This repository demonstrates how Cilium Service Mesh implements the Gateway API in a kind cluster. It provides a set of scenarios that exercise different configuration models so you can compare their behavior directly.

• mise
• Docker (running locally)

mise manages all other required tools (kind, helm, cilium-cli, hubble, kyverno) automatically.

Make sure to activate mise in your shell so the mise run ... tasks can load the right tools. Don’t skip this. Follow the official mise activate instructions for your shell:

• mise activate documentation

After adding the activation line, restart your shell or open a new terminal.

When mise installs tools hosted on GitHub, unauthenticated requests can hit GitHub API rate limits. Create a personal access token (no scopes needed for public tools) and set it for this project with mise set --prompt. See the GitHub token creation guide or go directly to the token creation page:

• https://docs.github.com/articles/creating-an-oauth-token-for-command-line-use
• https://github.com/settings/tokens/new

Set the token interactively:

mise set --prompt GITHUB_TOKEN

Avoid setting the token using export GITHUB_TOKEN=token or mise set GITHUB_TOKEN as that stores the token the history of your shell.

mise run cluster:start

This creates a kind cluster and installs Cilium in kube-proxy-free mode with Hubble observability.

This is already done as part of mise run cluster:start. Instruction left here for reference.

mise run cluster:verify

mise run scenario:01:start
mise run scenario:01:verify

This deploys one gateway-system namespace with the Gateway, one client namespace with a netshoot-client pod, and two backend namespaces that both reuse the same backend-http app base:

Test the two HTTPRoutes from your machine:

curl -i -H 'Host: backend-a.example.test' http://localhost/headers
curl -i -H 'Host: backend-b.example.test' http://localhost/headers

Read each scenario README for the scenario-specific test flow.

Scenarios use a numbered-tier system. The prefix tells you the category at a glance; the slug tells you the content.

Gap numbering leaves room for insertion without renaming existing scenarios.

Demonstrates Kyverno mutating and validating policies that enforce Gateway API routing conventions across namespaces. Three policies work together:

1. Mutating policy — auto-inject parentRefs: When a team creates an HTTPRoute or GRPCRoute with a label like gateway: shared (or a namespace label maps to a known gateway), a mutate policy injects the correct parentRefs block pointing to the shared Gateway in gateway-system. Teams never hard-code gateway names or namespaces in their route manifests.

2. Validating policy — require hostname from namespace label: Each namespace carries a label like routing.example.test/hostname: backend-a.example.test. A validate policy requires that every route's hostnames list includes at least one hostname that matches the value derived from this namespace label. This prevents teams from accidentally routing under a hostname that belongs to another namespace.

3. Validating policy — forbid wildcard hostnames: A validate policy rejects any route whose hostnames list contains a bare wildcard entry (* or *.example.test). This prevents a single namespace from accidentally capturing all traffic on the listener.

The verify task deploys conforming routes (pass), then attempts non-conforming routes (blocked by policy) to prove all three policies are enforced.

• apps/ contains reusable, namespace-agnostic app bases.
• scenarios/ contains namespaces, app instances, and Gateway API resources.
• App-base conventions live in apps/README.md.

TLS-focused scenarios use cert-manager, but it is intentionally not part of mise run cluster:start.

Install it only when a scenario needs certificates:

mise run cert-manager:install
mise run cert-manager:verify

The self-signed certificate pattern for this repo lives in docs/tls-selfsigned.md.

Gateway API CRDs are installed by the repo tasks before Cilium is installed. This repo now uses the Gateway API experimental CRD bundle at v1.5.0, because current Cilium Gateway behavior can log v1alpha2.TLSRouteList registration errors when only the standard bundle is installed.

For local TLS and gRPC checks in this repo, use insecure client flags against the self-signed certificates:

curl -k https://...
grpcurl -insecure ...

Kyverno is also optional and is intentionally not part of mise run cluster:start because no current scenario depends on it yet.

Install it only when a scenario or experiment needs policy enforcement:

mise run kyverno:install
mise run kyverno:verify
mise run kyverno:delete

Open the Hubble UI to watch network flows in real time as you run each scenario:

cilium hubble ui

Or observe from the command line:

cilium hubble port-forward &
hubble observe --namespace client --follow
hubble observe --namespace backend-a --follow
hubble observe --namespace backend-b --follow

k9s is a terminal UI for browsing and managing Kubernetes resources. Start it with:

k9s

Basic navigation:

• Use : to open the command bar, then type a resource (for example, pods, ns, deploy) and press Enter.
• Use j/k (or arrow keys) to move, Enter to drill in, and Esc to go back.
• Press / to filter the current list.

mise run scenario:01:delete
mise run cluster:delete