We're missing a step before this one: mounting the CA cert from the ConfigMap into the gateway pods: https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/user-guides/auth/x509-tier2-provider-specific.md#step-4-mount-ca-certificate-into-gateway-pods

Ah, but that appears to be something we would not do manually on core OpenShift (your own warning there). Should we instead show the Gateway using clientCertificateRefs in an Istio setup? Alternately, should we use a passthrough route for clusters that are using standard OpenShift ingress + Connectivity Link?

IDK for sure, but I was wondering about the instructions to create a TLS-enabled gateway anyway.

The upstream user guide provides top-to-bottom instructions to enable this feature, from defining a gateway, to testing the authentication using a test client cert. We have documentation about how to enable TLS on a Gateway using the TLSPolicy. For the "Using X.509 cryptographic identity verification" guide, because this is focused on Tier 2, if you prefer, we could skip the procedure for defining the Gateway object, which includes the cert-manager CR and the TLSPolicy, to just refer to this other doc and mention that gateway is assumed to be called mtls-gateway, in the gateway-system namespace, for the next steps.

Please let me know what you prefer.

This content is from Step 3, https://github.com/Kuadrant/kuadrant-operator/blob/main/doc/user-guides/auth/x509-tier2-provider-specific.md#step-3-configure-gateway. I just pulled in the YAMLs from the link.

I'm pretty sure we don't give instructions anywhere in the current docs for the cert-manager CR. We probably want it here, right?

The cert-manager CR is only for the TLSPolicy to work. If we have a page where we explain about the TLSPolicy and how to use it, that's the one.

Do we always need cert-manager for all TLSPolicies? This is the existing doc: https://docs.redhat.com/en/documentation/red_hat_connectivity_link/1.3/html/deploying_red_hat_connectivity_link/rhcl-config-deploy-gateway-policies#proc-set-tls-policy_rhcl-config-deploy-gateway-policies

Yes. It's not explicitly mentioned as a prerequisite in section 1.2.2, but spread all over the doc. In fact, section 1.2.1 is all about using cert-manager in preparation for a TLSPolicy. And as you can see from the example TLSPolicy resource provided further below, there's a issuerRef field that references a cert-manager object (of Issuer or ClusterIssuer kind).

This feature is covered by our automated tests from our test suite that run on OpenShift: Kuadrant/testsuite#894.