From ec50a8cbd4b467f8dad80c70d59e4f72b9aefbf3 Mon Sep 17 00:00:00 2001 From: Jacek Ewertowski Date: Fri, 17 Oct 2025 23:44:05 +0200 Subject: [PATCH 1/3] tasks/egress: document TLS origination with BackendTLSPolicy Signed-off-by: Jacek Ewertowski --- .../egress/egress-tls-origination/index.md | 63 +++++++++++++++++-- .../egress/egress-tls-origination/snips.sh | 31 ++++++++- 2 files changed, 88 insertions(+), 6 deletions(-) diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md index 99abeb4f997d1..b7c4f62f0f423 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md 
@@ -114,10 +114,9 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina ## TLS origination for egress traffic -1. Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443 - and add a `DestinationRule` to perform TLS origination: +1. Redefine your `ServiceEntry` from the previous section to redirect HTTP requests to port 443: - {{< text syntax=bash snip_id=apply_origination >}} + {{< text syntax=bash snip_id=apply_origination_serviceentry >}} $ kubectl apply -f - <}} + +1. Add a policy to perform TLS origination: + + {{< tabset category-name="tls-origination" >}} + + {{< tab name="Istio API" category-value="istio-api" >}} + + {{< text syntax=bash snip_id=apply_origination_destinationrule >}} + $ kubectl apply -f - <}} + + {{< tab name="Gateway API" category-value="gateway-api" >}} + + {{< text syntax=bash snip_id=apply_origination_backendtlspolicy >}} + $ kubectl apply -f - <}} + + The above `BackendTLSPolicy` will perform TLS origination for HTTP requests on the `http` port and the `ServiceEntry` + will then redirect the requests on port 80 to target port 443. + + {{< /tab >}} + + {{< /tabset >}} + 1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section: {{< text syntax=bash snip_id=curl_origination_http >}} 
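Review bot: the Gateway API tab in this hunk explains what the `BackendTLSPolicy` does ("will perform TLS origination for HTTP requests on the `http` port") but says nothing about how the originated connection is validated, i.e. which hostname the upstream server certificate must match and which CA bundle is trusted; that validation is the security-relevant difference between TLS origination and a plain port-80-to-443 redirect, so one sentence after the snippet stating it would help readers choosing between the two tabs. The two tab descriptions also word the same behaviour differently ("on port 80" for the `DestinationRule` tab elsewhere in the series, "on the `http` port" here); align them so the reader does not wonder whether the policies differ.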
@@ -198,11 +236,28 @@ topics and articles but does not prevent attackers from learning that `edition.c Remove the Istio configuration items you created: +{{< tabset category-name="cleanup-tls-origination" >}} + +{{< tab name="Istio API" category-value="istio-api" >}} + {{< text bash >}} $ kubectl delete serviceentry edition-cnn-com $ kubectl delete destinationrule edition-cnn-com {{< /text >}} +{{< /tab >}} + +{{< tab name="Gateway API" category-value="gateway-api" >}} + +{{< text bash >}} +$ kubectl delete serviceentry edition-cnn-com +$ kubectl delete backendtlspolicy edition-cnn-com +{{< /text >}} + +{{< /tab >}} + +{{< /tabset >}} + ## Mutual TLS origination for egress traffic This section describes how to configure a sidecar to perform TLS origination for an external service, this time using a diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh index 26a8a1967c612..31d5cad19364e 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/snips.sh @@ -66,7 +66,7 @@ HTTP/2 200 ... ENDSNIP -snip_apply_origination() { +snip_apply_origination_serviceentry() { kubectl apply -f - < Date: Sat, 18 Oct 2025 00:05:41 +0200 Subject: [PATCH 2/3] Try to fix broken indentation in rendered code blocks Signed-off-by: Jacek Ewertowski --- .../egress/egress-tls-origination/index.md | 86 +++++++++---------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md index b7c4f62f0f423..5a27be169d221 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md 
@@ -139,58 +139,58 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina 1. Add a policy to perform TLS origination: - {{< tabset category-name="tls-origination" >}} +{{< tabset category-name="tls-origination" >}} - {{< tab name="Istio API" category-value="istio-api" >}} +{{< tab name="Istio API" category-value="istio-api" >}} - {{< text syntax=bash snip_id=apply_origination_destinationrule >}} - $ kubectl apply -f - <}} +{{< text syntax=bash snip_id=apply_origination_destinationrule >}} +$ kubectl apply -f - <}} - The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry` - will then redirect the requests on port 80 to target port 443. +The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry` +will then redirect the requests on port 80 to target port 443. - {{< /tab >}} +{{< /tab >}} - {{< tab name="Gateway API" category-value="gateway-api" >}} +{{< tab name="Gateway API" category-value="gateway-api" >}} - {{< text syntax=bash snip_id=apply_origination_backendtlspolicy >}} - $ kubectl apply -f - <}} +{{< text syntax=bash snip_id=apply_origination_backendtlspolicy >}} +$ kubectl apply -f - <}} - The above `BackendTLSPolicy` will perform TLS origination for HTTP requests on the `http` port and the `ServiceEntry` - will then redirect the requests on port 80 to target port 443. +The above `BackendTLSPolicy` will perform TLS origination for HTTP requests on the `http` port and the `ServiceEntry` +will then redirect the requests on port 80 to target port 443. - {{< /tab >}} +{{< /tab >}} - {{< /tabset >}} +{{< /tabset >}} 1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section: From 4e5fe85e471b6ded2668c5dcd7b4b9958c256527 Mon Sep 17 00:00:00 2001 
From: Jacek Ewertowski Date: Wed, 5 Nov 2025 11:13:14 +0100 Subject: [PATCH 3/3] Revert "Try to fix broken indentation in rendered code blocks" This reverts commit d70dc6a106ac2c0fcb5a7cd71450df8de7b41a04. --- .../egress/egress-tls-origination/index.md | 86 +++++++++---------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md index 5a27be169d221..b7c4f62f0f423 100644 --- a/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md +++ b/content/en/docs/tasks/traffic-management/egress/egress-tls-origination/index.md 
@@ -139,58 +139,58 @@ Both of these issues can be resolved by configuring Istio to perform TLS origina 1. Add a policy to perform TLS origination: -{{< tabset category-name="tls-origination" >}} + {{< tabset category-name="tls-origination" >}} -{{< tab name="Istio API" category-value="istio-api" >}} + {{< tab name="Istio API" category-value="istio-api" >}} -{{< text syntax=bash snip_id=apply_origination_destinationrule >}} -$ kubectl apply -f - <}} + {{< text syntax=bash snip_id=apply_origination_destinationrule >}} + $ kubectl apply -f - <}} -The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry` -will then redirect the requests on port 80 to target port 443. + The above `DestinationRule` will perform TLS origination for HTTP requests on port 80 and the `ServiceEntry` + will then redirect the requests on port 80 to target port 443. -{{< /tab >}} + {{< /tab >}} -{{< tab name="Gateway API" category-value="gateway-api" >}} + {{< tab name="Gateway API" category-value="gateway-api" >}} -{{< text syntax=bash snip_id=apply_origination_backendtlspolicy >}} -$ kubectl apply -f - <}} + {{< text syntax=bash snip_id=apply_origination_backendtlspolicy >}} + $ kubectl apply -f - <}} -The above `BackendTLSPolicy` will perform TLS origination for HTTP requests on the `http` port and the `ServiceEntry` -will then redirect the requests on port 80 to target port 443. + The above `BackendTLSPolicy` will perform TLS origination for HTTP requests on the `http` port and the `ServiceEntry` + will then redirect the requests on port 80 to target port 443. -{{< /tab >}} + {{< /tab >}} -{{< /tabset >}} + {{< /tabset >}} 1. Send an HTTP request to `http://edition.cnn.com/politics`, as in the previous section:
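Review bot: in the cleanup hunk of `index.md` in patch 1/3 (`@@ -198,11 +236,28 @@`), the new tabset uses `category-name="cleanup-tls-origination"` while the setup tabset uses `category-name="tls-origination"`; if the shortcode keys remembered tab selection on that name, the two will not stay in sync and a reader who followed the Gateway API tab may be shown the `destinationrule` cleanup commands. Suggest reusing `category-name="tls-origination"` so the setup and cleanup tabs select together.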
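Review bot: the `snips.sh` hunk in patch 1/3 renames `snip_apply_origination()` to `snip_apply_origination_serviceentry()`, but the diffstat lists only `index.md` and `snips.sh` as changed; if a test script in this task directory calls `snip_apply_origination`, it needs updating in the same change or the test will fail with an undefined function. Please confirm there are no remaining callers, and that functions for the two new snip ids introduced in `index.md` (`apply_origination_destinationrule` and `apply_origination_backendtlspolicy`) are present in the regenerated `snips.sh`.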
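Review bot: the `index.md` hunk in patch 2/3 removes the four-space indentation from the whole tabset that sits inside the numbered list item "Add a policy to perform TLS origination"; in Markdown, continuation content of a list item has to be indented, so de-indenting it moves the tabset out of the item and the following "1. Send an HTTP request" starts a new list, which is presumably why 3/3 reverts it. If the rendered code blocks show the extra leading spaces, the fix belongs in the snippet text inside the `{{< text >}}` blocks rather than in the list structure; the commit message should also say what rendered wrong, since "Try to fix broken indentation" does not tell a reader which output was broken.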
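Review bot: the hunk in patch 3/3 is an exact revert of 2/3 (43 insertions and 43 deletions each way, and the `index` lines show blob `b7c4f62f0f423` going to `5a27be169d221` and back), so the series as posted lands the same tree as 1/3 alone while adding two commits of noise to history. Suggest dropping both 2/3 and 3/3 before merge, or squashing the series to the single documentation commit.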