tasks/egress: document TLS origination with BackendTLSPolicy

content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md

@@ -114,10 +114,9 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina
 
 ## TLS origination for egress traffic
 
-1.  Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443
-    and add a `DestinationRule` to perform TLS origination:
+1.  Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443:
 
-    {{< text syntax=bash snip_id=apply_origination >}}
+    {{< text syntax=bash snip_id=apply_origination_serviceentry >}}
     $ kubectl apply -f - <<EOF
     apiVersion: networking.istio.io/v1
     kind: ServiceEntry
@@ -135,24 +134,63 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina
         name: https-port
         protocol: HTTPS
       resolution: DNS
-    ---
-    apiVersion: networking.istio.io/v1
-    kind: DestinationRule
-    metadata:
-      name: edition-cnn-com
-    spec:
-      host: edition.cnn.com
-      trafficPolicy:
-        portLevelSettings:
-        - port:
-            number: 80
-          tls:
-            mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
     EOF
     {{< /text >}}
 
-    The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry`
-    will then redirect the requests on port 80 to target port 443.
+1.  Add a policy to perform TLS origination:
+
+{{< tabset category-name="tls-origination" >}}
+
+{{< tab name="Istio API" category-value="istio-api" >}}
+
+{{< text syntax=bash snip_id=apply_origination_destinationrule >}}
+$ kubectl apply -f - <<EOF
+apiVersion: networking.istio.io/v1
+kind: DestinationRule
+metadata:
+  name: edition-cnn-com
+spec:
+  host: edition.cnn.com
+  trafficPolicy:
+    portLevelSettings:
+    - port:
+        number: 80
+      tls:
+        mode: SIMPLE # initiates HTTPS when accessing edition.cnn.com
+EOF
+{{< /text >}}
+
+The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry`
+will then redirect the requests on port 80 to target port 443.
+
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text syntax=bash snip_id=apply_origination_backendtlspolicy >}}
+$ kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  name: edition-cnn-com
+spec:
+  targetRefs:
+  - group: networking.istio.io
+    kind: ServiceEntry
+    name: edition-cnn-com
+    sectionName: http-port
+  validation:
+    hostname: edition.cnn.com
+    wellKnownCACertificates: System
+EOF
+{{< /text >}}
+
+The above `BackendTLSPolicy` will perform TLS origination for HTTP requests on the `http` port and the `ServiceEntry`
+will then redirect the requests on port 80 to target port 443.
+
+{{< /tab >}}
+
+{{< /tabset >}}
 
 1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section:
 
@@ -198,11 +236,28 @@ topics and articles but does not prevent attackers from learning that `edition.c
 
 Remove the Istio configuration items you created:
 
+{{< tabset category-name="cleanup-tls-origination" >}}
+
+{{< tab name="Istio API" category-value="istio-api" >}}
+
 {{< text bash >}}
 $ kubectl delete serviceentry edition-cnn-com
 $ kubectl delete destinationrule edition-cnn-com
 {{< /text >}}
 
+{{< /tab >}}
+
+{{< tab name="Gateway API" category-value="gateway-api" >}}
+
+{{< text bash >}}
+$ kubectl delete serviceentry edition-cnn-com
+$ kubectl delete backendtlspolicy edition-cnn-com
+{{< /text >}}
+
+{{< /tab >}}
+
+{{< /tabset >}}
+
 ## Mutual TLS origination for egress traffic
 
 This section describes how to configure a sidecar to perform TLS origination for an external service, this time using a

content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh

@@ -66,7 +66,7 @@ HTTP/2 200
 ...
 ENDSNIP
 
-snip_apply_origination() {
+snip_apply_origination_serviceentry() {
 kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1
 kind: ServiceEntry
@@ -84,7 +84,11 @@ spec:
     name: https-port
     protocol: HTTPS
   resolution: DNS
----
+EOF
+}
+
+snip_apply_origination_destinationrule() {
+kubectl apply -f - <<EOF
 apiVersion: networking.istio.io/v1
 kind: DestinationRule
 metadata:
@@ -100,6 +104,24 @@ spec:
 EOF
 }
 
+snip_apply_origination_backendtlspolicy() {
+kubectl apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  name: edition-cnn-com
+spec:
+  targetRefs:
+  - group: networking.istio.io
+    kind: ServiceEntry
+    name: edition-cnn-com
+    sectionName: http-port
+  validation:
+    hostname: edition.cnn.com
+    wellKnownCACertificates: System
+EOF
+}
+
 snip_curl_origination_http() {
 kubectl exec "${SOURCE_POD}" -c curl -- curl -sSL -o /dev/null -D - http://edition.cnn.com/politics
 }
@@ -123,6 +145,11 @@ kubectl delete serviceentry edition-cnn-com
 kubectl delete destinationrule edition-cnn-com
 }
 
+snip_cleanup_the_tls_origination_configuration_2() {
+kubectl delete serviceentry edition-cnn-com
+kubectl delete backendtlspolicy edition-cnn-com
+}
+
 snip_generate_client_and_server_certificates_and_keys_1() {
 openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example.com.key -out example.com.crt
 }