep -- curl -s http://productpage:9080/ | grep -o ".*" -} - -! IFS=$'\n' read -r -d '' snip_layer_4_authorization_policy_4_out <<\ENDSNIP -command terminated with exit code 56 -ENDSNIP - -snip_layer_7_authorization_policy_1() { -istioctl x waypoint apply --enroll-namespace --wait -} - -! IFS=$'\n' read -r -d '' snip_layer_7_authorization_policy_1_out <<\ENDSNIP -waypoint default/waypoint applied -namespace default labeled with "istio.io/use-waypoint: waypoint" -ENDSNIP - -snip_layer_7_authorization_policy_2() { -kubectl get gtw waypoint -} - -! IFS=$'\n' read -r -d '' snip_layer_7_authorization_policy_2_out <<\ENDSNIP -NAME CLASS ADDRESS PROGRAMMED AGE -waypoint istio-waypoint 10.96.58.95 True 61s -ENDSNIP - -snip_layer_7_authorization_policy_3() { -kubectl apply -f - <.*" -} - -! 
IFS=$'\n' read -r -d '' snip_layer_7_authorization_policy_6_out <<\ENDSNIP -Simple Bookstore App -ENDSNIP - -snip_control_traffic_1() { -kubectl apply -f samples/bookinfo/gateway-api/route-reviews-90-10.yaml -} - -snip_control_traffic_2() { -kubectl exec deploy/sleep -- sh -c "for i in \$(seq 1 100); do curl -s http://productpage:9080/productpage | grep reviews-v.-; done" -} - -snip_uninstall_1() { -kubectl label namespace default istio.io/dataplane-mode- -kubectl label namespace default istio.io/use-waypoint- -} - -snip_uninstall_2() { -istioctl x waypoint delete --all -istioctl uninstall -y --purge -kubectl delete namespace istio-system -} - -snip_uninstall_3() { -kubectl delete -f samples/sleep/sleep.yaml -kubectl delete -f samples/sleep/notsleep.yaml -} - -snip_uninstall_4() { -kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0" | kubectl delete -f - +snip_install_k8s_gateway_api() { +kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \ + { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd/experimental?ref=v1.1.0" | kubectl apply -f -; } } diff --git a/content/en/docs/ambient/getting-started/test.sh b/content/en/docs/ambient/getting-started/test.sh index 5ed8879b72ca3..f9ee4bf9eefbd 100644 --- a/content/en/docs/ambient/getting-started/test.sh +++ b/content/en/docs/ambient/getting-started/test.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # shellcheck disable=SC2154 -# Copyright 2023 Istio Authors +# Copyright 2024 Istio Authors # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -21,61 +21,57 @@ set -e set -u set -o pipefail -# Kubernetes Gateway API CRDs are required by waypoint proxy. -snip_download_and_install_2 +source "content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh" +source "content/en/docs/ambient/getting-started/secure-and-visualize/snips.sh" +source "content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh" +source "content/en/docs/ambient/getting-started/manage-traffic/snips.sh" +source "content/en/docs/ambient/getting-started/cleanup/snips.sh" -# install istio with ambient profile -snip_download_and_install_3 +snip_install_ambient +snip_install_k8s_gateway_api _wait_for_deployment istio-system istiod _wait_for_daemonset istio-system ztunnel _wait_for_daemonset istio-system istio-cni-node -_verify_like snip_download_and_install_5 "$snip_download_and_install_5_out" +snip_deploy_the_bookinfo_application_1 +snip_deploy_bookinfo_gateway +_wait_for_deployment default bookinfo-gateway-istio +snip_annotate_bookinfo_gateway +_wait_for_deployment default bookinfo-gateway-istio +_verify_like snip_deploy_and_configure_the_ingress_gateway_3 "$snip_deploy_and_configure_the_ingress_gateway_3_out" -# deploy test application -snip_deploy_the_sample_application_1 -snip_deploy_the_sample_application_2 +_verify_contains snip_add_bookinfo_to_the_mesh_1 "$snip_add_bookinfo_to_the_mesh_1_out" -snip_deploy_the_sample_application_3 -snip_deploy_the_sample_application_4 -snip_deploy_the_sample_application_5 +snip_deploy_l4_policy +snip_deploy_sleep +_wait_for_deployment default sleep +_verify_contains snip_enforce_layer_4_authorization_policy_3 "$snip_enforce_layer_4_authorization_policy_3_out" -# test traffic before ambient mode is enabled -_verify_contains snip_verify_traffic_sleep_to_ingress "$snip_verify_traffic_sleep_to_ingress_out" -_verify_contains snip_verify_traffic_sleep_to_productpage "$snip_verify_traffic_sleep_to_productpage_out" -_verify_contains snip_verify_traffic_notsleep_to_productpage 
"$snip_verify_traffic_notsleep_to_productpage_out" +snip_deploy_waypoint +_wait_for_deployment default waypoint +_verify_contains snip_deploy_waypoint "$snip_deploy_waypoint_out" -_verify_same snip_adding_your_application_to_the_ambient_mesh_1 "$snip_adding_your_application_to_the_ambient_mesh_1_out" +_verify_like snip_enforce_layer_7_authorization_policy_2 "$snip_enforce_layer_7_authorization_policy_2_out" -# test traffic after ambient mode is enabled -snip_adding_your_application_to_the_ambient_mesh_2 -_verify_contains snip_adding_your_application_to_the_ambient_mesh_3 "$snip_adding_your_application_to_the_ambient_mesh_3_out" -_verify_same snip_adding_your_application_to_the_ambient_mesh_4 "$snip_adding_your_application_to_the_ambient_mesh_4_out" +snip_deploy_l7_policy -snip_layer_4_authorization_policy_1 -_verify_contains snip_layer_4_authorization_policy_2 "$snip_layer_4_authorization_policy_2_out" -_verify_contains snip_layer_4_authorization_policy_3 "$snip_layer_4_authorization_policy_3_out" -_verify_failure snip_layer_4_authorization_policy_4 +_verify_contains snip_enforce_layer_7_authorization_policy_4 "$snip_enforce_layer_7_authorization_policy_4_out" +_verify_contains snip_enforce_layer_7_authorization_policy_5 "$snip_enforce_layer_7_authorization_policy_5_out" +_verify_contains snip_enforce_layer_7_authorization_policy_6 "$snip_enforce_layer_7_authorization_policy_6_out" -_verify_contains snip_layer_7_authorization_policy_1 "$snip_layer_7_authorization_policy_1_out" -_verify_contains snip_layer_7_authorization_policy_2 "True" -snip_layer_7_authorization_policy_3 -_verify_contains snip_layer_7_authorization_policy_4 "$snip_layer_7_authorization_policy_4_out" -_verify_contains snip_layer_7_authorization_policy_5 "$snip_layer_7_authorization_policy_5_out" -_verify_contains snip_layer_7_authorization_policy_6 "$snip_layer_7_authorization_policy_6_out" +snip_deploy_httproute +snip_test_traffic_split -snip_control_traffic_1 - -_verify_lines 
snip_control_traffic_2 " +_verify_lines snip_test_traffic_split " + reviews-v1 + reviews-v2 - reviews-v3 " # @cleanup -snip_uninstall_1 -snip_uninstall_2 -snip_uninstall_3 +snip_remove_the_ambient_and_waypoint_labels_1 +snip_remove_waypoint_proxies_and_uninstall_istio_1 +snip_remove_the_sample_application_1 samples/bookinfo/platform/kube/cleanup.sh -snip_uninstall_4 +snip_remove_the_kubernetes_gateway_api_crds_1 \ No newline at end of file diff --git a/content/en/docs/ambient/usage/extend-waypoint-wasm/index.md b/content/en/docs/ambient/usage/extend-waypoint-wasm/index.md index ef0b174b38b85..e24288317f9bb 100644 --- a/content/en/docs/ambient/usage/extend-waypoint-wasm/index.md +++ b/content/en/docs/ambient/usage/extend-waypoint-wasm/index.md @@ -15,7 +15,7 @@ One of the key advantages of Wasm extensibility is that extensions can be loaded ## Install Ambient Mode and deploy test applications -Follow the [Ambient Getting Started Guide](/docs/ambient/getting-started/#download) to install Istio in ambient mode. Deploy the [sample applications](/docs/ambient/getting-started/#bookinfo) required for exploring waypoint proxy extensibility via Wasm. Make sure to [add the sample applications](/docs/ambient/getting-started/#addtoambient) to the mesh before proceeding further. +Follow the [Ambient Getting Started Guide](/docs/ambient/getting-started) to install Istio in ambient mode. Deploy the [sample applications](/docs/ambient/getting-started/deploy-sample-app) required for exploring waypoint proxy extensibility via Wasm. Make sure to [add the sample applications](/docs/ambient/getting-started/secure-and-visualize) to the mesh before proceeding further. ## Apply Wasm configuration at the Gateway 
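Review bot: The deny case for the L4 policy is no longer asserted: after `snip_deploy_l4_policy` the new side only runs `_verify_contains snip_enforce_layer_4_authorization_policy_3 "$snip_enforce_layer_4_authorization_policy_3_out"`, whereas the old flow also ran `_verify_failure snip_layer_4_authorization_policy_4` for the `notsleep` identity that the policy is supposed to reject. If `_3` is the allowed path (its name and the `_verify_contains` form suggest so, but its definition lives in enforce-auth-policies/snips.sh outside this diff), this test passes even when the policy denies nothing, so a `_verify_failure` on the matching deny snip should be restored. Separately, `snip_deploy_waypoint` is executed twice — once bare and again inside `_verify_contains snip_deploy_waypoint "$snip_deploy_waypoint_out"` — so `snip_deploy_waypoint_out` must also match the output of re-applying an existing waypoint, or the first call should be dropped. The file now also ends without a trailing newline (`\ No newline at end of file`).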
@@ -29,8 +29,8 @@ To configure a WebAssembly filter with a remote Wasm module, create a `WasmPlugi {{< text bash >}} $ kubectl get gateway -NAME CLASS ADDRESS PROGRAMMED AGE -bookinfo-gateway istio 172.18.7.110 True 23h +NAME CLASS ADDRESS PROGRAMMED AGE +bookinfo-gateway istio bookinfo-gateway-istio.default.svc.cluster.local True 42m {{< /text >}} {{< text bash >}} @@ -66,14 +66,14 @@ The Istio agent will interpret the WasmPlugin configuration, download remote Was 1. Test `/productpage` without credentials {{< text bash >}} - $ kubectl exec deploy/sleep -- curl -s -w "%{http_code}" -o /dev/null "http://$GATEWAY_HOST/productpage" + $ kubectl exec deploy/sleep -- curl -s -w "%{http_code}" -o /dev/null "http://bookinfo-gateway-istio.default.svc.cluster.local/productpage" 401 {{< /text >}} 1. Test `/productpage` with credentials configured in the WasmPlugin resource {{< text bash >}} - $ kubectl exec deploy/sleep -- curl -s -o /dev/null -H "Authorization: Basic YWRtaW4zOmFkbWluMw==" -w "%{http_code}" "http://$GATEWAY_HOST/productpage" + $ kubectl exec deploy/sleep -- curl -s -o /dev/null -H "Authorization: Basic YWRtaW4zOmFkbWluMw==" -w "%{http_code}" "http://bookinfo-gateway-istio.default.svc.cluster.local/productpage" 200 {{< /text >}} @@ -102,9 +102,9 @@ To configure a WebAssembly filter with a remote Wasm module, create a `WasmPlugi {{< text bash >}} $ kubectl get gateway -NAME CLASS ADDRESS PROGRAMMED AGE -bookinfo-gateway istio 172.18.7.110 True 23h -waypoint istio-waypoint 10.96.202.82 True 21h +NAME CLASS ADDRESS PROGRAMMED AGE +bookinfo-gateway istio bookinfo-gateway-istio.default.svc.cluster.local True 23h +waypoint istio-waypoint 10.96.202.82 True 21h {{< /text >}} {{< text bash >}} diff --git a/content/en/docs/ambient/usage/extend-waypoint-wasm/snips.sh b/content/en/docs/ambient/usage/extend-waypoint-wasm/snips.sh index f897af35a0180..b76d94d079e02 100644 --- a/content/en/docs/ambient/usage/extend-waypoint-wasm/snips.sh 
+++ b/content/en/docs/ambient/usage/extend-waypoint-wasm/snips.sh @@ -25,8 +25,8 @@ kubectl get gateway } ! IFS=$'\n' read -r -d '' snip_configure_wasmplugin_for_gateway_1_out <<\ENDSNIP -NAME CLASS ADDRESS PROGRAMMED AGE -bookinfo-gateway istio 172.18.7.110 True 23h +NAME CLASS ADDRESS PROGRAMMED AGE +bookinfo-gateway istio bookinfo-gateway-istio.default.svc.cluster.local True 42m ENDSNIP snip_configure_wasmplugin_for_gateway_2() { @@ -55,7 +55,7 @@ EOF } snip_verify_the_traffic_via_the_gateway_1() { -kubectl exec deploy/sleep -- curl -s -w "%{http_code}" -o /dev/null "http://$GATEWAY_HOST/productpage" +kubectl exec deploy/sleep -- curl -s -w "%{http_code}" -o /dev/null "http://bookinfo-gateway-istio.default.svc.cluster.local/productpage" } ! IFS=$'\n' read -r -d '' snip_verify_the_traffic_via_the_gateway_1_out <<\ENDSNIP @@ -63,7 +63,7 @@ kubectl exec deploy/sleep -- curl -s -w "%{http_code}" -o /dev/null "http://$GAT ENDSNIP snip_verify_the_traffic_via_the_gateway_2() { -kubectl exec deploy/sleep -- curl -s -o /dev/null -H "Authorization: Basic YWRtaW4zOmFkbWluMw==" -w "%{http_code}" "http://$GATEWAY_HOST/productpage" +kubectl exec deploy/sleep -- curl -s -o /dev/null -H "Authorization: Basic YWRtaW4zOmFkbWluMw==" -w "%{http_code}" "http://bookinfo-gateway-istio.default.svc.cluster.local/productpage" } ! IFS=$'\n' read -r -d '' snip_verify_the_traffic_via_the_gateway_2_out <<\ENDSNIP @@ -87,9 +87,9 @@ kubectl get gateway } ! IFS=$'\n' read -r -d '' snip_apply_wasmplugin_at_waypoint_proxy_1_out <<\ENDSNIP -NAME CLASS ADDRESS PROGRAMMED AGE -bookinfo-gateway istio 172.18.7.110 True 23h -waypoint istio-waypoint 10.96.202.82 True 21h +NAME CLASS ADDRESS PROGRAMMED AGE +bookinfo-gateway istio bookinfo-gateway-istio.default.svc.cluster.local True 23h +waypoint istio-waypoint 10.96.202.82 True 21h ENDSNIP snip_apply_wasmplugin_at_waypoint_proxy_2() { 
diff --git a/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh b/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh index e3a46f9216ee5..aa5549e051e1f 100644 --- a/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh +++ b/content/en/docs/ambient/usage/extend-waypoint-wasm/test.sh 
@@ -22,35 +22,34 @@ set -u set -o pipefail source "content/en/docs/ambient/getting-started/snips.sh" +source "content/en/docs/ambient/getting-started/secure-and-visualize/snips.sh" +source "content/en/docs/ambient/getting-started/enforce-auth-policies/snips.sh" +source "content/en/docs/ambient/getting-started/manage-traffic/snips.sh" +source "content/en/docs/ambient/getting-started/deploy-sample-app/snips.sh" +source "content/en/docs/ambient/getting-started/cleanup/snips.sh" # Kubernetes Gateway API CRDs are required by waypoint proxy. -snip_download_and_install_2 +snip_install_k8s_gateway_api # install istio with ambient profile -snip_download_and_install_3 +snip_install_ambient _wait_for_deployment istio-system istiod _wait_for_daemonset istio-system ztunnel _wait_for_daemonset istio-system istio-cni-node -_verify_like snip_download_and_install_5 "$snip_download_and_install_5_out" - # deploy test application -snip_deploy_the_sample_application_1 -snip_deploy_the_sample_application_2 +snip_deploy_the_bookinfo_application_1 +snip_deploy_sleep -snip_deploy_the_sample_application_3 -snip_deploy_the_sample_application_5 +snip_deploy_bookinfo_gateway +_wait_for_deployment default bookinfo-gateway-istio +snip_annotate_bookinfo_gateway +_wait_for_deployment default bookinfo-gateway-istio +_verify_like snip_deploy_and_configure_the_ingress_gateway_3 "$snip_deploy_and_configure_the_ingress_gateway_3_out" # adding applications to ambient mesh -_verify_same snip_adding_your_application_to_the_ambient_mesh_1 "$snip_adding_your_application_to_the_ambient_mesh_1_out" - -# ambient mode enabled -snip_adding_your_application_to_the_ambient_mesh_2 - -# test traffic after ambient mode is enabled -_verify_contains snip_adding_your_application_to_the_ambient_mesh_3 "$snip_adding_your_application_to_the_ambient_mesh_3_out" -_verify_same snip_adding_your_application_to_the_ambient_mesh_4 "$snip_adding_your_application_to_the_ambient_mesh_4_out" +_verify_contains 
snip_add_bookinfo_to_the_mesh_1 "$snip_add_bookinfo_to_the_mesh_1_out" # Display existing gateways and verify output _verify_like snip_configure_wasmplugin_for_gateway_1 "$snip_configure_wasmplugin_for_gateway_1_out" @@ -59,7 +58,7 @@ _verify_like snip_configure_wasmplugin_for_gateway_1 "$snip_configure_wasmplugin snip_configure_wasmplugin_for_gateway_2 # verify traffic via gateway -_verify_same snip_verify_the_traffic_via_the_gateway_1 "$snip_verify_the_traffic_via_the_gateway_1_out" +_verify_same snip_verify_the_traffic_via_the_gateway_1 "$snip_verify_the_traffic_via_the_gateway_2_out" _verify_same snip_verify_the_traffic_via_the_gateway_2 "$snip_verify_the_traffic_via_the_gateway_2_out" # Deploy a waypoint proxy @@ -91,8 +90,8 @@ _verify_same snip_verify_the_traffic_targeting_the_service_3 "$snip_verify_the_t # @cleanup snip_cleanup_1 -snip_uninstall_1 -snip_uninstall_2 -snip_uninstall_3 +snip_remove_the_ambient_and_waypoint_labels_1 +snip_remove_waypoint_proxies_and_uninstall_istio_1 +snip_remove_the_sample_application_1 samples/bookinfo/platform/kube/cleanup.sh -snip_uninstall_4 +snip_remove_the_kubernetes_gateway_api_crds_1 diff --git a/scripts/snip.py b/scripts/snip.py index 9415e61babe2d..0be12b26b478c 100644 --- a/scripts/snip.py +++ b/scripts/snip.py @@ -78,7 +78,7 @@ if args.snipfile: snipfile = args.snipfile else: - snipfile = "snips.sh" if markdown.split('/')[-1] == "index.md" else markdown.split('/')[-1] + "_snips.sh" + snipfile = "snips.sh" if (markdown.split('/')[-1] == "index.md" or markdown.split('/')[-1] == "_index.md") else markdown.split('/')[-1] + "_snips.sh" print("generating snips: " + os.path.join(snipdir, snipfile))
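Review bot: The new assertion compares the wrong expected output: `_verify_same snip_verify_the_traffic_via_the_gateway_1 "$snip_verify_the_traffic_via_the_gateway_2_out"` checks the request made without credentials (snip `_1`, documented in this PR's index.md hunk as returning `401`) against the expected output of the credentialed request (`_2_out`, documented as `200`). Unless `_1_out` was changed elsewhere, the test either fails or passes only when the Wasm basic-auth plugin is not enforcing at the gateway, which is the opposite of what the step is meant to prove. It should read `_verify_same snip_verify_the_traffic_via_the_gateway_1 "$snip_verify_the_traffic_via_the_gateway_1_out"`, which this diff shows is still defined in extend-waypoint-wasm/snips.sh. The surrounding test body extends beyond this hunk.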
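Review bot: The new condition evaluates `markdown.split('/')[-1]` three times on one long line, which makes the rule (index pages get a plain `snips.sh`) hard to read and to extend. A membership test on the basename is clearer: `basename = os.path.basename(markdown)` followed by `snipfile = "snips.sh" if basename in ("index.md", "_index.md") else basename + "_snips.sh"`. `os` is already used on the following `print` line, and `os.path.basename` is equivalent to the `split('/')[-1]` form for the `/`-separated paths this script handles. The enclosing `if args.snipfile` / `else` block begins before this hunk.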