istio
diff --git a/‎.gitignore
Lines changed: 6 additions & 0 deletions b/‎.gitignore
Lines changed: 6 additions & 0 deletions
diff --git a/‎.spelling
Lines changed: 1 addition & 0 deletions b/‎.spelling
Lines changed: 1 addition & 0 deletions
diff --git a/‎content/en/docs/ambient/install/multicluster/_index.md
Lines changed: 17 additions & 14 deletions b/‎content/en/docs/ambient/install/multicluster/_index.md
Lines changed: 17 additions & 14 deletions
diff --git a/‎content/en/docs/ambient/install/multicluster/before-you-begin/index.md
Lines changed: 2 additions & 6 deletions b/‎content/en/docs/ambient/install/multicluster/before-you-begin/index.md
Lines changed: 2 additions & 6 deletions
diff --git a/‎content/en/docs/ambient/install/multicluster/common.sh
Lines changed: 7 additions & 0 deletions b/‎content/en/docs/ambient/install/multicluster/common.sh
Lines changed: 7 additions & 0 deletions
diff --git a/‎content/en/docs/ambient/install/multicluster/multi-primary_multi-network/helm_test.sh
Lines changed: 23 additions & 12 deletions b/‎content/en/docs/ambient/install/multicluster/multi-primary_multi-network/helm_test.sh
Lines changed: 23 additions & 12 deletions
@@ -41,3 +41,9 @@ archived_version
 
 # Local Netlify folder
 .netlify
+
+# Local artifacts when running tests
+artifacts
+
+# Certs generated during tests
+certs
@@ -704,6 +704,7 @@ ISTIO-SECURITY-2024-007
 istio-system
 istio.io
 istio.io.
+istio.io/rev
 IstioBirthday
 IstioCon
 istioctl
 
@@ -32,42 +32,45 @@ the current state and limitations of this feature:
 
 ### Supported Configurations
 
-Currently, ambient multicluster **only supports**:
-- **Multi-network topologies** with multiple primary clusters
-- **Double HBONE encapsulation** for cross-cluster traffic
+Currently, ambient multicluster only supports:
+- **Multi-network topologies** with each cluster acting as a primary cluster.
 - **Universal waypoint deployments** across all clusters with identical names
 
 ### Critical Limitations
 
 #### Network Topology Restrictions
-- **Multi-cluster single-network configurations are untested, broken, and pre-experimental**
-  - Do not attempt to deploy ambient across clusters that share the same network
+
+**Multi-cluster single-network configurations are untested, and may be broken**
+  - Use caution when deploying ambient across clusters that share the same network
   - Only multi-network configurations are supported
 
-#### Control Plane Limitations  
-- **Primary remote configuration is not currently supported**
+#### Control Plane Limitations
+
+**Primary remote configuration is not currently supported**
   - You can only have multiple primary clusters
   - Configurations with one or more remote clusters will not work correctly
 
 #### Waypoint Requirements
-- **Universal waypoint deployments are assumed across clusters**
+
+**Universal waypoint deployments are assumed across clusters**
   - All clusters must have identically named waypoint deployments
-  - Waypoint configurations must be synchronized manually across clusters
+  - Waypoint configurations must be synchronized manually across clusters (e.g. using Flux, ArgoCD, or similar tools)
   - Traffic routing relies on consistent waypoint naming conventions
 
 #### Service Visibility and Scoping
-- **Service scope configurations are not read from across clusters**
+
+**Service scope configurations are not read from across clusters**
   - Only the local cluster's service scope configuration is used as the source of truth
-  - Remote cluster service scopes are ignored, which can lead to unexpected traffic behavior
+  - Remote cluster service scopes are not respected, which can lead to unexpected traffic behavior
   - Cross-cluster service discovery may not respect intended service boundaries
 
 #### Gateway Limitations
-- **Ambient east-west gateways only support double HBONE**
-  - Cannot expose `istiod` across networks using ambient east-west gateways
 
+**Ambient east-west gateways only support double HBONE**
+  - Cannot expose `istiod` across networks using ambient east-west gateways
 
 {{< tip >}}
 As ambient multicluster matures, many of these limitations will be addressed.
-Check the [Istio release notes](https://istio.io/latest/news/) for updates on
+Check the [Istio release notes](https://istio.io/news/) for updates on
 ambient multicluster capabilities.
 {{< /tip >}}
@@ -26,7 +26,7 @@ This guide requires that you have two Kubernetes clusters with any of the
 
 The API Server in each cluster must be accessible to the other clusters in the
 mesh. Many cloud providers make API Servers publicly accessible via network
-load balancers (NLB). The ambient east-west gateway cannot be used to expose 
+load balancers (NLB). The ambient east-west gateway cannot be used to expose
 the API server as it only supports double HBONE traffic. A non-ambient
 [east-west](https://en.wikipedia.org/wiki/East-west_traffic) gateway could be
 used to enable access to the API Server.
@@ -75,11 +75,7 @@ below may have to be altered based on your choice of CA.
 
 ## Next steps
 
-You're now ready to install an Istio ambient mesh across multiple clusters. The
-particular steps will depend on your requirements for network and
-control plane topology.
-
-Choose the installation that best fits your needs:
+You're now ready to install an Istio ambient mesh across multiple clusters.
 
 - [Install Multi-Primary on Different Networks](/docs/ambient/install/multicluster/multi-primary_multi-network)
 
 
@@ -81,6 +81,7 @@ function cleanup_istioctl
   cleanup_cluster1_istioctl &
   cleanup_cluster2_istioctl &
   wait
+  snip_delete_crds
 }
 
 # cleanup_cluster1_istioctl removes the istio-system and sample namespaces on CLUSTER1 with istioctl.
@@ -123,6 +124,12 @@ function verify_load_balancing
   _wait_for_deployment sample helloworld-v2 "${CTX_CLUSTER2}"
   _wait_for_deployment sample curl "${CTX_CLUSTER2}"
 
+  # Expose the helloworld service in both clusters.
+  echo "Exposing helloworld in cluster1"
+  kubectl --context="${CTX_CLUSTER1}" label svc helloworld -n sample istio.io/global="true"
+  echo "Exposing helloworld in cluster2"
+  kubectl --context="${CTX_CLUSTER2}" label svc helloworld -n sample istio.io/global="true"
+
   # Verify everything is deployed as expected.
   VERIFY_TIMEOUT=0 # Don't retry.
   echo "Verifying helloworld v1 deployment"
 
@@ -21,38 +21,52 @@ set -e
 set -u
 set -o pipefail
 
-source content/en/docs/setup/install/multicluster/common.sh
+source content/en/docs/ambient/install/multicluster/common.sh
+source "tests/util/gateway-api.sh"
+
 set_multi_network_vars
 setup_helm_repo
 
 function install_istio_on_cluster1_helm {
+    echo "Installing Gateway API CRDs on Primary cluster: ${CTX_CLUSTER1}"
+    install_gateway_api_crds "${CTX_CLUSTER1}"
+
     echo "Installing Istio on Primary cluster: ${CTX_CLUSTER1}"
 
     snip_set_the_default_network_for_cluster1_1
 
-    snip_configure_cluster1_as_a_primary_3
-    snip_configure_cluster1_as_a_primary_4
+    _rewrite_helm_repo snip_configure_cluster1_as_a_primary_3
+    _rewrite_helm_repo snip_configure_cluster1_as_a_primary_4
+    _rewrite_helm_repo snip_install_cni_cluster1
+    _rewrite_helm_repo snip_install_ztunnel_cluster1
 
     echo "Creating the east-west gateway"
-    snip_install_the_eastwest_gateway_in_cluster1_2
+    snip_install_the_eastwest_gateway_2
+    snip_install_the_eastwest_gateway_3
 
     echo "Waiting for the east-west gateway to have an external IP"
-    _verify_like snip_install_the_eastwest_gateway_in_cluster1_3 "$snip_install_the_eastwest_gateway_in_cluster1_3_out"
+    _verify_like snip_install_the_eastwest_gateway_4 "$snip_install_the_eastwest_gateway_4_out"
 }
 
 function install_istio_on_cluster2_helm {
+    echo "Installing Gateway API CRDs on Primary cluster: ${CTX_CLUSTER2}"
+    install_gateway_api_crds "${CTX_CLUSTER2}"
+
     echo "Installing Istio on Primary cluster: ${CTX_CLUSTER2}"
 
     snip_set_the_default_network_for_cluster2_1
 
-    snip_configure_cluster2_as_a_primary_3
-    snip_configure_cluster2_as_a_primary_4
+    _rewrite_helm_repo snip_configure_cluster2_as_a_primary_3
+    _rewrite_helm_repo snip_configure_cluster2_as_a_primary_4
+    _rewrite_helm_repo snip_install_cni_cluster2
+    _rewrite_helm_repo snip_install_ztunnel_cluster2
 
     echo "Creating the east-west gateway"
     snip_install_the_eastwest_gateway_in_cluster2_2
+    snip_install_the_eastwest_gateway_in_cluster2_3
 
     echo "Waiting for the east-west gateway to have an external IP"
-    _verify_like snip_install_the_eastwest_gateway_in_cluster2_3 "$snip_install_the_eastwest_gateway_in_cluster2_3_out"
+    _verify_like snip_install_the_eastwest_gateway_in_cluster2_4 "$snip_install_the_eastwest_gateway_in_cluster2_4_out"
 }
 
 function install_istio_helm {
@@ -68,11 +82,7 @@ function enable_endpoint_discovery {
   snip_enable_endpoint_discovery_2
 }
 
-function delete_crds_cluster_1() {
-kubectl get crd -oname --context "${CTX_CLUSTER1}" | grep --color=never 'istio.io' | xargs kubectl delete --context "${CTX_CLUSTER1}"
-}
 
-time delete_crds_cluster_1
 time configure_trust
 time install_istio_helm
 time enable_endpoint_discovery
@@ -98,6 +108,7 @@ function cleanup_helm {
   cleanup_cluster1_helm
   cleanup_cluster2_helm
   snip_delete_crds
+  snip_delete_gateway_crds
 }
 
 time cleanup_helm